Afternoon Cyber Tea with Ann Johnson 12.14.21
Ep 41 | 12.14.21

The Next Cyber Defender


Ann Johnson: Welcome to "Afternoon Cyber Tea" with Ann Johnson, where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what should be top of mind for the C-suite and other key security decision-makers. I'm Ann Johnson.

Ann Johnson: And today I'm joined by Jessica Gulick, an MBA, a CISSP and a PMP. Jessica is a 20-year veteran in the cybersecurity industry who understands how to successfully lead cross-functional cyber teams. Jessica has co-authored NIST special publications and has launched wildly popular, epic cybersecurity games and tournaments. Jessica is passionate about cybersecurity as an esport, where players, fans and companies can collaborate and strongly advocate for diversity in the workforce. This is why she is also the president of the board of the Women's Society of Cyberjutsu and a member of the Bay Path University Cyber Security Education Advisory Council. 

Ann Johnson: Welcome to "Afternoon Cyber Tea," Jessica. 

Jessica Gulick: Thanks, Ann. It's great to be here. 

Ann Johnson: So, Jessica, several years ago, you approached me to be a judge of the Wicked6 Cyber Games in Las Vegas, and it was going to be the first time that I'd ever experienced live cybersecurity gaming. And I have to tell you, it was really invigorating and inspiring for me to see these teams of young people from universities across the country. They were working together to solve and overcome all the different cybersecurity challenges. 

Ann Johnson: And I also remember there were several members of our Microsoft DART team that were there watching the students. And they were quite animated during the play calls, as if they were cheering along some of their favorite sports teams. It felt like that kind of event and environment. 

Ann Johnson: So I would love if you could talk to our listeners a bit about the background for Wicked6, where it came from, about cybersecurity gaming competitions and share why these events are so important for the next generation of cyber talent. 

Jessica Gulick: Absolutely. First, let me start by saying thank you for being part of our first year. That was way back in 2019. Can you believe it? We were at the last day of Black Hat, first day of DEF CON in Vegas at the esport arena there - which really provided a wonderful experience - that is often used for esports, but we were using it for cyber games in order to raise funding for the Women's Society of Cyberjutsu, a nonprofit really kind of focused on advancing women and girls in cybersecurity. 

Jessica Gulick: I just remember we took a very unique approach that I think quite a few cyber games since then have started to mimic, which is wonderful, and that is we were blending cybersecurity with esports for a cause, right? So it was coed, even though the fundraising was for women and girls. And it was exciting. 

Jessica Gulick: What we did differently and made it more esport-ish, if you will, is that we had shorter games, right? It wasn't like four to eight hours of cyberplaying. It was 45-minute games. And we had six teams competing from six different colleges. And I remember one of the teams were all girls. Each one of the teams had to at least have one girl on it. It was really exciting. 

Jessica Gulick: It was great to then have shoutcasters talking about, what does it take to be a cyber athlete? You know, how do we create high-performing cyber teams and - which is what the value of cybersecurity gaming is, right? We get to use some of the best practices, if you will, tried-and-trues from the athletic community and from the esport community and bring it to cybersecurity to bring kind of fun and excitement and learning all together in one environment. It was just a really wonderful experience for me. 

Jessica Gulick: But that was 2019. And what it did was it really kind of reignited a passion that I had started way back. I don't know if you remember back as far as - I think it was 2007, when the first CyberPatriot pilot came out. I was out there, and I remember being excited about cyber games and part of that initial crew that was running it. And then we had the Maryland Cyber Challenge that came out. And these were more traditional tournaments. 

Jessica Gulick: So we've come a long way to now in terms of moving beyond the months and months lead-up to a game that runs for anywhere from eight to 16 hours. And I'm really quite excited about what that means for our workforce at all different levels. 

Ann Johnson: You know, it was great for the cyber companies, too, because these live gaming tournaments allow us to see talent, right? We're all competing for the same talent. As you know, there's this huge talent shortage. 

