Week 1 of National Cyber Security Awareness Month has a focus on educating and getting people involved in cybersecurity - including careers.
You've probably noticed there aren't a lot of women in information security. This is presumably for the same reasons there aren't many women in technology in general: it's partly a pipeline problem and partly because women get frustrated with the unfriendly culture and leave. Some progressive organizations, like WISP and TiaraCon, are working to change this, and even Facebook's CISO has talked about the need to make women feel more welcome. At Security Innovation, we're trying to do our part by running web security hackathons for women, to help them build their security skills and get newcomers excited about the field. (We're co-hosting the next one with RSA security on October 18th. At the hackathon we ran with WISP in June, about 100 women from a variety of different backgrounds attended to test their hacking skills, learn, listen, share, and interact. When I talked to the participants afterwards, they were clearly ready and eager to keep learning about security.
But organizations like WISP and hackathons for women can't change a culture by themselves. To build a truly inclusive InfoSec community, we need to actually listen to women's ideas, value their contributions, and acknowledge their expertise. We need to treat them like full participants in the community.
The good news is that most of the InfoSec community seems to be on board with that goal. So here are a few suggestions for having better conversations with other people - especially women - in information security:
Assume they belong there. By default, treat everyone you meet at a security conference or other industry event like they're a security professional or enthusiast, not a salesperson, journalist, or someone's girlfriend.
Avoid telling them things they already know. It is very embarrassing to spend five minutes explaining SQL to someone and then realize they're a database administrator. It's also frustrating for the person being explained to. A quick "So, how familiar are you with SQL?" will make life better for both of you. (Also, if all your interactions are explaining things to people, see next point.)
Listen at least as much as you talk. Lots of people in InfoSec (including me!) like to be the Teacher, the Explainer, the Person with All the Answers, but that means you'll never learn anything – and it's frustrating for the person you're talking to. Try to learn from the person you're talking to, and not just demonstrate what you already know. Ask about her job, or her side project, or a topic she knows more about than you do.
Follow the Recurse Center's social rules. The Recurse Center (formerly Hacker School) has a short list of rules for social interactions: no feigning surprise when someone doesn’t know something; no "well-actually's," or minor corrections that show off the speaker's knowledge without furthering the conversation; no backseat driving, and no subtle -isms (racism, sexism and so on). The rules make it easier for people to learn, ask questions, and admit when they don’t know things.
Amplify women's voices. If you're in a conversation where a woman is being interrupted, ignored, or talked over, give her a chance to talk. "Hang on, Bob, I wanted to hear the rest of Alice’s point.” “That sounds really interesting, Bob. So, Alice, what are you working on these days?" Another strategy: when a woman makes a good point, reiterate it and give credit for it.
Don’t ask them to speak for a whole demographic. I don't know why women don't study CS/drop out of STEM careers/don't appreciate your brilliant Arduino-controlled kegerator, because I don't have a direct telepathic link to all the other women in the world. Besides, I'd rather be noted for my technical skills than my gender. Treat women in security like experts on security, not experts on being women.
Remember there's more to diversity than gender. Black and Latino people are also underrepresented in the security industry, but that's discussed much less than the gender gap. These suggestions are based on my experience as a white woman in InfoSec, so they don't speak directly to the challenges other groups face - I hope these are also good suggestions for interacting with people of color, LGBTQ people, and other marginalized groups in tech, but the perspectives of people who are actually in those groups. (People of Color in Tech, Why Diversity is Difficult, and Which Women in Tech? are more relevant than mine.)
These are suggestions for everyone, not just men - I make a conscious effort to follow them whenever I'm running a training or having a technical conversation, although I don't always succeed. And most of them aren't really about talking to women in particular. They're about building a community where exchanging ideas is better than grandstanding; where asking questions is encouraged; and where we recognize that everyone has something to bring to the table.