However bad you think gender disparity is in the information security sector, the reality is probably worse: Research backed by information security association (ISC)² and the Center for Cyber Safety and Education reveals that women represent only some 11 per cent of the security workforce.
The 2017 Global Information Security Workforce Study (GISWS) found that, globally, men are four times more likely than women to hold executive-level security positions and nine times more likely to hold managerial positions. More than half of the women who participated in the survey of infosec professionals reported various forms of discrimination, and, the report reveals, in 2016 women earned less than men at every level.
For infosec veteran Jane Frankland, boosting the representation of women in the sector isn’t just a question of addressing sexism — it’s also about strengthening information security as a practice.
Frankland is the author of InSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe — a book with a self-evident central thesis.
A lot of her efforts in recent years haven’t focused only on helping women get into the industry but on helping the industry retain them, Frankland told Computerworld ahead of a visit to Australia for the AISA Cyber Conference.
“Really a lot of the practices that are centred around [recruiting and retaining] women are just good practices for the whole of the industry,” she told Computerworld. “I’m about the performance of the industry and making it stronger and better so that we can do a better job of protecting businesses, countries and individuals. That’s really what I’m about.”
“We know more women leave the industry than come into it and to me that’s a huge problem,” she said. “Women do see risk in a different way to men.”
But, Frankland added, she sees some of the issues relating to the retention of women as echoing problems that organisations face when it comes to retaining security talent in general. “Women are burning out; leaders are burning out as well,” she explained.
One of Frankland’s current projects is the development of a code of conduct for security events.
The code of conduct initiative was sparked after Frankland encountered ‘booth babes’ hired by an exhibitor at Infosecurity Europe.
A tweet by Frankland that she was “disappointed” drew a significant number of reactions — many from people who shared her disappointment — and Infosecurity Europe moved to address the issue. However, in the wake of Newsweek coverage of the incident, Frankland revealed that she “became a major target for online abuse and harassment”.
“People from outside our industry joined in - everyone from CEOs, CTOs, university lecturers, consultants, practitioners and so on - men and women,” Frankland wrote in a LinkedIn post.
“When trolls came out in force and Twitter had to remove comments and suspend individuals, people phoned and messaged me to check I was OK. They told me they felt too afraid to comment online or were concerned they'd just be fanning the flames. I understood and recommended they keep quiet rather than be attacked, especially as the accusations became more and more nonsensical. It became crystal clear that women who showed support were targeted more than men, too.”
One of Frankland’s key takeaways was that security events should have a code of conduct — and that code should be “clear and enforced.”
Frankland’s experience at Infosec Europe was not the only trigger — there was also an additional ‘booth babe’ incident and a case of a woman being groped at another security industry event.
In the wake of Infosec Europe, Frankland staged an IN Security event to address the development of a code
“After three events with issues I thought it would be really useful to look at codes of conduct and put together an event and actually do something that I thought would be helpful to the industry,” she told Computerworld.
Frankland gathered feedback at the event and used it to inform the drafting of the code. That code has been circulated for review and is undergoing revisions.
“What this is, is it really looks at defining standards — essentially this will be a standard. So when somebody turns up at an event and they have an ‘IN security’ standard on there, then they can expect certain things from it,” she said.
“It’s fairly short but it’s something that an organisation can put straight onto their website,” Frankland said. “It actually defines what good behaviour is, what inappropriate behaviour is, and how inappropriate behaviour is handled — who do you approach, how can you report inappropriate behaviour, through what channel. What are the expectations you can [have] in terms of someone coming back to you, how will they investigate it?
“It details all of that, including the timelines as well. So essentially almost from a customer service perspective — if you’re complaining about something then you need to follow a process. In all of the codes of conduct I saw I didn’t see a process for that defined.”
Frankland said that (ISC)² and Cyber Security Challenge UK have already indicated support for the code, and she is currently in discussions with a major European infosec event about endorsing the initiative.
Frankland is a keynote speaker at the AISA conference in Melbourne, October 9-11.