Halfpoint - Fotolia

Women in cybersecurity: How to make conferences more diverse

The lack of women speaking at security conferences might be representative of the low number of women in cybersecurity, but efforts are finally being made to close the gender gap.

Women in cybersecurity have had the often uncomfortable experience of being the minority at industry conferences and events, and there have been few, if any, signs of improvement over the years.

It's hard not to see the gender gap walking through the halls of a convention center in a sea of male attendees. From the scandalous booth babes to reports of harassment, security conferences haven't offered the most diversity-friendly environment.

This has also been the case for speaker lineups at conferences. Both keynote and breakout session speakers at a wide array of security conferences have often had noticeably fewer women speakers.

The problem today

The gender gap at security conferences led to controversy regarding the 2018 RSA Conference. Early in 2018, RSA announced the keynote speakers for its April conference and was immediately met with an outpouring of criticism. The original lineup consisted of 22 speakers, and only one of them -- cyberbullying and anti-harassment activist Monica Lewinsky -- was a woman.

Not for the first time, the RSA Conference produced a keynote lineup that lacked diversity. In 2017, the conference only had one female keynote speaker, and in 2016, there were only two.

This year, after being heavily criticized, the RSA Conference issued a statement that its keynote lineup was not yet final, and that it heard the industry's plea for more diversity.

"We've been listening closely to the recent discussions surrounding the lack of female keynote speakers at RSA Conference, and we want to address it head on," wrote Sandra Toms, vice president and curator of the RSA Conference, in a blog post. "We hear you. We understand. The Conference leadership team is made up of women, like myself , and we're very much aware of the importance and value of bringing more women's voices, perspectives and experiences to the forefront of conversations in all industries, not least of all our own."

Toms went on to say that most of the women the conference had approached about speaking had declined due to scheduling conflicts, but still, only 20% of the non-keynote speakers were women.

"We fully recognize there is still work to be done," she added.

A few weeks later, RSA Conference released an updated, finalized schedule of keynote speakers with six additional women, totaling seven out of 28 -- including two all-male panels. While a 25% female speaker list is better than the original lineup and the lineups in previous years, it is still a far cry from equal representation.

In the few short weeks between RSA Conference's reveal of the initial lineup and its eventual update, many in the security industry took to Twitter to express their discontent with how the conference was handling diversity. One in particular was Facebook CSO Alex Stamos, who called for an alternative conference that actually represented diversity.

From this, the OURSA Conference was born. Our Security Advocates was a one-day event held in San Francisco -- the same city that hosts the RSA Conference -- at the same time as RSA, and it was co-chaired by Adrienne Porter Felt, security and privacy researcher for Google Chrome; Aanchal Gupta, security director at Facebook; Amie Stepanovich, U.S. policy manager at the internet advocacy group Access Now; and Lea Kissner, principal engineer and lead for Google's product privacy team.

OURSA came together in five days and had a speaker lineup that, according to the organizers, was "100% from traditionally under-represented backgrounds." The event, which covered a wide range of security topics, sold out in about 12 hours.

OURSA, among many other things, served as an example of how easy it is to book exceptional women speakers -- the event had nearly 30 speakers and over 100 talk submissions -- for a security conference, despite all of the excuses offered up in the past.

"I've always said when you have a diverse team, you get better outcomes. And, of course, now all the research shows that as well," said Michelle Zatlyn, co-founder and chief operating officer of CloudFlare, which was one of OURSA's biggest supporters.

"When Parisa [Tabriz of Google] and Amie [Stepanovich of Access Now] didn't like the speaker lineup at the conference down the street, and they got a pretty disappointing answer from the other organizers, what I admired most is [that] it's one thing to talk about it and complain about things, but they actually came up with a solution and they did something about it," Zatlyn said of the OURSA organizers in her opening remarks at the conference, carefully avoiding calling out the RSA Conference by name. "They put a solution forward and, in 12 hours, it was sold out. So, clearly, people wanted an alternative."

Under-representation of women in cybersecurity conferences isn't a new issue, of course, and the RSA Conference is not the only offender. The Black Hat Conference, for instance, also has a low percentage of woman speakers -- its selection process is blind, which adds a layer of complexity to representing a diverse lineup -- however, this year Google's Parisa Tabriz is the conference's only keynote. And, in 2018, Identiverse, which was previously called the Cloud Identity Summit, had just two women scheduled to take the keynote stage, both of whom spoke together and at the last session on the last day of the conference.

Why you should care about diverse representation

The Executive Women's Forum partnered with (ISC)2 and The Center for Cyber Safety and Education to produce "The 2017 Global Information Security Workforce Study," which specifically looked at women in cybersecurity.

The study found that only about 11% of cybersecurity professionals globally are women, which is the same percentage as in 2013. In North America, the number is slightly higher at 14%, though the report notes that females comprise 48% of the general workforce in the United States -- which shows the gender disparity in cybersecurity specifically.

