Like the hidden figures of NASA, tons of amazing and ingenious women have helped pioneer and progress the information security (infosec) industry over the decades, without always receiving their fair share of credit and recognition. Though the number of women in cyber security has risen to 20 percent over the last five years, that’s still far too small of a percentage. The need for diversity is especially acute in cyber security, since a wide variety of experiences usually results in novel and ground-breaking solutions.
There are probably a number of factors contributing to the under-representation of women in infosec, and unfortunately sexism remains one of them. However, the seeming lack of visible mentors and role models may also contribute to the problem, as young women—like anyone else—are more likely to join a field when they see representative pioneers they respect and idolize making a difference. The good news? There are plenty of amazing and pioneering female leaders who have transformed the security industry for the better, if only you look. In honor of International Women’s Day and Women’s History Month, I’d like to share a few of the rad women of cyber security.
Before diving in, it’s worth mentioning that selecting the “raddest” women in cyber security is almost an impossible task, because there are so many to choose from! In this list I limited candidates to women whose work I have followed or who I have heard speak at various infosec conferences over the years, plus a few historical and special exceptions. For every woman I mention here, there are hundreds, if not thousands of other worthy female security leaders I’m missing.
Agnes Meyer Driscoll – Cryptographer
Let’s start with some historical context. Similar to the book and movie, Hidden Figures, women have played a key role in infosec from the start—you just may not have heard much about it. If you missed Hidden Figures, it was about the many black women mathematicians that helped the United States win the space race during the 1930s through 60s. Many, like me, didn’t realize how much these women contributed to NASA’s success, since institutional racism and sexism prevented that story from being told properly until recently.
The same seems to apply to early female cryptographers. During World War I and II, the US finally allowed woman to enlist in the military in non-combative roles including cryptanalysts or code breakers. During these wars—especially WWII—emerging computer or code machine technology allowed our adversaries to create very strong encryption algorithms to secure their military communications and manuals. Female code breakers like Agnes Meyer Driscoll were pivotal in cracking many Axis encryption systems. Driscoll herself is credited for leading successful attacks on many Japanese ciphers and coded manuals. She had a long career as a US Naval cryptanalyst, and later joined the National Security Agency (NSA), where she still holds a place of honor. If you’d like to know more about Driscoll, and many other female cryptographers you may not have heard of, I recommend reading Code Girls by Liza Mundy.
Joanna Rutkowska – Computer Security Researcher
Joanna Rutkowska is one of the first female computer security researchers I had the pleasure of hearing in person at a Black Hat security conference in 2006, when she released her team’s seminal research about “Blue Pill,” a hardware hypervisor rootkit (you can listen to that presentation here). Despite my current executive role, I always most admired “assembly ninjas,” or deep technical researchers who are as comfortable reading machine code in disassemblers as they are higher level languages. Creating a hardware hypervisor rootkit not only requires ingenuity, but technical system and kernel-level skills far beyond what an average coder might have. Rutkowska demonstrated that and more to the Black Hat audience that year. She went on to help create a secure, containerized operating system (OS) called Qubes OS and now focuses on cloud security as the CSO of Golem Network.
Parisa Tabriz – Google’s Security Princess
Self-titled “Security Princess” for Google, Parisa Tabriz not only runs the team that pen tests Google’s own security, but is also responsible for keeping Google users and customers safe, especially when it comes to Chrome. I recently saw her give one of the opening keynotes at Black Hat 2018, where she talked about throwing out the rule book to break the status quo in the security industry and the importance of trying to find new ways to win the digital security war.
Eva Galperin – Director of Cybersecurity, EFF
.jpg)
I’ve been a long-time fan of the Electronic Freedom Foundation (EFF), a non-profit organization that fights for everyone’s digital privacy, security and internet civil liberties. Eva Galperin is EFF’s Director of Cybersecurity and a digital privacy and free speech warrior for the world. Among many things, she ran EFF’s Tor Relay Challenge, a campaign to get more people to set up and run Tor relays in an effort to ensure the tool can protect your privacy online. More recently, Galperin (and team) spoke at Black Hat 2016 about government-sponsored attacks and malware.
Window Synder – CSSO of Intel’s Platform Security Division
Window Synder has lead the security efforts of many of the largest technology corporations in the US, serving as the Chief Security Officer (CSO) of companies like Mozilla, Apple, Fastly and now Intel’s Platform Security Division. I first became aware of her back when Microsoft had just started getting serious about security. During the 2000s, Microsoft launched their Trustworthy Computing division to start to create a culture of security in their organization. In 2006, Snyder organized Microsoft’s Blue Hat Security Conference, which was their way of opening a transparent dialog with security researchers by sponsoring a Microsoft hosted Black Hat-like event. Since then, Snyder has also been pivotal in helping many other huge companies increase the security of their products, and has helped the industry embrace external security researchers who help improve your company’s products.
