Accenture's Tammy Moskites on the cybersecurity gender gap

The cybersecurity gender gap has existed for decades, but Tammy Moskites believes there are opportunities today to bring more women into the industry.

Moskites, managing director of Accenture Security, has spent 30 years in the technology and security industries and has seen the percentage of women in those professions remain relatively stagnant. In this Q&A from RSA Conference 2018, Moskites talks about her own infosec career path and the obstacles she faced along to the way to becoming a longtime CISO for such companies as Home Depot and Time Warner Cable.

In part one of this interview, Moskites talked about working with enterprise security teams in her new role at Accenture and the challenges and changes facing the CISO position. In part two, Moskites discusses her efforts to narrow the cybersecurity gender gap and offers her thoughts on the criticism the RSA Conference faced over its lack of female keynote speakers.

Editor's note: This interview has been edited for clarity and length.

You took a different path to your infosec career.

Tammy Moskites: I did. And I don't have a college degree also. I went to technical school. So it's even more different than most folks.

My career really started as an administrative assistant back in the day. And then I was a programmer and did a lot of technology work. And then I actually switched my career and got into the actuarial department. And, in actuarial, I was doing trend analysis. I was a senior trend analyst.

For example, what [affect will] a whitefly infestation [have] on the consumer price index? And in that piece of the country or the world, everybody's going to die younger because those tomatoes got infested and were their main source of food. And so I would do the analysis based off of morbidity tables; what's the average likelihood of the event -- death -- to occur from starvation. You have to change your underwriting.

If you fast forward ahead, it's like what we are doing today. What is the average likelihood of an event to occur, such as a breach, whether it's a malicious insider or malicious outsider? It's pretty damn likely. And then you ask what controls do we have in place and what are we going to do about the threats? It's the same approach.

That's something that has come up in conversations about the cybersecurity skills shortage. I've heard more and more people argue to get rid of the four-year degree requirement for infosec jobs. But, in a lot of cases, enterprise HR departments demand those degrees. Do you see that as a contributor to the hiring challenge?

Moskites: In my past life, many years back, I got a job offer in writing and I was so excited about it. And they sent me a follow-up note that said, 'We didn't get your college information,' and thank god I didn't give my notice at my previous job.

And they said, 'You don't have a degree.' I said, 'Well, you know, back in the early days, I went to the Computer Processing Institute for a year and did 40-hour-a-week classes.' And they said, 'Yeah, we have to pull that offer back. It's mandatory for our executive level [to have a four-year college degree].' So they pulled back my offer. That was pretty bad.

But, personally, I never look at degrees. Finding candidates is hard. Getting resumes is hard. I think a lot of it is because of the way that we write job descriptions.

You have the required and the mandatory things that you see in the descriptions. When women look at a job posting and they see mandatory requirements, we look at it as being 100%; that's the way our brains work. 'If I don't meet 100% of this, I'm not going to send my resume in.' Now, when a guy looks at it, he may say, 'I've got half of this, I'm good to go.'

It's true. I've definitely done that.

Moskites: I see that all the time. I ask, 'Why am I getting no women resumes?' It's a problem.

So what I did was I took the requirements thing off it because I couldn't get a job filled, and it was open for eight months. HR was not thrilled with it, but I said, 'Just take off the requirements.' And all I put in there was basic qualifications that said 'To include one or more of the following.' I had so many resumes coming in -- men and women -- and that's the first time I got a pile of resumes like that.

And don't get me wrong -- they were not all qualified. But you also can't use that 80/20 rule that we used in the past, where you say 'I'll get 80% of the requirements and train for the other 20%.' You have to really look at a 50/50 split on the skill set.

I've seen some people claim there is no cybersecurity skills shortage and that the real issue for the industry is that companies aren't paying people enough. Do you think that's an issue?

Moskites: I think it's geographically challenging sometimes. If you're in a big area where there are a lot of jobs, you go through what I call the circle of life.

When you're in an area like Ohio, you work for Nationwide, Huntington Bank, Bank One now Chase, and The Limited, and you go through the circle. And you either have a choice between re-entering another piece of that circle or leaving it. And that's how it is in a lot of areas; you have the circle of jobs. And we change jobs for a host of reasons, including making more money and getting more experience.

When people are saying to you they're not making enough money or that companies are not paying, I think we're paying a lot more in some [geographic] areas. In some areas, we're behind. But I also think that, geographically, the salaries are catching up to one another.

