Monica Lewinsky is the only female keynote speaker at next month’s annual RSA Conference cybersecurity event.

Personally, I’m a fan of her activism against online harassment and her resilience. But she’s not a security professional. And although women occupy only 11 percent of the cybersecurity positions, according to Forrester Research, it’s hard for me to fathom that RSA couldn’t find even one to give a keynote at the industry’s biggest annual security conference.

Granted, RSA isn’t alone in its lack of female voices at the show. For the second year in a row, CES 2018 featured an all-male keynote lineup.

But it turns out a lot of other people, women and men, felt the same about RSA’s omission. And after blasting RSA on social media (Facebook’s Chief Security Officer Alex Stamos tweeted a list of 16 women “who could give a great keynote”), some of them decided to organize an alternative event that includes women and minorities as speakers. Our Security Advocates (OURSA) is a one-day event that will also be held in San Francisco, like the RSA conference, on April 17.

Parisa Tabriz, engineering director of Google Chrome, is one of the event’s organizers.

“I was inspired to help make something happen after seeing all the discussion on Twitter, so I reached out to Alex [Stamos] and a few others to help set things in motion,” she said. “If you’re building security and privacy for everyone, you have to account for a huge spectrum of people’s circumstances and concerns about their data. You also need to take advantage of the full spectrum of talents and perspectives available if you want to come up with the best solutions. Today, women and other marginalized groups are regularly underrepresented, across the industry. We have to do better.”

It seems the industry is (slowly) starting to realize this and taking some promising steps toward inclusion.

Shortly after the social media backlash, Sandra Toms, VP and curator of RSA Conference, posted a blog titled, “Addressing Diversity at RSA Conference and in the Cybersecurity Industry.”

“The Conference leadership team is made up of women, like myself, and we’re very much aware of the importance and value of bringing more womens' voices, perspectives and experiences to the forefront of conversations in all industries, not least of all our own,” she wrote.

RSA Conference organizers extended invitations to potential keynote speakers who were women, and “the vast majority declined due to scheduling issues,” Toms said, adding that the keynote lineup is not yet final.

Keynotes notwithstanding, the cybersecurity conference will feature more than 130 women speakers, she said. “And while 20 percent of our speakers at this year’s conference are women, we fully recognize there is still work to be done,” Toms wrote.

On March 8, International Women’s Day, the Security Industry Association (SIA) established the SIA Women in Security Forum. Its goal is to support women in the security industry through programs, professional development, and networking events.

“The SIA Women in Security Forum will also inevitably provide an invaluable forum for mentorship of our future women leaders,” said Emily Corazza manager, technology partnerships and strategic alliances at Vectra, an automated threat management vendor, in an email. “This isn’t just about women, it’s about creating accepting environments for diversity across the board.”

These are promising first steps toward increasing the number of women in security. But as the RSA Conference organizers and everyone else acknowledges, there is still much work to be done.

“We need to end the false assumptions that 1) women aren’t interested in cybersecurity and 2) you need to be masculine in order to excel in this industry,” said Forrester analyst Claire O’Malley in an email.

O’Malley authored the recent report that found women hold only 11 percent of cybersecurity jobs. She said this lack of representation stems from direct and indirect sexism that leads to poor recruitment and retention efforts.

“From the recruiting angle, hiring managers often limit their searches to pools that traditionally have more men, such as computer science majors or military backgrounds,” she said. Women made up just 18 percent of computer science majors in the U.S. in 2016 and 10 percent of armed forces.

“Also, many job listings and media portrayals of cybersecurity show a limited scope of what working in the industry actually entails — thus not attracting all potentially qualified applicants,” O’Malley added.

On the retention side, “repeated mistreatment, harassment, and toxic cultures (both in the office and at conferences)” drive women out of these jobs, she said.

Fixing the problem starts with companies identifying sexism within their own organizations.

“It could be lurking in outdated policies, bad management, or a toxic corporate culture,” O’Malley said. “To do this — apart from calling out any and all instances — security leaders should collect historical data about their applicants, hiring, retention rates, and performance reviews to identify where these biases may be.”

This can provide a baseline from which to measure the effectiveness of future efforts — for example, recruiting at more diverse security events and from schools that enroll higher percentages of women.

“It’s definitely a long-term project,” O’Malley said.

Efforts like adding women to the keynote lineup at conferences and working with groups like the SIA Women in Security Forum are improvements. But only time will tell if they make a long-term difference.