Around a third of cyber security professionals say they have had personal experience of in-person and online abuse and harassment during the course of their work, according to research data commissioned by Respect in Security – a newly established scheme that is urging organisations to pledge their support in making workplaces, and the security community, free from harassment and fear.
Sapio Research polled 304 cyber professionals across multiple age groups and levels of seniority from small and medium-sized enterprise (SME) level through to large businesses. It found that while the vast majority of employers operate anti-harassment policies, nearly half of respondents believed their employers could be doing more to make it clear what harassment is and what acceptable behaviour looks like.
Out of those that reported experiencing in-person harassment, most said it came at industry events (36%), in the office (47%) or work socials (48%), while online harassment was most likely to have occurred on Twitter (44%) or via email (37%).
“Harassment comes in many forms. It might be online or in-person, physical, verbal or non-verbal, and involve direct communication or deliberate action to exclude individuals. It violates personal dignity and can create an intimidating, hostile, degrading, humiliating or offensive environment for the victims,” says Rik Ferguson, vice-president of security research at Trend Micro.
The Respect in Security initiative was conceived by a group including Ferguson and Red Goat’s Lisa Forte following an online panel session on harassment and abuse earlier in 2021 at the Cyber House Party event at which Forte was speaking. Ferguson tells Computer Weekly he was “blown away” by what Forte told them she had experienced.
“As individuals, we had no idea. Of course, we were aware that abuse happens within the home and within relationships,” he says. “But what was super shocking to us is that even within personal circles with peers and colleagues in industry, really it’s no better and sometimes can even be worse.”
The two talked after the event and the initiative was born out of these conversations. “It was out of a desire to actually do something to change and challenge the status quo rather than saying, ‘That’s awful, I feel really bad for you’,” says Ferguson. “We wanted to be able to do more than that.”
A massive problem
It is quite hard to gain a true picture of the scale of the problem with regard to security – in part because a good deal of abuse and harassment, whether online via social media or in-person in the workplace or at industry events, goes unreported and unchallenged, says Forte, who founded Red Goat in 2017 following a successful career in counter-terrorism and law enforcement.
“There have been lots of reports from lots of different people, men and women, who have suffered from harassment, and very concerning conduct of people at conferences,” she says.
“Some people have had death threats, rape threats, stalking, their names dragged through the mud – individuals who both Rik and I know have had fake profiles made in their name to try to discredit them. It’s every shade imaginable, really.”
Forte says she had previously thought that harassment was limited to sexual harassment against women – but as the study shows, abuse and harassment in the cyber community is not strictly split by gender, with those who had been targeted fairly evenly split between respondents identifying as male, female, and non-binary.
“This is not just about protecting women in tech. We’ve had guys come up, people from all different races, religions, genders – it’s something that transcends all of that,” she says.
Forte says it’s not necessarily accurate to state that individuals in the cyber security community are more likely to be abused or harassed than those working in other parts of the IT sector, such as software development or the channel, but there are some factors in play that may amplify its prevalence.
“For example, our community is very, very heavily focused on being online. That’s a huge part of the security community,” she says. “Anonymity is another factor in the infosec/hacker community.”
Ferguson adds: “Due to the kind of work that we do and the kind of skill sets that people within this industry have – and our pursuit of ever more knowledge, ever more contact, ever wider circles – we are hugely predisposed to living a large proportion of our working day, if not the whole day, online, whether that’s on social networks or in closed groups.
“That aspect of being connected all the time, and having a very globally wide social and professional circle, does make us more prone to instances of harassment, because people are more connected, talking and engaging more with people who they may not really know that well, and opening themselves up to lots of other people that they do not know at all.”
Where individuals become involved in a so-called online pile-on, where somebody is attacked by a large group of people for something they have said or done on social media, security pros may join in with the best intentions, such as defending a friend, only to contribute to the online drama in a negative way.
“I do think there’s an activist side to the infosec community as a whole that probably lends itself more to people wanting to take action and do something than perhaps there are in other industries,” says Forte.
And such blow-ups can happen over the most mundane things – sometimes not even related to cyber security at all, she adds.
“I posted, a few months ago, a picture of a cute monkey and I wrote some sort of tag saying ‘Look how cute’ or something like that, and within probably 10 to 15 minutes I was accused of supporting animal trafficking and being some sort of organised crime lord. All from a picture of a monkey,” says Forte.
“That’s not something that’s going to ruin my day – in fact, in some ways it’s laughable – but the point is there are so many people now who say, ‘When I go to write a tweet, or a LinkedIn post, I stop and think, what are people going to say, how am I going to be criticised, where is the abuse going to come from?’.
“And sometimes they think, ‘I’m not going to share that image or this idea or this question because the consequences are going to be bad’, so the net effect of that is actually the community is silenced.”
Taking the pledge
Respect in Security is calling for companies to come forward to sign a pledge, more details of which can be found at its website, that commits the organisation to working towards a workplace environment that is free from harassment and fear both inside and outside the business.
Ferguson says this will go beyond established codes of conduct around workplace harassment and bullying by making it clear who has signed up and the precise commitments that they have signed up to. This is important because unlike internal anti-bullying policies, the security community is spread across thousands of vendors and service providers and millions of individuals and end-user organisations.
“Hopefully most companies have an internal mechanism for dealing with harassment and bullying, but that doesn’t cover if Person A from Company 1 is being targeted by Person B from Company 2,” says Ferguson. “Where do they go? Who do they speak to?
“We want the victim to know that they do have a recourse, they do have somewhere to go. They will know if that company has signed the pledge, they will know they will be taken seriously, that they will be listened to, and that there is a structure in place to deal with those kinds of incidents.”
Ferguson draws parallels to how Trend Micro would deal with a security researcher who has discovered a vulnerability in one of its products and wishes to responsibly disclose it.
“We have a documented, externally available procedure for what you do – here is the email address you write to, the timeframes we will respond in, and what you can expect from us. I want that same kind of structure and confidence in the process around harassment complaints,” he says.
Respect in Security hopes to sign up around 50 companies during the course of 2021, and to grow the programme out from that point. The founders are also keen to hear from parties and organisations in other countries that may be interested in localising the scheme for their geographies.
But it doesn’t stop there. The initiative also plans to have a way for individuals to pledge their personal support to eliminate abuse and harassment. “That’s not going to be about calling people out or reporting them. We’re not creating a Stasi-like movement within the industry,” says Forte. “But it’s going to be about sharing and saying, ‘I am a supporter of this movement’, and it’s going to be about personal accountability.”
Ferguson concludes: “We want to encourage people and organisations to build a more respectful environment, we’re not going to go out and be the Respect in Security enforcers. But we are certainly there to give people the comfort and the security of knowing that the profession that they have chosen to work in and hopefully the employer that they have chosen to give their effort to believes in a fair and respectful environment free from fear and harassment.”