I love going to cybersecurity conferences, and no – it’s not because of the talks, or the coffee stands or the fake minecraft swords some vendors give away.
…Ok, maybe the swords are part of the reason. But really, I love going to cybersecurity conferences because I usually get to meet a lot of really cool and smart people.
But here’s the catch: you don’t see a lot of women in such conferences, and if you’ve worked in cybersecurity for a while, that’s probably not a huge surprise: according to the American Association of University Women, women make up just 28% of the workforce in technology, engineering and math fields. Still, I always imagined that among the various STEM professions, cybersecurity – with its high concentration of intelligent and often forward-thinking individuals, would probably lead the pack in terms of gender equality.
But the reality, it turns out, is vastly different: not only does cybersecurity not lead the pack in terms of women participating in the workforce – it actually has the lowest percentage of women amongst the different STEM fields: only about 20 to 24 percent.
Why is that? That’s the question we’ll try to answer in this episode of Malicious Life.
“[Keren] Hi everybody. I’m Keren Elazari, also known as k3r3n3 – so I use the number 3 instead of the letter e: That’s my handle. I’m known as the friendly hacker. I’m a security researcher, author and analyst.”
Keren Elazari is a twenty year veteran of the Israeli cybersecurity sector, and worked for some major international vendors.
“[Keren] So, first of all I want to preface this by saying that throughout my career in my hacking days, in my military service days, in my time with AT&T and after that with a bunch of other companies – Israeli companies, international companies – I have almost never had a female colleague or a female boss.”
“[Keren] The only woman at the conference. The only woman at the team. The only woman at the company in some cases.”
Most women, I imagine, would find being the only female in a room full of men a somewhat uncomfortable position. But what you need to know about Keren is that she’s been a hacker since she was 14 years old, and being a hacker for so long probably instills a kind of ‘hacker mentality’, you might say, of constantly looking for that slight edge…
“[Keren] Maybe this is the only time I’ve ever said this, but back in the day I didn’t consider it to be a problem. If I’m honest, from my young hacker mind, I saw it as an advantage. I can stand out. I’m an outlier. People don’t expect me to know, so when I sit at a table and I know more than them I can actually use that to my advantage. And if there aren’t any women around – Ok, Great, I can command the conversation. I can command the attention in the room. I can use this disadvantage to my advantage. […] At least that was my perspective. Again, I know I’m coming off very very unhumble here. So, Dear listeners, please remember I’m telling you how I felt when I was maybe thirteen or fifteen years younger, so don’t judge me too much.”
As Keren got older and wiser, however, she began to see the disadvantages of the position she was in.
“[Keren] So I can’t tell you it was a single moment, but sometime about ten years ago my perspective did change, and I started to kind of develop, if you will, my feminist understanding. […] I think there were a couple of things that contributed to that. One was that I worked at one company and I left because of a lot of reasons – I had some health issues and it wasn’t a good fit for me. And I left the job and another woman or another person at that company started spreading a rumor that the reason I left was because I got knocked up, I was with a child. I had an affair with somebody in the company. You know a lot of these different stories, and I felt really betrayed by that. Not just betrayed by that individual – but rather by the fact that I don’t think they would have told these types of stories or rumors about a guy, ever, right? So I really did feel like that was gendered. And later on, in another job, another company that I worked with, […] I looked up at the hierarchy of that organization. And I couldn’t see any women: not at the director level, not at the VP level, not at the C level. I just couldn’t see any women there – and so I had this very strong feeling: Okay, well I’m doing great now. What’s going to happen in 2, 3, 4, 5 years? Is this company culture going to even allow me to thrive and grow and become a leader, become a manager, become a VP or director or what have you? and I realized – you know what? probably not.”
Keren’s concerns about an invisible ‘glass ceiling’ that will prevent her from advancing her career are shared among many women professionals in the cyber industry. In fact, a 2023 survey conducted by WiCys – an organization dedicated to the recruitment, retention and advancement of women in cybersecurity – cites concerns about career and growth as the 2nd highest factor contributing to feelings of exclusion amongst women.
Just A Little Respect
What was the highest contributor to feelings of exclusion, according to this survey? Well, our second interviewee for this episode had a rather rare opportunity to learn the answer to this question from both sides of the equation, one might say.
“[Aoibh] So I began my transition approximately ten years ago. And the way we describe it is transitioning from presenting male to presenting female, is a better way to describe it I think. But I started that transition about ten years ago, and it was accompanied by quite a few changes in my career, very significant perception changes among my peers.”
