Several security companies are hosting a capture the flag challenge this weekend to build the pipeline of women in information security careers.More than 1,000 people have signed up for the all-women event from noon – four on Nov. 2: “Women Unite Over Capture the Flag.”

The Capture the Flag (CTF) competition tests information security skills including: Cryptography, stego, binary analysis, reverse engineering, mobile security, and other talents. Event organizers said beginners will have the opportunity to practice their skills in a reverse engineering challenge, while experienced security experts will take on more advanced challenges.

People will join the sold-out event online and at physical locations in San Francisco and Baltimore. Point3 Security is hosting the East Coast location. Participants will use the company’s Escalate training platform in Saturday’s CTF event. The company specializes in workforce development and measurement for cybersecurity professionals.

Synack is the lead sponsor of the event, along with Remediant, Magic, and Cybrary. Point3 Security, Gatebreachers, Women’s Society of Cyberjutsu, @WoSECTweets, and WomenHackerz are also supporting the competition.

Aisling MacRunnels, a founding member of Synack and the company’s CMO, leads Synack’s Courageous Women CISO Initiative, which encourages more women to enter the cybersecurity field. MacRunnels said the CTF challenge is part of several projects to keep women who major in STEM in college in the IT industry after graduation.

“Fifty percent of STEM majors are women, but the numbers go down to 10 or 11% at best when you get into roll-up-your-sleeves security roles,” she said. “We need more women in these roles to get better at stopping these attacks.”

Security breaches are getting more common and more expensive. A new Ponemon Institute survey found a 17% growth in cyberattack volume and a nearly 30% increase in attack severity. Cybersecurity provider Kaspersky found that the average cost of enterprise data breaches was $1.41 million in 2018, up from $1.23 million in 2017.

“We have to grab the best and the brightest to solve these problems, and women need to play a bigger role in that,” MacRunnels said. “We believe the female mindset can be very beneficial in winning the cyber war.”

SEE: Transgender employees in tech (special report)

MacRunnels said that when Synack first launched, ethical hacking felt risky to potential clients. However, she noticed that 50% of Synack’s customers were women, at a time when there were not many women in chief information security officer roles. This led her to believe that women might be willing to take risks that their male colleagues were not.

“I hope five years from now, women see security and ethical hacking as a career path for them,” she said.

Strengthening the pipeline of women security experts

Not many women are on that path now. To change that, MacRunnels wants the capture the flag event to connect experienced security researchers with other professional women, particularly women on Synack’s Red Team. The Red Team is the crowd in crowdsourced hacking: a private network of security researchers who work with Synack. Team members have have to apply for the job and meet security and ethics standards to join.

“We turn away 88% of people who apply,” MacRunnels said. “The team is at 1,500 right now, tried to keep it at 1,000 but as our customer list got bigger, we had to grow the team.”

Currently, only 11% of the Red Team are women. This team works with Synack clients to test the digital security of products on the marketplace and in development. The Red Team attacks a digital asset, finds vulnerabilities, and then reports back to the client.

“Not only do we share the 34 vulnerabilities that we found, but they are stack ranked with severity scores as well as information on how the hackers could get in and what they could do,” she said.

The Department of Defense is one of Synack’s clients and used crowdsourcing to test its systems last year with a “Hack the Pentagon” competition. MacRunnels said that the red team hosted a live hacking event with the Air Force last summer, and the target was an F15.
“We had tested this before, but they brought us back in to check things again,” she said. “The Air Force is a great example of how you can’t just do these tests as a one-off.”

Synack looks for people with subspecialties within cyber security to join the Red Team. Red Team hacker Emily, aka @baybe_doll, specializes in password cracking. MacRunnels said that women bring a very rational, pragmatic approach to that particular task.

“People share so much when it comes to social media,” MacRunnels said. “Once we found a person who loved Harry Potter and a hacker said, ‘Try every spell name.”

Aside from working for the Red Team, @babye_doll has served as a DEF CON SOC Goon for five years, and the co-director for a password cracking track at Security B-Sides Las Vegas for three years. She also runs the CTF at Hushcon Seattle. In her day job, Emily is the COO of Terahash.

Some Red Team members share their team membership on Linked IN and others want to be totally private. Macrunnels said that a few hackers make more than $1 million from working with Synack over several years. Red team members get paid based on the severity of the vulnerability they find.

Editor’s note: This article has been edited to reflect the correct dollar amount for the potential earnings as a Synack Red Team member.

Synack and Point3 Security are hosting a capture the flag competition to bring more women into cybersecurity jobs.
Image: Getty Images/iStockphoto/AlexandrBognat