Listen you little wise-acre. I'm smart. You're dumb. I'm big, you're small. I'm right, you're wrong. And, there's nothing you can do about it.
Roald Dahl's heroine Matilda’s father Mr Wormwood was a bully, and he was wrong. At five and a half years old, Matilda could do something about it, and she did. She righted a wrong. And, she used her ‘special powers' to do so.
This week reminds me of her story and strength, plus my own special powers. So, let's start with one of them – communication – and two of the most important words you'll ever use.
These words are so powerful because what you put after them shapes your reality.
Cue me, and my Infosec ‘booth babes' story.
I am a leader. I am strong. And, I am humbled to learn.
Last week was tough, and I learnt a lot. Having delivered a keynote at the SC Awards on Tuesday night, things went from good to bad a few days later. It begun at Infosecurity Europe (Infosec) on Wednesday when I tweeted about a company that was exhibiting, Radar Services, and their use of women in red ball gowns. Having watched Infosec become much more inclusive to women, and understanding their strict no ‘booth babe' policy, I decided to look into the matter. I viewed the booth from afar, and when I couldn't see any men dressed in tuxedos, which would have implied this was an event gimmick based on their ‘Diamonds are a Hacker’s Best Friend' marketing campaign, I spoke to the women. I didn't want to presume they didn't know anything about security, so I respectfully asked them a few questions about what Radar Services did, and what they were selling.
When the women made it clear that they were only temping for the three-day event, I decided to take a photo of their booth. Then, I posted a comment with it on Twitter. It was minimal as I was in a rush. Regretfully, I didn't blank out the womens' faces. I didn't hashtag the company either, believing it was clear enough on the photo. Not intending to shame the women, or cause them any harm or harassment, all my post said was,
Disappointed to see booth babes at #Infosec2018 today. The girls were hired for the event & knew nothing about security. Not seen this tactic for a long time at the event.
As soon as I tweeted, my network started to comment. They thanked me for raising this and hearted the post to show their support. Many said they saw this as a distasteful and regressive approach, which needed to be investigated. The Infosec team took action. By the next day, Eleanor Dallaway, the editor of U.K. trade publication Infosecurity Magazine, an official media partner with close ties to the Reed Exhibitions (Infosecurity Europe's event organisers), gave the following statement:
Hi all. @infosecurity does have a no booth babe policy, which it has worked hard to enforce over the years. They are looking at the exact terminology of what is considered ‘booth babe.' It's sad that exhibitors are insulting visitors by misunderstanding what they're looking for.
Around the same time, Infosecurity Europe responded.
@K4tyS @KateOflaherty @JaneFranland @infosecEditor @drjessicabarker thanks for raising, booth babes are indeed a step backwards for the industry which is why our contracts expressly forbid this. We've addressed this directly with the company involed #womenintech #infosec18
Having received notification, I thought that was the end of it. Unfortunately, it wasn't. After Newsweek ran the story, an online backlash ensued and I became a major target for online abuse and harassment. People from outside our industry joined in – everyone from CEOs, CTOs, university lecturers, consultants, practitioners and so on – men and women. When trolls came out in force and Twitter had to remove comments and suspend individuals, people phoned and messaged me to check I was OK. They told me they felt too afraid to comment online or were concerned they'd just be fanning the flames. I understood and recommended they keep quiet rather than be attacked, especially as the accusations became more and more non sensical. It became crystal clear that women who showed support were targeted more than men, too.
Naomi Wu (@RealSexyCyborg) was outraged with my tweet and extremely vocal online about it. But, when she suggested I ask for the photo to be removed from the Newsweek article and I was open to it, it resulted in us having a private dialogue. I explained why I did what I did, and she understood. As she said, “Good fight. Bad battle.” We discovered we had shared goals. We worked hard to find a resolution. With her influence, five subsequent tweets and the Newsweek image that was kindly removed by James Murdock, the journalist who'd featured the article, she managed to put a stop to further online abuse (in respect of this issue). I was thankful. It showed unity, fast action and that bridges could be built particularly between women.
New comments and hearted tweets came in. Einor Peterson tweeted:
Kudos for getting together and persevering in the quest for an amicable solution and being respectful of the involved parties.
