September 2024 - Cybersecurity | Diversity | Women in Tech | New Work

Gender Cyber Gap: How Strong is the Glass Firewall for Female Hackers?

At eco’s Internet Security Days, Catrin Schröder-Jaross and Christiane Schmidt from adesso SE exposed the persistent gender bias in cybersecurity. Through personal stories and data, they highlighted the need for more inclusive and bias-free cybersecurity environments.

Gender Cyber Gap: How Strong is the Glass Firewall for Female Hackers?

©Wirestock| istockphoto.com

Almost daily, the world undergoes digital transformation. To address the growing challenges of cybersecurity, we need talented individuals with skill and, above all, creativity. Diversity is crucial for a cybersecurity team, as it not only helps in identifying potential threats, but also in moving beyond the entrenched biases that result in unequal treatment of women and men. However, the reality behind the screens often tells a different story. At eco’s Internet Security Days (ISD) on 11 September, Catrin Schröder-Jaross and Christiane Schmidt from adesso SE revealed a clear picture of this disparity, citing vivid anecdotes and trend data.

Catrin Schröder-Jaross: Who is Ursula Walk? Was she a pioneer? Indeed she was! On the University of Kiel’s website, she is briefly introduced. Ursula Walk was Germany’s first female programmer. In 1948, she was hired by Konrad Zuse after WWII to program for the Z4. The working conditions were far from optimal. She had to work in a basement where the Z4 was located. Her tasks were challenging.

Christiane Schmidt: Ursula Walk, who lived from 1925 to 2016, was active during the early days of computer history. In Germany, women were primarily involved in computer production while men focused on other fields. Women were invited to shape the future—at least for a while.

And on the other hand: Who is Alla Witte?

Catrin: Many are familiar with Alla Witte. She supplied parts to the Trickbot malware and Conti ransomware schemes. Alla Witte was born in Latvia and was arrested in 2021. Before her arrest, she worked for the group for six years as a programmer. In a highly recommended podcast, she mentioned that she only contributed small code segments such as a status light used in project management tools. She had some doubts about the legality of her work but brushed them aside, as she was struggling to make ends meet and even programmed for Scientology. Despite her IT skills, she found it difficult to earn a legal income.

Christiane, have you ever considered switching to the dark side yourself?

Christiane: Not really, but I did think about switching from consulting to a more technical field.

Catrin: However, from your end, you already had a well-paying consulting job. Why did you switch?

Christiane: Actually, it wasn’t that well-paid, and this was during the pandemic, so short-time work became a topic, and it threatened my livelihood. I had always wanted to switch to the technical side anyway. I was always fascinated by it—and, I thought, this is my chance.

Catrin: And, as I know you well, you already had enough knowledge to do this job.

Christiane: Thank you Catrin, but I wasn’t given the opportunity. I first spoke to the team leader of the Penetration Testing Team, explaining honestly what I could and couldn’t do, but I was confident I could learn. He agreed and wanted me on his team. However, the company’s CEO needed to sign off on it, and when I spoke to him, he quickly said “No”. In that moment, I thought, well, if we ever meet again in a professional network, I’ll make sure you regret it!

In any case, I left that company for a much better offer. I realized I should have been more assertive about my skills. I’m sure if a male colleague had said exactly what I said that day, he would have got the position in the penetration testing team immediately.

Catrin: Yes, I believe that would have been the case. This comes down to “unconscious bias.” Men often apply for jobs even if they meet only 80-90% of the requirements, while women feel they need to meet 100% of the requirements, or even more.

Christiane: That reminds me of an interview we once conducted with a female working student. In 2024, during the interview, she was standing by the coffee machine at her workplace, when a group of men a few meters away started chatting. Suddenly, one of them said loudly, “Women can’t do tech. It’s because of their female brains. This has been scientifically proven.” And the other men just laughed.

Catrin: Another interviewee told us she once attended a training session where she was the only woman. During the session, the trainer said something like, “1000 reasons come into my mind why women should earn less than men.”