Amanda Rousseau – Offensive Security Researcher at Facebook
Known online as “MalwareUnicorn,” Amanda Rousseau is a malware reverse engineer and forensic expert, who has researched malware at many premium malware security companies like FireEye and Endgame. I greatly admire the deep, system-level knowledge required to reverse engineer sophisticated malware today, and Rousseau has that in spades. She likely gained some of that great experience working as a forensic examiner for the Department of Defense. You most recently could have seen her sharing her Xori research at Black Hat and DEF CON 2018 (more about Xori here). As an aside, to help earn her alias, she is known for placing unicorns in her error code. Smart and cheeky… the perfect malware research combination.
Ambareen Siraj – Founder and Chair of the Women in CyberSecurity Initiative
Last, but certainly not least, is Dr. Ambareen Siraj, a professor of Computer Science at Tennessee Tech University (TTU). Siraj works largely behind the scenes doing one of the most important jobs in infosec—educating, mentoring and inspiring the next generation of women in cybersecurity. She is the director of the NSA/DHS accredited Cybersecurity Education, Research and Outreach Center at TTU, and also founded the Women in CyberSecurity Initiative (WiCyS) a non-profit organization dedicated to bringing women together in cybersecurity and mentoring the next generation. While I’ve never had the pleasure of seeing her speak in person, I greatly admire her for tackling the most important job for the future of our industry.
This list only represents a fraction of the many female leaders who are tackling complex security problems using their diverse range of personal experiences. Security leaders should remember, diversity—whether of gender, sexual orientation, race or religion—is one of your most impactful security assets. Creating a diverse environment will improve your ability to think outside the box and find new solutions to complex security problems. In honor of International Women’s Day, WatchGuard would like to thank these amazing individuals, as well as the endless list of other rad women of infosec!
Someday we won’t have to highlight gender as being something to even mention or have a month celebrating. As a woman in technology, I rather don’t like special months or days that essentially say “hey, look at you go!” This might be shocking to some to hear but it is kind of demeaning in a way but understand that it is well-intended by the sensitive who don’t want to leave anyone out and wish to encourage more women to look at technology as a career. It would be best to celebrate the mind and accomplishments and not try and elevate people based on gender. This isn’t good for any one person or society. Let’s get back to looking at merit. I don’t want special considerations. No one in my world has been sexist (as mentioned in the article) or prevented me from pursuing what was in my heart to do. It is really up to the person. It comes down to determination and maybe men just have more guts than women to dare and take risks where their career is concerned – and really other things. I have learned a lot from men in this regard, which may be why I have succeeded in my career. I feel comfortable saying this as a woman who recognizes reality as I see it. But, thanks for the thoughtful article and the kindness and encouragement that is intended. I’d like to see a men’s history month or even an international men’s day. Why should they be left out of the celebrations? It’s a glaring omission! Let’s hear it for the boys!
I am not a women, so frankly my opinion doesn’t matter in this regard as much, but I think we still need to have these days or months until there is true equality in everything, including pay. You are right that in a truly equal society we should not have to have any month celebrating a gender, race, religious, or whatever. However, that is not yet the case for women as they statistically still get paid less than the other gender (just look at the US Women’s soccer team, for example). So I personally believe these “months” aren’t to demean any particular group, but to keep the conversation open until society honors true equality. While I personally don’t mind a men’s month, just cause I love attention (kidding), men do seem to have more of the benefits from society already, so we don’t really need a month to point out inequalities since we don’t have them. In short, these sorts of months tend to be designed for groups that society still hasn’t totally treated fairly. It makes no sense to have them for the group that already enjoys all the benefits society rains down on them. I look forward to a day where we might stop women’s history month or black history month, but only because we have reached a point where society does treat all those groups fairly. By the way, this is just my personal belief and doesn’t necessarily reflect anyone else’s here.
You might want to add Dr. Jeanna Matthews of Clarkson University to your list. She has given presentations at DEFCON and other confabs.
Thanks for the suggestion. The problem with this article, as I stated early one, is there are so many deserving women in Cyber Security (included many that work here, at WatchGuard), so to try to make it easier for me, I relegated mostly to Women I’ve personally seen speak. Now that you’ve made me aware of Jeanna Matthews though, perhaps I will get to see her talk if she speaks at BH/DC again.
Hello and I posted a comment some time ago here that wasn’t approved apparently. Sad that women who feel like I do that drawing attention to our womanhood and intelligence in a “look at you go” way can be offensive isn’t acceptable as an opinion with Watchguard. I also realize this wasn’t the intent, but wanted to raise awareness. As a very long-time customer I am rather annoyed by this slight and wonder if Watchguard’s politics are getting in the way of their primary focus, security, by even writing articles like this. Just sayin’.
Kristy,
I do not see any other comments from you regarding this article. I did see a comment from a “Kristin,” which would be strange to come from you as it’s a much different email address and IP. In this day and age where people of any gender can make fake throwaway accounts, it’s sometimes hard to know who is “real” or not. In any case, I have approved “Kristin’s” comment, but it seems you are referring to that one as yours? Otherwise, there is no other comment from this email, and you might understand why we feel it strange that two different names and emails seem to be referring to the same thing as their own.
I’m afraid I don’t agree with out about this article being a slight. It’s something I personally believe in, and in no way affects our security.