Women in Cybersecurity (WiCyS) 2016
Value, mentorship, and opportunity: women in cybersecurity.
Three clear themes emerged from 2016's Women in Cybersecurity Conference: recognition that cyber security is part of any business's value proposition, the importance of mentorship in career choice and development, and, finally, the reality that ability to recognize and pursue opportunity is far more important than detailed career planning.
Organized by The Cybersecurity Education, Research and Outreach Center at Tennessee Tech in partnership with The University of Texas, Dallas, the conference was very well attended by around 750. University students at all stages in their education were particularly well represented. Also well represented were employers of cyber security talent (including many well-known brands), the diversity of whose lines of business—financial services, consulting, IT, security, research and development, etc.—offered some direct confirmation of the first theme: businesses increasingly recognize that cyber security unavoidably figures as part of their value proposition.
The conference played host to many serious technical discussions that necessarily lie outside the scope of this general overview. But the talent on display in panels, workshops, presentations, and discussions was of a notably high order. The technical topics included exploit development, reverse engineering, cyber criminology, perspectives on research, cyber-physical system security, and big data analytics. Other professional sessions covered tools and strategies for education as well as workshops oriented toward specific career tracks in cyber security.
Here, then, follows a summary of some of the conference's keynotes.
The business of cybersecurity.
Jillian Munro (Senior Vice President, Enterprise Cybersecurity, at Fidelity Investments) delivered the conference's opening keynote, and she made a point to emphasize how central cyber had become to businesses of all kinds. Cyber builds trust in products, and thus forms an enormous part of the value proposition.
The bad actors—criminals, insiders, hacktivists, nation states—are the cyber business drivers. Munro noted the continuing dramatic rise in data breaches' cost per record. This represents a direct cost to a business, but it can be too often overlooked that hacks degrade customer trust in businesses. Target, she pointed out, reported $162 million in direct expenses incurred to address its 2013 point-of-sale data breach. But its costs in lost business don’t even figure into this amount, and those costs were very high.
So cyber must be understood as a business issue, not merely a technical one. Cyber security is increasingly embedded in all processes. "Cyber security equals trust which equals revenue," as Munro put it. People who work in cyber security have to help the larger business understand what cyber means to it, and they must work to make cyber security a vital part of revenue-generation.
Munro also answered some questions about her own career path, which she characterized as "opportunistically managed." There are many business-focused roles for cyber security practitioners: finance, communications, human resources, and more—essentially any business role can and should have a cyber dimension. She stressed the importance of confidence in pursuing a career that might lead to a senior management position. "You should jump in with both feet, but you should also understand you need other people's help. Get to know other people who can help." And, in conclusion, she left her audience with this advice: "When you get in a position to bring other women along, do it."
From the incident response mines.
Google's Heather Adkins spoke at midday. She began with a personal note that illustrated the third major theme emerging from the conference—being able to recognize opportunity and being willing to seize it are more important than detailed career preparation and planning. Adkins's academic background is in medieval studies, with a particular emphasis on German and Carolingian topics. This is by no means anyone's idea of conventional preparation for a career in cyber security, but the lesson's an important one—students' academic specialties by no means limit their career choices as much as their campus experiences may have led them to believe. And a second lesson: your studies, if seriously and intelligently pursued, have in all likelihood given you far better preparation than you (or your interviewers) may initially suspect. For example, someone with an academic background like hers, someone who's been exposed to paleography and languages, who's learned how to research the history of books and rare manuscripts, learns forensic research skills that prove valuable in cyber incident response. So, have confidence, and be willing to give it a try. (And it's also fine to remain interested in your academic specialty throughout life—Adkins talked about Carolingian history with one of our stringers in between sessions, and it's obvious her studies weren't just a meandering way into a career in security.)
Adkins has extensive experience running incident response at Google, and she's found it immensely gratifying. She began by discussing the value to effective incident response of discerning the attackers' motives, and she reviewed how those motives played out among several familiar categories of threat actors. The first class of hacker they have to deal with is the conventional criminal. To illustrate the severity of the criminal cyber threat, Adkins noted that business email compromise has been responsible for some $13 billion in losses over the last two years. A second class of hacker ("my favorite people") comprises those who hack for fun and curiosity. "The whole industry's seeded with such people." Google's bug bounty program is designed to move these hackers to the side of the good.
The third class of hackers engage in espionage, and these, of course, are the state-sponsored hackers. China is most frequently mentioned in connection with cyber espionage, especially with respect to industrial espionage. Google's experience of being on the receiving end of a government-sponsored attack goes back to 2009-2010. This campaign has come to be known as "Operation Aurora," and it began with the attackers seeking answers to two questions: who works at Google, and what software do they use? Over a period of seven days, attackers got their answers, then moved laterally through the networks to achieve their goals. "It was a professional operation," Adkins noted. "So Google's response was to put an equally professional security team in place."
Adkins alluded to the proliferation of ransomware, which she called "coercive profiteering." Google is now thinking more, however, about the risk of "coercive destructive hacking." And for really destructive coercion, she cited Stuxnet (which, by the way, she pointed out was distributed by a USB drive).
Where does incident response fit in? At Google, they collect and process petabytes of information, applying machine learning to the data collected and processed. From these data emerge the incidents they address. "Most of them are minor, like CryptoLocker. But now and then you get a big one, like Aurora." For the big ones, they stand up an Incident Command System to deal with forensics, monitoring, intelligence, and restoration. Adkins especially commended incident response as a career field. She's found that it enables people to use all their skills, and to work with varied groups on new issues. She also pointed out that incident responders are highly valued by the organizations they serve. "No one complains when the fireman shows up."
