The Time is Now for Greater Representation at Security Cons
A few times a year, the security community briefly focuses attention on the ridiculously low statistics for women and underrepresented groups in our industry. This is usually prompted by a new report detailing, for instance, how representation of women in the industry has not budged from roughly 10% or a conference may make headlines for sexist events. This time around the industry’s lack of diversity is making headlines thanks to the keynote lineup at the upcoming RSA conference, where just one out of 22 keynotes is a woman. While it is easier to blame the tech industry for security’s lack of diversity, there must be some introspection within the industry to address this issue. Industry conferences play an essential role in supporting professional development, networking, and job opportunities, and so unequal representation hits retention and the workforce pipeline. On this International Women’s Day, and in light of this latest keynote controversy, I would like to dispel two of the main excuses for underrepresentation on conference programs. I’ll also offer some actionable suggestions based on what we at Endgame are doing to create an inclusive culture within the company, and spark change across the community.
Excuse #1: We Couldn’t Find Any Women
We’ve heard this excuse time and again. The relative absence of women in security makes it difficult to support diverse program schedules. This excuse is usually followed by a justification that the conference committee also doesn’t want to lower their standards or the quality of talks. Wanting to maintain the high technical quality of talks is understandable, but it’s a complete non-sequitur. Standards must remain high, but that doesn’t justify exclusion of major demographic groups from speaking at a conference. In fact, women are generally held to higher, not lower, standards when submitting research and code.
Fortunately, many security conferences have already disproven this fallacy and have taken concrete steps to ensure greater representation on their programs. BSides NYC recently wrote an excellent piece detailing their steps and missteps on their quest to achieve gender parity in speakers. Although they fell short of their goal with 40% of speakers as women, they note, “Anyone who tells you they can’t find women speakers in security hasn’t tried looking.” O’Reilly Security also is turning this paradigm on its head. Through a blind review process and a diverse program committee, the conference reached 36% for diverse speakers in its first year. It starts with a more diverse program committee, extends into the review process, and is solidified thanks to the power of social networking to broader groups. Social networks are notoriously homogenous. If a program committee is truly committed to seeking gender parity, it needs to look beyond its own networks and perhaps bring new ideas from other industries to improve representation.
For those who may still be skeptical that there simply aren’t enough women in security to help create more representative programs, I’d like to provide my own data point and highlight a few of my colleagues. Their vast range of talent reflects some of the amazing, technical work women in the community achieve daily. Jane Miller is a Software Engineer who focuses on C++ development for the Endgame sensor on macOS, Windows, and Linux and helps productize R&D. Yamin Tian is a Senior Software Engineer with expertise in kernel/user mode programming and performance tuning, and will be presenting her research on debugging in the kernel at this year’s BSidesSF. Amanda Rousseau is a Senior Malware Researcher whose research focuses on dynamic behavior detection and reverse engineering malware, and she has presented and keynoted across the con circuit. Lindsey Poli is a Product Designer, solidifying the user behavior science behind UX design by integrating user requirements to create workflows that accommodate all skill levels within a security operations team. Janeen Mikell-Straughn is a Senior Technical Writer who creates user-facing content, such as user guides, reference documents, and computer-based tutorials, to optimize user experience. Mindy Stevens is Endgame’s QA Manager, coordinating across teams to build and automate scalable, efficient, and smart infrastructure. Nayyara Samuel is a Software Engineer who focuses on backend development in distributed systems and microservices and works on building and optimizing our management platform. She recently helped create 'SMP Pulse', a monitoring console for our management platform. How’s that for a diversity of skills within our research and engineering teams? Unfortunately, I don’t have the space to highlight the broad range of phenomenal women across the entire company. Clearly, the community is full of exceptional, talented, and impressive women who continue to positively impact our security daily. Anyone who says otherwise is simply not looking.
At Endgame, we take numerous steps to attract and retain such great talent. It all begins with first impressions, from how our job descriptions are written to representation on our website to providing Endgame swag in women’s cut. Our hiring process also includes women on interview committees, and a representative interview pool of candidates and broadening networks. We also participate in numerous events that support women in industry, from speaking at and serving on program committees of Women in Cybersecurity, the Diana Initiative, and Grace Hopper conferences to hosting events that amplify the voice of women in media to sponsoring events like Lesbians Who Tech. There is no one-stop solution to improve representation. By moving beyond lip service and taking concrete steps we can help change the industry.
Excuse #2: Women Don’t Submit
Although the recent conversation focuses on keynotes, the rest of the conference program is just as important. RSA claims their broader program consists of 20% female speakers, in line with their audience. This problem is not unique to RSA, and impacts many security conferences, some of which receive less than 10% of submissions from women. Instead of blaming women for not submitting, conference organizers should consider why women aren’t submitting to their conference. In many cases, women may not submit due to conference culture. Although security conferences increasingly create codes of conduct, ensuring compliance remains a key problem. Also, when directly requesting submissions from specific individuals from underrepresented groups, how you frame the request is really important. When encouraging more women to submit to a CFP, don't frame the request in terms of gender. Instead, highlight their expertise and how it would be a great fit for the conference. The BSides NYC post again does a great job explaining why women may opt out of attending or speaking at specific conferences, and how little it may have to do with the actual presentation.
Women also are often asked to submit and contribute to tracks on diversity and culture. Again, these are important, but most women would rather highlight their research and expertise than talk (yet again) about the role of women in the industry. The majority of speaking opportunities for women focus on culture and diversity, not their technical expertise. According to one analysis, when women are provided the opportunity to speak, these opportunities only focus on their technical work about a fifth of the time. This places an unfair burden on women who alone are expected to ameliorate representation in the industry, while also diminishing their role as experts in a field.
Even the most inclusive conferences struggle with submission rates from underrepresented groups. This is where companies must play a larger role if they are truly committed to diversity, inclusion, and professional development. At Endgame, we support numerous speaking opportunities for our experts at all levels of their career. From internal technical talks and opportunities at local meet-ups to the national conferences, Endgame offers a range of financial and professional support to hone both presenting and writing skills. This is part of professional development, but has the intrinsic, additional value of encouraging greater representation and more diverse speakers and backgrounds throughout the entire company and across the industry.
Overcoming the Streetlight Effect
It is unfortunate that the industry is still at a point where acknowledgement that there is a lack of diversity is the status quo. Conference representation is indicative of the broader lack of diversity across the entire industry and a failure to look beyond the existing paradigm.
A brief look at security’s workforce shortage drives home yet another reason why conference representation matters. For students and professionals considering entering or transferring into security, if they do not see role models or success stories with whom they can relate, they are less likely to enter the field. Put more succinctly, if they don’t see it, they won’t be it.
We also need to move beyond having to endlessly justify the positive impact of diversity on innovation, company performance, and culture and focus instead on concrete action. Importantly, this shouldn’t only occur in response to the latest headline, but must be instilled within corporate and conference cultures. As Endgame’s CEO Nate Fick has commented, given both the failure of the industry to protect the world’s data from attack, and the industry’s talent shortage, it is imperative to “do things differently and that requires bringing different perspectives and experiences to the table...That means creating a culture and atmosphere that’s welcoming of people of all kinds, provided they are great at what they do and care about supporting their teammates and our customers.” While we must continue to improve, it is heartening to be surrounded by great women and men who are driven both by the mission and a desire to evolve the industry to ensure we are equipped with the best minds from a range of backgrounds to tackle today’s national and economic security challenges.