Then Brian Heaton added:
I'm very heartened to see adult conversation, understanding, and willingness to modify one's position based on new information/understanding lead to positive change. This is how things get better.
And, when Dr Jessica Barker saw that we’d established shared goals and found a resolution, she said,
This exchange between JaneFrankland and RealSexyCyborg is inspiring – this is how we will make progress # rolemodels.
According to my friends, who were still at Infosec on Thursday, the women were instructed to wear coats over their red ball gowns. They worked for the three-days so should have been paid. Sadly, they were subjected to comments, sniggers and discourteous behaviour from many who passed by their booth. That was wrong. The women were not at fault. Radar Services should have protected them. Better still, if they'd have had men present, alongside them, perhaps dressed like James Bond, the women in red ball gowns would have fitted in. But, this didn't happen. Instead they stood out like a sore thumb. Radar Services' campaign was lame. It felt like the pretty women in red ball gowns were there just to lure male buyers to the stand – like it had been in the ‘good old days' – and a step backwards for women in security.
Journalist Kate O'Flaherty, when talking to Newsweek, summed it up nicely,
It didn't fit with the tone of the event at all. Plus, it reinforces the view that women aren't technical enough to work in the sector—that they are just there for marketing and promotions.
Having gone to Infosec for years, I remember how it used to be. Around the early 2000s, at Infosecurity Europe, one of my penetration testing firm's competitors had former porn stars on their stands. They employed them for their evening session, too, so they could entertain their clients and prospective clients. Sexual objectification was a huge problem during those times and since then, women in security have worked hard to be taken seriously. When I was talking to one of my female CISO friends I told her about this and what had gone on this week. She said,
I went to Infosec years ago. I didn't get a fraction of the notice or respect from the majority of the vendors. I'm a career woman, so at Infosec I want equality in conversation not to be treated as a stereotype being peddled to sell products. I can't go back to the old days.
The whole affair has left a bitter taste in my mouth, as I work so hard to support women in security. As I wrote in my book, IN Security, women are under intense pressure and to judge each other. They’re being scrutinised all the time and their identities and personal styles come under constant attack. I firmly believe there's no right or wrong way to be a woman in cyber security. Women shouldn't have to be a cyber punk with coloured hair, tattoos and piercings, or wear hoodies and black lace-up boots, or stilettos and designer suits. (But there’s nothing wrong with it, if this is the woman’s choice).
Women shouldn't have to take on a masculine persona, or shy away from their femininity in order to thrive. They shouldn't have to talk like a techie either. Women in cyber security should be able to dress and speak however they want, be whatever they want, and be accepted for it. Their identities as women should not be at stake.
However, in 2018, this is not the case. Yet.
I posted about the women in red ball gowns was because many people in security are working really hard to change gender stereotypes. Women are under-represented and still viewed as an abnormality in the industry. With global representation at 11% and a fraction in leadership positions, more women are leaving the profession than entering it. Women are still viewed as violating norms and breaking the code. And, the ugly truth of the matter is that they're still not expected to work in anything other than marketing or PR. Of course, there is no issue if women want to do this, but in general, women are still being underpaid, under promoted, exploited, and worse still, sexually assaulted. They're still being silenced, told to conform, kept down and made to stay under the radar. Women in security, for all the political rhetoric of encouraging gender diversity, are still threatening the system.
How do I know? Because I get contacted daily about this.
This is NOT right.
Now, I'm not saying there aren't opportunities for women in security, as there are. Or that it's not a wonderful industry, because it is. And, I'm not blaming men either. It's the system that's at fault.
But, what I am saying is that sometimes it takes a knee jerk reaction – the posting of a tweet – like I did, to draw attention to something in order for change to occur. Other times it takes someone to react – to speak up – to call it out – for change to be made. Either way, it draws people out. Nothing will change unless something is done. Too many people are content to passively object.
After the #MeToo campaign we witnessed a change. Whilst people remain divided on it, it demonstrates that we have great power when we pull together. Right now, this ‘booth babe' incident at Infosec could do something similar. Good can come from it if we're open to it and make it happen.
Before I suggest how, let's look at 11 lessons I learnt from the women in red ball gowns at Infosec.
