Blog

Meet the Young Women Tackling Gender Bias in Cybersecurity

Mar 18, 2022

Screen Shot 2022-03-16 at 3.32.07 PM To celebrate Women’s History Month in March, four female security leaders met for a wide-ranging panel discussion on how they’ve broken through gender biases to forge their career paths, as well as what’s needed to help young women in the cybersecurity profession succeed. This (ISC)² Think Tank webinar is part of the organization’s multi-year commitment to DEI which includes a new DEI series featuring diverse voices and perspectives within cyber and aimed at helping to build a more inclusive cyber profession.

The panel was moderated by Sharon Smith , CISSP, cybersecurity strategy and advisory consultant, and included:

  • Ebony Stevens, (ISC)² Security Engineer
  • Weijia Yan , an InfoSec student at Carnegie Mellon University
  • Megan West , X-Force Cybersecurity Incident Response Consultant at IBM

Each panelist is at a different phase in her career. Yan is currently studying cybersecurity and hoping to pursue a career after she graduates, while Smith has more than 15 years’ experience working in security, and Stevens and West are young women relatively new to the industry. That said, they shared a number of common experiences and strategies on how women can continue to advance.

You Still Need To Prove Them Wrong

Smith kicked off the panel by noting that it was time to celebrate the extraordinary growth of women in the industry, and that while she evolved into her cyber career, she was pleased to see younger women pursuing cybersecurity “on purpose.”

“When I first started my career in security, I never had to wait in line for the bathroom at tradeshows and was pleasantly surprised by that change on my last business trip,” Smith added. “That said, even with 700,000 people added to the security industry in 2020, there’s still a long way to go. Women and people of color continue to be underrepresented.”

West pursued a graduate degree in cybersecurity, and when she started her first job, she was the only woman on a Fortune 100 global security team of about 40 people. She was still the only woman when she left four years later.

“In my first cybersecurity role, a coworker told me that the only reason I was hired is because ‘they’ needed a female on the team. He was insinuating that I was a diversity hire, and not hired because of my potential, ability and skill sets,” she said. “I was much younger and this was an older person I looked up to. But I took it as a challenge and let it light a fire underneath me.”

Smith noted that it’s extremely important to keep a “prove you wrong” attitude while asking Stevens about her own journey into cybersecurity. Stevens had been finishing up her undergraduate degree when one of her professors suggested that if she took the PMP exam, it would help secure her a cozy and well-paid career in Governance, Risk and Compliance (GRC).

“I realized, though, that I really want to be an engineer and do technical work,” Stevens said. “As a small act of rebellion, I didn’t take the PMP exam. I’ve been pursuing certifications.”

Yan had to push back against her own family to pursue her education in cybersecurity. Her parents wanted her to pursue Law because they felt it was more stable.

“I wanted a career in cybersecurity, and I wanted to prove to my mom that I could do it,” she said. “I took the Security+ certification exam and after 30 days of grinding and studying, when I showed it to my mom, she was able to see my potential, determination and passion for cybersecurity. I’m very fortunate to now have my family’s support.”

Pedigree is Great When You Have It, But You Probably Already Have Cybersecurity Skills

All the panelists highlighted the industry’s ongoing issue with job titles and stressed the importance of being able to communicate how a nontraditional background can translate into cybersecurity.

“There is a huge disconnect between hiring managers and HR and cybersecurity job descriptions,” said West. “People look at these and get intimidated by them because they don’t meet all the qualifications. Apply anyway. The worst thing that can happen is that they don’t get back to you. The best thing to happen is that someone takes a chance, and you can speak effectively about why you are a good fit for that role. Being a great communicator is half the battle. Being able to explain to the hiring person what you can bring to the table and how you plan to achieve the qualifications is much more impressive.”

“We feel like we have to check every box,” added Smith. “But you can be creative about how you get in front of people.”

Create Your Own Space and Pull Up Your Chair

Each panelist stressed the importance of tackling imposter syndrome and creating opportunities for yourself. Yan watched a video on ethical hacking in middle school and fell in love with cybersecurity. During her undergraduate work, she founded the Texas A&M chapter of Women in Cybersecurity, driving membership growth from three to more than 30 annually and is looking to replicate her success at Carnegie Mellon.

West, who is known online as Cybersecurity Meg, created her social media presence, after studying for her CISSP exam and desiring content “taught by people that looked like me or had backgrounds similar to me.”

West also created her own job description after she realized that she was handling 95% of incident response for a global Fortune 100 company without the appropriate title and pay. She went to her management with data that demonstrated the work she was doing, the improvement to the company’s bottom line and similar roles at other companies.

“It’s so cliche, but that phrase ‘if there’s no chair for you at the table, pull yourself up’ works,” she said. “You don’t need to wait for someone to make an opportunity for you.”

Smith reiterated the need for self-advocacy, while Stevens highlighted how saying ‘no’ can help lead to career success and offers a platform for dictating what work you can and want to do.

Mentor The Next Up and Comers

All of the panelists highlighted the importance of mentorship, but many pointed out that this doesn’t necessarily mean having a formal training program. West suggested seeking out people you look up to, and Stevens noted that informal, fluid conversations allow you to “make mistakes in a more graceful manner. You’re being taught something, but you also work through the problem conversationally.”

Smith added that women should be proactive about reaching out to people they admire, and that “success leaves clues. Look at what other successful people have done and replicate it.”

Yan mentioned that she has relied on conferences to connect with InfoSec experts, and that she is looking to repeat this.

“It brings me joy to connect people. When they come together, it makes me feel better,” she said. “My mentors did a lot for me and I wanted to pass it along.”

The session ended with each panelist reiterating that diverse teams help organizations look at problems from different perspectives, and they are what is needed to tackle today’s complex cybersecurity issues.