Ann Johnson: And, you know, one of the things about the event in Vegas - and, you know, we say a long time ago because it feels like it's been like two - what I say - two dog years in the past two years. But the governor was there, if you remember. I was so impressed that, you know, you had this public-private partnership, and the governor of Nevada showed up to actually, you know, talk to the audience. And it was amazing to me. You did an exceptional job of building such awareness around that event. 

Jessica Gulick: Oh, thank you. It was definitely a team effort. And it was great to have an advisory board and you on it, amongst quite a few others, that really helped to reach further into the community, spread the word and also talk about the importance, which I think really has ignited several cyber games since. If you look over the last two years, they really are coming out of the woodwork in every way, shape and form across the globe, which is really exciting. 

Jessica Gulick: One of the things that I would say about the pipeline is that while these games help with the traditional recruiting process for the young, if you will, early career professionals, there's a lot of opportunity there for boomerangs, for veterans coming back from the military looking to get into the commercial space, for people that currently have a security job and looking to explore new skill sets. It really provides a safe haven to hack, a safe haven to practice skills, be immersed in your business, if you will, to experience firsthand what does an attack look like, feel like, what are the indicators and to work as a team. So I think that it has quite a bit to offer the community. 

Ann Johnson: Well, and if you think about, you know, the cyber talent - right? - Microsoft just announced an initiative where we're going to work with community colleges across the U.S. to train 250,000 students in cybersecurity. We actually have a military veteran retraining program under our military academy that actually retrains folks. And I love training veterans, by the way, to cyber careers because they know how to work on a team. They know how to work under stress. They've been some just fantastic hires for us. 

Ann Johnson: But, you know, those efforts aside and along with those efforts, what other types of proactive measures do you think tech companies need to consider to help maintain and build this pipeline of the future cyber talent we're going to all need? 

Jessica Gulick: So it's interesting. I love what you're saying about community colleges, by the way. I was just last week at NOVA, the Northern Virginia Community College here, obviously, in Virginia. With Virginia Tech, they just announced a big program where you can start at the community college, but you can finish with a bachelor's from Virginia Tech right up here in the northern Virginia area without going to Blacksburg. And we were talking about why that's so valuable to the cybersecurity community. 

Jessica Gulick: And exactly what you're saying - the community colleges have a way of being affordable, approachable. And you're getting a lot of folks that have that day job, right? So they have some maturity under their belt. They've seasoned in a different industry, and they're bringing that fusion of knowledge into cybersecurity, which I think is fantastic and something that our community is definitely in need of. 

Jessica Gulick: But when I look at what other things we can do, I really think that we need to start looking at the talent shortage being way beyond just the top of the funnel. It's more than just kids coming out of college. It really is time for us to put some programs at our various different corporations that help to elevate people within their job to the next position and move them around with purpose in order to create new opportunities because we have this great funnel of wonderful candidates coming into our job community. But all those open jobs that we talk about - I think it's 4 million globally - they're not all at the entry level. 

Jessica Gulick: That's the dilemma. So we almost need to make room, right? We need a make room campaign, maybe, where we can elevate and use diversity as a focal point as we start to elevate people to different positions. And that's the beauty, also, of cybersecurity. As you know, you don't always have to go nontechnical as you move up the chain. You can stay quite technical and still have a career your entire life in cybersecurity and not have to be a manager, right? So I think it's just looking at opportunities for us to create space within our company so that we can move people in and move people up. 

Ann Johnson: You know, I think that makes a lot of sense. We're going to be filling the pipeline from the junior talent, right? And we're - a lot of folks are making a lot of initiative there. But to actually make room, make space for folks that - maybe they are a developer. Maybe they are a network analyst. Maybe they're in some - maybe they're a SQL person - right? - or a database person in some completely other part of the org but very technical but want to be in cybersecurity. And that lateral movement and training and moving people up and then letting - and I agree with you. That opportunity to build a fully technical career to a very senior level in cybersecurity is there. And we do need to recognize those folks and invest in them also. 

Ann Johnson: When we think about things like artificial intelligence and robotic process automation and machine learning, we often say we can automate, you know, 90% of the most mundane cybersecurity attacks. But I don't think we're going to be able to outsource or manage our way out of the sizeable gap. You know, we need to have in-source cyber talent. So if there's one thing that every organization could do today to help alleviate this broad talent shortage, what is one recommendation you would make to them? 