Christiane: Yes, we often had to put up with such comments disguised as jokes. Because ultimately, the gender pay gap is real. Just last year, in 2023, the average annual salary for male software developers was €71,000, while women earned an average of €66,500 for the same role, resulting in a difference of about 5%.

Catrin: Furthermore, in junior positions, women earn approximately 8% less than men. Also, an average female IT Manager earns 4.2% less, which amounts to €83,340 per year compared to a man’s €94,200.

Christiane: I’d like to quote from a book I read recently, which was recommended to me by a colleague. In English, the book is called “The Book Every Man Should Read.”  This has been written by a group of female as well as male authors, who name themselves “Feminist Lab”. As cited in the book: “The gender imbalance (...) can manifest in comments, looks, and jokes at the expense of women and LGBTQ+ people. These seemingly insignificant insults contribute to what we collectively accept as normal and acceptable behavior. Once someone becomes the target of such mockery, it becomes easier to objectify or dehumanize them.”

Catrin: In other words, if we don’t change anything, these smaller instances may snowball. For example, women earning less than men leads to a gender pension gap. The Federal Statistical Office of Germany published these figures in a 2023 press release. According to the releases, women aged 65 and up had gross retirement income of roughly €17,800, while men received about €25,400. Additionally, one in five women aged 65 or over were at risk of poverty, compared with only 17.5% of men. What’s more, 15% of the women of 65 or older were overburdened by housing costs, while only 11% of men the same age were affected.

Now, I’d like to shift back to the light/dark side discussion. Our thesis is that the problems women face in “White Hat” careers—i.e., traditional professional paths—are not as severe in “Black Hat” careers. I strongly believe that anonymity and flexibility are the foundations that allow more women to participate in cybercrime. It’s not so much the thrill but rather the equality offered by anonymity where bias doesn’t flourish. And, in particular, young women aren’t taken seriously enough in our conventional career paths.

Christiane: I’d like to share an interview we conducted with an incredibly intelligent, fascinating female programmer whose story really moved us.

This young woman started as a working student at her current company, alongside a group of male colleagues. In fact, she was the only woman on her team. When they started, all the team members had roughly the same level of knowledge. The male colleagues were all assigned interesting projects, while the young woman was assigned all of the mundane tasks like fixing paper jams in the printer and other general busywork.

We all know that in IT, the big money comes from projects. It’s where our work is customer usable, therefore billable, and through this we generate invoices. That’s where promotions are granted. But many of us have worked those small jobs fixing printers, packing forensic kits, preparing hardware, shipping packages, etc.

The young programmer, after her student job, moved on to full-time employment at the company. However, while her male colleagues were hired as programmers, she was hired as a trainee, under the distinction that she lacked project experience.

Catrin: Another interviewee shared a similar story. She performed an apprenticeship as an IT specialist and was the only woman in her class.

As part of the program, the class had to complete a group project, which was supervised by two teachers. On the first project day—the day the tasks were to be assigned—it turned out that the male colleagues had already met beforehand without her and had distributed all of the tasks. They informed her on the day of the assignment that there were no more tasks left for her. They told her she could handle the documentation. The instructors just shrugged it off, suggesting that it would suffice.

Christiane: It’s heartbreaking how women are often sidelined and diminished. And these aren’t isolated anecdotes. From American authors on the topic of “Potential and the Gender Promotion Gap”, as well as a  blog from Luisa Zhou, we’ve found alarming statistics to support these stories. For example:

  • Women are 14% less likely to be promoted than men;
  • In technical manager positions, for every 100 men that are promoted, only 52 women are;
  • 30% of women in tech remain in junior positions in their mid-30s, compared to 5% of men.

In employee reviews, women are frequently rated as performing better than their male colleagues but are still assessed as having significantly lower potential. Consequently, women have much fewer chances of getting promoted or attaining leadership positions.

This allows young men to quickly surpass women on the career ladder. In one of our interviews, someone shared, “My last male teamleader was 20 years younger than me, and in last year’s review, I was told again that I wasn’t ready for promotion. When I started working in IT, he was still in elementary school.”