11 Learning lessons
- Think things through before taking action. Don't post in haste. You have a responsibility especially when you have influence and a large, online following. When you post online, scrutinise every word you use. In some cases, you may want to check with others just in case your message can be misconstrued. Even when the words are written down, clarification can be done by re-stating how you heard the other person’s words in your head and by asking them if you understand them correctly. And, if there's an opportunity, share as much as you can about yourself (who you are, why you're doing/ saying what you are) so it puts it in context and builds your case.
- Seek first to understand rather than to attack. Words have power. Whilst I understand ‘a fool finds no pleasure in understanding but delights in airing his/ her own opinions,' and we have a special culture in security where the default practice is often to attack, I believe that if we're to evolve in security we must encourage the principle of ‘seek first to understand, then to be understood.' To help you to do, know about the Five Ws or 5W1H. These are questions whose answers are considered basic in information gathering or problem solving. They're often used in journalism (cf.news style), research, and police investigations.
- Ensure you're being respectful and courteous even if you're maddened by a comment. I know it's easy for me to get annoyed when I witness elitism and an avid intolerance for any form of diversity, be that thinking, experience, background, age, gender, ethnicity, race and so on, but I know to stop myself and calm down before I respond. As someone once advised me, ‘Be quick to hear, slow to speak, and slow to anger.'
- Assume the best in others. It’s easy not to do this but the more insight and empathy you have, the more trust and goodwill you can have, which enables a swifter resolution of issues or differences of opinions.
- Show humility but don't reveal weakness. Research, check your facts, understand the emotions and behind-the-scenes thinking of the person sharing them, and present sound logic. If you can't, don't get dragged into an argument online.
- Be attentive to online comments but know that you don't and shouldn't have to answer all of them. Silence can be power, and trolls will taunt you for a response. They attack people with more followers as a way of getting attention, and as a means to increase their profile. Don't give them your energy or the opportunity.
- Rise. Even when you get knocked down, know that you can get back up and when you do you'll be stronger and wiser for it. Just as Maya Angelou said in her poem, Still I Rise…
- Right the wrong. Be attentive. Work hard. Search for a resolution. Admit a mistake if you've messed up. Had I not done this, I'd probably still be dealing with adverse comments online. Instead, I've made new friends and have increased respect in my network.
- Speak up. Don't let others silence you. We have freedom of speech. If you witness something that you believe is wrong, it’s completely appropriate and necessary to speak up about this. This is the only way to invoke change. Just remember, when you do, have a support network at the ready.
- Show creativity as an event exhibitor. One of the best stands I saw this year was at RSA Conference in San Francisco. It was from F.A.K.E Security. They had salesmen dressed up selling all manners of security snake oil, from machine learning liniment to tincture for advanced persistent threats.
- Have a Code of Conduct for your event that is clear and enforced. Whilst Infosecurity Europe investigated the booth with the women in red ball gowns, and took action, it only began on the afternoon of day two of a three-day event. Changes and an apology came on the final day. Had they walked the event floor on day one, they'd have seen there was a violation of their terms and would have been able to deal with it immediately. Furthermore, many of us would have been able to avoid the online abuse that followed.
Here's what I want you to do next…
I am determined for something positive to come from this and to ensure we avoid further incidents, be they ‘booth babes' or sexual assault.
Please join my next IN Security event. On 28th June, 2018, we'll be examining Codes of Conduct at events and in the workplace. We'll look at how to develop effective cultures, what's unacceptable behaviour plus how to deal with it. By the end of the evening, through collaboration, our aim is to create a new Code of Conduct for events that we can share with our community. In an intimate, safe, setting, this evening is guaranteed to be another special night that you won't want to miss.
Register here – http://bit.ly/2JkGduJ
PS. Over 75% of the early-bird tickets have gone already. This is an in-demand event. Leaders are coming and are in support. Don't miss out.
Final note and thanks
Many thanks to everyone who has shown support. Special thanks go to Sam Humphries (@safesecs) for her tireless defence online and support, plus Kate O'Flaherty (@KateOflaherty) and Dr Jessica Barker (@drjessicabarker) for theirs including peer reviewing this post.
‘Booth babe' is a term that's mostly used to refer to women employed by brands to staff booths at trade shows. When I use the term ‘booth babe' I don't mean it as a derogatory term refering to the women themselves, but rather to the practice of hiring women to work on stands purely for their physical appearance.