Think of a hacker, and you’re probably thinking of a white dude in a hoodie with a Guy Fawkes mask nearby. Turn on the television or open a newspaper to learn about the latest massive data breach and you’ll probably hear white dudes talk about what went wrong. Go to most tech companies and look over their cybersecurity teams and you’ll find an overwhelming number of white dudes.
To put it in non-technical language: that is a clusterfuck. Over the last two years, gender diversity in cybersecurity has actually been regressing. According to a study from earlier this year, only about 10 percent of security professionals are women, and that number has gotten lower over the last two years.
Andrea Little Limbago, for one, is not happy about those numbers. Limbago is the chief social scientist at Endgame, a company that provides cybersecurity to commercial firms and government agencies. At a talk during the O’Reilly Security Conference this week in New York City, Limbago laid out the myriad of reasons why women are either not entering the field of computer security, are choosing to leave the field, or are getting passed over for jobs they’re qualified to perform.
Some companies have made increased efforts at diversifying their initial recruiting practices, but that’s often not enough. “There are studies that show if you put one woman in a five candidate pool, there’s a zero percent chance that woman will get chosen,” Limbago said in her presentation. She also highlighted a problem with retention of women due to a dearth of promotions. Other institutional practices, like throwing faux-fraternity parties as a work function — like one company did — also go a long way towards creating a hostile environment.
Limbago later told Inverse that a diverse security team will see flaws, openings, and shortcomings that a more homogenous group will miss. In her first-hand experience, either at Endgame or her previous life working counterterrorism at the Department of Defense, Limbago has seen countless examples of diversity in hiring leading to better outcomes.
It’s not just gender, either. According to Limbago’s presentation, just 7 percent of the computer security workforce is African-American, and Hispanics make up only 5 percent. If companies or governments want to offer safe digital communication, they need to employ people of different ethnicities, nationalities, religions, and gender expressions.
When it comes to threat modeling, a male-only team is much more likely to have blinders on and ignore the lived experiences of half the population. “Women are disproportionately more likely to have privacy concerns, because they’re the ones who are going to have the breaches, they’re going to be cyberbullied,” Limbago tells Inverse. “Stalking happens disproportionately to women.”
“There’s a woman here from one of the social media companies, and they were going to [make a product] where you had to opt-in to not be geotagged. So if you download that app you’ll be geotagged. It’s a huge privacy concern for a lot of women, and [users] wouldn’t even have known that was part of the app,” Limbago says. “But they had a woman there, a developer, who said: ‘that’s not a good idea.’”