SAN FRANCISCO -- There's no question that women can thrive working in the information security field, according to a group of women who've done just that, but the industry needs to do more to not only encourage women to pursue infosec careers, but also help mentor them along the way.
Those were some of the key discussion themes during a Monday panel at RSA Conference 2015 exploring the changing role of women in information security.
According to the results of the newly released 2015 (ISC)2 Global Information Security Workforce Study, women account for just 10% of today's infosec workforce. According to panel moderator and freelance journalist Fahmida Rashid, with as many as 900,000 unfilled security jobs today, adding more women to the workforce is essential.
"It's a lopsided team we have out in the field," Rashid said. "That figure is a little disconcerting when women aren't nearly 10% of the population, and considering the fact that study after study says organizations are struggling to fill cybersecurity jobs, that's a very disappointing number."
Rashid offered more statistics highlighting the state of women in security, most notably that 46% of women believe that a gender bias exists in their evaluations, and 56% of women working in technology leave their careers after achieving a midlevel role.
Despite those data points, four female panelists shared their experiences on how they've succeeded and the many valuable skills women bring to information security.
Michelle Johnson Cobb, vice president of marketing for Skybox Security, said that research shows women can provide infosec teams with key expertise in badly needed areas, such as spurring communication, collaboration and teamwork, focusing on big-picture/long-term strategy and fostering innovation.
"One thing I feel strongly about is that the status quo -- this 10% participation figure -- is starting to show its weakness," Cobb said. "Bringing women into information security is going to help in all those areas. It's been shown time and again that having a diverse workforce has those kinds of benefits. So we need to make those changes now."
Penny Leavy, chief operating officer of Outlier Security, noted that information sharing has long been a struggle for the industry as a whole, but it's an area where women have a lot to offer in the way of team-building and looking at the big picture.
"It takes a lot to share information because it makes you vulnerable," Leavy said, "but if we could get more people with those particular traits, we could all benefit."
Women in security: Ask for mentors
All the participants spoke of the importance of having mentors who can offer career help and guidance. Rashid noted that (ISC)2 recently found that 84% of women say they don't have sponsors in their organizations to help mentor them.
Panelist Melinda Rogers, chief information security officer for the U.S. Department of Justice, said she had a mentor earlier in her career whom she credits with helping her be more direct and not worry about hurting anyone's feelings when offering feedback, something she said can be a struggle for women.
Cobb said mentors can be men or women, peers or managers. While a mentor can be someone within a woman's team or department, she recommended taking the opportunity to work with people on different teams or in other organizations.
Rogers added that women shouldn't be afraid to formally ask someone to be a mentor.
"If you feel like you could use a mentor, identify someone you respect," Rogers said. "They're usually flattered; they don't know you need a mentor, and you'd be surprised where making that call is going to take you."
Panelist Angela Knox, engineering director for Cloudmark, said that through pursuing an MBA she learned about the importance of "owning" her career and pushing herself to achieve challenging goals, but that for many women a mentor can serve the same purpose.
Achieving the work-life balance
None of the panelists shied away from an audience member's question about the challenge many women face when they decide to start a family, often at a point when their careers are just starting to take off.
Leavy, who is married to Outlier Security CEO and former HB Gary cofounder Greg Hoglund, said she eventually realized that it wasn't the quantity of time she spent with her now-college-age daughter that mattered, rather it was the quality of that time together.
"You could be there for your child all day, but if you're not engaged, it doesn't matter," Leavy said. "My daughter grew up beautifully, so give yourself a break. If you want to work, you can find someone to help you out."
Rogers, who has twin sons, said there's no magic to finding the right work-life balance, and though it's hard it's OK to have a job you love and work hard doing it.
"I have a lot of guilt about not spending enough time with them," Rogers said, "but I want them to respect their mom when they grow up and know that she had a career to help support them."
Knox, who has two daughters, said the issue is getting easier for women to manage because many companies now recognize that both men and women need flexibility for both work and family.
For women in security, path getting easier
While the path into information security for women may often be circuitous or even accidental -- most of the women on the panel worked either in sales or marketing in some capacity before finding their way into infosec -- they were unanimous in their belief that the gender bias that once existed in the industry has largely gone away.
Leavy said that when going on sales calls early in her career, male customers would often look to her male colleagues for answers instead of to her, but those colleagues would quickly defer to her, and that support helped grow her confidence.
"I don't see that bias anymore," Leavy said. "I feel there are a lot of women given a lot more credibility in the business now. Not as many as we'd like to see, but women in this business are capable, bright and respected by their coworkers."
Cobb said that, in her experience, too many women in infosec feel like they have to be beyond reproach, constantly working to be the best and feeling obligated to prove it over and over again. In reality, she said, it shouldn't be that way.
"You don't always have to wear that armor," Cobb said. "To provide valuable leadership as a woman, you have to tap into the masculine characteristics of leadership, but also the female ones, and that means integrating both sides of your personality."
Attendee La Tonya Simmons, a technical sales engineer with IBM, said she could relate to many of the panelists' experiences; as a biology major, she found her way into information security thanks to the help of mentors who encouraged her beginning as a systems administrator and then an IT engineer.
She said that the industry needs to do more to show girls at an early age that information security can not only be a viable career choice, but also one they can thrive in and enjoy.
Facebook's director of security speaks out on women in IT
The ban on 'booth babes' at RSA may signal new era for infosec women