CISOs are too often bombarded with a lot of vendor jargon and little substance. Chenxi Wang is among the veterans in the information security industry who have pointed to poor marketing and communication styles—especially at conferences. The former chief strategy officer at cloud container security provider Twistlock—she left the company in February—Wang has also worked at CipherCloud, Intel Security and Forrester Research. Early in her career, she spent time in the classroom as an associate professor of computer engineering at Carnegie Mellon University.
Wonder why few women attend some of the more "rebellious" hacker conventions, like the DEF CON hacking conference, where important industry findings -- and security hiring -- are discussed? The near-striptease at a DEF CON hacking conference trivia game might indicate a trouble spot. While the use of promotional models at conferences is nothing new (and is on the wane at security events), a growing number of people like Wang are encouraging security event planners and technology vendors to adopt better communication strategies. Wang co-launched a Facebook group named "Equal Respect" (originally called "Starting a New Dialogue") for like-minded security professionals. Today, she continues her efforts to promote diversity and inclusion. Marcus J. Ranum, who ruffled a few feathers when he tackled this same topic in 2014, checked in with Wang to find out how far the information security industry has come and what needs to happen next to promote more diversity in the talent-seeking field.
Have you encountered any impediments in the security industry as a woman executive? Are we past the glass ceiling yet?
Chenxi Wang: I can only speak from my own personal experience, of course, but speaking with customers, partners and my team, it has been a nonissue. It may be because I have a history in the industry, and I have a reputation and I'm somewhat respected. I've never met a situation where I've felt belittled, although I hear stories all the time. I did experience a few unpleasant interactions at [the DEF CON hacking conference], but that's not my work environment.
It's hard for me to know how much of a problem harassment is, other than the occasional debate in the coffee line about political correctness run amok, which is very tedious, but it's important to engage [in those conversations]. What should we do?
Wang: It's a long process. Conferences should do something, obviously, but they can't do much more than provide a framework. For example, RSA can say 'no booth babes' and that works—but someone who wants to work around it can. Really, it's a matter of changing the mindset, and that takes every single person doing something about it. We wrote in our blog:
If you're on the buyer side, ask vendors if they adhere to a good code of conduct and hold them accountable for their marketing. If you're on the vendor side, listen to your customers, and if you're on the marketing side think hard about how to communicate your message without leveraging sexist, racist, or non-inclusive imagery or tactics.
If every one of us does a little bit, it will make all the difference. I have friends who have told me personally that they will not buy from vendors that use booth babes, and I tell them, 'You should tell the vendors that.' The best pressure is the wallet.
Maybe that's why security is improving faster than gaming—there's more money at stake. I know a woman CSO who walked by a booth at RSA—this was years ago—and they had booth babes; she asked one of the people at the booth if the marketing director was there, then explained that her company wasn't going to buy anything from them as long as they were such an embarrassment to themselves. I think a lot of what this boils down to is bad marketing. You look stupid in front of more than half of your potential customers.
Wang: Security's an industry about trust. So you have to project seriousness and trustworthiness. … A lot of this can come down to 'perverse incentives' in marketing. If they are being scored on how many badges they scan, then they're just trying to get as many people as possible to stop by the booth—and that can lead to unfortunate decision-making. What they're attracting in that situation are not necessarily target buyers. If the marketing department thinks about it, losing that woman CSO is much more detrimental to their business than bringing in 50 or even 100 [people in] random foot traffic.
That's the best argument I've ever heard for why organizations need to think more carefully about these issues. What else should we do?
Wang: As executives, we need to expand our definition of skills. A lot of companies don't look at the full range of what people can do and want to hire people that look and act like them. If you look for people who do things in different ways, you get a broader range of skills and personalities, and that works better. One company I know, Duo Security [an authentication services vendor], has a staff of 43% women; their CEO follows the approach of trying to look deeper at what people can do.
That's Dug Song's company? He's great. I once talked to a venture capitalist who said their hiring model is exactly the opposite: They are constantly trying to match 'the last thing that worked,' which means that they literally are looking for a clone of Mark Zuckerberg, down to his favorite hobbies and what he wears. Then they wonder why it's hard to innovate.
A friend forwarded me to Catalyst, a non-profit organization for women, which makes a great argument that diverse organizations are more effective, successful and—most importantly for the venture capitalist—have the highest returns on investment.
Wang: I tell my recruiters, and teams, to dig deeper to find people, to look in places they normally wouldn't. One thing I am doing is starting a women speakers' bureau—we're building up a database of women speakers on various topics. Hey, look, you no longer have the excuse that you couldn't find anyone!
That's wonderful! It's kind of embarrassing to be invited to be on a panel and it's always four old white guys. As Jack Daniel [strategist, Tenable Network Security] once said, 'I'm an old, bearded white guy, and I'm getting tired of being asked about diversity by other old, bearded white guys.'
I know you have some opinions about the booth babes at conferences, and so do I. Do you think we're making progress?
Wang: If you look at [it] since 2004 till now, I think there is improvement. In 2004, at the big industry conferences, we had all the booth babes, and come 2014 we had visibly less. In 2016, we had hardly any. We probably will see some stragglers here and there, but as an industry it's pretty good. [The DEF CON hacking conference is] still DEF CON. Infosecurity Europe has gotten visibly better as well. As an industry, we are making progress.
In that regard, it's always seemed to me that Europe is ahead of the United States. When you spoke out against the booth babes' scene, how did that work for you? Some of us who spoke about it in 2014 got pushback in the form of apologies for the status quo.
Wang: My experience after I spoke out was fairly positive. I didn't get any trolling—I had a few people try to dismiss it as 'it's not a problem.' I got more positive response from colleagues in the industry who wanted to help. As a result, there's more work that is being done on various fronts. My sense, overall, is very positive.
It's nice that, as an industry and a community, we managed to avoid anything like #Gamergate [a Twitter harassment campaign targeting female developers in the video game industry].
Wang: I followed that, and it speaks volumes to the dangers of not challenging the status quo. What those women had to go through was very, very troubling. It's hard to put my finger on one thing that's different between security and other fields; it's probably that security's customer base is more diverse. If your customers are teenagers or direct consumers, you're selling to a community that is notoriously bad in terms of diversity and inclusion.
The advertising in that field is pretty bad; it's a self-reinforcing problem.
Wang: DEF CON still has room for improvement.
I know there has been pushback against the attitudes there.
Wang: This year at Hacker Jeopardy, many people spoke out against that [male-orientation], so the next day they changed the rewards [from female models rewarding right answers by removing clothing]. It's getting better.