Catrin: We have another topic underlining our thesis, that cybercrime might be more popular to women than cybersecurity: lookism. Lookism is probably unfamiliar to some—it’s a term combining “look” and “-ism” (as in sexism, racism, ageism). Lookism refers to the discrimination against someone based on their physical appearance.

Christiane: We found an impressive example of lookism on Wikipedia, and here I’d like to share one of the findings: Attractive people have greater success in the job market. Lookism also involves “pretty privilege”—the idea that people are expected to look a certain way. This contradicts the popular belief that everyone is born with equal opportunities. Lookism is closely linked to other forms of group-based discrimination, like racism, sexism, ageism, and hostility towards the disabled. And yet, lookism, unlike these other forms, is not legally prohibited.

Many of our interviewees also told us that attractive, well-dressed women are consistently preferred. These interviewees missed out on promotions and were denied opportunities to move into other fields. Colleagues who may not have been more competent but were more attractive and better dressed didn’t face such issues.

While 88% of all men don’t give much thought to their dress code at work, a quarter of all women have heard unwanted comments about their appearance at the workplace.

Catrin: Here’s one instance that I found particularly shocking. One interviewee told us that she wanted to switch inside her company to a technical field in which she only had basic knowledge. When she joined this new field, her male colleagues made it very clear: “We don’t have time for one-on-one training and you’ll have to figure it out on your own.” Unnecessarily harsh, for sure. But when a new, attractive female colleague joined the team, those same colleagues suddenly found the time to train her—although she didn’t even need it because she was already very experienced in the field.

Christiane: I’m also familiar with that kind of situation. It is so predictable that it’s almost boring! Here’s a question: How must the new colleague have felt? Her competence was questioned just so the male colleagues could have a reason to be around her and spend time with her. This is clearly sexism.

Catrin: And in addition, it’s a waste of resources. The male colleagues could have spent time helping the female colleagues who actually needed assistance—it would have been far more effective and efficient.

Christiane: Instead, the male colleagues reported to the next higher level of management that the female colleague—our interviewee—wasn’t useful in the department, claiming she hadn’t gained enough knowledge. And, poof! She was gone.

Catrin: Which is a shame, because if someone is genuinely interested in switching to an area like IT security, that should be encouraged.

Christiane: Exactly. This was about digital forensics, an area where people who are truly passionate shouldn’t be excluded—otherwise, they might just switch to the “dark side.”

Overall, our recommendation is therefore to adopt the freedoms observed in cybercrime into the cybersecurity sector. These freedoms are:

  • Flexible working hours
  • Flexible work locations
  • Flat organizational hierarchies
  • Focusing on skills, not gender, appearance, or age

We don’t need special treatment, we don’t need special promotion. What is needed is to remove the obstacles and overcome the prejudices. Women must be included in decision-making, and not just when it comes to discussing options that have already been decided in networks among CIS-men!

For as long as men continue to assume that women “can’t do tech because of their female brains,” or invent countless reasons why women should earn less than men, and as long as the world keeps talking about our “biological clock,” and as long as women are chosen for projects because of their looks rather than their technical competence—we’re still far from gender equality.

 

Christiane Schmidt and Catrin Schröder-Jaross have more than 50 years of experience in the field of IT and are active as IT consultants at adesso SE. 

Christiane specializes in the analysis of hacker attacks and social engineering. Her focus is on incident response, business continuity management, and disaster recovery. She is also intensively involved in the IT sector and is a member of the Haecksen. She supports the Chaos Computer Club at major events and is actively involved in hackspaces.

Catrin started her career as a software developer in 1999 and has since occupied all positions in software development. Her professional focus is on identity and access management, as well as on the planning and implementation of digitalization and automation projects. She is also intensively involved in the IT sector and is a member of the Haecksen. In her podcast Mind The Tech, Catrin also educates people about the lesser-known aspects of digitalization.

Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s or interview partner’s own and do not necessarily reflect the view of the publisher, eco – Association of the Internet Industry.