Women in IT and Infosec

I was asked why I keep nattering on about women in IT. It's a fair question.

Two years ago, while I was on a Systems Administration team, I got to work with an intern to help her start thinking automation and scripting, and give her some basic tasks. She and I had a jocular working relationship; we were not friends outside of work, but we had friendly interactions that tolerated joking and teasing. One day, while working on a script to get log metrics (the platform did not play nicely with our enterprise logging framework), I accidentally let my mouth run, and said something (teasingly) I would normally not say at work, and only to a close friend. I immediately apologized and we both laughed it off, but a few days later, I was summoned to personnel, and asked to explain myself. I owned my mistake, made it clear that I would not repeat the mistake, and asked for an opportunity to learn from it and to demonstrate that it was an anomaly. 

I said the right thing, but didn't really learn. At the end of the intern's time with our company, she let me know that she was not offended or hurt, and that management had encouraged her to go to personnel. I thanked her for doing so, because it was a wake-up call for me. I expressed that I meant her no harm or discomfort, but kept my distance. It hadn't learned.

A friend of mine (a systems architect in the gov't space) told me a year later that the actions and words of her coworkers made her feel unsafe. I had never really thought about the teasing, uncomfortable, uncouth behavior being threatening; I had assumed it topped out at obnoxious, with regular forays into awkwardness. Knowing that this friend had experienced real violence, her comment made it clear to me. I started to learn. 

In the same summer, I found out that a security professional who I respect was violently assaulted while attending a security industry conference. Around the same time, another up-and-coming security professional talked about how the obnoxious revelry at Defcon rapidly devolved into harmful behavior (uninvited touching that didn't stop at "no", drinks being spiked without the knowledge of the drinker). This helped me understand that when we let it slide, we are making our field unsafe. Only at this point, I saw the connection between letting the rude behavior slide and letting the harmful behavior escalate. I learned a little more. 

It was pointed out to me just how many of my female friends (and one of my male friends) had experienced some form of sexual violence, and how it changed them. I started really paying attention. 

I value having women in IT and INFOSEC, and for far more than ornamental reasons (actually, that is an obnoxious reason in-and-of-itself). Because of the way women are inculturated, they bring a different point of view and keep things fresh. We often say we want innovation, and that means encouraging input from someone who is not like us. 

I value having women in IT and INFOSEC because we need more real talent, and an untapped pool (especially if that pool is half the population) of talent is a waste. When we assume that women are not talented or somehow inferior, we cheat ourselves out of the chance to find a rockstar colleague, who makes our team a winner. We don't want to miss out on the next Hedy Lamar (spread-spectrum frequency hopping), Admiral Grace Hopper (high-level programming languages), Dr Evi Nemeth (Systems Administration guru and pirate on the high seas) or other brilliant contributors who fundamentally changed our profession.  We need to remind ourselves that the best man for the job may not be a man, and that is not a problem. The best man for the job may not look or sound like us, and that's OK. Because we are looking for talent, not a watered down version of more-of-the-same. 

We are doing better at bringing girls into IT and INFOSEC and encouraging engineering curiosity at a young age, but when we act in ways that implicitly threaten violence, we scare them away, and we make our profession and our teams poorer in the process. If we want to quit sucking, we need to quit making ourselves suck (and if you think your team doesn't suck, you are delusional; every team has miles of room for improving, otherwise we would not keep talking about the Chinese and the Russians). This doesn't mean you and your bros can't have fun in your job or in your interactions, just be aware of the implications, and quit chasing the women away, because I want the bad-ass rockstar girl on my team to show us a novel way to suck less. If your bro is being a dick or hostile, call him on it. Reinforce the behavior that will bring in the next rockstar, discourage the behavior that chases the next rockstar away. 

And to prove to the intern, to myself, to the personnel manager who graciously gave me a second chance, and to the others I've scared away without even knowing.