These women want to fix cybersecurity’s massive gender gap

After years of uncomfortable interactions at the world's largest hacker gathering, these women are making their own opportunities.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

Leigh Honeywell hosting her fourth Ally Skills workshop alongside Defcon at Caesars Palace.

Alfred Ng/CNET

Last year, Leigh Honeywell got a stark reminder of why she stopped going to the Defcon hacker convention.

The security expert, whose background at companies like Microsoft, Symantec and Slack brought her to the show for nearly a decade, was waiting for a friend at Bally's Las Vegas Hotel and Casino, which played host to the conference. She had been standing there for a little more than 30 minutes before a man with a Defcon badge started hitting on her.

Honeywell told the stranger she wasn't interested, but the pickup attempts just came on stronger.

"I ended up having to make a scene and be like, 'back the fuck up, get away from me,'" Honeywell said, recalling the incident. "And this was midday, he was stone-cold sober and thought it was appropriate to get in my face. Life is just too short to put up with that kind of thing."

This year, Honeywell decided she was above Defcon. Literally. She hosted her annual Ally Skills workshop 60 floors up in a massive suite at Caesars Palace, site of this year's show. A large screen sat in the center of the room, with slides on how to improve diversity and acceptance in security ready to go. A glance out of the two-floor suite gave you a grand view of the Las Vegas strip.

About 20 people showed up this year, which Honeywell said was a great turnout.

Her workshop is one of many alternative events that have started popping up at Defcon, which some women don't consider a safe environment. Silicon Valley already wrestles with sexism, with women in technology fighting uphill battles against pay gaps and lack of representation, and one former Google employee advancing the notion that women aren't as biologically suited to be in the field. But the security field and Defcon stand as particularly glaring examples of the problem.

Women in cybersecurity make up only 11 percent of the workforce, and all of them earned less than men at every level in 2016, according to the Global Information Security workforce study.

More than half of women in cybersecurity have reported discrimination, according to the same report. Honeywell had experienced enough to stop going to Defcon entirely four years ago.

"I don't know if it was a single moment, more so an accumulation of paper cuts over the years," Honeywell said.

Taking initiative

So instead of putting up with Defcon's problems, Honeywell decided to host her own event during the conference, inviting people who were also sick of the same issues and wanted somewhere better to be.

This year Honeywell hosted her fourth Ally Skills workshop, which she also teaches at conferences around the country. People sat attentively as she talked about what it meant to be an ally, tackling privilege in security and guiding others to help make the cultural shift.

There's also the Diana Initiative, which Cheryl Biswas co-founded at Defcon this year. The convention has its history of side events devoted to promoting women in security, like Tiaracon in 2016.

The program hosted a series of speakers, workshops and parties during Defcon, also in a suite several floors above the hacker gathering. It featured workshops on reporting sexual harassment to human resources and creating an inclusive environment for start-ups.

Biswas helped create the Diana Initiative, whose name is partly a tip to Wonder Woman, as a response to the "frat house"-like behavior she had seen at Defcon, which she saw made the few women who attended uncomfortable. Many others just decided to stay home because of the stories they had heard, she said.

"You have a lot of people, late nights, there's going to be guys behaving really badly and creating more examples of why women do not enjoy being at Defcon," the cybersecurity consultant said.

On Defcon's second day, a Friday night, the Diana Initiative hosted a tiara hacking competition, followed by an after-party. Tiara hacking was a spin on the traditional badge-hacking events that go on at Defcon, where attendees try to create the most creative badges to wear -- many that have flashing lights and screens as a display of technical prowess.

A tiara with a screen and an RFID reader won first place before the party kicked off.

Next door, the Diana Initiative had its own lockpicking village, in case you needed some practice breaking into doors. It also featured a job fair. This year the Diana Initiative hosted more than 500 people.

Biswas said people enjoyed going to the Diana Initiative's events because they provide a more intimate space for respectful conversations than parties at Defcon might have.

"So many guys came to join us and told us 'this is the best party they've ever been to' because they could actually talk to people and enjoy themselves," Biswas said.

Honeywell said she gets the same reactions after her workshops, which can go for up to two hours.

