At S(h)ecurity, a focus on infosec industry imbalance (Q&A)

If the current state of cybersecurity—from APT hackers to rogue botnets to hacked gas stations—feels overwhelming, it might be because companies have been devaluing their women and minority employees. And it’s past time to knock that off, says Vijaya Kaza, Lookout Mobile Security’s chief development officer.

“The time has come when we need to take it up a notch here,” she said during a phone call with The Parallax prior to Lookout’s Day of S(h)ecurity, the fourth gender and diversity development day the company has held in the past year.

Unlike its three predecessors, which were held at Lookout’s respective offices in San Francisco, Boston, and Toronto, this S(h)ecurity day in San Francisco, held Saturday, is open to the public. It also includes presentations on a wider range of information security topics, from more people. Tickets to the free event, capped at 200 attendees, were snapped up in 24 hours.

When it comes to explaining why gender and diversity are important to computer security, Kaza—who, after growing up in Andhra Pradesh, India, worked her way up the engineering ladder over 17 years at Cisco Systems, from software engineer to head of engineering—turns to the facts.

According to the 2017 Global Information Security Workforce Study, “only 11 percent of worldwide security professionals are women,” she says.

The same report found that women experience much higher rates of ethnic or gender discrimination. While it didn’t cite specific examples, it did highlight that women in managerial and executive positions report significantly higher rates of discrimination than women not in leadership roles: 67 percent of women executives in cybersecurity reported discrimination, versus 36 percent of women in contractor and entry-level jobs.

A dearth of gender or ethnic diversity leads to a monoculture, she says. And homogenous viewpoints can lead security teams to jump to conclusions, or miss key details, when analyzing online threats.

“It’s completely unbalanced,” Kaza says. “To attract more talent, we need to open up to those untapped resources.”

Talented security specialists are in short supply: Nearly 2 million information security jobs are expected to go unfilled by 2022, further exposing consumers to threats. Kaza says her S(h)ecurity keynote speech will focus on convincing aspiring information security personnel that today’s industry challenges are interesting and worth solving.

Clearly, many members of the infosec community want to address its discrimination and homogeneity issues. In response to a lack of women and ethnic minority keynote speakers at the RSA Conference in San Francisco, a group of cybersecurity experts held a one-off conference called OuRSA. And DefCon, the largest hacker conference in the world, released a transparency report.

Perhaps tellingly, however, DefCon’s report, which included notes about harassment complaints and lifetime bans (as well as three adorable dogs), lacked information on women and ethnic-minority presenters.

Kaza concedes that meaningful changes may still be decades away. What follows is an edited transcript of our conversation.

Q: What made Lookout decide that gender and ethnic diversity are important to its business?

By the time I joined [in June 2017], its importance was already recognized, in some sense. That said, Lookout is not a traditional cybersecurity company. I’ve worked at plenty of those before.

As an industry leader, Lookout recognizes that the work force is completely imbalanced, and that to attract more talent, we need to open up virtually untapped pools of resources. And as a trendsetter, focusing on mobile security—the cutting edge—it only makes sense that it would take the ball forward.

Looking beyond Lookout, why is diversity important to information security?

Any technology, but cybersecurity in particular, can benefit significantly from diverse thought. Different people with different mind-sets bring different perspectives.

Security is a large and wide field, with many different types of roles, from coding to testing to incident response to internal security. There are many different variations and potential roles, each requiring a slightly different mind-set and diverse thinking. Having as many perspectives as possible simply makes sense.

Incident response, for example, requires information gathering, investigating, and pinpointing the root cause. You need a broader perspective—a good understanding of the full picture—before deciding on a course of action. I can totally see women thriving in various roles. So it’s frustrating that more women aren’t joining the team.

How do you go about teaching the importance of diverse perspectives to people who may be more narrowly focused in their approach to problem solving?

It’s a balance of perspectives more than anything. When I first started in security, I didn’t know anything about it, beyond what I’d read in textbooks. Over time, I’ve learned that processes and procedures are as important as technologies.

Through workshops, training sessions, or just casual conversations, I try to make that obvious to people. I help them work through cases, tell them stories, and maybe even talk about what specific types of programs actually entail. And they often respond with, “Ah, that’s way different than what I thought security was.”

What led to information security becoming so homogenous?

For various reasons that we see well beyond Silicon Valley, few women have joined the industry in the first place. They, in turn, have had fewer opportunities to accel their careers—and fewer opportunities to serve as role models. I have largely been the only woman in the room throughout my career. Men have stayed at the top.

It’s a cycle we have to break at some point. And breaking it isn’t easy. Even when we go out of our way to recruit and promote women or others with diverse perspectives, saying things like, “Hey, you’ve got this; you’re going to be successful at this,” they tend to shy away for whatever reasons.

