Frankland entered the industry 20 years ago as a young entrepreneur, launching her own business with a colleague. Back then, people “fell” into security, she says, and the role and the industry evolved alongside the person. Within five years the company was specialising in penetration testing, and she owned and ran this business for 16 years, before pausing for 18 months.
Yet when Frankland returned to the security industry, it wasn’t the same industry she knew. She picked up a 2015 ISC2 report and was immediately concerned by two figures: first, the low number of women in the industry in general, and second, the decline. In 2008, 19% of security professionals were women; by 2015 this was down to 10%.
Frankland was so disturbed she felt compelled to write about it, describing her own experiences in the industry, and striving to promote the value of women in IT. She pressed ‘Post’ on LinkedIn and took her dog for a walk, concerned by the response she might receive, but recognising she needed to be brave and discuss the topic. Happily, the response was incredibly positive and even weeks and months later she was still receiving supportive feedback.
Consequently, she saw she could deliver value to the industry — to men and women alike — by expanding her article, adding guidelines, interviewing others, and turning it into a book. She launched a Kickstarter campaign and the book — “InSecurity - Why a failure to attract and retain women in cybersecurity is making us all less safe” — was fully funded in five days, and subsequently published at the end of November 2017.
During her research, Frankland saw what she describes as “well-intentioned, but inadvertent” mistakes in the industry that ultimately worked against bringing women into IT in general, and security specifically.
An example is the language used in marketing roles and the messages sent out. Technology is no longer a hard-core technology field, she says; it has many diverse roles and opportunities that span a rich set of skills and experiences. Instead of copying and pasting job specifications when replacing a role, Frankland advocates writing them from the ground up, thinking about what the person who held the job was like when they first came into it rather than describing someone ready-made, and doing a better job of explaining the job specification in gender-neutral language.
“Everyone is biased,” she says, “but we can all do something about it. Everyone can be empowered. Nobody has to be a victim. You can do something, you can take ownership.”
Frankland also supports having appraisals and exit interviews to find out why people are leaving, and looking at culture and leadership, with the goal of making the environment best for everyone.
While Frankland says it is the lack of women in the industry which motivated her, her driver is ultimately to have systems and improvements in place which constrain bias and assumptions and attract the best and most suitable candidates for jobs, no matter if they are men or women.
She opposes what she describes as “an addiction to drama”, and is similarly concerned by people who would say “I’m a woman and it’s not fair”.
In reality, she states, women do not want to be singled out, but simply wish to get on and do their job. Sometimes women are reluctant to get involved in certain, well-meaning initiatives to support women in technology because they do not wish to be differentiated. “If you are, then you are singled out and that can be divisive and make us vulnerable. It’s very tricky and complex.”
The Code of Conduct, Frankland’s current project, is shaped by this same thinking – making events a better environment for everyone, regardless of gender, orientation, race or other factors.
This was occasioned by Frankland’s attendance at a UK InfoSec event where she came across the typical “booth babes” at an exhibitor stand, where models had been hired, dressed in red ball gowns. She sent a tweet to the event organisers to bring it to their attention, and both the organiser and exhibitor apologised and resolved the matter swiftly.
However, the story went to press, described as “Cyber firm blasted using booth babes” and received a flurry of attention. “I was trolled on Twitter for four days,” Frankland says. She received criticism as well as support, as did people contributing to the Twitter thread, with men and women attacking other men and women on all sides of the dialogue. “Some of the discussion got quite vicious and some people were suspended by Twitter.”
The explosion was surprising and shocking, and once it settled down Frankland turned her mind to what the lessons were and how the industry could learn from this.
Following this event, Frankland reports, a woman was groped at a security event by an influential man while he was under the influence of alcohol, and there were further security events where “booth babes” were again employed.
The industry needed a code of conduct, she determined. While various conferences have published their own individual codes, Frankland could not see any that had a process, explaining, “here’s our commitment, what you can expect, if you have feedback regarding harassment or bullying here’s how you report it and how we will acknowledge and investigate it.”
None of this existed, so she set about creating it, providing a model code of conduct for the industry so that event organisers can use it to provide a safe environment for attendees.
Already ISC2 has said it is behind the code, as has Cybersecurity Challenge in the UK.
Frankland is now working on her second book, “InPower,” looking at what it means to be in power in the industry.
She will be delivering a keynote speech at the AISA Cyber Conference in Melbourne, in October.
Returning to cyber security, she notes: “Our adversaries are not tied to regulations. They seek to fulfill their obligations which are usually stealing, manipulating or corrupting data. Our job is not the same as theirs. We have a very difficult job to do, and the industry can do a better job if it looks at things in a different way.”