Black Hat has established its reputation as a world-famous hacker conference by drawing attention to the complex problems in cybersecurity that no one else has solved, or even noticed. For the last two decades, its packed discussions, known as briefings, have made headlines by featuring highly technical experts revealing previously unknown security vulnerabilities. In recent years, hackers have demonstrated their ingenuity in overcoming a smart gun’s protections, tampering with voting machines, and shutting down critical city infrastructure.
But last week, for the first time in Black Hat’s history, the conference invited speakers to address gender discrimination, sexual assault, mental health, and substance abuse. The conference’s inaugural Community Track briefings provided a window into problems in the cybersecurity world that have long been hidden in plain sight. At the Mandala Bay Convention Center in Las Vegas, certified rape crisis counselors spoke alongside engineers and emergency physicians about some of the challenges facing hackers as people.
Many leading cybersecurity conferences, such as Black Hat, Def Con, and RSA, have seemed reluctant to outgrow their beginnings as boys’ clubs, even as their attendees have become more professional and diverse. Over the last decade, journalists, hackers, and advocates have documented a range of abusive incidents at these events. Earlier this year, I spoke to two dozen women who worked in cybersecurity, many of whom had reported incidents of harassment only to be dismissed or ignored by organizers of these events. Some said that the systemic nature of sexism at these annual events felt like a feature, not a bug. In this landscape, Black Hat’s Community Track — along with an expanded range of initiatives to support working mothers, survivors of sexual assault, queer hackers, and recovering alcoholics, among others — represented a welcome step.
Cybersecurity is, by all accounts, an emotionally demanding field. In a briefing on burnout, depression, and suicide in the hacker community, Christian Dameff, a physician, and Jay Radcliffe, a security researcher, explained the unique stressors that often accompany jobs in the information security sector, such as social isolation and abnormal sleep schedules. They cited an Information Systems Security Association study from 2018, in which 68 percent of respondents described work-life balance as a major problem. Contributing to this, they said, was a talent shortage that increased demands on an already overworked staff. The field’s self-image of strength and toughness, Radcliffe said, could also serve to further isolate employees from seeking help.
In her talk on addiction in infosec, Jamie Tomasello, an engineer at Duo Security, detailed the relationship between stress and alcoholism. She described the particular ways in which the imperative to drink overlapped with career opportunities — and an occasionally toxic conference culture. “I built rapport, trust, and respect while drinking,” she said. “I was included in conversations and projects that I wouldn’t have been in without that glass in hand.” As a recovering alcoholic, she noted, it could be difficult to attend conferences like Black Hat that were fueled by networking and afterparties at bars. She offered alternatives for managers and companies hoping to organize more inclusive events for employees struggling with alcoholism, and praised the introduction of sobriety meetings. Employee wellness programs, she stressed, needed “to extend beyond health, food, gym memberships.”
In their respective talks on the importance of neurodiversity, Joe Slowik, a veteran with post-traumatic stress disorder who now works in network defense, and Rhett Greenhagen, a senior security researcher for McAfee’s Advanced Programs Group who has Asperger’s, each echoed this call for empathy. Slowik said that he had “rage-submitted” his talk, “Demystifying PTSD in Information Security,” to the conference after coming across an article that failed to distinguish between burnout, high stress, and an actual PTSD diagnosis. He pushed back against a “one-size-fits-all” approach to dealing with survivors of sexual and military trauma. Alienation, depression, and disengagement were common symptoms, he said, and he described his daily work as giving him his confidence back. “Don’t shun, ignore, or pity. Engage,” he advised those who might work with colleagues with PTSD.