Delegating computation.
Yael Kalai, of Microsoft, spoke about a new age of cryptography. She began, as have several other presenters throughout the conference, by offering an account of her own career for such lessons as the students in the audience may draw from it. She found that she had to decide, early, that her education would be an investment, and that she would not let small things distract her from making that investment. She could only attend to important things, her family and her career, by ignoring the unimportant.
She said she found it gratifying that people understand there should be more women in cyber. "Take advantage of this recognition," she said, and she encouraged women to take advantage of opportunities to be mentored. "To live this way is to live as an investment. It's a long journey. Don't let little things interfere."
Having offered this advice, she turned to her specialty, cryptography. "Once upon a time," she began, "cryptography was about sending messages and protecting communication." But this is changing. Over the last five to ten years, Kalai observed, cryptography has evolved from securing communication to protecting computation. This is, fundamentally, because the way we do computation has changed and continues to change. Now, devices often delegate both data and computation to the cloud.
This shift has produced four major challenges. The first challenge is privacy. We want the cloud to do computation, but how should it do so when data are encrypted? Fully homomorphic encryption (FHE) appears to be the answer, enabling you to compute with encrypted data. "We're getting close to FHE."
But this doesn't mean, Kalai added, that "now can we do cloud computing happily." Sometimes you need the cloud to learn something in order to help you, and FHE can hide too much. But functional encryption may offer some prospects of success at meeting the second challenge: constructing secure and efficient computation.
The third challenge is program obfuscation, which offers the prospect of solving many problems by decrypting, filtering, and re-encrypting. "We're now able to see the prospect of constructing secure and efficient program obfuscation schemes," she said.
The fourth challenge is integrity. "How do we know that our computations in delegated computing have integrity?" Kalai asked. "So we want a proof of correctness. This is what is called delegating computation." Verifying should be easier than computing, and, despite all the progress made in the field, much work remains to be done.
From law to cybersecurity: what I've learned in my journey.
Shelley Westman, who leads IBM Security, was asked to speak in particular about her own career. She prefaced her description of her career arc with a brief description of IBM Security: a business unit that has some seven thousand practitioners worldwide managing sixteen billion events in well over one hundred countries.
That background provided, Westman turned to her own story. Her goal from childhood had been to become a lawyer—it seemed interesting, exciting, and well adapted to someone who liked to argue. So she attended (and loved) law school, but upon leaving law school she found she didn't care for the practice of law. Westman joined IBM's contracts department, then moved to procurement, and eventually got interested in making as opposed to managing deals.
An opportunity for promotion moved her to development operations, then to a brand role in power organization where she had an opportunity to grow a solutions business. She moved to a vice-presidential position in the hardware division where she was able to oversee strategic planning, thinking three-to-five years out. And then she wanted to, and was able to, move back to security.
Westman drew three key lessons from her career path that she wanted to share, particularly, with the students in attendance. First, "what you think you want may not be what you in fact want." By all means try it out, but don't be afraid to change course. Second, "don't be afraid to learn new things and take on new responsibilities." And third (this she illustrated with a personal example, and Westman asserted, with reason, that everyone at some point in their life will easily be able to supply similar personal examples), "there will be times when you feel your life is falling apart, but the only choice is to move forward." Girls still often find themselves, she said, the only girls in their tech class. "We tend to tell them, when they have difficulty, oh, well, why don't you try something else that's not too hard for you," Westman observed; this may be well intended, but it's not necessarily helpful. Boys, in contrast, get told to buck up and buckle down, to work harder.
She pointed out that women need men, who'll stand up and support them, as allies. Most of her mentors have been men. "They tend to think differently, and thus can provide perspective."
She closed with a call to everyone in attendance to commit to doing one particular thing to help women advance in cyber security when they return home. There's no shortage of opportunities to help.
Students and their work.
2016's Women in Cybersecurity conference featured poster sessions and other presentations by students from a wide range of colleges and universities. We'll describe one of them, and let hers stand as an exemplar for the rest. On the final day of the conference the CyberWire spoke with Komal Bansal, a graduate student at Minnesota's Winona State University. Her work is on the US Children's Online Privacy Protection Act (COPPA), the act's implementation by the Federal Trade Commission (FTC), and its implications for enterprises operating online.
COPPA protects children under thirteen years of age. It requires every website that collects personally identifiable information (PII) on a child to do four things: (1) obtain parental consent, (2) provide a very descriptive privacy policy, including an account of any sharing with third parties, (3) maintain the data's confidentiality, and (4) state explicitly the data retention period.
COPPA compliance, Bansal noted, is challenging. The FTC has approved seven third parties as "safe harbors" for enterprises whose activities fall under COPPA. These safe harbors audit participating websites, report on their compliance, and remediate any issues the audits discover.
Bansal has been conducting visibility studies with parents. Her hypothesis is that parents are generally unaware of the regulations in place to protect their children, and her interim conclusions suggest the importance of educating children about online safety.
Bansal will soon be completing her studies, and she'll begin a career at PwC in Minneapolis this August. Congratulations and good luck to her, and to all the other students (and their prospective employers) who participated in 2016's Women in Cybersecurity conference.
Summing up: women in the cybersecurity sector.
The lessons from the conference are broadly applicable. Everyone can serve as mentor to someone, or accept someone's mentorship. Everyone who studies seriously learns something that can have surprising relevance to a career. And, finally, everyone can be aware of career opportunities that can take them down unanticipated but very gratifying paths.