Minisite Gear

Experience the pulse of the Americas with Minisite Gear: Your go-to destination for digital news and analysis.

Technology

RootedCon: A ‘mistake’ in a talk that reveals why it is so difficult to be a woman in cybersecurity: “It was an absolute lack of professional respect” | Technology

On March 7, Gabriela García and David Meléndez gave a talk titled “Dark territory: paralyzing the railway network of an entire country” before 1,500 people at RootedCon, the largest cybersecurity conference in the Hispanic world. Everything went as planned. The talk was about a delicate railway safety vulnerability, in signaling. García is a software developer, hacker and professor, and Meléndez is an R&D engineer on the to hack from Innotec Security with more than a decade of experience in the community.

The talk, not yet available online, had some impact on blogs and media. But a few days later, García expressed a complaint that he sent as a message on “The development and explanation were @TaiksonTexas (Melendez’s nickname in X) and I was working 50%.”

That message caused a stir. It received dozens of responses and expressions of support and led the Hispanic cybersecurity world to ask a lot of questions about bias, meritocracy, and gender. What seemed apparent despite the fact that it promptly revealed a much more complex situation.

“It was an absolute lack of professional respect,” García tells EL PAÍS. “I have seen it repeated several times, it has led me to complain to draw attention to the lack of attribution of something that is mine and that can close doors for me on a professional level because it is a very striking talk also on a technical level,” he adds. EL PAÍS has consulted a dozen people in the sector. Nobody denies that there are few women in cybersecurity and that their path has its own difficulties.

There is, however, more debate about the reasons and the general difficulty of getting ahead in such a competitive sector. García explains: “Technology, and especially cybersecurity, is very competitive, full of egos, and sometimes your work is not enough, you have to be known in some way by your colleagues. It is a hostile environment in general, and for women it is no different. Technology is not a field that invites you to enter, and cybersecurity, even less so,” she says.

At the conference, the wishes with García are evident on several levels. Thus, for example, Meléndez explains what the end of her presentation was like: “They came to greet me and Gabriela barely said anything to her and they said goodbye with ‘see you later guys.’ I have been giving lectures for 13 years and I am in the soup in the sector. They can shake my hand before Gabriela because they might have seen me more,” says Meléndez.

Despite that feeling, Meléndez says that it is not just a gender issue and that he has also suffered this “ignorance” for other reasons “since it started”: “I firmly believe that, more than a gender issue, it has to be See who doesn’t like you. You see how they call you from one place, but not from another, although we occupied 1,500 places at RootedCon. In the sector, everyone knows me as the drone guy, but then it’s very curious to see how when it’s time to talk about them, literally anyone else comes to the fore, and that can only be the result of egos damaged by something you do or stop doing,” he explains to this newspaper.

The organization of RootedCon works, except in specific cases, with a rigorous commitment to the most interesting works with anonymous voting, explains Román Ramírez, co-organizer of the conference: “We have a very rigid position about not putting women under pressure in the event . We don’t want any woman to think that she has been screwed because cybersecurity is a very meritocratic sector in the most technical part,” says Ramírez. Demonstration with code is an unforgivable and widespread condition. “It’s a red line. The talks we give at RootedCon are technical demonstrations: either you demonstrate or you don’t come,” says Ramírez.

For this reason, García’s disappearance is even more flagrant. To this difficult combination of wounded egos, years in the community and the clear commitment to meritocracy is added a characteristic that complicates access to women: computing, and even more so cybersecurity, has always been an extremely masculine sector. “In the sector in general there are between 1%1 and 18% of women,” says Ramírez. “In Rooted there have been years where it has been 5%, but this year we reached 24%.”

Gabriela García, software developer, hacker and teacher, on Gran Vía in Madrid. Samuel Sanchez

After the explosion of the debate in ethical hacker and technological architect Fran de la Iglesia set up a talk of more than an hour with García and Meléndez on his Twitch channel titled The forgotten ones of ICT (new technologies). “Although we would like to apply quotas in technology, the percentage of women is so small that it would not even be technically possible,” says De la Iglesia. “There may also be something there with it being a very mathematical analytical world; After all, computing is equations and programming languages. I don’t know if maybe it has to do with that or that for a long time it has been a predominantly male site and what is needed is time for it to come to an understanding. parity in quotes,” he adds.