Greenhagen described the ways in which being a person with Asperger’s gave him an interest in pattern recognition — “It is extremely hard for us to not solve a puzzle,” he noted — and a major leg up as a network security analyst. While the evidence is chiefly anecdotal, it is suspected that there is a prevalence of hackers on the autism spectrum. But for all the pleasures of the demanding work, Greenhagen also acknowledged some serious downsides to working on a team. Sensory distractions and small talk interfered with his ability to do his job — an experience that was echoed by hackers with an autism spectrum disorder diagnosis who took part in an informal survey conducted by Stacy Thayer, a psychologist who spoke alongside Greenhagen. “I don’t think I’ll ever have a normal social interaction with other co-workers,” Greenhagen said. “Either there were people who absolutely adored me, even if they found stupid crap I did hilarious. Or there were people who couldn’t stand me. What made it livable was that it wasn’t a huge percentage. I had more people stand up for me and realize I have shortcomings.”
The briefings focused on mental health were by turns moving and vexing. Some of the men emphasized soul-baring, engaging their captive audience in a personal story, at the expense of skill-building. Race was notably absent as a topic of discussion. So too were the ways in which diagnoses such as alcoholism, PTSD, burnout, and Asperger’s might differently affect people across genders and identities. Given the graphic nature of the discussions about suicide in the PTSD and burnout talks, trigger warnings would have been prudent. But it was precisely the elementary nature of some of these discussions that testified to their novelty in the community — and hence their necessity.
The Community Track’s strongest talks focused on gender. As several of the speakers noted, cybersecurity companies still have a long way to go in cultivating diverse talent, centering the experiences of marginalized employees, and preventing their burnout. Attrition is common for talented women programmers, especially as one looks up the ladder.
The lack of women at Black Hat has long served as a striking reminder of the lack of women in cybersecurity, a field in which women make up around 11 percent of the workforce. But a robust analysis of the reasons for their absence was, for the first time, part of the event’s main programming.
One of the most crowded sessions on the Community Track was dedicated to the problem of hiring — and keeping — women in cybersecurity. Ashley Holtz, a programmer at Crowd Strike and diversity advocate, drew on several empirical studies to document the myriad gaps between men and women in the industry — from degrees awarded to positions to salaries to retention. Three decades after earning their undergraduate degrees, just 19 percent of women stayed in the engineering industry compared with 39 percent of men.
The future doesn’t look much brighter. According to a National Center for Women in Technology study, even while three quarters of women report loving their work, over half leave mid-career — twice the quit rate for men. The top barriers in the workplace cited by women include a lack of mentors, lack of role models, gender bias, unequal growth opportunities compared to men, and unequal pay for the same skills. “If unequal pay is the only problem you have in your organization,” Holtz noted, “you’re very, very lucky.” Changing a number, she pointed out, was easier than changing an entire culture. Hostile male behavior creates a negative feedback loop: Companies and conferences become less diverse as they acquire a reputation for being hostile to diversity. Some women, she said, were less likely to join teams in which they would once again be the only woman.
So what to do? Holtz broke down the three main areas through which women might be blocked from staying or coming into an organization: hiring, retention, and promotion. “When you’re trying to get people you don’t usually have, you have to try a little harder to target those people,” Holtz said. She emphasized the importance of using inclusive language in job descriptions, sending recruiters to college groups and meetups, and building the company’s track record. A lot of the time, she said, women accepted job offers not just because of the salary on offer but also because of how they were treated during recruitment. Holtz hears from women who felt mistreated or condescended to in the interview process by men more eager to show off their own skills than assess those of the candidate.
At the conference’s informal meetups and affinity groups for women in cybersecurity, some of which were established well before the introduction of the Community Track, women confirmed the wisdom of many of Holtz’s recommendations. The majority of women I spoke with had encountered some female colleagues in sales or in administrative jobs, but had never worked with another woman on their technical team. Many traded stories about the lack of mentorship at their jobs — often because their male colleagues networked without them over late-night drinks, what one called “a buddy thing with guys.” Others said that viable male mentors ignored them because they were afraid of any one-on-one mentorship meetings appearing inappropriate.
