Ellison Anne Williams has a PhD in mathematics, vast experience at the den of wizards known as the National Security Agency, and entrepreneurial chops. She’s accomplished and smart.
So what happened to her at a recent business meeting left her dismayed, although it is far from uncommon for women in cybersecurity.
“I was in the room and the fellow walked in. He stopped dead in his tracks and the first words out of his mouth were, ‘You’re a girl.’ And I said, ‘Yes, what were you expecting?’” said Williams, founder and chief executive of Enveil, a Fulton, Maryland, data security company.
Males hold three out of four jobs in the tech world, but it is in cybersecurity where the lack of participation of women is most acute. By one reckoning, only 14 percent of the U.S. workforce in cybersecurity is female. Those women that do break into the industry talk of glass ceilings, insensitivity in the workplace, a lack of mentors and popular culture that reinforces the image of male tech workers.
The gender imbalance has potential consequences for the nation’s security. The United States already suffers a shortage of cybersecurity workers, even as global hacking threats grow more acute. The labor shortage is forecast to worsen. A study last year by Frost & Sullivan, a consulting firm, found that North America will face a shortage of 265,000 cybersecurity workers by 2022.
Prod just about any woman at a cybersecurity firm and anecdotes pour forth.
“Everyone has a story where you’re the only woman in the room, and being asked to take notes,” said Priscilla Moriuchi, director of strategic threat development at Recorded Future, a Boston-area cyber threat intelligence firm.
The cybersecurity industry writ large has yet to take the gender imbalance seriously, she said, even as some firms take big steps.
“Women are not getting promoted at the same rate as men are, and women are not getting salary increases at the same rate as men are even though they are asking for and applying at the same rate,” Moriuchi said.
A number of nonprofit groups and private companies actively promote training to get younger girls involved in information security. They include goodgirlswritecode.org and girlswhocode.com. The Girl Scouts organization says that later this year it will add merits badge in cybersecurity.
Several executives said girls winnow out of tech and cybersecurity career paths at a young age.
Search online for images of cybersecurity researchers, Tremblay said, and “you’re going to get an image of a guy in a hoodie.” Females see such images and feel alienation. “They don’t see themselves as these people with the hoodies on.”
In middle and high schools, girls interested in computer science and coding clubs commonly feel little social support, several executives said.
Moriuchi recalled her own experience: “They weren’t unfriendly to girls but there weren’t many girls there, and as a result that lessens the appeal.”
Ashley Podhradsky, a professor of computer forensics at Dakota State University, is among experts trying to change this. In 2015, Podhradsky founded a residential cybersecurity summer camp for girls under a trademarked name: CybHER Security. It’s bursting at the seams. Last year, the camp attracted 130 students from 16 states.
The weeklong camp is free for participants, and the costs are partly funded by the National Security Agency and a series of private corporations, like AT&T and Citigroup, she said. At the camp, girls learn things like how to find deleted messages on a phone and how to analyze photos to see where they were taken and by what device.
“I’ve heard so many times that girls aren’t interested. That’s just not true,” added Podhradsky, who is an associate professor of information security at the university.
Once out in the workplace, women in cybersecurity often find themselves in a common situation — being the only woman in a room.
“It’s a very male dominated culture,” Williams said. “It can be a little more crass, a little bit more rough and maybe some … females don’t like that, and it is off-putting.”
Even getting a foot in the door can be hard.
“There’s a lot of unconscious bias in hiring,” said Lisa Jiggetts, founder and chief executive of Women’s Society of Cyberjutsu, a support community for women in the field. “There’s conscious bias, too. For whatever reason, women aren’t viewed as capable and skillful in the field.”
As a rule, women wait until they accrue required skills before applying for cybersecurity jobs, said Tremblay, of Arctic Wolf, while men routinely bluff their way through.
“The men may have none of (the skills) and will still apply,” Tremblay said.
Some positive stories are out there. Williams spent 12 years working at the National Security Agency, the top-secret government branch that deals in signals intelligence, hacking and defending against cyberattack. As she rose in the ranks, helped by male mentors, she said she was able to help make inroads on the gender issue.
“One of the things that NSA has gotten really right is that they’ve done a really great job of building a cadre of excellent female mathematicians,” she said.
But for every positive story, there are also negative ones.
“Yesterday, I was walking around and I had on my speaker’s badge. Someone asked me who’s speaker badge I was borrowing. I was like, ‘This is mine,’” Figueroa said on the sidelines of the Shmoocon hacker conference in Washington earlier this month.
Figueroa said she has professional colleagues who face diminishment at client meetings.
“They have clients who won’t speak directly to them,” she said. “It’s the assumption that the woman is not the lead on the project. They just default to speaking to the men.”