Respect in Security initiative aims to build reporting lines for infosec bods suffering harassment at work, conferences and online
Some of the stuff going on in the industry is completely out of order
A new initiative aims to make it easier to report personal abuse and harassment within the information security industry – without the involvement of social media mobs.
Respect in Security, launched today with support from Trend Micro's veep of security research Rik Ferguson, Lisa Forte, a partner at Red Goat Cyber Security, and other notable folk from the UK infosec scene, aims to set up a "vulnerability style" reporting scheme through which infosec professionals can flag up harassment and abuse to the abusers' employers.
Research commissioned by Respect in Security found that about a third of the 302 industry professionals surveyed had experienced harassment at work, both online and in person, with a significant amount of the in-person harassment occurring at industry events and during work socials.
Ferguson told The Register: "I was relatively shocked to find that professionals within the cybersecurity industry think it's OK to abuse other people within the industry... because of the way they look, the way they act, who they are, or to bring into question the level of their professionalism."
While it's easy for some to dismiss this kind of thing as coming from individuals unable to handle robust disagreements with other pros in a competitive industry, RiS aims to tackle behaviour that everyone agrees is completely unacceptable.
Forte shared her personal experience of the kind of harassment she hopes the initiative will tackle: "A gentleman in the industry printed out my profile photo, cut a hole where my mouth was, and then proceeded to film himself doing obscene things to that and send that to me on LinkedIn with his name and his company attached to it. And that's... Well, yeah, a what the fuck moment."
On a call with The Register, Ferguson read aloud a similar story, of a woman working in infosec who had connected on LinkedIn with a C-suite level infosec person at a large, non-infosec company. They swapped numbers so they could speak on the phone. Ferguson said:
He sent her an initial message saying could she send a picture of herself because her LinkedIn profile picture and her WhatsApp profile picture looked very different, so could she clarify… Then he started asking how tall she was. So it's not immediately perverted. But again, slightly off base. "He started calling me sweetheart, told me I'm very fuckable" and she at this point was "questioning whether you'd ever heard of the Me Too movement" and tried to steer the conversation back to cybersecurity, not wanting to lose out on the opportunity to learn from someone…
"Your voice is very agricultural... I think your voice is very agricultural, darling. Do you like [explicit sexual question]?" My response was along the lines of sorry, what the fuck did you just say on what level? Is this appropriate? I thought we were talking about cybersecurity. "Oh, sorry, darling. That was terribly naughty of me. I bet you're quite naughty. I'd love to talk to you about Cyber Essentials while I'm [obscene gerund followed by further disgusting suggestions]."
The conversation then moved to recorded voice messages being sent to the woman's WhatsApp account. All with the perp's real name attached.
RiS' aim is to encourage reporting of harassment directly to employers. Rather than calling for sackings, it aims to provide a way for people receiving this sort of thing to raise it through an appropriate channel. After all, if you're engaging in this sort of behaviour on a social media platform with your employer's name attached to it and sending it to somebody who's supposed to be a professional contact, it's not difficult to say that your employer ought to know about it.
Importantly, RiS aims to sidestep the social media that have become part and parcel of life in the 2020s. Forte told us: "People screenshot [posts containing horrible material], they put it on Twitter, they write some big sentence about how, you know, this is horrendous, look what this person's written. Then a large quantity of community members start going 'you need to block this person, do this, do that'. And that isn't appropriate."
RiS wants cybersecurity companies to sign a public pledge saying they are "committed to the preventions of all forms of harassment within our industry". So far Trend Micro, Red Goat Cyber Security, Custodian360 and more have signed within the first few days of the pledge's existence. It aims to have 50 organisations signed up by the end of this year, and to create a "diverse advisory board".
Though it is currently a UK-dominated organisation because of its origins in the Cyber House Party online social event, RiS' founders hope it will expand to become a global initiative. It is also seeking advisory members from human resources, legal, technical and marketing backgrounds.
Ferguson pointed out that harassment in cybersecurity can affect anyone, saying: "We've had people approaching us – not just exclusively women, we've had men and women approach us with stories of abuse and humiliation that are nowhere near that gray area… people creating fake social media profiles, in order to call into question your integrity or basically to defame you."
Four out of five of those polled by RiS (82 per cent) said their organisation has an anti-harassment policy and complaints procedure, though nearly half (45 per cent) argued that their employer should do more to ensure all employees understand what constitutes harassment and what acceptable behaviour looks like.
The initiative is also open to non-infosec companies. As Forte put it: "This is for end users as well, because a large company may have a SOC, they may have a very large security team employing a large quantity of security professionals." ®