This article originally appeared in issue 33 of IT Pro 20/20, available here. To sign up to receive each new issue in your inbox, click here. Please note that his article contains descriptions of sexual assault that some readers may find upsetting
Sexual harassment is rife in the cyber security industry, with women often reporting being groped at events and or receiving inappropriate content online. One in four women (26%) have experienced sexual harassment at a cyber security conference, with 12% reporting multiple incidents, according to research by the IN Security Movement, led by founder Jane Frankland.
Sexual harassers often work in high-profile positions, hiding in plain sight. Some 35% say their harasser was an executive or in top-level management, the global survey of 2,157 women found. What’s more, attempts to report harassment are often dismissed. When alerting event organisers of sexual harassment or inappropriate behaviour, 44% were unhappy with how it was handled.
Things are so bad that some women have started to avoid cyber security events altogether. One former attendee tells IT Pro she’s always on “high alert” at conferences. “I never drink much, and avoid being on my own where possible,” she says. She also describes how one friend was groped and another was raped at a tech conference.
Many assaults happen when alcohol is involved, often at sponsored after-show parties or company gatherings, which is a growing concern as in-person events ramp up post-COVID. In fact, almost half of security professionals have experienced harassment at work socials (48%) according to Respect in Security.
Understanding the scale of the problem
It’s not difficult to find evidence of the scale of the problem, with incidents happening online, in the workplace and at conferences. One female cyber security professional, speaking anonymously to IT Pro, explains that COVID-19 lockdowns increased the amount of harassment she was receiving online, such as the sharing of nude images and videos.
“I’ve received DMs (direct messages) on LinkedIn containing nude images from members of the community,” she says, adding that many of her peers have had similar experiences. “Some are images, others are videos or in one friend’s case, sexual voice notes. Another friend received a naked photo of a CISO and, in the background, she said you could see a photo of his wife and kids.”
This type of abuse is compounded by the fact the security community is very active online, which can lead to very different behaviour than might occur in person. “My friends who work in law and medicine often network with their immediate geographic peers in person,” one contributor says, “but our community is larger and more heavily focused on social media.”
Many victims are afraid to speak up, especially when they need to work with the harasser in a business capacity. “I had always had what I deemed to be a very good rapport with my perpetrator, and we had worked together many times before lockdown, so imagine my shock when I opened my LinkedIn one morning to find unsolicited nude pictures of them in my inbox,” another woman working in the industry says.
Her immediate reaction was guilt and shame. “I questioned everything about my working relationship with this person: Was this my fault? Had I given the wrong signals? How would I tell my partner? I didn’t report it, and I think this is very common in my situation, as it may have had an impact on the amount of business their company does with mine.”
Employees are choosing how they work
And with the right secure digital strategy, this could be a great thing for your business: today and far into the future
There’s also a worry that if you take action to report an incident, the perpetrator may claim “you were asking for it”, another survivor adds. “Will they ruin your reputation, which, as a woman, has been so hard to build? That’s why I’ve never called a single one of them out,” they say.
A lack of reporting – as well as a lack of action when incidents are reported – can see perpetrators getting away with sexual harassment multiple times. “Yes, I’ve had managers who have touched me inappropriately, but – honestly – that isn’t the worst of it,” one woman says. “The most shocking thing is that these people who have engaged in this kind of behaviour have been allowed to go unchallenged again and again.”
Deflating the “macho” culture
The problem is certainly not unique to the industry, but isn’t helped by what’s viewed as a “macho” culture in cyber security. Only 24% of the cyber security workforce are women, according to ISC2, which compounds the issue further.
“I've had so many colleagues make jokes about me dating or sleeping with male colleagues that I’m friends with, despite the fact I’m married and haven't shown even a scrap of flirtatious behaviour with any of them,” one woman tells IT Pro. She thinks harassment is exacerbated in the cyber security industry because it's “such a male-dominated environment”.
Taking this into account, preventing and resolving the issue requires the support of men. While many have been vocal in their support, some worry about how they’ll be perceived by their peers if they advocate for women, or don't feel qualified to speak about the issue.
Several initiatives exist to help deal with sexual harassment at conferences and other events, as well as in the workplace. One of the most comprehensive of these is the IN Security Code of Conduct, created to ensure participants are fully aligned on what constitutes unacceptable behaviour, how it can be reported, and what will be done about it.
Respect In Security was also set up during the pandemic to help deal with harassment in cyber security. Founded by a group of industry professionals, the volunteer initiative aims to support companies and individuals in addressing harassment.
Despite what might seem like inertia in responding to the issue, conference organisers have started to pay attention too. Frankland says 98 organisations have signed up to the Code of Conduct, including ISC(2) and Black Hat. In the US, the Def Con security conference banned an ethical hacker for breaching its code of conduct, although details of why the ban was delivered have not been confirmed.
Women, however, still say they’ve been dismissed when trying to report inappropriate behaviour to event organisers. One woman who was groped at an event, for example, was told: “I can’t believe he would do that; he is such a nice guy.”
It’s clear, as Frankland says, “safer provisions are needed”. Sadly, for now, it comes down to steps women – and men – can take to keep themselves and their colleagues safe. Frankland advises teaming up with other women, and to avoid being alone while attending conferences, adding that wearing a body-worn camera is also an option.
More broadly, all organisations should aim to develop a culture where it’s known that any form of harassment is not acceptable while empowering all staff to bring complaints without fear, says one of the affected women. “These complaints should be dealt with promptly, seriously and discreetly.”
If you have been affected by any topics covered in this article, or you would like to know more, the following information may be useful
Respect In Security is not a counselling service nor a legal channel to file complaints, but if you have a story that you would like to share, and you are comfortable without anonymity, then the organisation would love to hear from you using their contact form. The group won't use any screenshots or any names other than your own, but seeks bringing real testimony to the public eye. Similarly, the group can point you in the right direction if you're suffering from abuse or harassment.
There are several organisations, including charities, you can reach out to in the UK if you require support from a specialist helpline, or you wish to report on behalf of a friend or colleague. These include:
SARSAS: 0808 801 0456 or 0808 801 0464
Rape Crisis England and Wales: 0808 802 9999
Advisory, Conciliation and Arbitration Service (ACAS): 0300 123 1100
The Survivors Trust: 0808 801 0818
Victim Support: 0808 168 9111
There are also a number of groups that advocate for the interests of women in tech, and which have conducted research on sexual harassment in the industry, including Women Who Tech, Women in Technology, InfosecGirls and Women in Cybersecurity.