But there are other issues with salaries. Women's salaries overall are still about 76 cents to the dollar compared to men, which is pretty bad.

There's recent research from (ISC)² on the cybersecurity gender gap that shows women earn about 4-6% less -- depending on the position -- than men for the same jobs.

Moskites: And when you look at it, yes, it's disheartening. But I think Accenture does a good job; they have a huge diversity program, which I love. Over 40% of our workforce is women.

They actually have an internal initiative to have 50% of our workforce women by 2025. And you have to realize, we're about 450,000-plus employees; to get 50% of our workforce by 2025 and also have 25% of managing directors to be women by 2020 is a huge deal. It's exciting. And the thing is, it's not just lip service. They are so passionate about it.

When you saw criticism of RSA Conference due to the lack of female keynote speakers primarily, but also the percentage of female speakers in general, what was your reaction? And what do you think the answer is?

Moskites: Not specific to RSA and, in general, I think that you have to have a mix. You have to allow a more diverse speaking engagement. And if you have three people that actually want to speak about the same thing, you might have to pick someone that's more diverse to get that mix.

I think it's challenging when you go to these types of events -- not just RSA, but all events -- and your only [female] keynote speaker is Monica Lewinsky.

And the criticism there, despite her being a respected speaker, was that she wasn't an infosec professional, which led RSA Conference to add more keynotes with women speakers.

Moskites: But they've added them after the fact. And that's what led to OuRSA, and that's also disheartening.

As a woman, I've been in a man's world my whole life. When I've had to get a job or look for my next job, I wasn't always the first choice; I was the second choice very often even when I felt that I was the most qualified. In my career, a company I worked for many years ago gave a job to a man for a position that I created.

As a woman, I've been in a man's world my whole life. When I've had to get a job or look for my next job, I wasn't always the first choice; I was the second choice very often even when I felt that I was the most qualified.

I built an AppleTalk network back in the day with the Mac S series with the old black and white screens. And I was so excited; I got it all working. And the company said, 'Let's create a job for this.' So I created this little network admin job or system admin job. And the boss said 'We're going to announce it at the all-hands meeting.'

I was so excited because I got to do something; I got to build a network. But the boss gets up and says, 'I want to thank Tammy for all her hard work. She did such a great job on this. She wrote the job description. Now everybody, let's congratulate ...' -- and I'm making the name up -- "... Simon for getting this new position."

Wow. And you were the one that built the network in the first place.

Moskites: Yeah. I sat there and actually what I said was a lot of expletives -- not out loud, but to myself.

Afterward, I walked in the boss's office and shut the door and I basically said, 'What happened?' He said, 'Tammy, you wear skirts, and when you fix computers, you have to go under desks, and it's really not appropriate if you're wearing skirts. So I gave this a lot of thought last night and that's why I decided to give the job to him.' No lie.

I was so pissed. I mean, talk about a fire in your belly -- that really lights one. And it's a fire that says you're responsible for your own success. I can't rely on [other people] to get me to my next job. Sometimes you get a sponsor or mentor to help you move or grow as an executive and sometimes that's necessary. But, overall, we're all responsible for what we do.

What do you think the issue is with the cybersecurity gender gap today? Is it because there's still some biases or is it more about representation? Technology and security are male-dominated fields and professions, and if younger women don't see other women in those roles, they may not consider infosec careers.

Moskites: I think that what you find mostly is this: If you think back into the '60s and '70s and bring it all the way back there, about 10% or 11% of the workforce in IT and technology was women. If you move it ahead to today, the same exact percentage is women; however, there's a lot more of us. Before it was 10,000, women and now we're in the millions. But if you think of it in percentages, you say, 'Wow, we've been kind of stagnant.'

I think we have to reach younger people. What we have to do is really encourage them and help them understand that not all security jobs are 24 hours a day, seven days a week, 365 days a year.

The other thing you have to do is bring some excitement to it. You have to bring it into early education. I'm in the schools all the time talking with students. You have to reach the young ones. When they have the fire in their belly like I did, and when you see that they have that excitement, we have got to provide them the guidance to get involved and learn more about security.

Do we have gaps? Sure. Are they going to continue? Sure. Are there still some [gender] biases? Probably. But you can't change a leopard's spots; it just is what it is. [But] you can get younger people, and especially women, excited about security.