PC Pro

Infosec: what’s its problem with women?

Security industry still waiting for its “Weinstein moment” as women face ongoing misogyny, Stewart Mitchell discovers


The information security industry is still waiting for its “Weinstein moment” as women face ongoing misogyny, Stewart Mitchell discovers.

If infosecurity conferences have been cancelled during the coronavirus crisis, there’s one group of attendees who probably let out a quiet sigh of relief: women. A staggering one in four women have reported being sexually harassed at infosec events, according to an international survey. The question is why – given this level of abuse and several high-profile cases of sexual assault – has the infosec industry done nothing about it?

For Chloé Messdaghi, co-founder of support group Women of Security (WoSEC), her introduction to the perils of working in what she describes as a toxic environment was at a 2017 conference. “I was leaving a drinks event and when I was walking out this guy grabbed me by my neck and put me up against a car and was saying ‘You want it,’ and I remember I pushed him away and just started running,” she said.

“Another time was at the RSA Conference 2019 and I was getting into a shared Uber and the guy in the back had his RSA event badge on. I think he thought I was intoxicated.”

What followed left Messdaghi in a state of shock, initially too scared to protest. “He grabbed my upper thigh and was squeezing it and I quickly pushed [his hand] away, but I remained silent because I was stuck in the car on a bridge, I couldn’t get out and I didn’t want things to escalate.”

Having twice had conference attendees trying to get into her room after events, Messdaghi now stays in nearby hotels rather than at the hosting venue and takes extra precautions. “I don’t stay at conference hotels anymore,” she said. “And if I am walking somewhere in a conference I will make sure that I am with someone at all times.”

These incidents might be rare, but not rare enough, and women in infosec say harassment is often under-reported and rarely punished.

With little research into the issue, security professional and activist Jane Frankland has started collating data with information drawn from a survey of 2,150 women globally. The final findings will be published in a report later this year, but headline figures shared with PC Pro paint an ugly picture.

“We found that one in four women (26%) were sexually harassed when they attended an infosec conference,” said Frankland. “These were women in leadership positions as well as people coming through the ranks, and included both technical positions and non-technical.”

According to Frankland, 40% of respondents suffered derogatory, discriminatory, inflammatory comments or behaviour, but only 8% reported the sexual harassment or inappropriate behaviour at the security event. “I know people who are thinking about wearing body cams so they have proof if there’s a problem and people don’t believe them later,” she said.


Time for change

Some in the industry believe its leaders can do more to curb such vile behaviour and that infosec should have looked by now to Hollywood’s #MeToo movement for inspiration.

According to insiders, there are too many instances where the community knows or suspects that misogynists are straying into abuse, but can’t do anything about it because victims are too scared to make reports. “It’s not just about supporting the victims, it’s about sanctioning the perpetrators,” said Rik Ferguson, vice president of research at security firm Trend Micro.

“That doesn’t happen nearly enough, particularly when that perpetrator is fortunate enough to have a known ‘public persona’ – there are too many apologists, third chances, too much explaining away,” said Ferguson.

Ferguson highlighted the cases of two high-profile professionals who were censured by their companies over allegations of sexual assault, but have never faced charges, and the allegations remain merely allegations.

Security researcher Morgan Marquis-Boire resigned his post with security firm Citizen Lab and was dropped by the Electronic Frontier Foundation amid a series of sexual assault claims exposed by The Verge in 2017, but he has faced no criminal charges. A year earlier, another researcher, Jacob Appelbaum, was also accused of sexual misconduct – claims he denied – and was cut loose by several companies he worked for, including the Tor Project.

“Infosec had a couple of opportunities for a ‘Weinstein moment’,” Ferguson said. “The Appelbaum and Marquis-Boire incidents, for example, could have sparked something – but so far, crickets.”

Part of the reason may be fear that an investigation makes life harder for victims, who feel threatened by both the perpetrator and their often vocal supporters. “Women flag up to me cases of assaults and abuse, but they’re scared to come forward about it officially,” Messdaghi said.

“A colleague recently told me about someone who is pretty well-known in this space who was blackmailing her having recorded (without her permission) them having sex and he said he’d put it out there. The scary thing is that if I released the name of the person, it would get back to them and they might follow through on the threat.

“You can talk to any women in this industry and they know someone it’s happened to or it’s happened to them – blackmail’s something that’s really high in our industry.”

The vengeful mob

On top of physical threats, women in security are also subjected to a bombardment of criticism if they speak out about grievances. “I was trolled on Twitter extensively for speaking out about a conference attendee firm dressing women up in fancy dress gowns,” said Frankland.

“Everyone brought their opinions to it, but didn’t bother to find out what was going on.

“This was from CEOs, CTOs, professors all the way through – it didn’t matter what their title was they all piled in – some companies sacked or reprimanded staff for their vile bullying behaviour, but not all of them.”

Security-focused women are also routinely called out for their professionalism or technical skills, regardless of whether the critic has any knowledge of the subject or not. “He’ll attack her credibility, suggest she isn’t as knowledgeable as she claims, all in an effort to make sure she doesn’t get ahead of where he feels he is at. So, to him, the woman is a vulnerable target,” said Alyssa Miller, an independent hacker and security consultant.

“We saw this again last week with a very well-known member of the security community who, along with some of his cohorts, has been harassing a female member of the community,” Miller said, declining to name the accounts involved as it might make the bullying worse.

“They created a sock account on Twitter dedicated to harassing her and anyone who dares defend her. They doxed her location. Twitter eventually suspended the account for a short period, but it’s back now and continuing to harass.”

The vitriol enrages men in the industry as well as women, but more importantly the professionals we spoke to universally agreed that the constant battle against negative and vindictive comments was pushing women out of the industry. “It overwhelmingly happens on social media, as insults, belittling, dismissal or dogpile (and that’s only the visible part),” said Ferguson.

“At the personal level of social media, honestly, I find it difficult to comprehend the kind of mindset this very public abuse comes from and am really at a loss to know how to combat it. It seems block and report is a woman’s only weapon and is of very limited effectiveness.”
