The week of June 28 was a big one (not in a good way) for showcasing the persistence and depth of harassment and exclusion for women in cybersecurity. Those on infosec social media were flooded with bikini selfies protesting the harassment that a woman received for posting her own bikini selfie. Men and women took to Twitter posting their #infosecbikini pictures, generating a wave of awareness, goodwill, and solidarity, which was amazing and should be applauded.

This Is Why We Can’t Have Nice Things

As if to slap us all in the face, and remind us that we still live in the dark ages as far as harassment and exclusion are concerned, someone decided to turn those pictures (of solely the women, none of the men) into an infosec bikini calendar, without seeking the permission of these women. You cannot make this stuff up.

As we all riled and protested and retweeted and told our own tales, what surfaced was a sense of deep rage. Along with our rage, we were surprised to feel an overwhelming fatigue, exasperated not only by the many long months of pandemic isolation and confusion but also by a sense of cumulative trauma resulting from the daily cases of harassment and undermining of women in cybersecurity. This was not an isolated incident — this was merely the latest and most visible example. These kinds of experiences are a daily occurrence for many women in this space, starting in higher education and training environments. Until recently, these experiences typically only come up in hushed or angry back-channel conversations. Industry veterans shook their heads, having experienced the spectrum of this trauma before, and those new to the profession watched the events in disbelief.

Tackling Infosec Gender Diversity Head On In Research

Even prior to this, the revolving door of issues facing women in security and risk led a few of us in the S&R team to write research helping our clients to deal with those issues. Most were supportive, and others were skeptical. We were challenged to answer why, out of all diversity dimensions, single out gender as a topic of research. Do issues that our clients and colleagues raised with us about harassment at tech conferences still exist? It’s 2021, after all. Yet everywhere we turned, including in our own backyard, there were gender-related cultural challenges.

The events of the week of July 12 reminded us in no uncertain terms that our research is more important than ever, and it aims to bring awareness to the top 10 most commonly raised gender-related questions, such as:

  • Do I continue to show up to male-dominated security events? How do I do that safely?
  • How can I do a better job at encouraging women to apply for security roles?
  • Is it OK to bring women into my organization while toxic masculinity is blatantly occurring in the team?
  • How do I deal with the various prejudices associated with my personal decision to have children?
  • How do we retain our most experienced women, at the top of their careers, as they experience menopause?

As we collaborated and wrote, as with all great pieces of research, we were challenged, and we challenged. Some of us wanted to promote the importance of networking and personal branding, only to be reminded that those were the domain of the very privileged. Some of us wanted to guide our clients to lean in, until, mercifully, others reminded us that “leaning in” is in fact unnecessary emotional labor. Here is what we have agreed on:

  • Lean in, but also know when to draw a line on emotional labor. Asking women to solve all these challenges above can result in high levels of stress and compound feelings of difference and isolation. The emotional labor involved with these efforts, coupled with a potential loss of time spent on career-related activities, can set back the very people that inclusion efforts are designed to support. Before taking on leadership roles in employee resource groups or other gender initiatives, understand how your organization will compensate you for that work and account for it in your performance evaluation. If it is seen as “extra” work with no additional reward or, even worse, a distraction from your daily job duties, push back. Be wary of vague promises of visibility to senior management — you may get some visibility, but unless senior management views the work as high-value and ties it to career potential and performance, the visibility won’t translate to career advancement.
  • Treat gender issues for what they really are: systemic business and social issues. It is all too easy to think that you need to deal with all these gender-related issues and take personal responsibility, especially when so many people tell you to lean in. You may succumb to the notion of the imposter syndrome, doubting your abilities, feeling like a fraud, and wishing you could increase your confidence. While it’s important for all of us to take some personal responsibility, there is only so far that your confidence can take you when the system is broken. Cybersecurity does not have a “women’s issue.” Instead, it has a culture where women regularly face systemic racism, sexism, and bias.
  • Your male allies are as crucial to influencing change as you are. To ensure that everyone in your organization takes responsibility for some of those challenges we’ve discussed, you need allies within the organization. Your allies aren’t necessarily of the same gender, race, or diversity dimension as you. They work side by side with you and other women to drive organizationwide diversity, equity, and inclusion initiatives and effect cultural change. They will amplify your messages and challenges, translate it into the language of those who don’t want to understand it, call out unwanted behaviors, and model correct behaviors.

We look forward to sharing this upcoming research with you — follow us all on social media for announcements.

What we look forward to more than anything, though, is breaking this circuit and making infosec a safe and inviting place for future generations. Join us in the mission of changing this culture, and always #choosetochallenge in whatever way you can.

If you’re an infosec pro and would like to contribute to this research, please reach out to Melissa Bongarzone, senior research associate.