That’s Aoibh [Pronounced “Eve”] Wood. Aoibh, it should be noted, spells her name in Celtic letters – “Aoibh” – and yeah, she’s a pretty unique individual.
“[Aoibh] I am a principal security advisor at Cybereason, I have been with the company for 7 years. I have been in technology since Ronald Reagan was president of the United States, which dates me a little bit…We’ll just leave it at that. […] And I am an author of three novels in the urban fantasy space, and two more coming.”
After twenty years of presenting herself as a male to her colleagues – that was before she joined Cybereason, to be clear – Aiobh decided to transition to female. And that’s when things began to change.
“[Aoibh] There were some significant changes in the way that I was viewed, in the way that I was treated. […] Things that had never ever been said to me before. ‘You seem very emotional today,’ that was something that someone said to me. Or ‘it seems like lately you’ve been very emotional,’ and I’m like – I’m always emotional, that hasn’t changed. […] many of my male counterparts at the company suddenly felt no problem with talking over me in meetings. […] My opinion started carrying less and less weight. I found myself being interrupted consistently in meetings. […] I even had somebody tell me that I should smile more… so this was unexpected.”
This apparent lack of respect is, according to WiCys’ survey, the top reason why women feel excluded in cybersecurity. And it made Aoibh look back with discomfort at her own behavior when she was still presenting male.
“[Aoibh] It gave me some perspective that I didn’t have on my perceived privilege when I was presenting male. And I think that was probably the most eye opening experience for me. […] One was the recognition that something that I had and a privilege that I had taken for granted or didn’t really fully understand, because I had always had it – was suddenly no longer there. And the other side of that was a recognition that there was behavior that I had, I’m sure exhibited when I was presenting male. And that probably wasn’t the most…Um, what’s the word I’m looking for…that probably wasn’t the most conducive or the most welcoming to my female counterparts within the organizations in which I worked. so it was quite the eye opener.”
And then, there’s one more important factor: money.
“[Aoibh] Someone at the company I was at when I made my transition, when I said I’m going to be presenting female full time from now on, I’m transitioning from male to female, one of the jokes that a friend of mine made was – okay, are you ready for your 30% pay cut?… and maybe people think that’s funny, but it’s not. It’s not funny at all, because it’s bloody true, right?”
It is true: according to a 2018 research from ISC2, a nonprofit that focuses on cybersecurity training and certification, 29% of men working in cybersecurity earn a salary of 50-100K per year – while only 17% of women get the same level of compensation, and this pay disparity persists across different age groups and roles.
Early in her career, when she was doing cybersecurity in the Israeli Army, Keren Elazari didn’t feel this pay gap, and for a good reason.
“[Keren] So of course for the first few years I was in the army. So naturally the paycheck was standardized and it was very low because it was just the army paycheck.
[Ran] (laughing) Nobody’s getting paid. So there’s no difference in payment.
[Keren] Yeah so it’s very egalitarian in that perspective, right?”
Jokes aside, later in her career Keren realized that women have a real problem with demanding the pay they deserve.
“[Keren] But I can speak to my personal experience, and I can speak to how I see women around me in cybersecurity negotiate and demand to get paid, and maybe this is something that we have been socialized to be more agreeable on. Maybe this is something that we have been socialized to be like – well okay, but if I say a number that’s too high, maybe they’ll think I’m a Diva. Maybe they’ll never want to hire me again, or maybe you know this company is really important for my career. So I’ll agree to whatever terms they’re giving me and not argue for the best paycheck or the best terms that I can negotiate.”
Keren’s point touches upon another possible reason why there are so few women working in cybersecurity.
Research clearly shows that a large majority – up to 80% – of those who end up working in STEM professions, had first developed an interest in STEM while in middle school or high school. This means that engaging young girls at this early stage is critical if we want to establish the sort of talent “pipeline” that brings more women into cybersecurity. Yet evidence suggests that the preconceptions that these young girls form at that critical juncture in their lives are pushing them away from technical professions.
It’s certainly not due to poor skills in math or problem solving skills: a 1990 research by Dr. Janet Shibley Hyde, a psychologist at the University of Wisconsin, who compiled data from 100 different studies and more than 3 million participants, showed no large overall difference between boys and girls in math performance. If anything, girls were even slightly better in computation in elementary and middle school.
