Friday, August 23, 2013

Women in Information Security

TL;DR

Many changes and improvements have occurred in the last 10 years which has enabled the Information Security profession to be a more welcoming place for women.  It continues to make improvements every day to further this welcoming atmosphere.

Op-Ed: Women are succeeding in InfoSec

In the Information Security profession, diversity comes second only to having the requisite technical skill set.  It has to.  Diverse viewpoints enable security professionals to see a problem before a hacker does, and fix it before it can be exploited.  This need for diversity makes the current landscape of the Information Security Industry – also known as White Hats, Black Hats, Hackers, Security Researchers, among others – a hotbed of opportunity for career minded people of both genders.

Unfortunately, this diversity is not always evident in Information Security.  Security Conferences, where security professionals gather; are where the lack of diversity is often most visible. A majority of speakers and panelists are male. Globally, only 9% of speakers/panelists are female. At the same time, the majority of conference attendees are also male.

Where many argue that drastic changes are needed, I believe many of these desired changes are already underway. Thirteen years ago, the first conference I participated in was an almost exclusively male gathering. The women present were accompanying a male attendee. Today, the number of woman attending conferences is increasing year over year and they are active participants. The average age for attendees is increasing too.  I believe that the community that, not long ago, was known as an immature bunch of boys is growing into a more balanced and self-regulated community. Recent initiatives at these types of conferences include entire sections dedicated to working with kids, and throwing M80 dynamite in hotel pools isn't as common as it used to be. While many women testify that the community improves itself continuously, their attendance - often on their own budget - is a testament to the lessons we as a community have learned.
At the same time the number of women in security jobs is increasing.  I have witnessed this myself during my tenure at a Fortune 500 company in Silicon Valley.  While working on their internal security team, made up of 60 people across the globe, 40% of the staff was female (well above industry averages).  This was especially noticeable in the Audit & Compliance division, where women actually outnumbered men.  In fact, the present Chief Information Security Officer at that company is female, as was her predecessor.  Investing in diversity grew dividends for the business.  My personal growth and understanding of Information Security, business and risk management, would not have occurred if not for the consistent feedback from everyone, women and men alike.  In turn, I have shared my knowledge without discrimination. It is how we as a community work and how we collectively get better. Better at what we do and better at who we are.

Change is happening in education as well.  Women are now outpacing men in college degrees issued in Science, Technology, Engineering and Math (STEM), although not in Computer Science. Not just yet.  STEM degrees are the core of the Information Security industry.  In response, many professional security organizations like (ISC)2 have started offering scholarships to encourage women to enter the Information Security industry. This helps in bridging the gap, and I can only hope to see more influx of such initiatives. 

It pays to be in Information Security.  The average salary for junior level positions sits at $60 - $90k USD year, with senior positions topping out at $250k.  According to research by Dice.com – a technology job driven careers sites – the pay gap between women and men in IT has virtually disappeared.  This means that not only are there careers waiting for anyone who wants them – with year over year demand increasing by 27% for the last 10 years – but while staying intellectually challenged, one won't go hungry either.

Recently, we have seen attacks on the information security community. Pointing out fundamental and structural flaws is one thing. Gutting a community that, over more than a decade, has made great strides forward is of a completely different and questionable level to say the least. With the growing importance of information security in the world comes great responsibility. A responsibility I am sure our community and industry will take up and honor. 

As we keep focusing on a healthy, diverse and cooperative future while learning from our past, I am confident that a positive and inclusive industry is the common goal that keeps us together.

References:

Information Security Job Growth Part 1
Villanova University

When Geeks Attack
Marie Claire

Spotlight on Women in Tech
Dice.com

Information Security Scholarships for Women
(ISC)2

Tuesday, August 20, 2013

Robert Imhoff for (ISC)2 Board of Directors

TL;DR

I am running for a seat on the (ISC)2 Board of Directors.  To support this initiative, please help by nominating me for a spot on the ticket this Fall!

To achieve this goal, I will require 500 nominations from my peers - all certifications offered by (ISC)2 accepted.

Ready to help?  Great!  Here is what to do:
  1. Compose an email from email address on file with (ISC)2
  2. TO: hackajar@gmail.com
  3. Subject: I Nominate Robert Imhoff for (ISC)2 Board of Directors
  4. Body: Insert your full name as it is on file with (ISC)2 and you exact Certification Number
  5. Send it away!  I will respond promptly when it is received!
  6. Follow me @hackajar on twitter
  7. Spread the word! Link other (ISC)2 Members to this post and encourage them to nominate me!

What is the problem with current Board of Directors?

The current impression of Information Security professionals with (ISC)2 certifications is very poor.  So called "serious" security professionals and hackers consider these certifications laughable.  While on the "enterprise" side, questions are being raised about the value of these certifications over SANS and ISACA ones.  It has been four long years of mediocre handling of the situation that has driven these important certifications into just "a checkbox for recruiters".

The current board seems to be focusing more on assisting professionals with CPE credits, vendor based webcasts, and growing local chapters, but not focusing at all on the "brand" of having a CISSP, SSCP or other certification.  While all of these areas are important to an organization, they: 1) Mean nothing if the certification is rendered pointless 2) Create a sense of isolationism mixed with a "Them and Us" culture of those with (ISC)2 certifications, and those without.

Who am I to solve this problem?

After spending 13 years working in Information Security field in all aspects and industry verticals, simply put, I have the diverse background to give (ISC)2 what it desperately needs: the collective knowledge of its members.  Without making this too much of a resume, here are some key highlights to my strong position:
  • 5 Years of programming experience
  • Top Secret clearance working with the NNSA
  • Published research in Credit Card Fraud and GPU Password Cracking
  • Experience in Fortune 500, Semiconductor, Networking, Hardware, Software and Start-Up companies
  • Co-Founder of the largest independent fundraising body for the Electronic Frontier Foundation
  • Co-Founder of the only Information Security member of NCWIT

What is the Platform?

Push forward a three-point plan to enhance the value of certifications maintained and issued by (ISC)2:
  1. Require partial re-testing of all members who have a certificate in good standing every 6 years.
  2. Require more transparent view of how money is spent by (ISC)2; force organization to either draw down overfunded accounts through industry benefiting programs, or lower yearly dues to members.
  3. Require (ISC)2 to design better recognition system for community members that create positive change for Information Security; ensure a better system is in place to report members that deviate from Code of Ethics.

About me and (ISC)2:

Member Name: Robert Imhoff-Dousharm
(ISC)2 CISSP Number: 112747
Member Since: June 30, 2007
Member Exp: June 30, 2016
Member Email: hackajar@gmail.com