SAN FRANCISCO — Tiffany Rad is turning software- industry gender stereotypes on their head.
Rad is a white hat, a hacker who specializes in looking for security holes so that they can be fixed. The attorney turned her computer-hacking hobby into a career in 2008, when she submitted a research proposal to an underground security conference in New York. Rad’s talk there propelled her into the industry, and she is now manager of threat research for ThreatGrid, a specialist in malicious software analysis that Cisco Systems bought in May.
“To be able to present at these conferences has been fantastic in jump-starting my career,” said Rad, who speaks regularly at security events and has worked for top cyber- security firms. “Now I meet many more women doing the same.”
Over the last decade, women like Rad have become increasingly prominent in white hat roles at technology companies, including Apple, Microsoft and startups, reflecting the rising profiles of females throughout the security-technology industry. Several have taken leadership positions, including Heather Adkins, who joined Google in 2002 as one of the founding members of the company’s security staff and now manages the team that responds to hacking attacks against its corporate networks.
Women outnumber men in the specific jobs of analysts and advisers working on preventing breaches and strengthening technology defenses, according to 2011 and 2013 studies from the International Information Systems Security Certification Consortium, or ISC2. Female attendees at security conferences have also risen to hundreds or more at key events like Black Hat and DefCon, from nearly none 15 years ago, according to organizers of the events.
That contrasts with trends in the larger technology industry, where 74 percent of U.S. workers in computer and mathematical occupations last year were men, according to the Bureau of Labor Statistics. Silicon Valley companies including Google and Facebook have recently been embroiled in a debate over the lack of female employees, releasing data that show women make up less than 40 percent of their workforces.
In the early days of hacking conferences, “it was really rare if there were maybe a couple of women involved who were credible and knew their stuff,” said Jeff Moss, who founded DefCon in 1992 and Black Hat in 1997 and advises the U.S. Department of Homeland Security. “Nowadays there are too many to mention.”
Helping to drive the rise of women white hats is the meritocracy of security-technology conferences, where participants present papers and discuss flaws in code. That helps show their chops immediately, as opposed to other technology gatherings where companies hawk their wares and don’t give attendees opportunities to discuss their findings. Female trailblazers also have helped set a precedent for counterparts to enter the industry as mounting concern over cybersecurity lures a rush of investment and creates jobs.
In total, the security industry will top $85 billion in worldwide revenue in 2016, up 68 percent from $51 billion in 2010, according to Gartner Inc.
“The number of women in leadership positions in security is growing dramatically,” said Julie Peeler, director of ISC2′s foundation in Clearwater, Florida.
Among Rad’s white hat female counterparts today are Adkins at Google; Window Snyder, who has held security roles at Microsoft, Mozilla and Apple; Katie Moussouris, who had senior positions at Symantec, Microsoft and is now chief policy officer at a startup called HackerOne; Joanna Rutkowska, founder and chief executive officer of Invisible Things Lab, a research organization in Poland; and security consultant Jen Savage.
“In the security industry, you are judged on your skills alone,” said Nico Sell, a DefCon organizer and CEO of Wickr Inc., a San Francisco-based company that makes a smartphone application for sending encrypted messages. “This offers an opportunity for smart women because there is no denying your talent,” she said.
The security industry still suffers from some of the same gender disparities as the rest of the technology world. Women make up just 11 percent of information-security staff worldwide, according to the ISC2. In addition, of the 80 biggest publicly traded security companies worldwide, only one has a female CEO, according to data compiled by Bloomberg Rankings. Eva Chen, a University of Texas-educated MBA and master of management information systems, co-founded and worked in senior positions at Tokyo-based software maker Trend Micro Inc. for 16 years before becoming CEO in 2004.
Yet at the white hat level, there are now more women following the trajectory of Google’s Adkins. The 37-year-old got into security while working as a systems administrator in the late 1990s, when the first waves of mass Internet attacks forced her into online hacker forums to obtain information.
The forums were initially swamps of sexism where people would refuse to engage in technical discussions, Adkins said. She picked a neutral-sounding screen name to avoid being discriminated against.
“At the time, it was notoriously gender-biased and confrontational,” Adkins said.
Today, she sees more respect for women’s technical skills in security. While she still encounters biases — at conferences that she attends with her fiance, she said, some people assume she’s just the wife — such incidents have become less common.
“People have moved on and it’s more inclusive,” Adkins said.
Rad, the ThreatGrid manager, said since she entered the security field in 2008, she has had many opportunities. She was part of a team that showed in 2011 how hackers could open and close security doors, suppress alarms and manipulate video- surveillance feeds inside jails and prisons — without ever setting foot on the properties.
She also worked until this year for Russian antivirus- software maker Kaspersky Lab and until 2013 for Battelle Memorial Institute, an Ohio-based research organization where her job was finding ways to hack into automobiles.
Prejudice still appears toward women white hats in small ways, she said. While waiting in line to get her speaker’s badge at a conference several years ago, Rad said, she was told to go to the press line by someone who assumed she was in the wrong place.
Still, she sees more women getting into the field. For the past decade, Rad has taught a class at the University of Southern Maine on information-security law and ethics. During the first two years, there were no women students.
Now, almost half of the class is female.