Women cybersecurity leaders: RSA Conference can't find you

A major security event has 20 keynote speakers, and only one is a woman. Experts say recruiting at events that exclude women keeps the field male-dominated.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
6 min read
Cisco Chairman and CEO John Chambers delivers a keynote address during the RSA Conference in 2009. Chambers stands to the right, pointing. Behind him, a video screen shows his mirror image pointing back at him. This year, 19 out of 20 keynote speakers will be men.

Cisco Chairman and CEO John Chambers delivers a keynote address during the RSA Conference in 2009. This year, 19 out of 20 keynote speakers will be men.

Justin Sullivan/Getty Images

At a major cybersecurity event in April, the only woman out of 20 keynote speakers will be a social commentator. 

Her name is Monica Lewinsky, and she advocates to prevent cyberbullying.

The other 19 keynote speakers and moderators, who will present during the four-day RSA Conference in San Francisco, are men. Of those men, all but one are cybersecurity experts.

The lineup has frustrated people in the cybersecurity field, with Facebook's chief security officer, Alex Stamos, taking to Twitter to criticize the conference organizers for leaving women out of RSA's top speaking roles. By Monday, Stamos and Google security expert Parisa Tabriz had organized Our Security Advocates, an alternative event with a panel of speakers featuring women and minorities. OurSA is scheduled to for April 17, the first day of RSA Conference keynotes. 

Stamos had said last Wednesday that he'd like to set up just such an event, where he'd hand out popcorn.

Lewinsky said on Twitter that she found out about the all-male lineup last week, and told USA Today in a statement that she's asked organizers to do better. "I'm disappointed by this oversight but RSA has about six weeks until the conference, so I'm optimistic that the matter will be rectified by then," she said.

RSA Conference vice president and curator Sandra Toms said the lineup is not finalized and that more women could join the list of keynote speakers before the event begins. US Homeland Security Secretary Kirstjen Nielsen has been invited, for example, but isn't yet confirmed to speak. Other invitations to women keynote speakers are still pending, Toms said.

"We strive each year for a diverse speaking panel," Toms said. 

The dustup reflects a persistent problem in tech that happens to be even worse in cybersecurity. Women work in just 11 percent of jobs in this field (PDF). That's bad because security companies say they can't hire skilled people fast enough. Alienating women with the potential to excel at cybersecurity could make us all less safe, especially as hackers continually hammer computer networks to steal our sensitive information.

It also comes as tech conferences continue to take heat for gender bias. In January, organizers of CES , a giant consumer electronics trade show in Las Vegas, caught criticism for excluding women from their slate of speakers, too. And in 2016 at Defcon, a major hacking conference in Las Vegas, women complained of a hostile atmosphere that left them feeling unwelcome. 

Who's responsible?

But who exactly is to blame for the lack of women at tech conferences and in cybersecurity jobs around the world? Well, nobody's raising a hand to take sole responsibility for that one.

A woman looks at a smartphone as other people rush by.
Pau Barrena/Getty Images

Toms said the lack of diversity overall in cybersecurity makes it hard to find women for the conference. "We acknowledge that there is a lack of women in cybersecurity and it's part of a larger lack of diversity in the larger tech space." 

So, it's the fault of the tech industry at large that RSA organizers couldn't fill any of those roles with women cybersecurity and tech experts. While that could sound like a dodge, it's not not true -- just look at the companies sponsoring the event. 

After all, that's where most of the keynote speakers come from, including companies like Microsoft , Symantec and McAfee , plus RSA Security, a cybersecurity company owned by Dell that sponsors the conference but isn't the same entity that organizes the event. The SANS Institute is an educational sponsor, which Toms said was an "in kind" arrangement in which the organization offered training presentations in exchange for space on the sponsor list.

Most of the speakers come from senior leadership positions in those sponsor companies. That senior leadership is in every instance a group that's mostly men. Here's how the leadership breaks down at each company that's sponsoring the event and sending a keynote speaker:

  • Juniper Networks: Zero women.
    No women in an 18-person leadership team.
  • SANS Institute: Zero women.
    No women in a six-person faculty.
  • Symantec: 11 percent women.
    Two women in a 18-person leadership team.
  • RSA Security: 13 percent women.
    One woman in an eight-person leadership team.
  • Akamai: 13 percent women.
    Two women in a 15-person leadership team.
  • Microsoft: 19 percent women.
    Three women in a 16-person leadership team.
  • Cisco: 22 percent women.
    14 women in a 64-person leadership team.
  • IBM: 29 percent women.
    Six women in a 21-person leadership team.
  • McAfee: 30 percent women.
    Three women in a 10-person leadership team.

Neither IBM nor McAfee responded to requests for comment. Akamai, Juniper, Microsoft, and Symantec didn't provide a comment for this story. The SANS Institute, a cybersecurity education organization, didn't provide its own comment, but two women with the organization reached out to CNET over the weekend to express support for the organization's efforts to train and hire women cybersecurity experts. 

"It is true that there are no women in the top SANS faculty, but I have personally experienced how SANS is committed to making sure this won't be true in the future," wrote Mandy Galante, a high school teacher who received free training from the SANS Institute as part of their program for advancing women in cybersecurity careers and who now works with the organization on a hacking competition for high school girls.

Cisco didn't provide a comment on the lack of women keynote speakers at the conference, but a spokeswoman said the company recognizes the shortage of women in the cybersecurity industry.

RSA Security (the company, not the conference) responded with the following statement from a spokeswoman. "RSA recognizes the need for diversity in the technology industry in general, which includes cybersecurity," the spokeswoman said. "We believe in creating a global business that harnesses the power of the best and brightest talent, regardless of their gender, background, religion, nationalities and race."

The conference organizers don't seem to be limited to keynote speakers from sponsor companies, though. Three keynote speakers don't appear to have direct ties to sponsor companies. Two of them are cryptography experts. Whitfield Diffie helped lay the groundwork for what would become known as the RSA public-key system, a tool that lets users send a coded message that only the intended recipient can read. Moxie Marlinspike is the creator of Open Whisper Systems, the company behind the encrypted chat app Signal.

The recruiting cycle

There could be a direct connection between how welcoming a conference is to women and who gets recruited to work at a cybersecurity company. In a report from last week on women in cybersecurity, business analysts at Forrester said companies currently "focus on recruiting from industry events that have been proven unwelcoming to women." 

That creates a vicious cycle in which companies hire few females, which, in turn, could cause conferences to have a hard time finding women experts to speak at the next event.

Toms said the audience at RSA is typically 20 percent women, which is higher than the general population of women cybersecurity workers. What's more, its two events for young professionals and students attract even higher rates of women.

Cisco spokeswoman Robyn Blum said the company is a sponsor of the Women in Cybersecurity event taking place in March and is hosting an event next week focused on bringing young women into tech careers.

In a blog post about improving diversity in the cybersecurity workforce, Cisco's chief security and trust officer, John Stewart, said women still face too many obstacles in the field. "We have a long way to go for talent, skills and character to overcome gender as a qualification," he said, "especially in leadership and executive roles."

First published March 3, 9:44 a.m. PT.
Update, March 5 at 1:00 p.m.: Adds information on the OURSA alternative conference and comments from a SANS Institute affiliate.

Solving for XX: The tech industry seeks to overcome outdated ideas about "women in tech."

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.