As CSO of Auth0, Joan Pepin is responsible for the holistic security and compliance of the company's platform, products, and corporate environment. She brings over 20 years of experience to the role, with a career that has spanned a wide variety of industries, including healthcare, manufacturing, defense, ISPs, and MSSPs. Previously, Pepin served as Business Information Security Officer (BISO) at Nike, Inc., as CISO and VP of Security at Sumo Logic, and in various positions within the Guardent/Verisign/Secureworks organization. She holds a patent for a methodology to assess whether a communication contains an attack.
She is also a well-recognized thought leader who has spoken at major events such as RSA, WhiteHat Security Summit, and Forrester Security Summit, and is frequently called upon for her expertise and commentary on cloud security and compliance in large-scale and DevOps/CI environments.
Here, we talk to Pepin, who has focused her time on mentoring and advocating for women in cybersecurity and technology, working to reconstruct the notion that women should only work within their bounds, and encouraging women to reach higher and challenge the status quo. She actively supports, advises, and works alongside women in the cybersecurity industry, including by participating in organizations like Women Who Code and Women in InfoSec.
Security magazine: What are the challenges and barriers that women face with a career in cybersecurity?
Pepin: The worst trend I’ve seen over the years in cybersecurity is the inclusivity problem, especially for women and those in the LGBTQ community. The issue largely stems from the fact that only 11% of information security practitioners are women, according to a recent (ISC)² study. As a community, cybersecurity professionals need to be more welcoming. Generally speaking, there’s a pervasive attitude in the field that if you don’t already know everything, you don’t belong here. It’s a self-defeating behavior, and we need to encourage and support people trying to break into the field, especially with the huge number of jobs to fill.
Security magazine: What advice do you have for cybersecurity/tech companies when it comes to being more inclusive to transgender employees?
Pepin: First and foremost, companies need to bring in an educator or educate themselves on the issues, so they can answer initial questions, instead of leaving it to the trans person to be a spokesperson for the transgender community. When a trans employee comes out, it’s important for leaders and managers to have a discussion without the person present, so teammates can ask questions that might otherwise be awkward or sensitive. Having someone make the announcement for you and establish the rules of engagement makes the process tremendously easier. For example: “This is the person’s new name and pronoun, and we expect you to use it.”
When I first came out, I had the support of an HR business partner who had gone through a transition with an employee at a previous job, and helped me navigate issues in the workplace. A compassionate HR partner is critical. It’s a huge bonus if management throughout the company is engaged and compassionate, and can listen, understand, be supportive, and take appropriate action anywhere in the chain of command.
Companies also need to do a better job of encouraging trans people to apply for jobs in the first place. Show up at local LGBTQ and women-centric events. Make sure your job postings aren’t biased. Bring T-shirts in appropriate sizes. These are all ways to show you’re able to walk the walk, and diversity isn’t just a checkbox.
Security magazine: Since starting your career in cybersecurity 20 years ago, would you agree with the statement that diversity has become more important and necessary to the security space?
Pepin: Absolutely. As an example, over two years ago I called out the RSA Conference for the lack of keynote speaker diversity at the largest and arguably the most influential information security conference in the world, specifically citing their lack of women speakers. In 2018, women made up only 11% of the cybersecurity workforce, but since then that’s improved. According to a recent (ISC)² study, pay disparity remains, but women now make up roughly 24% of the cybersecurity workforce. After a lot of press and social media response, RSA announced a Diversity Initiative that included expanding its advisory board, greater outreach during the call for speakers, and the elimination of all-male panels on the keynote stages.
Countless studies have proven the benefits of diverse teams and leadership, including a recent one from BCG which found that companies with above-average diverse leadership also brought in a 20% increase in innovation revenue. Real diversity results in diverse thinking, which benefits the bottom line. The visibility of these studies may be part of what drove sponsors like Microsoft to send a woman to RSA recently. It may also be that more women have risen to powerful roles, or that the shame of negative press just wasn’t worth it. But since RSA changed its rules and specifically said that they support diversity, the change is there. That means sponsors were required to meet those standards. While there is still a lot of change to be made, good progress has been seen in recent years due to both pressure and a desire to change for the better across the board by companies.
Let me be clear: The issue of finding an equal number of female speakers or diversifying the industry isn't a numbers game. Rather, it's critical to the expansion, growth, and sophistication of our industry and trade. Diversity isn't just different appearances or labels. It's beyond that. It's about diversity of thought, the differences in our problem-solving processes and perspectives — and it is a critical component of true innovation.
Security magazine: In your opinion, and as a mentor and advocate for women in security (and tech), why should security leaders work to reconstruct the notion that women should only work within their bounds, and instead, encourage them to reach higher and challenge the status quo?
Pepin: Cybersecurity companies have a monetary motivator to make changes around inclusivity for women in-house, but there’s also a pragmatic and moral responsibility (which circles back to why shaming works). We need a diverse set of people and perspectives (skills), and since tech is one of the Gold Rushes of our time, we should endeavor to make sure that opportunity is distributed fairly. This is one of those moments where we can do a lot of good easily, and be a part of the start of something incredible which allows women to overcome bias/sexism and enables them to reach their potential within cybersecurity.
Security magazine: How important is mentorship to women and diverse individuals?
Pepin: Based on my experience and what I’ve seen in the space over the years, mentorship is extremely important. I was really fortunate to have a mentor while I was starting out as a security engineer who saw that I had potential for management and leadership. That person managed to drill into my head that since impact was really what I wanted to have, there was only so much of it I could ever have with only my two hands. No matter how grandiose my designs were, I'm still one person working with my own two hands. To really have an impact on the company I was working for at the time, he convinced me that I needed to manage people. I now formally mentor a number of people, mostly women, but not exclusively, and I'm a change agent in the companies I work for. This is something that is very important to me personally and professionally, and I love being able to help others going through similar experiences as me.
Security magazine: Reflecting on your own experience, what guidance can you offer young women or those in the LGBTQ+ community, or those who have recently started their cyber careers?
Pepin: I've had to do a lot of fighting perceptions throughout my career, with many of those being about women. I've also had to fight perceptions about queerness and trans-ness, which can often lead to issues in advancing your career to where you want to be.
If you are an entry-level professional in the space and you have an aspiration in the back of your head someday to be, it can be daunting to look from where you are to that role and imagine how you're going to get there. But what if you just look at your boss and say, "Could I do that job? Do I want to do that job? If I feel like I can do that job, then what's my path to get there? How do I get that job? If I don't feel like I'm ready for that job, what am I missing, what are the skills that I need, and can I ask my boss, 'Hey, boss, if I were to have your job, what do I need to know, what do I need to learn, what don't I know right now that you do?'" If you can't build that relationship with your boss, find someone else with a similar role that you can build that relationship with, and ask those questions.
Do your own personal gap analysis and fill those gaps, which leads to the career progression. That's the skill. Since my teens, I have always looked at my boss and said, "I could do that." Honestly, it wasn't until, I think, I was reporting directly to a CEO that I looked at my boss and said, "Oh, I don't even know if I want to do that." So make it a little more of a bite-sized chunk, one step at a time: how can I get that next position?