Jessica Gulick: Do I get to answer, play more games (laughter)? 

Ann Johnson: Yes. 

Jessica Gulick: So that - I say that kiddingly, but it's true. I think that games in different formats have a lot of power behind them, whether they're tabletop exercises or you call them cyber ranges or tournaments or hackathons. I think that that helps people learn new skills and have a variety of different skills. And it creates excitement and increases morale, improves morale in cyber companies or in cyber teams within companies. So I think that's definitely one of them. 

Jessica Gulick: It's fascinating to me because AI and RPA often come up and say, hey; we can make this faster. And now what are you going to - you can save money on stuff, or you can reskill them or that kind of thing. 

Jessica Gulick: But the reality is the problem, I think, is getting so big. What we need to start doing is - I think it was about what we were just talking about, Ann, and that's that senior technical person. Really start looking at some of the skills that are in between the gaps in the skills once you get past a certain level because I think what we're going to find is that - we just went through this pandemic where we had this huge rise in cybersecurity ransomware and threats, et cetera. 

Jessica Gulick: You know, I think that it's really matter of - it's the age of the CSO now, the senior security leader, whatever title you want to put on there, and their senior team and figuring out new strategies and not trying to do everything the traditional way. But actually, you know, step away from the fire for a minute and look at, how can we reresource our team, reallocate our focus, use tools when we can and put people on the right tasks? 

Jessica Gulick: And how do we - I hear people call it human aspect of cybersecurity a lot. How about the human power into cybersecurity? And I'm talking about more of the thinking - right? - more of the X factor into how we can come up with new ways of looking at things. And maybe that's infusion of different industries. I don't know. What - do you have thoughts on that, Ann, in terms of - like, maybe we bring in psychology or social-ology (ph) into cybersecurity? 

Ann Johnson: Yeah, I - well, yeah. We talk about that a lot, by the way, that we say, you know, our teams need to be as diverse as the problems we're trying to solve. And I - you know, we'll talk about gender diversity and other things in a minute, but I'm talking about people with different backgrounds, right? You know, if you have everyone in - at the table is a STEM graduate and has, you know, seven years of experience in, you know, doing forensics, you're going to get the same answer to a problem. 

Ann Johnson: If you bring in people with sociology backgrounds and psychology backgrounds and liberal arts backgrounds, you're going to get people who think differently. They're going to look at the problem differently and contribute to the solution differently. I think that's incredibly important that you do need those deeply technical people, but you also need folks that are actually thinking about problems in a very different way. 

Ann Johnson: And, of course, as security becomes - as the role of the CSO now becomes someone who's speaking to the board and more of a business leader, you actually need to bring the business in very early and get them on board so as you're launching solutions, they have security natively built into them, right? 

Ann Johnson: So I think all of those things will contribute to helping the next generation of cyberdefenders, but also to helping the talent shortage 'cause you're looking at talent differently and thinking about talent differently. 

Jessica Gulick: I agree. 

Ann Johnson: Yeah. So let's talk about just pure diversity for a second. Look; I've been in tech over 30 years, security over 20 now. You know, I understand you have a daughter. I have a daughter. So I'm hyperaware that there's still a significant gender gap, that there's still a significant gap with, you know, minority populations within cybersecurity and that we have a long - we've come a long way, but we have a long way to go. 

Ann Johnson: So if you're thinking - let's just be really specific. If you're thinking about bringing more women into the field, what do you think we need to do as leaders to help them come into the field, but also to stay? 

Jessica Gulick: And I think that's the important piece. I think when we look at the numbers and why more women - we don't have higher numbers of women coming into the cyber field, I think it's the attrition rate. I think we have a lot of women leaving the cybersecurity field at the same time, and those are keeping the numbers low. 

Jessica Gulick: But in terms of cultivating a more - I like to say inclusive company - right? - versus diversity, which is what we can bring the company - but being more inclusive, I really think it starts from the top. I do. I know everybody has said it for years, but I think that we need to as a society start to define our perspective, if you will, our ideas on what leadership looks like, on how leadership acts like and really start to explore a more inclusive leadership and performance model that helps not just women, but everybody from a diverse background have an opportunity to become a leader in that organization, if you will. 

