‘Women are reclaiming their early influence in IT’ - Women in cybersecurity

Lead Security Researcher Tatyana Shishkova is among Kaspersky’s top experts, specializing in researching and providing detection for Android malware.

Not only does Tatyana excel at detecting and dissecting mobile malware, but she also teaches colleagues all around the world, giving webinars and presentations at cybersecurity conferences. Over the course of her eight years in cybersecurity, Tatyana has accumulated vast professional experience and developed strong immunity against gender bias in IT. We spoke to Tatyana about her choice of a so-far predominantly male profession, and her overall career path.

1in5
R&D team members

at Kaspersky are women. One-in-seven women are team leaders.

Time abroad has given Tatyana Shishkova valuable insight into how the gender balance in cybersecurity varies in different regions.

Always searching for a bigger challenge

I went to a school with an emphasis on English but figured out early that my interest in mathematics was much greater. I spent all my free time solving advanced problems — so-called assignments “with an asterisk”. Most schoolchildren have a distaste for these, but I spent hours digging into such problems. Once my mom noticed it, she had me join a chess and a math club. She did a lot to encourage and foster my love for STEM disciplines. The school curriculum was evidently not enough, so at high school I essentially prepared for my Moscow State University entrance exams on my own: I would complete a test in class in 15 minutes, and spend the remaining time solving more complex problems.

Nevertheless, as a high school student, I fluctuated between mathematics and journalism. I’d been an avid reader since childhood — we had an immense collection of classic literature at home, and I’d made my way through it by the age of 12 or so. I dreamed of publishing my own works and penned short stories “for later”. However, regardless of my still undying love for journalism and while still writing articles for a student newspaper, I eventually opted for the Faculty of Computational Mathematics and Cybernetics.

‘The Girl with the Dragon Tattoo’ led me into cybersecurity

In our year, girls accounted for no more than 30% of students. However, we were a very friendly community, and I never had to face a patronizing or condescending attitude from my male peers. They could indeed offer advice, but only because they’d been programming since childhood and had more experience. I recall only a couple of professors who might say something like, “you’ll only get credit for your pretty eyes,” but it was a rare occurrence. I know that many girls from my year went on to work in their degree field, securing positions as software developers, analysts, and project managers at IT companies. A few girls pursued an academic career.

You could say my interest in cybersecurity was sparked by popular culture. As a teenager, I watched “The Matrix” and was blown away. Later, in college, I read Stieg Larsson’s “Millennium” trilogy about Lisbeth Salander, a hacker with a dragon tattoo on her back. At the time, I was about to choose the field of my further studies, and I realized I wanted to dedicate my life to fighting cybercrime.

Naturally, movies and fiction often present a glamorized and simplified version of reality (even though we’ve seen a more realistic portrayal of hackers on the screen recently). It’s hilarious to watch a character enter a handful of commands and claim they’ve hacked into a government building, for example. Our work involves a lot more routine than the mass media shows. Nevertheless, I’m never bored and have never regretted my choice.

One of the highlights of my student years was at the Eberhard Karls University of Tübingen. I went there to learn cryptography, which is an essential part of our profession because fragments of malicious code sometimes become encrypted.

Ransomware is also a common type of threat, with attackers turning data on a hard drive into gibberish, and this type of encryption is sometimes reversible. We studied types of ciphers, how strong they are, and how they can be hacked. Studying in Germany was a fascinating experience, as I got to mingle in a multicultural community, meeting my peers from every continent. I noticed that the gender balance at the local faculty was tilted toward men too, but it was still better than back at home.

The malware I’ve defeated

I started my career at Kaspersky as an intern technical writer and moved on to become a junior malware analyst. I’d already heard a lot about Kaspersky and was excited to work for a company that had made considerable progress in the global market. I could combine work and studies and made use of my age-old passion for journalism.

Today, I’m a senior malware analyst. My responsibilities include analyzing malware that targets Android devices, while also writing Snort/Suricata rules to detect malicious network activity. The list of my most meaningful projects includes a study of banking trojans and a GravityRAT multi-platform family of targeted cyber espionage tools.

Kaspersky’s figurative malware “collection” includes a great many specimens detected over the years. You can’t help but admire some of them in terms of the ingenuity of their code. Of course, I’ve handled many of them, but there’s no point in trying to keep count.

Women of Suricata to the rescue!

As part of my work, I often participate in conferences and give workshops on detecting network penetration – that is, cyberattacks on companies. I’ve never had to deal with bias against me. However, women in cybersecurity are few and far between, and there are illustrative occurrences that demonstrate the real status quo in the industry. I remember giving a workshop to an audience of about 30 people and being the only woman in the room!

