leowolfert - Fotolia
With the current IT security skills shortage, it can be said the lack of gender diversity in tech is an advanced persistent threat. If the workforce shortage is so problematic, why is the number of women recruited and promoted in security careers so low?
For starters, cybersecurity has not been traditionally welcoming of women, said Shannon Lietz, leader and director of DevSecOps at Intuit Inc. Also the founder and leader of Intuit's cybersecurity Red Team, Lietz is determined to address the systemic barriers facing women in the threat intelligence space.
A veteran white hat hacker with more than 30 years of experience, she has witnessed some improvements with respect to gender diversity in tech. But, for women, she said, hacking into the threat intelligence field hasn't gotten any easier.
Here, Lietz discusses how the threat intelligence workplace culture may extrapolate its gender diversity problem and how skill building, male allies and the right resources for women can help to mitigate it.
Would you describe your field as male-dominated? How has that influenced your career as a woman in threat intelligence?
Shannon Lietz: It's male-dominated but not necessarily on purpose. Historically, IT and threat intelligence started through militaristic means. When ARPANET originated in 1967, men were the primary facilitators of technology.
Shannnon LietzLeader and director of DevSecOps, Intuit
It was rough starting out. I got discouraged early on in my career from becoming a technologist before I became interested in security, which had an even smaller population of women. One of my first computer teachers, a woman, basically said this was no place for women. I was shocked. She said, 'I've been in the industry for a long time, and trust me, you just don't want this.'
One of the greatest experiences has been finding male allies in security who have allowed me to come out from the sidelines, which subsequently made it possible for me to help other women in this space.
What obstacles do women face pursuing security and threat intelligence careers?
Lietz: In security, there are few opportunities to learn tactical skills. That tends to be a barrier women face early on. It's also a challenge for women getting started to create goals and metrics for self-assessment. This is one of the consequences of limited representation of gender diversity in tech. We need to create pathways for women to learn the necessary skills, find them jobs and help them measure their job success. If you look at the cloud trends, most of the work is moving to code. Unless a woman has the coding skills to write policies and standards -- or any security configuration -- they are going to feel like they cannot compete in this industry.
What about threat intelligence culture makes it so hard for women to break into?
Lietz: In threat intelligence, you're looking at bad acts of the world -- for example, dark web monitoring. It's easier for a woman to break into reverse engineering than pursue a career as a dark web specialist. The perception is that most of the material you find on the dark web is centered around things like human trafficking, for example. There is a darker side, a sexual connotation to threat intelligence, that may thwart gender diversity efforts.
It can be hard to let prospective hires know about the more discrete elements of the job. There may be sensitivity nowadays discussing these things in a professional context. For example, there are cases where people surf porn at work, and women must deal with that. As a threat intelligence specialist, you need to figure out if that image is showing up in the dark web, what lured them to that image and how they got there. Allies need to feel comfortable educating and clarifying skills for women to help prepare them for a career in threat intelligence so they can be successful. It's not just looking at malware variants. It's a much more active trade.
Why is it important to increase gender diversity in threat intelligence?
Lietz: I'm passionate about increasing the number of women in threat intelligence because I'm looking at adversary trends. I'm watching these trends and tactics getting stronger and more sophisticated, and we just don't have enough specialists out there to match. Women could be a significant defensive mechanism against adversaries. For example, we may look at problems in a different way. A lot of women, including myself, are data-driven because we must compete more to prove our worth and combat stigmas about gender on our way to claim a spot in threat intelligence.
New job opportunities due to changing technology and a security skills shortage have created smaller barriers to entry. I'm worried that, if we don't increase the security workforce in size and skill, a societal distrust of technology will result. If people stop believing in technology, that could be very harmful to society's function and progress.
What can help women seeking entry into the threat intelligence field gain the necessary skills to be successful?
Lietz: I used to be a bigger fan of certifications than I am today. The standard curriculum for a threat intelligence analyst certification is so light. For certifications to be helpful for women -- or anyone hoping to get hired -- the training needs to be more technical and applicable to the day-to-day job.
We need more threat intelligence leaders who are willing to cultivate the skills of prospective female threat intelligence specialists. Over time, you can build on the fundamentals and broach more advanced topics, such as chasing adversaries into forums that are helping protect their anonymity.
Look at the Bugcrowds and HackerOnes of the world. They are fostering the development of more women in cybersecurity by cultivating their skills. Once women understand how to hack, they can direct those skills into the threat intelligence role, such as finding and tracking adversaries and investigating their motives. When women are armed with these foundational skills, it can go a long way toward not just getting them the job, but keeping it.
What steps is the industry taking to recruit and promote women? Could anything be done better?
Lietz: I'm still sad that conference organizers haven't fully taken on numeric gender diversity goals. I would encourage cybersecurity conferences and organizations to commit to quantifiable goals and hold them accountable for those metrics publicly.
But I am seeing change. Five years ago, at RSA Conference, the women's bathrooms were near empty. Recently, I just had to stand in line to go to the restroom. It's an interesting bar, but it's amazing to see.
The other place we're seeing things change is women's panels -- there are noticeably more of them. There are men in the industry saying, 'I will not speak unless I see diversity represented on the panel.' Kudos to them because that is a needle-moving activity -- it helps make representation of women more accessible.