Women in information security are a fascinating group of people. I should know, being one myself. But being female in a quickly growing male-dominated industry poses its own challenges. And those of us who pursue security and IT in spite of gender stereotypes have unique strengths and insight.

I first interviewed Tiberius Hefflin, a Scottish security analyst who's working in the United States. Then, I spoke to Tracy Maleeff, otherwise known as @InfoSecSherpa on Twitter. After years of working in different fields, including as a legal librarian, she found infosec and her own business. Then I spoke to Isly, who's a penetration tester for a defense contractor. For my fourth interview, I spoke to Kat Sweet. Web development got her to explore IT and eventually led to her infosec career.

For my next interview, I spoke with Jess Dodson, a sysadmin from Australia who is very much infosec-minded. As difficult as it was to navigate the time zone differences between Toronto, Canada, and the "Land Down Under," we managed to have a fascinating discussion.

Kim Crawley: How would you describe your job and title?

Jess Dodson: System Administrator. I'm operational staff. I look after servers and keep systems running. My primary focus is our active directory domains and domain controllers, which is how I stepped over into the infosec side of things. I've started taking more of an interest in the security side of managing our domains.

KC: That's really cool. How did you get into sysadmining in the first place?

JD: Slightly long story. My dad's a systems engineer (though he hates the term engineer), and so I've always had computers around for as far back as I can remember. Probably when I was thirteen or so I started taking more of an interest in IT. I bombed high school a bit, (Thank you, Diablo II.) so I studied at TAFE (a trade college). Then, I was lucky enough to have a friend from TAFE say there was a job opening at the university she worked at.
I went for an informal interview, was hired on the spot and started four days later. That was nearly twelve years ago. I started as a helpdesk lackey three days a week. I then went to five days. Then I got a permanent position as an "IT Officer." I stayed in that job for just under seven years before I jumped ship for an official system administrator position for state government.

KC: Did you have any credentials before you became helpdesk?

JD: I had a Diploma of Information Technology and a Certificate IV in Information Technology. That took eighteen months of study altogether.

KC: When you were helpdesk, did your employer help to pay for any certifications?

JD: Not certs, but further study, definitely. Working for a university, they want you to have a university degree. So while working, I was studying part time for my Bachelor of Information Technology, which my work did pay for in a matter of speaking. If I passed each semester, they refunded me my course fees. That continued up until the time I resigned and left the university in 2012. I continued to pay for my study after that until I graduated in 2014.

KC: How long have you been sysadmining?

JD: My "IT Officer" role was technically a sysadmin role, just on a smaller scale. So I've been doing system administration for about nine or ten years now.

KC: What started your interest in infosec?

JD: I'm honestly not sure. I don't think it was ever a conscious decision. It just stemmed naturally from the work I was doing within our identity space. Because of the work I was doing to look after our Active Directory, the security of it (and our servers) sort of came naturally. I started looking into it more because it interested me. And also because I really didn't want to see a news story written about a lack of security for servers that I was in charge of. So there was probably a bit of pride thrown in there.

KC: I have a theory about infosec people. We have to have a knack for imagining everything that can go wrong.
Does that apply to you?

JD: Yes. Yes. 100% yes. Maybe we're permanent pessimists.

KC: Do you think you've faced any hurdles being female in IT?

JD: Starting out, I was often treated as the secretary. I heard things like "I'd like to speak to one of the guys" more times than I could count. I had university professors and lecturers be incredibly sexist and make very inappropriate remarks about my looks and my clothing. But I was very lucky because my manager was a woman, and she taught me not to take sh*t from anyone. I loved what I did, and my gender had nothing to do with it. I still encounter sexism, but I think it is getting better. There's a hell of a lot more we need to be doing, but that's a whole different story.

KC: Do you think the relative lack of women in infosec is a weakness for the field?

JD: Yes, because we think differently. We might say that men and women are completely equal, but there are definitely differences between us, but those differences are strengths. The fact that we're different, that we think differently, see things from different perspectives, look at problems in a different light... we're missing that in infosec because almost all of the leaders in the field are men. We need the differences if the field is to grow.

KC: Yeah, I agree. What do you think we could do to attract more women into infosec?

JD: It's about balance, and it's the same for all male-dominated fields. For women who are currently in the field or wanting to be in the field, it's about flexible work arrangements, paid maternity and carer leave, and management that's understanding. Because while it sounds so very "old school," women are still the primary carers in families. Also, they're the ones who have to carry around a baby for ten months and need time to recuperate after all that! But I think it starts much earlier than that. I think we need to get into schools. We need to teach young girls that computers and math and science aren't just for boys.
They're for girls. They're fun and cool, and if that's what they like to do, then they should do it. I'm trying to find a way to become a mentor or a spokesperson locally for young girls (I'm speaking with the women who run the Tech Girls Are Superheroes movement.) to show them that you can be a girl and be good at computers. Now that technology is so pervasive in our lives, I think it makes it more likely that we'll see more women in IT from the generations following ours.

KC: I agree completely. I like what the Scandinavian countries do. Mandated paid time off for parents regardless of gender, for example.

JD: For women already in the industry, our issue is trying to keep them here. The “death by a thousand papercuts” thing is very real. They may be small events. A guy making a sexist joke. A woman being passed over for a promotion for her less qualified male counterpart. A colleague calling her "emotional." And these small things tip women over the edge and push them out of the industry. We need to be getting people to say, “Stop, this is not cool, this is not funny, this is not on.” Because if we do that, we might actually maintain the women who we already have working in these positions. A large number of women drop out of information technology in their mid-thirties because of the "death by a thousand papercuts."

KC: Are there areas of IT that are more welcoming to women than others?

JD: I really don't know. I've only got experience in the areas I've been in. From women I've spoken with, I think the non-technical side of IT seems to be. That's probably not a good thing because it means that we're taken more seriously when we're not in technical roles.

KC: What's the non-technical side of IT?

JD: Procurement, contract negotiation, business analysis, project management. The women I've seen in those positions seem to be much happier and are more equal with their colleagues and are treated better.
Though that could just be rose-tinted glasses and grass-is-greener.

KC: What do you think is the biggest problem in infosec right now?

JD: It's a double-edged sword. Management either caring too much about security and sticking their noses where it's really not needed, (I hate micromanagement.) or pretending that security isn't an issue, not giving any money to it, and blaming everyone but themselves when something happens. There doesn't seem to be a happy middle ground for infosec in organizations, at least from what I've seen.

KC: Yeah, the sociology of infosec is terribly overlooked. So, what would you say to a young girl who is curious about an infosec career?

JD: If you enjoy it, do it! Don't let anyone tell you that you can't do what you want to do. Don't take crap from anyone. I struggle to find things to say to young girls about it because they see what we do as so very uncool.

KC: Fair enough. Before I go, do you have any last words about women and infosec?

JD: We're an amazing bunch of women. We need to do more to support each other rather than tear each other down. And I think you writing this piece and speaking to other women is amazing.
Conclusion
Tune in next time for my next interview with Zoë Rose, another woman in information security.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.