Student conferences are also predominantly male. Women who consider building a career in IT or infosec can find support in communities that don’t show prejudice across gender, race, ethnicity, status, sexuality, or age. Enthusiasts from such communities often organize engineering workshops for female audiences, which, in my opinion, is helping to change the situation.

I, for one, am a member of the Women of Suricata, a community founded by female members of the Suricata IDS non-profit project. In brief, Suricata IDS is an open-source system detecting network penetrations. Its development began 12 years ago with the Open Information Security Foundation, a non-profit established by a handful of enthusiasts.

Today the project has gained support from like-minded enthusiasts all over the world. Most of them work at cybersecurity companies, and, of course, most of them are men. A while ago, I started writing detection rules for Suricata IDS and giving presentations and workshops on the matter once I’d gained some experience. I finally got to meet the team at a conference organized by OISF developers. Even though the number of women on the OISF team was increasing (as many as three new female members joined last year, including two Outreachy program interns), we decided to encourage more kindred spirits to join us and founded a dedicated community last year: Women of Suricata. Its purpose is to unite women contributing to Suricata IDS, educate them about career opportunities in cybersecurity and open-source software development, and, of course, offer mutual encouragement in all our endeavors. We communicate a lot, sharing professional experiences and personal stories.

This helps us navigate both the cybersecurity expert community and our primary work environment. For instance, a newcomer in a predominantly male team may feel shy about admitting that she doesn’t understand something. In our community, she can feel free to ask any question and get the answer she needs.

There are similar professional communities that also convene on a regular basis like we do. In other words, if you’re a girl with a passion for cybersecurity in general and Suricata IDS in particular, let’s get to know each other and stay in touch. Don’t hesitate to message us at info@oisf.net and follow our Twitter account for updates on upcoming events.

Me vs. stalking

Unfortunately, modern women face numerous problems besides the lack of confidence in their IT expertise and career prospects. One such problem is stalking, which can be done through the victim’s mobile devices. This behavior is called cyberstalking, and the applications used for such purposes are called stalkerware. Admittedly, men aren’t safeguarded from such harassment either, but the statistics show that male abusers are responsible for most installations of spying software.

They can use such applications to track their victim’s every step, from moving around town to correspondence, social media activities, and messaging apps. Kaspersky’s security solution for Android warns its users about the installation of such a program on their mobile devices. My job is to detect stalkerware programs, classify them, analyze their functionality, and consider ways of enhancing the detection of such applications.

This is how I contribute to the international Coalition Against Stalkerware initiative. The coalition brings together cybersecurity vendors like Kaspersky and organizations helping home abuse victims. Our goal is to raise awareness about the issue, protect the victims of stalking, help them identify when they are being stalked, and educate them on how they should proceed if their suspicions are confirmed.

The core of the problem today is that the majority of such programs are widely distributed online on a commercial basis or even sold under the guise of parental control or employee monitoring tools. Many countries do not treat such software as illegal, making it fairly easy to purchase and download it. Removing such a program, however, means risking violence at the hands of the person who installed it, because they receive an immediate notification of the uninstallation. The Coalition website offers guidelines on what to do and where to seek help in such a situation. This is an extremely pressing issue, and our latest statistics confirm its urgency.

My work for the Coalition is a humble contribution to combating domestic abuse – a cause that unites human rights organizations worldwide.

Taking IT back to its roots

The cybersecurity industry can only benefit from gender diversity. Any problem can be solved more quickly and efficiently if the people solving it have different perspectives. Besides, women are often more likely to be more careful and meticulous, paying attention to the tiniest details.

As a result of Kaspersky’s Safeboard internship program, I see more and more girls among our interns each year. By following this program, they get the opportunity to pursue a career with Kaspersky. I also know many women who occupy managerial positions at other Russian cybersecurity companies.

Why should girls consider a career in IT or cybersecurity? It’s a promising field that pays well, and you can work from any corner of the world – all it takes is internet access. I’m living proof of the fact that a woman interested in cybersecurity has every chance of realizing her potential.

I can’t help but wonder sometimes why IT is considered to be a male prerogative. How did that happen? It’s well known that the first programmer was female: the English woman Ada Lovelace, whose name was commemorated in one of the programming languages. As late as the middle of the 20th century, when computers occupied entire halls and the user interface was limited to punch cards, programming was viewed as a woman’s profession rather than a man’s. My grandma also worked as an electronic computer programmer!

What brought about the change? That’s a question for a separate discussion, but we can and should change this imbalance. In fact, it’s already happening.