People come into cyber security from a wide range of backgrounds, but the usual image is of a core cadre of techies depicted as having progressed from being boys in bedrooms hacking into games – but that’s not true, rather, it was only ever part of the picture, with women also involved in every step of the nascent cyber security industry.
Joan D Pepin, Chief Security Officer at AuthO is a great example. She explains her own route into cyber, telling Guru how, from the age of eight, for three years in the 1980s, she was sent by her parents to a kids computer summer camp. While not the majority, girls were by no means a rarity and computing was not perceived as primarily a male domain. There she learned Logo and Basic programming languages, wrote games, programmed robots and learned graphics progams and data structure – which she readily admits was quite advanced for the time. She went on to get an early computer and became interested in hacking, had access to BBS, and was using a 300 baud modem, to sign on. In her junior year of high school she was able to log in to Massachusetts University and got onto the internet, which was not commercialised at that stage.
“There were some girls on the course – it seems that back then there were more women in the computing field than there seem to be today. One of the instructors was a woman and at least a quarter of those attending were women. And before the 60s, women such as Hopper etc were pioneers, and at places such as Bletchley Park, women were instrumental and many of the first programmers. It wasn’t until the 1980s and 90s that it became an increasingly male dominated field.”
While the reasons for this change are not clear Pepin suggests, “Maybe it was because it became more lucrative, and it became easier to push women aside. Also, the very first games that I remember were text based adventures – black screens and green lettering, eg you are standing in a field, type ‘go left’ etc and work out what you understand and draw out the map. They were not gendered, you were you, and they were built around exploration and you had a mystery to solve. You were playing yourself. Later as graphics evolved we saw more of those games (such as Doom, that developed into today’s ‘shoot ‘em up’ franchises).
Pepin later went to the University of Massachusetts and hung out with hackers, was a member of a group that met regularly, and produced a fracking publication. While she majored in art and film, on graduating she subsequently saw that the best way to make a living was to leverage security schools.
“I still consider myself an artist and a musician, but I have a really good day job. It’s a career that has been very good to me. I’d moved from home at 18, so the prospect of moving back home was not attractive. I worked in a non-profit healthcare centre where I did everything as IT manager as I was the sole IT person. I did that for a year and a half before going into website design then LLC Rap Group LLC, the Wu-Tang Clan, and Wu-Wear fashion label, one of the first ecommerce sites. Taking credit cards meant being part of that early technology, before PCI, so security was very important – and it aligned with my hacking interest. I then got a job as a penetration tester with International Network Services, hacker for hire, getting two-week engagements, primarily manual pen testing as there was not much in the way of automation tools then. So from broad IT, to web design to specifically focussing on security, then I went to a company that does not exist, associated with MIT Lincoln Laboratories, doing top secret research for the department of defence, and worked on things that I still can’t talk about. From there I went on to managed security services and have spent most of my career in security services, with VeriSign Inc’s Managed Security Services (MSS) which was sold to SecureWorks Inc and then Dell and I came out as director of security at Sumo Logic where I was employee No 11, then Nike business security manager for its US$10 billion revenue consumer division.”
Now Pepin is at Auth0, a high growth start-up. She explained that there are three things that appealed about this role.
- “I have spent a large part of my career getting good at information security. I don’t want to be where this is a necessary evil, I want to be where it is a necessary part, central to the product, a contributor not a cost. Where my role would be more central to the organisation.
- “It was a gruelling interview process during which I got to know executive team well and they are really collaborative, without any jerks and narcissists – so the exec team was a draw.
- “Having been in a high growth start up I could see the numbers were good, with so little money needed to be raised for so much revenue, so I knew it would be successful, and a high growth company.
“The move was for the opportunities here. I have several titles at AuthO, and often have the chance to stretch beyond my normal remit. I’ve had the opportunity to wear many different hats – I have managed security, ran an IT department, a private SAS business, engineering operations, during different periods, QA, built the pipeline, and been CISO twice before. Now I am able to focus more on security with growth; we’ve gone from 250 to 700 employees now and its good to be involved in further growth.
“It may look like it’s been an easy progression, but first, it’s been a lot of work. A lot of hours, many of which were stressful. Often it entailed handling difficult situations with not enough resources. But like Nietzsche (‘What doesn’t kill you, makes you stronger’) I’d say I am now seasoned, not stressed out or traumatised.”
Pepin agrees that there are specific challenges as a woman in a male dominated sector, and says its good if women are able to tell (their issues to) women who mentor. She adds that a significant problem identified by research is that, “When a woman talks more than 25 percent of the time, men see her as dominating the conversation, so they don’t get as many words in the conversation. And so they have to always be correct.”
Pepin describes the problem faced many women, and explains her own strategies to overcome it:
“I will ask myself, ‘Do I really have something to say, am I just going to tell a relatable anecdote’ or I will have less chance to say what I need to say, before they (men) hear Wah, Wah, Wah.
“(My approach has therefore been) Only open my mouth if I have something of value to add, make my point clear and precise and understood and then shut up. This has been a big part of my success.
“If you have something to say, send enough emails about it with your name on so no one can claim its their idea. It’s not just about doing the work, but making sure you get credit for the work, and so do the work AND get recognised. Doing that can get you reputation as a diva, or a reputation hog, but it has to be a price you are willing to pay. You will either be known as someone who didn’t do a lot even if you did, or a self-promoter and I would rather pick the latter. At some point that won’t be necessary, and I can’t wait for that to happen.
“I guarantee that if women do group projects where they are 10 to 20 percent of the group, they will already know this is true, whether they have put voice to it or not. It should not be necessary, but something is.
“Another tool, a curse – can be used positively. I am cursed to empathise with both sides of the argument and know why they want those things and this has been a successful tool that has enabled me to mediate both sides of an argument. It has allowed me to be seen as someone who wants what’s best for the team (compared to wanting to get credit for things) and to give to the other side. The mediator role has also been very helpful.
“Being a good communicator bridges gaps and shines a light on issues. Whether it’s viewed as a stereotype not, if women are either better at or more comfortable doing that then they should do that, ie understand the other point of view even if it is wrong.
“When it comes to soft skills or tech skills – both have a purpose. I have a relatively complicated patent (thanks to my tech skills). My soft skills have also been very important. If you are super tech and that excites you, well we are understaffed, and all teams need more tech help. Its important to be excited about what you do and women can do those (tech) jobs fantastically well. But if you are more interested in building those connections there is room for that too. If you want to stay focussed on tech that’s your prerogative. To get the promotion and do interesting projects, not the maintenance, you will have to employ some social skills, as just being a good technical worker will probably not get you on the good projects.
“Stereotypically when men are socialising with other men, men talk for status “I caught a bigger fish” etc. When women do that it’s seen as rude. Woman can’t play that game – so they have to play a different game. She is not going to be standing around talking about catching a bigger fish. Soft skills are necessary for everyone but if you are a minority, there’s a particular way to do it, it’s not natural and we need to learn.
“What barriers are there to women progressing in this sector? Thinking of things that have happened to me, at one company where I was director of security, I sat near the front door and was assumed to be secretary, I was near the thermostat and told to adjust it. At small companies, someone is expected to buy the birthday cake – and there are unconscious gendered expectations. Assumptions need to be overcome. There is a little fight every day, situation by situation. Are they a jackass or confused about unconscious bias? What is the small indignity today and how do I deal with it gracefully today, or if I am all out of grace, how do I deal with it?”
As a parting shot, Pepin concludes: “Women, if you are at all interested in a career in cyber security, it’s not always easy, and may not be initially welcoming but you can have a successful career, others have, and there are interesting jobs and promotions to be had in cyber security.”