������Ƶ

Ever tried to assemble a panel of experts? It gets complicated fast. Aside  from the crapshoot of aligning schedules, managing to balance an array of backgrounds and experiences is its own version of three-dimensional chess. And just in case we aren’t having enough fun yet, imagine arranging a diverse and inclusive panel in an industry that is .*

But in the midst of these planning challenges, it’s easy to forget about the impact of panel-planning on the panelists themselves, particularly women. And particularly women who are invited on the panel because they’re women…sometimes to break up a manel, other times to talk about diversity in cybersecurity.��

Female experts who step away from their day jobs to advance diversity discussions face a more pernicious challenge than just additional demands on their time. In a field constantly seeking knowledgeable champions willing to take on the issue of gender diversity, those cybersecurity experts that can speak with authority on what it means to be a woman in this space tend to get typecast into that role. This effectively forces women who already must constantly prove their expertise in their field to then also battle the well-intentioned but unhelpful trend of being known as “the woman who talks about being a woman.” While that role is important, women who have fought their way into a position of influence in information security rarely want their personal brand to be “the gender diversity lady.”

And beyond being a career-trajectory hazard, constantly asking an expert to talk about an issue that isn’t her area of expertise takes takes a mental tax. And so can asking her to talk only about her gender. “It […] can be extremely frustrating as I get asked what it’s like to be a woman in cybersecurity much more frequently than I am asked about my expertise,” Endgame Chief Social Scientist Andrea Little Limbago. In a prior Humans of Cybersecurity post, Limbago described “gender fatigue,” the worn-out feeling that stems from the implicit assumption that women alone will furnish the time and effort to correct cybersecurity’s gender imbalance by serving on panels, spearheading workplace initiatives, or becoming role models. “It is extremely difficult for the 10% to be expected to change the entire industry, on our own,” she .��

And sometimes, putting a woman on a panel, if it’s done to fill a “token” slot, can have a major negative backlash. Have there been times that our team has had to dig through our collective rolodex looking specifically for a woman to break up a manel? Yes. Definitely. However, we have always taken as a guiding principle that anyone invited to speak, male or female, should be more than just an expert on cybersecurity generally; they should be the right expert for the panel, which is to say well-matched in terms of seniority, depth of experience, and specific focus on the topic. Paraphrasing Kiersten Todt, a cybersecurity community leader who served as the Executive Director of the Obama Administration’s Commission on Enhancing National Cybersecurity, the worry is that if you put a woman on a panel who is not as knowledgeable as her fellow panelists just because you are trying to avoid an all-male panel, then it perpetuates the myth that women are not as competent as their male colleagues.

It’s also really obvious to the women receiving the invitation that they are the tokens, and to the audience: When the only woman on a panel specializes in a tangential topic, is less experienced than the others on stage, or is otherwise a significant outlier to the rest of the panel, it is not hard to guess what happened.��

What’s  the correct response for a female invitee in such a situation? Folks who have never been in the situation (and many who have) often suggest, “just decline the invitation if it makes you uncomfortable.” But it’s more complicated than that, because—much as we all would rather take a hard pass on the tokenism—most of the women in this space really do feel personally committed to serving as a role model for younger women, and passing on the invite means forgoing that chance.

It is not fun to weigh the value of being a role model against the concerns of being treated as anything other than an expert. Katie Moussouris—hacker par excellence, an organizer of the Pentagon’s bug bounty program, and ������Ƶ Cybersecurity Policy Fellow—put it succinctly in a this summer: “…when I get an invitation to speak somewhere, not based on my work, but because they want a ‘strong FEMALE speaker,’ I die a little more.” She points out that it may not be especially beneficial to be a role model for young women in cybersecurity when that effort only serves draw them into a field that consistently undervalues contributions by women.��

Her argument is at odds with a stark reality: work on gender diversity is essential, and needs to continue. The critically in-demand cybersecurity workforce can’t afford to ignore the female talent pool. And we can’t afford to stop having conversations about how to engage more women and girls, which will often involve… women and girls (and, of course, many terrific male allies). At the same time, there are still plenty of things that event organizers—and everyone—in the cybersecurity community can do to make sure women aren’t unduly burdened with the diversity problem—and that their expertise, beyond gender, is highlighted.��

1. Make sure that the experts you invite to speak at an event know exactly why you think their expertise is relevant and optimally placed to contribute to the discussion. If you can’t find a single female expert to contribute to your panel, don’t invite a woman that happens to be an expert in a related-but-different topic. If you can’t have an inclusive conversation on a given topic, it’s a good sign that you would benefit from rethinking the framing of your event.��
2. Prepare for cancellations. If you only have one female speaker scheduled to participate in your event, Murphy’s Law guarantees that she is the one who will get called in to the office to deal with an urgent crisis. It comes with the territory. Since we target leaders doing critical work in their fields, it is naturally the case that sometimes they will have to go do that work, and your panel will have to adjust. There are a number of ways to do this. The most straightforward is simply to have more than one female panelist. But a longer-term plan is cultivating a reputation for consistently providing a platform to qualified women not just as a pro forma consideration, but because it makes the programming better. That credibility, built over time, makes it much easier to stand on a stage and candidly inform your audience that “two of our (female) speakers are dealing with national security emergencies today, and we’re delighted to have their deputies join us.” Because when crises emerge and we lose a panelist, we prefer to know that the important women in our network are out doing their critical work.
3. Be deliberate about giving women in your orbit an opportunity to speak about their area of specialty. Mulling a general topic and trying to find just the right framing for an event? Consider approaching the topic in a way that specifically showcases the expertise of your colleagues.
4. Move the needle forward with every event you host on gender diversity in cybersecurity. Yes, there are some (…a few) people out there who have never seen a panel of women answer the very broad question, “what does it mean to be a woman in cybersecurity?” Those three people may find value in the simple solidarity of hearing their experiences reflected. But there is every reason to aim higher. Be specific and targeted in defining your topic and push your panel to seek out actionable next steps (by giving them questions to think about well before the event). This helps your speakers give concrete commentary, rather than trying to summarize the whole of their professional experience as a human female.

Attracting and retaining women in cybersecurity careers is really hard; we shouldn’t expect that crafting discussions around the problem will be easy. There are real challenges in addressing gender diversity that simply do not have good solutions. At ������Ƶ, we constantly run up against issues like respectful manel-busting and framing meaningful conversations on well-worn topics, and we don’t always have the right answers. To us, the important thing is to continue the discussion about how to do this right—even when it gets uncomfortable or complicated.

* I write here specifically about gender dynamics in cybersecurity, but there are certainly parallel considerations in other aspects of diversity. No one wants to be the token person of color, the token person with a non-conventional education, et cetera. I leave those conversations to the people who have lived them rather than trying to address them myself, but readers are certainly encouraged to seek out these perspectives.