One excuse often tossed around for why there are so few speakers who are women in cybersecurity conferences is that it's representative of the industry at large.

"Shouldn't we aspire to be better than that?" asked Sandy Carielli, director of security technologies at Entrust Datacard. "Shouldn't we aspire to having conferences where we want to be and that encourage people to want to join the industry?"

Carielli, who spoke at RSA Conference 2018, also disagrees that the lack of women in cybersecurity is why conferences don't have more female speakers.

"I haven't had trouble, when I've looked, to find interesting women, particularly for a keynote," she said. "There are a lot of women with a lot of very interesting experiences to share, and I think they are out there and can be found."

It's also important, said Endgame's chief social scientist Andrea Limbago, to have the women who do speak at security conferences speak about their professional expertise.

"Having women in cybersecurity only speak about what it's like to be a female in this field isn't going to move the needle at all," Limbago said.

And as for why that needle needs to move at all, "industry conferences play an essential role in supporting professional development, networking, and job opportunities, and so unequal representation hits retention and the workforce pipeline," Limbago wrote in a blog post.

Bobbie Carlton, founder of Innovation Women, thinks conference managers need to take a measure of responsibility for finding more women speakers.

"My belief is that event managers need to be the leaders because this is a self-fulfilling prophecy," she said. "Not having these women on stage means they don't get considered for [executive officer] positions or board positions or new jobs ... Conferences and events set themselves up as the arbiters of who is a mover and shaker; they set themselves up as 'these are the important people in our industry because we should all be listening to them.' So, they need to put more women on stage even if they need to work a little bit harder to do that."

Every time we get a woman on stage, she's able to make her business more successful or her career more successful, but she's also a success example for others. So, the more women we get on stage, the more women we will get on stage.
Bobbie Carltonfounder, Innovation Women

Carlton added two other reasons why there need to be more women in cybersecurity conferences, particularly for speaking engagements.

"Number one: more interesting events," she said. "The more diversity you get, the more interesting conversations you get, the more different, diverse points of view are on stage ... Give me better events any day."

The second reason is that it will encourage more women to join the field -- something the security industry desperately needs if it wants to close the skills gap and end the staffing shortage.

"When women are speaking or more diverse speakers are represented on stage, they are representing to an audience that looks up at them and says 'I could do that.' You can't be what you can't see," Carlton said. "Every time we get a woman on stage, she's able to make her business more successful or her career more successful, but she's also a success example for others. So, the more women we get on stage, the more women we will get on stage."

Getting more women on stage

Finding female speakers is, if the excuses are to be believed, a challenge for conference organizers, and this is where Carlton and Innovation Women come into the picture.

Carlton launched Innovation Women in May 2015 after spending "a lot of time sitting in the audience [at conferences and events] and watching the all-male, all-pale panels at the front of the room."

The idea is to connect great women speakers directly with event managers, and Innovation Women does that with a self-service online platform. Women interested in speaking opportunities pay an annual fee, create a profile, and event managers search that database to find women with a wide variety of expertise to speak at their events.

"We market the database and online platform to event managers of all stripes -- conferences and events, corporations, and even Meetups," Carlton said.

While event managers can use the platform for free, Innovation Women does require a $100 annual fee from speakers. This helps make sure that the women who use the platform actually want to speak.

"We want people who are going to respond to the event managers and who really want to speak," Carlton said. "So we make them jump through a couple hoops there."

Carlton noted that there are plenty of people out there who have attended conferences and noted the imbalance as she did and who then generated lists of women who would be good candidates for speaking engagements, but there are flaws with that system. First, event managers have no way of knowing whether the women on the list have any actual interest in speaking or if their names were just put forward, and the information on the lists becomes outdated very quickly. Event managers are less likely to use these lists or even remember that they exist.

"Those lists are awesome, but they are not created as a sustainable push forward," Carlton said. "There's nobody out there driving them on a daily basis."

Innovation Women cultivates a database of speakers across many different industries, but the technology field is definitely in need. One reason for that, according to Carlton, is that technology conferences have been male-dominated for a long time.

"Speaking begets speaking," she said. "It's the perpetuation of the same voices, and those same voices have been speaking for years. I think it's just a continuation of the problem."

Innovation Women is just one of the efforts in play right now working toward equal representation at conferences.

Mentorship is often brought up in discussions about a diverse workforce, as well as networking and getting to know more people in the industry. But when it comes to conferences, Carielli said that making conference organizers aware that they have a problem is a good first step.

"I think calling folks to the carpet on it is a good first step," she said. "It doesn't have to be public all the time. Sometimes it can just be a private conversation that you have. But I do think that, sometimes, people just don't notice and they need to be made aware."

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing