Cybersecurity Needs to Do More Than Preach to the Diversity Choir
Lessons I learned from two summers at Hacker Summer Camp
It was a week out from DEF CON 27, and I was a bundle of nerves.
I’d been to DEF CON before, but this year, I had my own community that I was excited to see and my own set of responsibilities at Hacker Summer Camp, an affectionate name for a series of hacker conferences all occurring in the same city during the same week.
I had been invited to speak on three panels during Camp week: one on diversity and inclusion for BSides Las Vegas, one on raising awareness for women’s resources for The Diana Initiative, and one on leadership and career advice for Women in Security and Privacy (WISP). I was also a lead for the 2019 scholars of WISP DEF CON, which comes with its own set of responsibilities. On top of those commitments, I wanted to attend BSidesLV, Black Hat, DEF CON, and The Diana Initiative, which were all occurring during the same week.
Last year, my first year at DEF CON, I attended on scholarship from WISP. Though not new to the industry, I was definitely new to the security community and what it had to offer. I had just accepted my first position as the sole security analyst for a retail company, which is a cute way of saying I ran security for the entire retail company. DEF CON was a conference I had wanted to attend since I first heard about it in 2014. I mean, the idea of mingling with hackers of all hats made my baby techie heart flutter.
I navigated through the conference in total and complete awe of everything. A new friend, my summer camp roommate (who was also a fellow scholar), and I spent the whole conference experiencing as much as humanly possible. We were exposed to new things like Capture the Flags (CTFs) and an inclusive conference with more technical women in one room than I had seen my whole career. I left DEF CON both energized and hopeful that the next year would be bigger, better, and more fun than the last.
I went on to have a very interesting year filled with opportunity and learning and growth, hence the super packed week I had planned. You could say I had a Shonda Rhimes “Year of Yes.” And this was all possible because of the encouragement of my mentor, Keirsten Brager, the support of a new community I found through WISP and The Diana Initiative, and the warm embrace of InfoSec Twitter, a mostly positive online community dedicated to lifetime learning, support, and goofing around.
I’ve had many positive Hacker Summer Camp experiences because of the diversity and inclusion efforts of others. However, one bad apple can sometimes ruin the bunch, if you let it. And I had one particularly bad apple of a situation.
During the planning phase of Hacker Summer Camp, I was invited to speak on a panel. Happily, I agreed. The proposal was accepted, the panelists and the moderator and I all celebrated and made plans about what to discuss. But when the schedule came out, I saw that I was not listed as a speaker. On top of that, I found that I would not be receiving any speaker privileges due to a rule the conference had made to combat speaker fraud. The solution? I was offered a plus-one badge that would exclude me from speaker privileges and speaker events. My fellow panelists expressed disappointment, but no action was actually taken until I opted to bow out of the event.
It would have been an insult to mentors, women of color who came before me, and my peers to accept less than what was acceptable. Being the “only” in any space comes with a certain responsibility to others you may never meet. You want to make sure you make the right choices and perform well so that others coming after you can have a chance or be empowered by your example.
In the end, I reached out to one of the conference organizers via Twitter and that resulted in me receiving speaker privileges. However, it brought up a personal question: When people talk about diversity and inclusion, are these just buzzwords? Are they just focusing on one subset of people or do they want to make sure that the entire industry shifts for the better?
It’s not enough to speak on panels and write blog posts about diversity. It needs to be in the very fabric of your behavior. Those with more privileges than others need to really do a mental deep dive to find ways they are being intentionally or unintentionally exclusive and make lasting and meaningful changes. If your POC panelist is not receiving privileges, that should be a major problem. If your POC co-worker is being targeted, that should be a major problem. If your woman-identifying friend is constantly being talked over, that needs to be your major problem.
Getting all gussied up for the cameras to talk about diversity and inclusion is fine, but at the end of the day, as one audience member from the panel pointed out, we are most likely speaking to a choir that has already heard the sermon. We need to also speak to those that would never attend a diversity and inclusion talk. This means getting uncomfortable on a daily basis and standing up for those less privileged than ourselves. It would have meant bowing out of the presentation unless we all had the same privileges. It would have meant expressing more concern about the inequality. It would have meant taking steps to transfer privileges.
Diversity and inclusion efforts need to be action-oriented, not word-oriented. We have the power to change the landscape of the industry, but that involves taking steps to make that change in any way possible, like WISP and The Diana Initiative. Let’s try our best to walk the walk as much as we talk the talk.