If there’s no biological factors that limit young girls from engaging in STEM activities, it stands to reason that we should be looking for some sort of a ‘cultural roadblock.’ It’s likely that social pressures from parents, teachers and fellow students contribute much to the formation of these ill-advised preconceptions, and there’s one other important contributing factor: role models, or more precisely – the lack of role models.
“[Keren] I think role models are critical for any individual. Any young, individual male or female boy or girl in showcasing. What is possible. There’s a famous saying you cannot be what you cannot see.”
ISC2’s 2018 survey showed that 70% of those who have some or a lot of knowledge of cybersecurity, said that they had a role model who encouraged them to learn more about the field.
“I constantly hear from women, from girls, from younger individuals at least here in Israel but also around the world, how important it is for them to see somebody who looks like them or who sounds like them onstage or on a podcast if you will, or on a Youtube channel.”
Keren’s role model was none other than Angelina Jolie, who portrayed the hacker ‘Acid Burn’ in the 1995 movie ‘Hackers.’ The movie critics didn’t appreciate Hacker’s “clichéd and disappointingly uninspired story” – but for 13 years old Keren Elazary, Acid Burn was someone to look up to. In 2014, she came full circle and gave a TED talk – the first Israeli woman to do so, actually – about hacking.
“[Keren] Even though the Ted talk is from almost ten years ago, I get emails daily from kids – girls, boys all around the world in different parts of the world, including countries that don’t have any international relations with Israel. I get messages from all of these different kids saying – wow, because of your talk I realized that I can be a hacker and I can be a hacker for good. I can be a friendly hacker. It is that important.”
So there’s a basic lack of respect, a feeling as if there’s a glass ceiling overhead that prevents you from taking your career to the next level, the lack of role models – and on top of that, there’s the 30% pay gap: taken all together, very good reasons why there are so few women in cybersecurity.
But these, I think, do not provide us a good explanation as to why amongst all the STEM fields cybersecurity has the lowest rate of women participating in the workforce, because these factors – the pay gap, the lack of respect, the glass ceiling – are true for all STEM fields, and not only in cybersecurity. So what makes cybersecurity different from other STEM fields?
“[Keren] But there’s also really, maybe a little more subtle things. Like for example, just a bunch of hackers standing talking about something doing a HallwayCon, which many of you might know is maybe where the best content is – the hallway, where a bunch of people are standing and talking. And I walk by or maybe I want to be part of that conversation and I’m challenged to see if I am ‘hacker enough’ to be in a conversation. So they would ask me, like, what does character X mean in you know, such and such programming language. Or what is port 80. You know, basic things like that, and this is insulting. This is insulting because I’m at a conference. I’m there to learn, I’m there to share my knowledge. I Want to be part of the conversation and not judged because of my gender and then immediately slated into the category of ‘you must answer a challenge or you may not enter this hall of knowledge’. And so that kind of gatekeeping is something that I definitely experience a lot and I feel like a lot of. Other women have experienced that as well.”
Keren’s experience points at a potential answer to our question: the competitive nature of cybersecurity. Obviously, there’s some measure of competitiveness in almost every human endeavor, including in other STEM fields – but it seems to me that such competitiveness is more deeply ingrained in cybersecurity. Competitions such as Capture The Flag, PWN2OWN, scavenger hunts and the like are staple of cybersecurity events and conferences, and are less common in other tech fields. This is likely related to the adversarial nature of cybersecurity, where attackers and defenders wage constant battle for supremacy.
Such a competitive environment can be challenging to anyone, of course – but it seems that it’s even more of a challenge for women who Keren says, feel they have to be extra good in order to be taken seriously.
“[Keren] I know a lot of other women feel you constantly have to be not just good. Not just Better. You have to be Excellent. You have to be the best. You have to reinvent your knowledge, you have to reinvent yourself and you can’t ever ever be caught in the slightest tiniest teensiest mistake, because while it’s okay for the guys to get things wrong – If you get it wrong, you’re not just getting it wrong for you, you’re getting it wrong for all women, right? This is maybe, you know, this is maybe something that we feel like we have to deal with, where we’re not just being a professional in our line of work. We also represent our gender […] So that’s quite a weight to have on a person’s shoulders and maybe not everybody wants to have that weight. Maybe not everybody wants to be better than better. Excellent and excellent. Be the best in the room and constantly push themselves and constantly feel like everybody at the table is super smart, so you have to be super duper uber smart, so that you can basically claim your spot at the table. That can be exhausting.”