The wide range of ages and experiences present at these meetings was striking. Senior engineers sat alongside teenage MIT sophomores: What brought them together was a desire for comrades. At the Women in Security and Privacy meeting, Eugenia Barkova, a Russian-born engineer who had worked only with men, said she was there “to find people who know the industry well enough who can help. I spend a lot of time on research I wouldn’t have to do if I just knew someone I could get a coffee with who could explain it,” she said of her work. “And I don’t like to waste my time.” A woman from Bellingham, Washington, told a story about working on a team of all men at her previous job. “They kept addressing the team ‘you guys’ in official communications, and I wanted to know, ‘Does this mean me?’”
At the Executive Women’s Forum meetup, I spoke to Sondra Schneider, the CEO of a cybersecurity certification school who had been attending Black Hat since its founding in 1997. She said that even as the number of attendees has grown over the last two decades — to nearly 19,000 people — the proportion of women has continued to hover around 10 percent. She had never been to a networking event before but came to finally meet what she called the “young women of cyber.” Allison Taylor, the CEO of Thought Marketing, agreed. “In the past, I admit, I was kind of a snob,” she said of the idea of women’s networking. But she, like Schneider, had been pleasantly surprised. “I feel like it’s really different with these events. You get to actually help people and it’s not a drain.”
Many have traced the field’s gender disparity — startling even for the male-saturated tech sector — to the cultural norms of hacking. Sarah Jeong, writing in The Verge about the information security community’s response to sexual harassment, has noted that “hacking, after all, also valorizes the nonconsensual violation of boundaries. Hacker culture has long placed the onus on the target to not get hacked in the first place — victim-blaming is deeply baked into that subculture’s values. … If you get hacked at a hacker conference, well, you were warned. If you get raped at a hacker conference, well, you were warned.” Several women told me that there were certain conferences they would no longer attend because of their lack of faith in top-down efforts to transform this culture. At the Women in Security and Privacy meeting, one woman told a group that a friend had told her not to leave her room after 8 p.m. The group said they had heard similar warnings.
Although all of the major conferences have implemented codes of conduct with anti-harassment provisions, enforcement is still spotty. But some are optimistic that in the wake of the industry’s #MeToo moment, which has included the removal of prominent cybersecurity experts accused of rape from positions of power, change is slowly arriving. “Learning how to reach out and support survivors — this is something we don’t talk about in our communities and workplaces at all,” explained Mackenzie Peterson, a certified rape crisis counselor and director of the wellness program at Cornell University College of Veterinary Medicine. Her briefing, “How Can Communities Move Forward After Incidents of Sexual Harassment or Assault?” represented a major effort from the conference to address the toxic culture head-on.
To an audience of about 30 people — half of them women — Peterson described the spectrum of gender-based violence from “boys-will-be-boys” excuses to outright rape. “Sexual violence never occurs out of nowhere,” she said. “It is built and sustained on a lot of things.” She explained how to support a friend who has been assaulted — as well as how to support one who has been accused. She also highlighted the erasure of male survivors and recommended that conferences and companies center all survivors in the accountability process.
Peterson hopes that discussions of sexual violence will be even more prominently featured in the coming years. She felt that her talk had been a little rushed, having been scheduled to run at only 25 minutes at the end of a long day. She was excited to be giving a longer version of her presentation later that week at the Diana Initiative, a woman’s cyber meetup hosted alongside the Def Con conference. Still, she added, “Black Hat could be a model. We often let the perfect hinder the idea of progress in the feminist movement. I will take the progress we make.”
Melanie Ensign, the security and communications lead at Uber, was also hopeful. An organizer on Def Con’s conference committee, she was working with local experts in Vegas to expand resources available to those who had reported assault and had helped to establish the first-ever crisis hotline for its event. “There is a tendency in the security industry to wax poetic about how difficult the problems are. But this is a problem we could solve right away, and so many other problems become easier to solve once you diversify,” she said. For instance, it was not possible to solve the industry’s projected labor shortage, and the accompanying burnout to which it gave rise, without first addressing the attrition of women. In her view, instituting a Community Track was a no-brainer; so was introducing a transparency report of incidents at the end of each Def Con. “It’s the people you’re protecting. The technology stuff does not matter if it doesn’t exist for people. Otherwise, who are you building this for?”