A historical gap

“The gender gap in cybersecurity persists due to historical male dominance in the field,” says Elena Casado, head of cyber intelligence operations at Deloitte. “Women face additional barriers, such as man explaining and, in many cases, the need to work twice as hard to be recognized as professionals,” he says.

Marta Barrio, engineer at Oracle Netsuite, is co-founder of Securiters, an outreach project created in 2021 and one of its initiatives is to create a space where more women in the community get to know each other. Like other engineers with years of experience, Barrio explains that she has not felt made invisible by her colleagues. But there is something that is more difficult for women and that they define as “three barriers.” “At first you saw a woman give a talk and you automatically thought: ‘be careful, she is going to tell something interesting, because to have been selected she is sure to be good,’” says Barrio. When there were more women they began to verse in a different way, she says: “’They must have caught her for being a woman and thus improve her percentages,’ I have heard many times,” she adds. This reaction to the growth of women created this triple barrier: “The first is mental, of believing yourself that what you are going to tell has value. The second, exposure and speaking in public, but we still had a third imposed, ‘I have to prove even more so that they don’t think that I am here because I am a woman’, which implies extra pressure and that many people are not willing to expose themselves because of that fear,” he says.

‘You didn’t look like a speaker’

That barrier of having to make it perfect so that no one believes that a woman’s presence is due to a quota has obviously harmed its growth. Even more so if, as in the case of Gabriela García at RootedCon, when she does everything as her community demands, they then “forget” about her. “From what they told me, I ‘didn’t seem like’ a speaker,” she wrote in one of her messages on X. It is the height of invisibility: meeting all the requirements and still being undervalued.

This situation has consequences that are difficult to measure because it depends on the character and confidence of each person. Cybersecurity is not that different from the rest of society, but the lack of female presence creates a circle that is difficult to break: “I know girls who are very reputable technicians and they are still there, but it is true that they are few and they agree that they have a strong character . with a quite imposing personality,” says Iris Martín, cybersecurity specialist.

“But in general, the girls who work in areas with many men, we do not present or publicize until what we do is three times better than our colleagues. Or in job offers, most guys if they see a job offer and ask for ten things, they apply if they have two or three, but most of us, if we don’t fulfill nine out of ten, we don’t apply. Because of this pressure, many of the girls who started as technicians went to management areas because they were more comfortable or because they paid more,” adds Martín.

This distinction is evident even for a newspaper article like this one. EL PAÍS has had to contact twice as many women until it had a sufficient group that wanted to give their opinion on this situation. All the men contacted responded quickly and without precautions. “It is because of the culture itself that we are involved in,” says Rafa López, professor and cybersecurity specialist. It is assumed that since there were very few girls in the race, their background will be “not very technical and more philosophical”: “There is a prejudice that that person is not going to give me a technical talk because I am a woman and because being a woman is associated with that you don’t come from a technical career,” López clarifies.

The pressure to keep up extends throughout the technology sector, beyond the strict scope of cybersecurity. Azahara Fernández Guizán comes from health biology, where she has a doctorate, and then became a software developer. Even co-workers in her case assume that her duties are not technical: “You already know that I am a technician, that I do not have any management role. “Who do you think does my work on a day-to-day basis,” Fernández Guizán, who has won a Microsoft programming award three times, responds. Now she will publish a book: “I have some nerves,” she says. “I told my editor, to see what is going to happen and what they are going to say. Maybe they tell me that the technical part of the book is wrong, or how they are going to approach it. It is always a very big double standard,” she adds.

You can follow EL PAÍS Technology is Facebook and x or sign up here to receive our weekly newsletter.

Subscribe to continue reading

Read without limits

_