Jessica Gulick: I think that also - you probably heard me say this before. I don't know who created the 40-hour week, but can we get rid of that now, please? It's like, I don't know a woman around who really can work a 40-hour week. Sometimes I can work a 30-hour week. Sometimes I work a 60-hour week. Sometimes it's even higher than that. 

Jessica Gulick: But I think that we need to be a little bit more flexible with our benefits and our hours. And unfortunately, even if a company offers part-time employment, they usually treat them like part-time employees versus, you know, treating them like employees. So I think there's opportunity there. 

Jessica Gulick: Women like freedom because we handle a lot. We've always got a lot of balls in the air, you know, trying to figure out what we can do for the dental visits and the unexpected errands that need to be run. 

Jessica Gulick: But I think keeping women in security is also about providing them opportunity, letting their voices be heard. One of the best reports I ever saw done on women in cybersecurity goes back to, I think, 2015, and it was a Gartner (ph) report. And unfortunately, with Gartner reports, they never, like, make them public and free. You have to have, like, a Gartner subscription. But they did a wonderful analysis, and they did a lot of background surveys on men and women, et cetera. 

Jessica Gulick: It came down to women get discouraged in cybersecurity because they feel they're not heard. They're not heard in meetings. They'll say something that they think has value. Somebody next to them will say the same thing, and they'll get heard. And they're like, what? I just said that. You know? 

Jessica Gulick: So I think we have to work on quite a few areas. And I think it's that unknown bias. And I hate to really push on that, but I hear this a lot from women as part of our Women's Society of Cyberjutsu. It's not that the men in the organization are against women - not at all. It just they just don't understand what it is that they're doing when they do it that really puts us at a disadvantage. Does that make sense? Like, the conversation continues into the bathroom. And they're not doing it on purpose. It's just - basically happens. It's how they phrase things. It just puts us at a disadvantage. 

Jessica Gulick: And I think there's just awareness, and it goes back to having her be heard. I think we have to teach the next generation of women what I don't know about you, but I didn't learn until my 30s, and that's how to be heard. 

Ann Johnson: Yeah. I'll give you an example from earlier in my career. I was in a big meeting, and I had said something. And a few minutes later, a man in the room repeated it, and the woman sitting next to me leaned over and said, but that's what you said. I said, you know what? I said, I don't care as long as the idea gets out there - right? - 'cause it's a good idea. And she said, yeah, but he's just repeating you. And it struck me, and it was like this odd moment of awakening, of striking me of, like, well, maybe I should care that I wasn't heard when I said the same thing, and when he said it, it was like, this is the best idea ever. 

Ann Johnson: And I do think we need to teach the next generation of women and, you know, and other folks coming out of college that they need to understand how to be heard in a meeting. They need to understand how to effectively communicate. They need to understand how to be crisp. 

Ann Johnson: I was talking to somebody - I can't remember. It was an internal thing this week, and talking about - or actually, I was talking to one of these other groups that I work with on education. And I made the comment that we can teach all the technical skills in the world, but we actually need to teach people how to communicate effectively in business in both a written and oral manner. And that can't be overstated. I know it shows up on every job description, but it can't be overstated that you have to communicate effectively, even if you are a technical person. 

Jessica Gulick: Yeah, absolutely. I would also share with you that I recently went to Prague for - it was the finals for the European Cyber Challenge. And I got to meet with a lot of the different coaches and directors over there in cybersecurity trying to build their own cyber teams, right? And what I realized is the problems we're having here in the U.S. on trying to recruit technical women and then keep them in the field - they're having the same issue. 

Jessica Gulick: And part of it is a numbers game. I've noticed personally that when you have one woman on the team, yes, it affects some change, but she gets a lot of pushback. When you have two or three, all of a sudden, the dynamic in the room changes drastically and becomes more equal in many ways. And so it's about trying to get more women onto the team, if you will. It doesn't have to be 50-50, and there's no forcing of it. But I think that the more women we can bring and keep them, you know, so they're supportive and can help each other, I think that helps the world as well. 