Men, on the other hand, tend to be much more vocal about what they want. With a confident approach, they say, “Hey, I don’t have this particular experience or skill yet, but I know I can do it.” It becomes self-fulfilling.

What do you think would make a meaningful difference, and why?

We have to start recruiting women very, very early. I mean, going back to late elementary or early middle school, when girls are starting to feel boxed into stereotypical career trajectories. They might start thinking things like, “I’m a girl, so I need to go into art, or music, or something else. Science is not a good job for me.”

This, too, becomes self-fulfilling. We really have to start at the roots, getting girls and women to join STEM programs, then pursue related degrees in college, where security is part of the curriculum (rather than something you attack when you get to the master’s level).

Security is fundamental. There’s nothing in the technology world that can be done without understanding security. The problems that we have today are because most people don’t understand what it takes to build a secure product or a piece of code.

Starting it early is really the answer. That’s the only way we’ll correct this problem over the next 20 to 30 years. It’s just a long, drawn-out problem.

Are women better represented in other areas of STEM?

There are a lot more women in general tech roles. The more general the skill set, the higher the percentage of women you will find. The more specialized it gets, the narrower it gets. I think that, again, a self-fulfilling perception of what it takes to be successful in those fields is at play. This may include worries about work-life balance.

But to be honest, this struggle holds true for women in any field. If you have high goals, you need to put in extra effort, at least at the early part of your career. And as you get more and more experience, you develop expertise, and ideally figure out how to balance everything. Specializing in cybersecurity makes sense.

Do you see any value in recruiting women and minorities at later stages in their careers from more general STEM fields or roles?

Probably, but the earlier they are in their careers, the better. As you progress, it becomes more difficult to change.

How has the culture and diversity conversation changed over the years you’ve been working in the industry?

When I joined the industry [in 1998, as a software engineer at Cisco], it was not even a conversation. Now there is definitely a lot of conversation. A lot of people are paying attention for one reason or another. Maybe there’s value in supporting a politically correct standpoint, or maybe they’re genuinely interested in promoting diversity.

Either way, there is a lot more awareness—a lot more going on right now. But it continues to be a problem. While there’s momentum toward diversity in midlevel and upper-level positions, very little has changed at the C or board levels. A whole lot needs to be done.

That issue stretches far beyond cybersecurity, right? How much of that is sort of a culture-at-large question? And what can cybersecurity do about it?

There is a larger cultural issue at play here, for sure. But for cybersecurity, it begins with not having enough efforts to get women into the field in the first place. The funnel is a big problem in all of this, for if the funnel is large, at least more people will make it. But if the funnel isn’t big, the culture will never change.

What’s been the most helpful for you?

I have never thought of myself as just a woman. In India, where I grew up, STEM was always on top of all of our minds. That’s kind of where careers are, where people tend to be successful, and what they naturally gravitate toward. So it was surprising to me to see that in the United States, women typically move away from a STEM focus in high school and college.

Growing up in a culture where a STEM focus is natural, expected, and supported has been incredibly helpful. It’s part of the reason I never thought to myself as a kid, “I will have fewer opportunities.” It wasn’t until I grew into bigger or higher-level roles that I actually started seeing or feeling some of that.

What have you found to be the least helpful?

A lot of companies have diversity programs, but don’t really do much other than just talk about it. They don’t really put their actions behind their words. For a program to be meaningful, it needs to come with specific changes.

At Lookout, we could have hired a diversity committee without really changing anything. But by providing training and opportunities, we’ve started to act on our words.

How do convince people that there’s there’s a real workplace diversity problem? Or convince people who sort of give lip service to it to follow through with meaningful change?

You look for ways to measure successes, and celebrate and publicize those bright spots. That’s really the only way we can impact and change people’s mind-set. At the end of the day, we are looking for results, right?

Can you point to some examples of those bright spots over the course of your career?

Not to the extent that I would like; it’s just part of what we need to change. Even at Lookout, where we are trying to promote diversity through activities like Day of S(h)ecurity, there are very few women.

Once we have programs (likely starting at the grade level) that are effectively recruiting women and minorities to the industry, we can start making use of that data to feed a positive cycle. Even at companies like Cisco, which have had diversity programs in place for a long time, I haven’t seen meaningful change.

How do you see things developing over the next few years?

I see things changing very, very slowly. Maybe this year will be an inflection point. We are seeing a lot of activity, a lot of momentum, a lot of intent on the part of many people to address this problem. I hope that our kids will be able to take advantage of many of the programs we are establishing. Maybe nothing magical will happen in the next two to three years, but if we look at the three- to five-year timeline, then there’s definitely hope for change.