Breaking the glass firewall

IT women are gravitating to information security, where cross-disciplinary skills are key.

Women are a distinct minority in IT overall, but many women are finding success as information security managers, a field that combines pure technological know-how with business acumen and managerial skills.

At least that was the premise behind the first Alta Associates Executive Women in Information Security Forum, which recently attracted more than 100 women to Fort Myers, Fla.

Attendees at the three-day event included chief security officers, senior vice presidents and CEOs from Fortune 500s such as AT&T, MCI, Oracle  and Time-Warner, and consultancies such as Guardent Technologies and Sanctum.

Although statistical data is hard to come by, a 2002 salary survey of more than 6,000 IT professionals found that women make up about 12% of the security workforce, and 22% of those women are managers. (To see the full report, click here .)

“Women are suited for these jobs because they can see the win-win between technology and business,” says Joyce Brocaglia, CEO of security headhunting firm Alta Associates. “They’re good at communication, relationship management, team-building and multitasking – all of which are essential traits for executive-level positions.”

David Foote, co-founder of the market research firm, Foote Partners, agrees. He says information security organizations will blend technology, communications and behavioral sciences, so more leadership positions will be filled by women with an education in the technical and social sciences.

Knowing their business

Such communication and people skills were evident during the 10 hours a day of seminars at the conference, where these busy executives learned from one another’s experiences.

Rhonda MacLean kicked off the conference by jolting everyone awake with a single sentence.

“I’ve been able to raise my security budget by 1,000% in the last seven years,” said MacLean, senior vice president and director of corporate security for the $35.1 billion Bank of America.

She has proven with each new project that it added value to the entire company.

Take access controls, for example. Using a process-improvement methodology, she proved how the company’s new systems reduced the manpower needed to handle millions more access requests, while at the same time improving the speed of handling those requests.

“My unit competes with every other business unit in the company for staff and budget,” said MacLean, who’s also financial services cybersecurity sector liaison for Homeland Security. “My boss saw my metrics and, after learning about our process improvements, said ‘You’re either very good or underfunded.’ I said we’re both.”

People skills

Discussion gravitated toward firing, hiring, and managing people, even in crises such as the Sept. 11 terrorist attacks.

“We lost an employee who was on one of the hijacked planes Sept. 11. Then we lost three in a nightclub fire. In a company our size, that’s a huge hit,” says Maria Cirino, CEO and chair of Guardent.

Cirino doesn’t think being female made her any more suited for managing in such crises. “Anyone would manage with compassion in a situation like this,” she says.

But firing employees is something particularly wrenching for women, said Elaine Price, CEO and co-founder of CYA Technologies, a secure business continuity company. “You need to have a thick skin,” she said. “You have to think about what’s best for the company.”

For example, she said during the dot-com bubble she had three men on staff who were poisoning morale. The board of directors recommended them, so there wasn’t much she could do.

But as soon as the bubble popped, Price laid off the three of them without waiting for the board’s approval. CYA then took advantage of the slow economy and recruited talented, career-minded team players who fit into the corporate culture.

Atypical career paths

By evening, everyone piled aboard the Harbor Princess Yacht. Over dinner, Joan Grewe told how she got into information security during her 20-year military career. She ultimately became MCI’s liaison for the federally mandated emergency response program called Telecom Service Priority.

“I started out in a traditional female role as an Army personnel officer,” Grewe said.

Over the next decade, she picked up a master’s degree in business, had two children, and held two commands. Then one day, her superior officers told her the Army needed more automation specialists, so they put her through a four-month IT training boot camp.

She served on the joint staff of Command, Control and Communications under retired Gen. Colin Powell, and was the deputy chief of staff of the Defense Information Systems Agency from 1994 to 1995. Then, as a lieutenant colonel, she commanded 1,200 troops that deployed the IT backbone for the NATO operations in Bosnia.

By Sept. 11, she was already in her emergency liaison position at MCI. She can’t reveal how she brought the MCI backbone online in three working days. “It’s classified,” she said.

Women of vision

Becky Bace, partner at Trident Capital, and CEO of Infidel, a security consultancy, got into information security through the National Security Agency (NSA), where she worked from 1984 to 1996.

“Information security was the first area in which I worked where I was not bored,” Bace said.

Even as a little girl, Bace bucked traditional female roles. At age 8, while growing up in Leeds, Ala., she drove tractors, built ammonium nitrate charges and blew up stumps for her father’s farmlands.

“My family didn’t think a girl ought to do things like that,” she said, as she received one of the top-five achievement awards for her life’s work in information security from Information Security magazine.

While at the NSA, Bace helped produce the first generation of intrusion detection by supporting fund research in IDS and cryptography at universities and government research labs.

She also assisted the FBI and other agencies by providing training materials in computer forensics, which aided in the 1995 arrest of hacker Kevin Mitnick.

She later left the agency to work as computer security officer for Los Alamos National Laboratory, before going into venture funding, where she’s seeded and mentored a half-dozen start-up companies, including Qualys and Sygate Technologies.

Same time next year

Diana Kelly, security strategist for Computer Associates , who spoke at the conference about wireless security, said she enjoyed the blending of business and technology that she hasn’t found at any other security conferences she’s attended.

Renee Guttmann, senior director of information security at Time magazine, expressed similar sentiments. “These are women who are important, and their passion for what they do is contagious,” she said.

Topics up for discussion at next year’s conference include business continuity, audit and compliance, and single sign-on.

For the last topic of discussion, Brocaglia asked, “Do we want any men on the panels next year?”

The audience responded with a resounding, “No way.”

Patty Edfors, vice president of enterprise security for AOL, explained that the women want at least one place where they can discuss topics that are relevant to their work – and their gender – in a depth they don’t usually go into conferences with men.

“People come here feeling isolated and stressed out,” Brocaglia says. “Now they feel invigorated and ready to go back and tackle their challenges.”