International Women’s Day is a time to celebrate the progress the cyber-security industry has made in improving gender diversity. Yet it’s a sad but true fact that women are still facing discrimination and sexual harassment when attending and speaking at conferences.
The industry is trying to encourage more women to get involved in cyber-security events. Yet when your talk is followed by sexist remarks and in the worst cases, unwanted advances, it’s not hard to see why women might prefer to stay away altogether.
The figures reflect the truth. More than 40 percent of women who attend cyber-security conferences experience derogatory, inflammatory or discriminatory language, comments or conduct, according to a study by Jane Frankland’s IN Security Movement.
Frankland’s study of 2,150 women across the world found one in four had been sexually harassed at conferences, often by older, more powerful men. When these incidents were reported, more than half were dissatisfied with how it was handled.
Cyber security researcher Maggie Morganti has experienced the dark side of conferences first-hand. “People started leading with sentences like ‘not to be creepy but...’, physically touching me, and other very uncomfortable interactions. They did this whether I was alone, with other women, or with male friends.”
Morganti tried several tactics in hope of avoiding these unwelcome advances, such as always ensuring she was accompanied by a male friend. But it solved nothing. “I was still pawed at by men I barely knew. I was nearly followed home by a total stranger because I was ‘Maggs from Twitter’ – and I'm willing to bet I wasn't the only one.”
Speaking at conferences
Despite this behaviour, women still want to attend and speak at conferences. But while many organisers complain the suitable speakers simply aren’t there, the IN Security survey tells a different story: The data reveals that only nine percent of women do not want to speak at events.
However, men are more likely to put themselves themselves forward as speakers, and the number of senior men working in cyber-security is higher. “If men are more senior in rank, they are more attractive to conference organisers whose business models are often built on having one-to-one meetings with security buyers,” Frankland says. “Conference organisers need to satisfy their buyers so they remain in business.”
Meanwhile, many events run a "sponsors get to speak" business model, rather than a call for papers merit-based system, says Nicola Whiting, chief strategy officer at Titania. “This often results in a disproportionate number of male speakers, delivering thinly veiled product pitches.”
Exhibitors can make the issue worse. So-called “booth babes” persist despite the fact they reinforce the view that women are at cyber-security conferences to be looked at.
“I hate seeing women at conferences being used as advertising accessories; I don’t care if they’re wearing bikinis or ball gowns,” says Abigail McAlpine, a cyber-security researcher at Secure Societies Institute, University of Huddersfield. “You may believe that there is no harm in this approach as an exhibitor, but there are huge ripple effects on how women attending events are then treated or seen by male attendees.”
Gender shouldn’t be important if you are good at what you do, but conference attendees sometimes think otherwise. Zoe Rose, an ethical hacker, loves speaking at events but the experience hasn’t always been good.
During a Q&A session following a conference talk, Rose was even asked about her relationship status. “This isn't a legitimate question. However, the conference handled it well and the rest of the attendees gave a standing ovation after they called it out.”
All male panels and speakers
Despite positive change, the industry is still in many ways an old boy’s club, which can be reflected at cyber-security conferences. Seeing all male panels and speakers at events makes it very daunting for others to apply, says Mairi MacQueer, an ethical hacking student at Abertay University. “The male voice online and at conferences is so loud and confident because they get far less scrutiny about what they know, and they don’t have to prove they are a ‘real hacker’ and not a ‘poser’.”
At the same time, alcohol is a consistent feature at many cyber-security events – and that’s not necessarily a good thing, says Dr Victoria Baines, visiting research fellow, Oxford University. “I come from a law enforcement background where being caught drinking on the job is a disciplinary matter. It’s presumed that you’re unfit to be on duty while under the influence, and I’ve been surprised to see how this doesn’t carry over into industry.”
She points out: “People are more likely to misbehave when they have had a few drinks. I’d wager that the prospect of loose tongues and wandering hands puts some women off from attending this type of event. I, for one, avoid events when I know the usual suspects will be present and uninhibited.”
Change needs to happen, but who is responsible for making the industry and its conferences a better place for women? First, conference organisers must insist on having equal representation, says Frankland. “They must demand this and work hard to ensure it happens.”
At the same time, Whiting says the Security BSides conference has a more inclusive method of encouraging diverse speakers. A call for papers is made and presented to the attendees to vote on the content and topics they'd like to see. “This has two benefits, firstly it removes the ‘pay to pitch’ element, putting the focus on quality of content. Secondly, by being anonymous, it levels the playing field for women and other underrepresented groups.”
A code of conduct, such as Frankland’s IN Security Code of Conduct, can help. This is now being used by more than 65 companies world-wide and has been endorsed by conferences including Black Hat, (ISC)2 and The Cyber Security Challenge.
In addition, Rose advises event organisers: “Be mindful when planning events. I want to feel safe, and I want a safe way back to the hotel. If my only options are pitch black alleyways alone, or relying on another attendee to walk me back, it's not brilliant.”
Another overlooked but important fact is, change isn’t just about women advocating women. A number of men have started to insist on panels including at least one woman before they will agree to speak at an event. Dr Baines says: “Rik Ferguson is the one you’ll hear mentioned most often, but we need more like him.”