LONGMEADOW, Mass. -- One of the top information security leaders at Facebook believes the information security industry's long-term success likely depends on encouraging more women to work in the field, but doing so will require overcoming a number of vexing misperceptions about women and security.
During a keynote speech last week at Bay Path University's second annual Cybersecurity Management Summit, Jennifer Lesser Henley, director of security operations for the San Francisco-based social media company, said information security is becoming less focused on technology and more about people.
Henley spoke repeatedly on the importance of "changing the game," or finding ways to tilt the balance of power in information security back toward defenders and away from attackers. A crucial way to do that, she said, is by adding empathetic workers to the profession who can connect with others by understanding and sharing their feelings.
"We want to understand people's behaviors and protect people as they live and work and be whoever they want to be," Henley said. "To do that, to change the image of what security is, we need to humanize what we do and why we do it, and think about what is driving us to make the decisions that we do."
The growing importance of non- technical skills like empathy, collaboration and multifactorial analysis, Henley said, is why so much opportunity exists for women in the security field. However, she said the industry has an image problem when it comes to recruiting women, who account for only about 11% of the field, according to industry estimates.
Jennifer Lesser Henleydirector of security operations at Facebook
"Nine times out of 10, if you ask someone to picture a person working in security," Henley said, "they're going to picture a man -- most often a white man."
She noted that the images of women and security that do exist are usually inaccurate stereotypes depicting quirky, isolated female TV characters who are only called on to interact with colleagues when the men need something from them.
"There's a breadth and depth of technical skills that exist in the space. We have to acknowledge that a diverse group of employees can help change the game," Henley said. "We need to start dispelling the myth that security is a homogenous group of individuals and that we don't let anyone else in."
Security success with non-traditional path
Henley spoke at length about her own career path and how she essentially found herself working in information security by accident.
Even though she enjoyed science and math growing up, she decided to attend a liberal arts college and major in communications. After graduating, she landed a job with Andersen Consulting (now Accenture plc) and eventually participated in a 10-week bootcamp to learn how to program in C++.
That kindled a passion for IT, she said, and kickstarted what became a series of fun, engaging roles in IT project management.
"I loved it. I felt like this is what I was meant to do," Henley said. "I love bringing people together and working through complex issues."
Eventually, she found herself at eBay working on project management for the information security team. Right away, she said, she knew she had found the part of the IT industry in which she wanted to build her career long-term.
"What I loved was [that], at the heart of what we were doing was protecting people," Henley said. "We were trying to protect the network, but ultimately that and all the compliance efforts in place were about protecting our employees and the millions of people who use eBay."
Today at Facebook, like her previous role at eBay subsidiary PayPal, she helps manage the day-to-day operations of the information security team, overseeing high-priority initiatives and ensuring the team is on track to meet its goals. But, because her career path remains the exception rather than the rule in information security, Henley said few women realize that there are an abundance of roles like hers in which they can thrive.
Even though Facebook and most other companies still look for information security candidates who know operating systems, interpretive programming languages, and have a background in servers, networks and applications, Henley advised women to ignore all that and look at her career as a model.
"There's no one-size-fits-all in security," Henley said. "If you have passion and enthusiasm and you're willing to learn, hone those skills and consider this as a career choice."
Multifactor authentication critical to Internet security
Though Henley's address was largely career-focused, she did spend a few minutes highlighting the importance of two-factor authentication, particularly in the wake of last week's iCloud data breach that led to the exposure of sensitive photos and videos belonging to several celebrities.
She said single-factor password-based authentication can be too easily breached in any number of ways to be a reliable standalone security control on today's Internet.
"If there's one general best practice that's important, on Facebook or anywhere else, use a second factor of authentication anywhere and everywhere you can," Henley said. "Gmail offers it, so does Yahoo and LinkedIn. Make sure you turn it on."
Even though traditionally, users have been unwilling to implement multifactor authentication for fear of being inconvenienced, Henley spoke of Facebook's success internally implementing two-factor authentication. The company uses Yubikey USB devices that require users to tap the Yubikey, in addition to entering a password in some circumstances, such as if a user is logging in from an unfamiliar device or location.
"The company has embraced it," Henley said. "This small piece of technology, that many people were questioning, they now love and they talk about how it gives them flexibility but allows them to understand the heart of what we're doing is protecting people and their data."
As a security tip for Facebook users, Henley strongly recommended enabling login approvals, which asks users to provide a special one-time security code sent to an authorized mobile device when accessing Facebook from a new device or browser.
Learn how one educator is trying to recruit women to the information security field.
In this video, (ISC)2 chief W. Hord Tipton discusses the growing importance of women in information security.