Jessica Gulick: We put too much focus on the one woman that makes it to the top. We saw this with the Olympics, right? You put so much pressure on her because she's the woman. She's the top cybersecurity leader. She better not fail. You know, don't stumble. Don't cry. So much mental pressure. The only way we're going to alleviate that is to increase the numbers so it's not special anymore, even though we're still really good. 

Ann Johnson: Completely - by the way, completely agree. It's just too much pressure on those women. 

Ann Johnson: So like you mentioned, Prague - I'm always impressed. You have a lot of things going on all the time. Can you tell our listeners a little bit about the projects you're working on right now? 

Jessica Gulick: Absolutely. So we founded this year US Cyber Games. This is very different than your normal CTF. This is a traveling sports team, just like if your kids had soccer, right? What we are doing is we're recruiting each year to come up with the top 15 US Cyber Team players ages 18 to 26. And then what we do is we compete against different countries. So we have our U.S. team. You can check it out at And we will be competing in Athens, Greece, in June against eight other teams around the world. And that's pretty great. 

Jessica Gulick: We do have a virtual match coming up, what we're calling the Global All Star. Kudos out to Hack The Box, who's providing the platform for the battleground. And that will be December 17. We have 16 countries competing. Two of their best players are going to compete in these 30-minute battles, and we're going to be livestreaming it. So a lot of great activity happening internationally. 

Jessica Gulick: Another one that we're just now about to now announce - so don't even think I've done it officially yet, Ann, but it seems like it makes sense to bring it up here because you were a part of the first one. I'd love to get you a part of the second one as well. We're going to bring Wicked6 to RSA. 

Ann Johnson: Yay. 

Jessica Gulick: And we're going to do it slightly different. Our goal is 1,000 women in Discord playing cyber games. And so we're going to do follow-the-sun format, so a 24-hour format, where we have two-hour segments here and there, variety of different games for women to play from all over the world and hopefully featuring some speakers from all over the world. And then we will cap it off at RSA on - at the end with a nice panel discussion. So love to chat with you if you're going there and see how we can get you involved. 

Ann Johnson: I will be there part of the week, and we will definitely talk on that. I would love to participate. 

Ann Johnson: The last thing, Jessica, is we like to leave our audience with just a couple of pieces of optimism at the end, something tangible. So, you know, we've seen - it's been a rough couple of years, right? And it's been a rough couple of years for cyberattacks, also. But what keeps you hopeful and optimistic about the future of cyber? 

Jessica Gulick: It's a great question. I am truly hopeful. I believe 2022 is going to be fabulous for cyber. I think that what we're going to see is a focus on the technical areas of cybersecurity and a lot more movement in terms of public-private relationships that help us to really move the needle. 

Jessica Gulick: I think that we're coming of age now, and there are so many folks that have been playing cyber games for a number of years. I think it's almost 10 years now. And, you know, whether it's CCDC or some of these bigger programs, we have professional cybersecurity gamers and defenders out there that can do amazing things. 

Jessica Gulick: And the collaboration that I'm seeing at the global level, across international lines is also really exciting. 

Jessica Gulick: Not to mention, I think that we're going to see a lot of growth. You know, everybody's talking about the infrastructure bill. There seems like there's quite a bit of funding that's going to come to cybersecurity, and I think that bodes well for our nation. 

Ann Johnson: Agree completely. I completely agree. And thank you so much, Jessica, for joining me today. 

Jessica Gulick: Thank you. It was a pleasure to be here. 

Ann Johnson: And many thanks to our audience, as always, for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: So I chose Jessica for this episode because she has this, like, amazing passion and energy and drive toward educating cybersecurity professionals and the next generation through these gamified experiences that is so unique and so compelling. 

Ann Johnson: And the work she does - she's always working on something. But, you know, all the way from doing things like the Wicked6 event at Black Hat and coming up at RSA, through the work she's doing with a national cybersecurity team that will compete internationally for the U.S., I just thought it was such an interesting topic, and I wanted to highlight her work and highlight her, but also just talk about the things we can do to be creative to get the next generation of cybersecurity talent.