Cultural Toxicity in the Cybersecurity Industry
In 2007, my wife and I chose to rid our personal and professional lives of toxic people and companies. We ‘fired’ a couple of our large toxic clients and ~15% of other clients we considered toxic to our business and mental well-being, happily relinquishing income and also providing substantial refunds. For our sanity and karmic balance, it was the right thing to do; we chose to run business culture where decency reigned over money. Felt good, and we still relish the resulting peace.
Similarly, between 2016-2021, we cleaned up our social contacts, including friends, acquaintances, and family members, who spewed offensive rhetoric, hate-filled suggestions of violence against my wife, rejected science in favor of unsubstantiable beliefs, and displayed a lack of respect and decency towards the common good of society. It sucks to have to do that, but we have always been compelled by the overarching Spockism, “the good of the many outweighs the good of the one.”
Today, I am faced with a similar dilemma: Should I distance myself from EC Council and Hacker Halted because of what I and others perceive as their contribution to toxicity in cybersecurity?
Let me explain.
On 9 April 2021, EC Council posted an incredibly offensive diversity survey on LinkedIn that has since been referred to by my colleagues as pure sexism, misogyny, and patriarchalism and garnered a powerful industry response.
This was followed by an even more egregious blocking of some EC Council Twitter accounts,(See Fig. #3), which were apparently held exclusively by women who were critical of EC Council. As you read through the links below, you will see a further tone-deaf EC Council statement, with suggested dress-codes for women from 2015. (See Fig. #5)
Admittedly, I was unaware of this event until an equally offensive plagiarism event was made public by the highly respected Alyssa Miller on 28 June 2021. Was this another case of sexism or misogyny because of Alyssa’s gender or a complete lack of ethical oversight by management? I find either reason unacceptable.
The plagiarism issues brought against EC Council a decade ago seem so distant, yet those relevant, perhaps forgotten, memories are revived in the midst of the current crises facing EC Council.
I have since been asked by many colleagues whether I will appear at the upcoming Hacker Halted event. The difficult answer to that question is compounded by the fact that the event is being held in Georgia, where significant citizens’ rights of other kinds are presently under serious and much publicized hate-filled attacks.
Having been an active supporter of EC Council and Hacker Halted for many years, I have developed mutually respectful and productive relationships with many of the front-line people, whom I now suspect are asking themselves equally awkward career-altering questions. As a white male, I cannot pretend to have ever experienced such treatment. However, I can at least empathize and attempt to put myself in their shoes.
After 38 years in ‘my’ industry (our collective community, of course, which I have loved for going on five decades), I have a choice: quietly decline appearance at Hacker Halted and end further support for EC Council and other organizations and events that toxify our industry, or to speak out, and encourage others to come forward, especially those who have likely faced greater moral challenges than my current situation/decision.
My soul tells me silence on core issues such as these that affect our industry is an abdication of moral and ethical responsibility. If I allow the wrongs I see to continue unchecked, I am as guilty as those who perpetuate them. History has taught us silence is not an option.
Therefore, in response to all those who have asked, it is with profound disappointment that I have decided to suspend dealings with and support for the EC Council. I will not attend Hacker Halted, physically or virtually. I will not speak at their events or support their industry efforts. I hereby resign from my volunteer advisory position. An organization’s leadership must do more than say, “I’m sorry”, blame interns, or offer platitudes and promises of adding diversity to advisor groups.
EC Council needs a reboot. Especially at the top where the roots are laid.
Will the EC Council survive this?
Maybe. But not if current leadership remains and maintains the current toxic culture, and if it doesn’t replace declarations of ignorance and blame with meaningful actions.
Maybe not. Not if the cybersecurity industry, from sponsors to attendees and speakers and certification adherents, shouts loudly, as a unified voice, “Enough is enough.”
Marginalization of anyone is both toxic and patently unacceptable; be it race, gender, or any other descriptor that has been used to differentiate and divide us as a people.
The first difficult step is recognizing the need, for your own mental health, to remove toxicity from your life. It is not easy, I promise you. I’ve been through it in two industries. Then, removing that toxicity, personal or professional, can be even more tasking. Removing it from our industry is an imperative, especially given other culturally toxic industry environments we have regrettably permitted to fester through inaction. It’s never simple to make tough, wise choices in life and in business. But it is necessary.
One lone voice is all that is needed to initiate change. Groups of us, though, can indeed create a tsunami of cultural renaissance for the cybersecurity industry. We must collectively hold organizations accountable for ingrained and cultural toxicity by removing support and sponsorship. That’s only a start. There is much to do, as this is not a new issue. I recall the anti-Booth-babe stance many in the industry took beginning after RSA in 2013. sHow little progress we’ve seen in a decade. Le Sigh.
Finally, knowing how tough decisions like this can be, recall what Dumbledore said in Harry Potter Vol. I. “There are all kinds of courage. It takes a great deal of bravery to stand up to our enemies, but just as much to stand up to our friends.”
Only you can choose what is right for you and our cybersecurity community.
Winn Schwartau, FRSA
(These are my personal, individual views and choices. They do not represent those of any organization with which I am associated.)
A few references. Please continue your own research and come to your own conclusions.