The Gender Equality Paradox
All the possible reasons for the gender gap in cybersecurity we talked about thus far point at the actions needed in order to mitigate the problem. None of these steps are likely to come as a surprise: encouraging organizations to foster an inclusive organizational culture that welcomes women, does not tolerate any type of harassment and prioritizes diversity. Establish educational programs for young girls that expose them to STEM and cybersecurity in a positive and welcoming environment. These are all things that are already being done in many places in the US and around the world, and we’re already seeing their results: the current rate of women’s participation in the cybersecurity workforce, 20%-24%, is roughly double of what it was in 2010.
But a surprising and somewhat controversial research that came out relatively recently hints at the possibility that all these measures might not be enough to close the gender gap in STEM any time soon – if ever.
In a paper published in the journal Psychological Science in 2018, psychologists Gijsbert Stoet and David Geary pointed at a baffling phenomenon. Their research focused on the relationship between the proportion of women studying STEM fields in various countries, and these countries’ GGGI (Global Gender Gap Index) score: an index designed to measure gender equality.
Here’s the thing: if I were to ask you where you think we would find more women in STEM fields: Algeria, or Norway – what would you say? Most people, myself included, would guess that Norway has a larger share of women with STEM degrees. Why? Because obviously Scandinavian countries are well known for promoting gender equality, and one would assume that their inclusive cultures would encourage more women to follow their STEM dreams.
But the reality, Stoet and Geary show, is the exact opposite. According to their findings, countries with high GGGI scores – that is, countries with a higher degree of gender equality – have a lower share of women in STEM fields! Algerian women are roughly 55% of the STEM workforce in their country, while Norwegian women account for only 30%. Moroccan women are 45%, while Swedish women are roughly 35%. Tunisia has almost double the rate of women in STEM than Finland.
These are the kinds of numbers that make you scratch your head in wonder, and are the reason why this phenomenon is known as the “Gender Equality Paradox.”
We should note, right off the bat, that there are researchers who cast doubts on Stoet’s and Geray’s findings, and criticize the research methods and some metrics used by the two psychologists. This pushback forced Stoet and Geary to issue a correction to their original paper – but the authors still stand behind their claims. Moreover, a follow up research unearthed similar paradoxical results in the relationship between gender equality and certain personality traits, showing that the gap in such traits gets larger the higher a country ranks on the Global Gender Gap Index – lending more weight to the Gender Equality Paradox.
What could be the reasons behind this perplexing paradox? The experts are still debating amongst themselves. Stoet and Geary suggested that since countries with higher equality scores, like Scandinavian countries, tend to be welfare states – women in such countries feel less economic pressures and are free to pursue their own interests, while women in less gender equal countries – who also tend to be poorer – join STEM fields as it is a clear path to financial freedom. Other sociologists posit that the paradox can be explained by cultural differences between countries, or that boys are more confident in their STEM abilities – even when such confidence is not justified.
Closing the gender gap in cybersecurity, then, certainly seems like a challenging task: at the very least it requires deep changes in our cultures, and if the Gender Equality Paradox turns out to be real – as it currently seems to be – then even more basic research into the causes of gender gap is needed.
But whatever the challenges, closing the gender gap is a must: not only due to ethical and moral considerations – but also because of a very practical reason: Cybersecurity is desperate for more skilled workers. According to various estimates, in 2021 the global cybersecurity workforce was short some 3.5 million positions – and with the risk to organizations and businesses due to cyber attacks rising from year to year, this shortage makes our defenses even weaker.
In addition, the lack of gender diversity might be harming the cybersecurity industry in more subtle ways. For example, less diversity means less variety of perspectives, less flexibility and less creativity when it comes to solving difficult problems. This might be why companies with greater gender diversity in leadership positions outperform less diverse competitors: according to a report by the World Economic Forum, gender-diverse companies show 48% higher operating margin and 42% higher return on sales.
“[Keren] What I do know for a fact is that we need all of the skill sets at the table. We need teams that are made up with different people with different skill sets with different perspectives with different experiences and this is how I believe the cyber security ecosystem will thrive and generally how I believe Humanity will thrive, by looking at human beings for what they bring to the table. What skill set they bring to the table, and not just what gender category they fall into. Amen. Yeah, and now let’s just get rid of passwords.”