OWASP AppSec California Brings Diversity to the Beach

By Selena Templeton

At this year’s AppSec California conference – a yearly event for InfoSec professionals, developers, pentesters, and QA and testing professionals – the Women in Security panel was among the most highly attended, a very clear indication that this topic resonates strongly with both women and men.

Unless you’ve been living under a rock, you’ve surely memorized the statistic by now that women make up a mere 10% of the infosec workforce – but rather than simply discussing this problem, the panel of distinguished women set out to answer some of the most pressing questions on this subject.


Marian Merritt
Lead for Industry Engagement, National Initiative for Cybersecurity Education (NICE), National Institute of Standards and Technology


Deidre Diamond
Founder and CEO, CyberSN - #brainbabe

Kelly FitzGerald
Senior Principal Information Security Analyst, Veritas Technologies LLC.

Julie Medero
Assistant Professor of Computer Science, Harvey Mudd College

Chenxi Wang
Chief Strategy Officer, Twistlock

If there are one million unfilled cybersecurity jobs, a number which is expected to rise to 1.5 million by 2019, and the problem is a shortage of talent and the talent thus far has been pulled from only half of the population, then doesn’t it make sense to fill jobs from the untapped gender?

How do we – parents, teachers, society – get girls interested in STEM? First of all, stop discouraging them when they express interest! Parents buying gifts for their sons and daughters are doing their girls a great disservice when they give the boy a science- or tech-related present and the girl a doll or makeup set.

Marian shared research on this subject which found that girls are interested in STEM subjects or careers when they are high achievers, have adult mentors in their lives, and are exposed to STEM at an early age.

Chenxi, who grew up in China where schoolgirls and boys are treated the same in terms of expectations, recalls that her mother, a high school math teacher, regularly gave her math problems to solve at dinner (and she couldn’t leave the table until she had answered them). Every little girl in China had a book on Marie Curie and wanted to be her, whereas girls’ role models in the U.S. today are women like Kim Kardashian.

[Women] have a lot of issues with how we’re depicted in the media. And news reports – they always use that same stock footage of the guy with the hoodie hunched over the keyboard, regardless of whether it’s a good guy or a bad guy. But it’s never a woman.
— Marian Merritt

Kelly also had a family member who was pivotal in her childhood: her grandpa, an aeronautical engineer who worked on Apollo 13, gave her math problems to solve on a regular basis. The household computer was put into her bedroom, not into the rooms of her brothers (who preferred sports). Her parents embraced her interest in science, and when budget cuts removed science classes at school, she complained to her 6th grade teacher and they added science classes to the curriculum again.

Julie’s mother was an electrician in the Navy and went back to school and got a degree in computer science when Julie was young (and the one computer in the house was her mom’s). Clearly, role models and exposure to math, science and tech when you’re younger play a huge part in a girl’s choice of career.  

How do we attract women into STEM careers and classes at college?

Julie says that Harvey Mudd is a STEM-focused school, which means that every first-year student must take at least one computer science class. This method gets them – men, women, those already interested in computer science careers, those who have never been exposed to these subjects – in the door. They have the opportunity to ask the professor questions, learn about the different components of tech, and be around others who are at various levels of understanding and eagerness, so they don’t feel so alone.

The Grace Hopper Conference is the world’s largest gathering of women in computing – last year there were 15,000 attendees (which is outstanding for a women’s conference).... It’s one of the most encouraging, powerful environments that I’ve ever been in.
— Chenxi Wang

What is it like for a woman in the “trenches” once they get into InfoSec?

According to Deidre, the problem is not just attracting women to this industry, but keeping them there. And as far as she is concerned, from her cybersecurity staffing point of view, this is a communications and soft skills challenge as much as it is an unconscious bias. She watches men leave their jobs in tech and cyber every 12-18 months – which means that it’s not just women, it’s the industry. She’s created and leads (ISC)²-certified classes for accreditation for cybersecurity professionals to learn win-win communication skills.

Some of the issue here is how women speak up for themselves – or don’t. Julie shared the fact that every year Google puts out the call for employees to put themselves up for promotion, and way more men were putting themselves out for promotion than women. So the change that they made was to send a company-wide message that explained it, encouraged people to try for it, and reminded everyone that there wouldn’t be any negative consequences if they submitted themselves.

This benefits not just women, who tend not to promote themselves as much, but anyone who is shy or uncertain about speaking up about their own accomplishments. In Chenxi’s experience, she sees that women are afraid to fail far more than men, and part of that is because women’s failures are not looked upon kindly (“She failed? I knew she wasn’t cut out for this job.”). And if they’re afraid to fail, they’re afraid to try.

If you haven’t failed, then you haven’t tried hard enough
— Chenxi Wang

What is it like to be a woman at a cybersecurity conference?

After a moment of silence, everyone chimed in with, “Booth babes!” Although there have been initiatives like Chenxi’s 2014 grassroots group Equal Respect which got RSA to change their code of conduct and remove booth babes from their annual conference, most industry events are still very much male-oriented.

Deidre pointed out that even without the booth babes, there’s still often a sexual tension in the room and inappropriate touching. She started #brainbabe, a leadership platform “born out of frustration that ‘booth babes’ still exist... to help make a difference in solving the problem of women leaving tech and also help encourage more women to join the cyber security community.”

People don’t leave jobs because of money. That’s actually rare. It’s the culture and how we treat each other and how we communicate with each other – i.e. all the soft skills.
— Deidre Diamond

Because these are professional events, Marian pointed out that if you’re not comfortable bringing your daughter or mother to these places, something’s not right. How is a young woman going to be inspired to get into tech if she feels incredibly uncomfortable at her first industry conference? If we want more diversity in this industry, we’ve got to make sure that it’s comfortable for everyone.

What can we do for positive change?

One male audience member said that he had gotten into trouble twice for setting his engineers at the same salary when he realized that the female engineer had been doing the same work. The HR rep told him, “You can’t give a person a 30% raise. You must be having an affair with her.”

Here are some thoughts the panel had on inspiring positive change for diversity, inclusion and equal respect:

  • If you’re at an event where inappropriate things are happening (like touching or comments), speak up! Tell the management of the event – especially men because it will (sadly) have more of an impact.

  • A young man in the audience said he regularly watches his male colleagues interrupt and talk over his female colleagues and wanted some advice on how to deal with this. Chenxi suggested not just criticizing the interrupters or telling them to be quiet, but to actually say something to keep the focus on the female speaker – asking her to continue with what she was saying, for example.

  • When Leyla Seka brought data to Salesforce CEO Marc Benioff that clearly showed a gender pay gap for the same job titles and work done, Benioff immediately made salary adjustments to the tune of $3 million. If she could figure out how to do this (i.e. convince the CEO to take this seriously and make a change) then others can, too.

  • Women come in with low salaries and aren’t generally good at negotiating for themselves, so they need to learn better negotiating skills. Additionally, Massachusetts became the first state to make it illegal for employers to ask job applicants what their previous salary was; starting in 2018, a company will have to offer a suitable salary upfront instead of basing their offer on what the person made at their last job.

About Selena Templeton

Selena Templeton is the Column Editor for the Equal Respect column on ITSPmagazine.
