Should the EC-Council Remain a Standard in Cybersecurity After Sexist Poll?
Earlier today, The EC-Council found themselves in troubled waters on social media. Early today, the EC-Council published a poll promoting an upcoming webinar through LinkedIn asking “What according to you are the most common challenges faced by women in the cybersecurity domain?” along with three options. Of those options, two were sexist, while the other said “women aren’t encouraged enough“. As you can hope in cases like this, the industry didn’t generally take too appreciative of the poll.
Industry professionals from all over immediately denounced the poll, questioning the intention and calling out the language used, and asking the organization to do better and be more responsible.
Um @ECCOUNCIL were all of these answers intentionally wrong? The issue is ACTIVE discrimination, toxic behaviors in the tech industry, and systemic forces that push or keep women out. Simply “encouraging” women isn’t going to fix it. A bad look for EC-Council right here. pic.twitter.com/KjULhP5GhI
— Alyssa Miller – 🌈Rainbow Teamer🌈 (@AlyssaM_InfoSec) April 9, 2021
As the day progressed, the EC-Council appeared silent in the calls to address the poll, but began blocking women who were constructively criticizing the poll while not blocking men, adding insult to an already tone-deaf poll. While eventually, they began blocking a handful of men, the gravity of that fact that women were seemingly the primary target cannot be dismissed. This led many in the industry who were already starting to second guess their relationship or potential relationship with the EC-Council, to take their concerns further with their HR and Recruiting departments, and others even reaching out to their affiliated educational providers or institutions to ask them to reconsider their relationship.
It was just around 5 pm Eastern that the EC-Council finally broke their silence, via a reply to @AlyssaM_InfoSec apologizing for the poll, and their blocking of people. As of the writing of this article, however, they have yet to formally address this entire situation with a direct post on their actual Twitter or LinkedIn. It also leaves a lot of questions unanswered, and things left unaccounted for. People assembled direct evidence that their blocks were largely pointed at women while men, could continue to criticize the organization.
So, Why Does This Matter?
This matters for a number of reasons. The most prominent is that women already face being disregarded, discriminated against, and subject to toxic behaviors that depreciate their valuable contributions because they aren’t seen as proficient, capable, technical, or stable. Like PoC and LGBTQ persons, women often have to go further to prove themselves, often having more credentials and knowledge than the position necessitates or that their colleagues would have in a similar position, just so they can be taken seriously. It’s absolutely exhausting. The idea of solving it through encouragement is a further disregard for the experiences women face. It leads to isolation and even amplification of harm because you are still insinuating that the person is the problem, not the industry. Why would someone want to work in a toxic environment?
The second reason this matters is that as an industry certification provider, EC-Council is representing our industry. Their certifications are recognized or even required by educational institutions and employers. An organization such as the EC-Council should be setting the example on how the industry should be more Diverse, Equitable, and Inclusionary. When you are trying to address these kinds of situations, you cannot be disconnected from the reality that people face. At the point where this became active on social media, they could have acknowledged that they deleted the earlier poll, recognized the response they received and will make a statement. Instead, they left the poll up for hours and began blocking people as the heat intensified.
The third and final reason this matters (in my mind) is that when they finally did acknowledge their actions, it wasn’t done in a way that would show they were holding themselves accountable for their behavior, and instead, apologizing directly to a few of the people. While certainly, they should directly apologize to those they intentionally blocked because they didn’t want to address the criticism, that’s not evidence to me that the organization is actually sorry. Apologizing only to those who directly called you out ignores those who didn’t call you out and began feeling the EC-Council is not one who should represent them in their career, their employers, or their educators. Maybe the EC-Council will post a more direct apology to the entire industry in the coming day, but I’m not holding my breath given their behavior thus far. It can’t help but feel as if the same ethics they require for those they certify, seems not to apply to their staff or vendors. If that’s the case, then how can I trust that the EC-Council will hold others in the industry accountable?
Sadly, yes. As one can expect, when the spotlight is placed on something, this can lead to a number of additional potential insights as to the history of the EC-Council. One of the most interesting I saw was this photo from a book published in 2015 outlining a dress code they expect certified professionals to adhere to. While what is “professional” is subjective, what really gets me is the specific shoe requirement for women.
Other reports on social media, I was unable to qualify enough to speak to as of the writing of this post, so I will leave them for you to discover and come to your own conclusion. Feel free to comment on your experience below.
At the end of the day, I expect any organization that represents an industry, that violated the trust of their own industry and possibly the public, to hold themselves accountable quickly and appropriately to their actions. Accountability is a core tenant of security because that directly relates to trust. If you cannot hold yourself accountable, you cannot be trusted. If you cannot be trusted, then your ethical statements are not worth the paper they are printed on, and it’s time we reconsider how the industry recognizes the EC-Council moving forward. I think it’s time we reconsider. I will personally be opting out of any EC-Council certification unless they make significant progress.
Want to Read More?
(Update 4/12/21) Check out a newer article written by Eleanor Dallawy on her perspective on this, posted over at InfoSecurity Magazine which also includes newer details on this developing situation: The Story of the EC-Council Gender Survey Scandal: Survey Creator Says “It Was Written by Women so it Can’t be Sexist”
(Update 4/24/21) The EC-Council has formally posted a page outlining their efforts to improve after this situation. You can view it at: https://www.eccouncil.org/diversity/