At the boys' club


Hacker Jeopardy kicks off at Defcon.

Alfred Ng/CNET

Things were a little different 15 floors below the tiara hacking contest.

As attendees stood in line, one of Defcon's volunteer staff, affectionately called Goons, yelled out, "Is anyone here easily offended or under 18?" He told them to turn around now if they were.

This was Hacker Jeopardy, a mixture of the popular trivia game show and hacker knowledge peppered with raunchiness. Last year, the competition garnered mixed reviews after listing one of the categories as "Dicks" and featuring women who would take off clothes each time a contestant got a Double Jeopardy question correct.

This year was a bit toned down, but there were two categories impishly titled "Balls Deep" and "More Pussy." Unlike last year, the racy categories were more double entendres, with questions relating to things with the word "deep" in them and to cat trivia.

The event oozed with a fraternity-like feeling though, as chants of "Don't fuck it up!" would roar through the room as women in skimpy clothes spanked players if they got Double Jeopardy wrong.

Hacker Jeopardy organizer G. Mark Hardy wants the focus of Hacker Jeopardy to be about the questions, not the antics that come with it. With the innuendo-laced categories, Hardy was quick to point out that the questions had nothing to do with sex.

He felt that a lot of people were taking the game too seriously and said they needed to keep the show interesting for the audience.

"That's the question writer having fun with the audience, where they think they'll see something naughty," Hardy said. "It's good for laughs."

The event has gotten more tame each year after Hardy took over in 2013, but it still tries to hold onto parts of its tongue-in-cheek past. One of the teams competing the first night was EternalBlue Waffle, named after a combination of the leaked National Security Agency hacking tool and an internet hoax of a disease that turns vaginas blue.

This time around, contestants poured beers over their heads when they answered wrong. One loser was punished by wearing a gimp mask. Someone in the audience took his shirt off and stood up when the host was looking to give away a free shirt.

It used to be a lot worse, Honeywell said. She had competed in several Hacker Jeopardys when she still went, but said she couldn't keep supporting the inappropriate behavior, even if the questions were "getting more technical and less douchey."

But it'll take more than a toned-down Hacker Jeopardy to get more women to come to Defcon, she said. It'll take an entire cultural shift over several years.

Creating opportunities

The brash nature of the hacking community, the creepy "what happens in Vegas" vibes and drunken, rowdy behavior create a hostile environment for a lot of women, both Honeywell and Biswas said.

"These are people in this industry who don't feel comfortable in their own community," Honeywell said. "There are a lot of women who enjoy that atmosphere, but I think the reality of the situation is that there are a lot of women that don't even show up in the first place because of that expectation."


Leigh Honeywell hosting her Ally Skills workshop.

Alfred Ng/CNET

Honeywell hopes that her workshop will help create that cultural shift to make Defcon a more inviting place for women, by giving people the tools to call out misogyny and bias when they see it.

Biswas said she hopes women in security can move beyond harassment, and take on a male-dominated industry.

These issues aren't exclusive to Defcon, or even cybersecurity -- but they do represent a major roadblock for women getting hired in the industry, said Ruth Chandler Cook, the founder of HireHer.

While Defcon is a massive gathering for briefings and parties, it's also a vital networking event. When women are less likely to attend because of an unfriendly environment, it can lead to fewer opportunities, Cook said. Just look at the lack of women in cybersecurity.

Cook's startup pushes for more women in technology. She's noted that at Defcon, it's been a pattern of bad behavior, and a slow fix.

"You know this is a problem," Cook said. "You know this is sexist bullshit, and yet you still allow this behavior to continue."

But Biswas knows that change will come soon. She's seen the massive support from the security community, who helped save the Diana Initiative from falling apart before it even got started. With her side event, she's not interested in complaining about a bad situation -- she sees it as an opportunity to make changes.

"One of our challenges is breaking into the entrenched 'old boys' network and get our seats at those tables," Biswas said. "But, we're getting there. There's more women pushing harder and proving the point really well, and we're creating our own opportunities."

First published Aug. 18 at 5:00 a.m. PT.
Updated Aug. 24 at 11:20 a.m.: Clarified details about Tiaracon and the Diana Initiative.
