The annual RSA Security Conference is one of the largest and most important information security trade shows. On the first day of the 2015 conference, we heard that "It is a lopsided team in the field" when it comes to women in IT security. When I walked the halls at the Moscone Center in San Francisco, I saw men and women, old and young, and people of colour. If you look at the print advertisements in the conference's program guide, all of that diversity disappears.
When we look at how the industry describes itself, through its own advertisements, that underrepresenation becomes incredibly obvious. This fits the experience many women are seeing on the inside. It also helps explain why women and people of colour may not be attracted to the field or tempted to stay in it. Far from attracting women and people of colour, it seems the industry barely even acknowledges their presence.
One specific example is what I see in the 2015 RSA Conference program guide. I detail my findings and methodology below.
My methodology for gathering the data
For each advertisement in the 216-page RSA program guide, I looked at whether any recognisable faces were present. I counted cartoon faces (there were two) the same as real faces. The vast majority of genders and races were obvious. The "number of faces" is different from the "number of advertisers who choose to use faces"; Dell's ad, for example, features three faces: two men and one woman. Thus, there are 23 faces across 16 advertisers.
A look inside the 2015 RSA guide
We are white men
There are 63 advertisers in the guide (Figure A) and 16 of them chose to include a recognisable person's face in their ad; the other ads are primarily abstract pictures, text, or pictures of equipment and software. The overwhelming majority of those faces (20 out of 23) are white men. Of the handful of advertisers that showed only body parts (hands holding devices, the back of someone's head), all of those body parts were obviously male. The one non-white appearance in all the ads is a non-white hand holding a mobile device.
Women are nearly absent
The RSA Conference received a lot of attention for banning so-called "booth babes" from exhibits. This is a step in the right direction for women in information security, but it is still a long way from treating them and depicting them as competent professionals in the field.
When I look at the program guide, I only see three female faces in the print ads. Akamai's ad is a notable bright spot; the company has only one person (a woman) in its ad, and she is depicted in a professional role getting business done. This ad should not be remarkable — there should be other ads that depict women in professional roles.
When I look at the photos of the 17 keynote speakers, there are only three women. According to Harvard Business Review, 11% of info security professionals are women, so three out of 17 keynote speakers is just slightly better than that average.
People of colour are totally absent
Not one advert depicts a person who appears to be of Asian, Middle Eastern, African, or Latino descent. I have never worked with a credible information security team that was this homogenous.
A few ads are noteworthy in their whiteness. The StaySafeOnline.org ad on page 31 depicts children in its discussion of online safety, and all three children are white boys. It should be easy to show diversity in a picture of children using the internet. The Hob ad uses unreal colours and a cartoon depiction, but the face of the cartoon man is the only part of the ad that is not blue or orange, and the colour used indicates he's white.
A message to information security marketing departments
Advertisements reflect an industry's view of itself, and information security's self-image is white and male. The conference attracts a wide and diverse audience, so when the industry depicts itself as white and male, it seems out of touch.
Increasing women and people of colour means finding a place for them in the picture, both literally and figuratively. While eliminating a hostile work environment is a more important goal, normalising the presence of women in the workplace by depicting them is a critical step.
Businesses need to update their vision of their customers and depict a more inclusive marketplace. Even if one argues that the adverts reflect reality, we should acknowledge that adverts shape what we accept as "normal." Thus, infosec adverts have the power to have a positive influence on the industry, while still performing their primary purpose of promoting their products and services.
- Gender gap: Why information security needs more women
- The top tech priority of 2015: Two X chromosomes
- The state of women in technology: 15 data points you should know
- Diversity in tech: 10 data points you should know
- Diversity stats: 10 tech companies that have come clean
- RSA 2015 Expo: Best in Show (ZDNet)
- The DHS brings its infantile, cyber-fantasy world to RSA 2015 (ZDNet)
Note: TechRepublic, ZDNet, and CNET are CBS Interactive properties.
Paco Hope is a security consultant at Cigital.
Author of the Web Security Testing Cookbook and frequent conference speaker, Paco Hope is a security consultant with Cigital who has been working in the field of software security for almost two decades. Paco helps secure software in the financial, retail, and online gaming industries through security requirements, source code review and architectural risk analysis. He serves as a subject matter expert to (ISC)² for the CISSP and CSSLP certifications. Outside of secure software, he is passionate about privacy, user experiences, and data visualization. Paco fundamentally believes that security is less about wizardry and more about common sense.