Like the hidden figures of NASA, tons of amazing and ingenious women have helped pioneer and progress the information security (infosec) industry over the decades, without always receiving their fair share of credit and recognition. Though the number of women in cyber security has risen to 20 percent over the last five years, that’s still far too small of a percentage. The need for diversity is especially acute in cyber security, since a wide variety of experiences usually results in novel and ground-breaking solutions.
There are probably a number of factors contributing to the under-representation of women in infosec, and unfortunately sexism remains one of them. However, the seeming lack of visible mentors and role models may also contribute to the problem, as young women—like anyone else—are more likely to join a field when they see representative pioneers they respect and idolize making a difference. The good news? There are plenty of amazing and pioneering female leaders who have transformed the security industry for the better, if only you look. In honor of International Women’s Day and Women’s History Month, I’d like to share a few of the rad women of cyber security.
Before diving in, it’s worth mentioning that selecting the “raddest” women in cyber security is almost an impossible task, because there are so many to choose from! In this list I limited candidates to women whose work I have followed or who I have heard speak at various infosec conferences over the years, plus a few historical and special exceptions. For every woman I mention here, there are hundreds, if not thousands of other worthy female security leaders I’m missing.
Let’s start with some historical context. Similar to the book and movie, Hidden Figures, women have played a key role in infosec from the start—you just may not have heard much about it. If you missed Hidden Figures, it was about the many black women mathematicians who helped the United States win the space race during the 1930s through 60s. Many, like me, didn’t realize how much these women contributed to NASA’s success, since institutional racism and sexism prevented that story from being told properly until recently.
The same seems to apply to early female cryptographers. During World War I and II, the US finally allowed women to enlist in the military in non-combative roles including cryptanalysts or code breakers. During these wars—especially WWII—emerging computer or code machine technology allowed our adversaries to create very strong encryption algorithms to secure their military communications and manuals. Female code breakers like Agnes Meyer Driscoll were pivotal in cracking many Axis encryption systems. Driscoll herself is credited with leading successful attacks on many Japanese ciphers and coded manuals. She had a long career as a US Naval cryptanalyst, and later joined the National Security Agency (NSA), where she still holds a place of honor. If you’d like to know more about Driscoll, and many other female cryptographers you may not have heard of, I recommend reading Code Girls by Liza Mundy.
Joanna Rutkowska is one of the first female computer security researchers I had the pleasure of hearing in person at a Black Hat security conference in 2006, when she released her team’s seminal research about “Blue Pill,” a hardware hypervisor rootkit (you can listen to that presentation here). Despite my current executive role, I always most admired “assembly ninjas,” or deep technical researchers who are as comfortable reading machine code in disassemblers as they are higher level languages. Creating a hardware hypervisor rootkit not only requires ingenuity, but technical system and kernel-level skills far beyond what an average coder might have. Rutkowska demonstrated that and more to the Black Hat audience that year. She went on to help create a secure, containerized operating system (OS) called Qubes OS and now focuses on cloud security as the CSO of Golem Network.
Self-titled “Security Princess” for Google, Parisa Tabriz not only runs the team that pen tests Google’s own security, but is also responsible for keeping Google users and customers safe, especially when it comes to Chrome. I recently saw her give one of the opening keynotes at Black Hat 2018, where she talked about throwing out the rule book to break the status quo in the security industry and the importance of trying to find new ways to win the digital security war.
I’ve been a long-time fan of the Electronic Freedom Foundation (EFF), a non-profit organization that fights for everyone’s digital privacy, security and internet civil liberties. Eva Galperin is EFF’s Director of Cybersecurity and a digital privacy and free speech warrior for the world. Among many things, she ran EFF’s Tor Relay Challenge, a campaign to get more people to set up and run Tor relays in an effort to ensure the tool can protect your privacy online. More recently, Galperin (and team) spoke at Black Hat 2016 about government-sponsored attacks and malware.
Window Snyder has led the security efforts of many of the largest technology corporations in the US, serving as the Chief Security Officer (CSO) of companies like Mozilla, Apple, Fastly and now Intel’s Platform Security Division. I first became aware of her back when Microsoft had just started getting serious about security. During the 2000s, Microsoft launched their Trustworthy Computing division to start to create a culture of security in their organization. In 2006, Snyder organized Microsoft’s Blue Hat Security Conference, which was their way of opening a transparent dialog with security researchers by sponsoring a Microsoft-hosted Black Hat-like event. Since then, Snyder has also been pivotal in helping many other huge companies increase the security of their products, and has helped the industry embrace external security researchers who help improve your company’s products.
Known online as “MalwareUnicorn,” Amanda Rousseau is a malware reverse engineer and forensic expert, who has researched malware at many premium malware security companies like FireEye and Endgame. I greatly admire the deep, system-level knowledge required to reverse engineer sophisticated malware today, and Rousseau has that in spades. She likely gained some of that great experience working as a forensic examiner for the Department of Defense. You most recently could have seen her sharing her Xori research at Black Hat and DEF CON 2018 (more about Xori here). As an aside, to help earn her alias, she is known for placing unicorns in her error code. Smart and cheeky… the perfect malware research combination.
Last, but certainly not least, is Dr. Ambareen Siraj, a professor of Computer Science at Tennessee Tech University (TTU). Siraj works largely behind the scenes doing one of the most important jobs in infosec—educating, mentoring and inspiring the next generation of women in cybersecurity. She is the director of the NSA/DHS-accredited Cybersecurity Education, Research and Outreach Center at TTU, and also founded the Women in CyberSecurity Initiative (WiCyS), a non-profit organization dedicated to bringing women together in cybersecurity and mentoring the next generation. While I’ve never had the pleasure of seeing her speak in person, I greatly admire her for tackling the most important job for the future of our industry.
This list only represents a fraction of the many female leaders who are tackling complex security problems using their diverse range of personal experiences. Security leaders should remember, diversity—whether of gender, sexual orientation, race or religion—is one of your most impactful security assets. Creating a diverse environment will improve your ability to think outside the box and find new solutions to complex security problems. In honor of International Women’s Day, WatchGuard would like to thank these amazing individuals, as well as the endless list of other rad women of infosec!