Creating A Diverse CyberSecurity Program
Uploaded by tyrone-grandison. Category: Technology.
Transcript of Creating A Diverse CyberSecurity Program
DISCLAIMER
All opinions expressed herein are my own and do not reflect the opinions of anyone that I work with (or have worked with) or any organization that I am or have been affiliated with.
A Little About Me
• Jamaican
• Education
– BSc Hons Computer Studies, UWI-Mona
– MSc Software Engineering, UWI-Mona
– PhD Computer Science, Imperial College London
– MBA Finance, IBM Academy
• Experience
– 10 years leading Quest team at IBM
– 2 years working in startups
– 3 years running companies and consulting
– Now, working for the White House
• Recognition
– Fellow, British Computer Society (BCS)
– Fellow, Healthcare Information and Management Systems Society (HIMSS)
– Pioneer of the Year (2009), National Society of Black Engineers (NSBE)
– IEEE Technical Achievement Award (2010) for “Pioneering Contributions to Secure and Private Data Management”
– Modern Day Technology Leader (2009), Minority in Science Trailblazer (2010), Science Spectrum Trailblazer (2012, 2013), Black Engineer of the Year Award Board
– IBM Master Inventor
– Distinguished Engineer, Association for Computing Machinery (ACM)
– Senior Member, Institute of Electrical and Electronics Engineers (IEEE)
• Record
– Over 100 technical papers, over 47 patents and 2 books
The Plan
• Let’s Geek out on Diversity
• A Diverse CyberSecurity Program
• CyberSecurity Fundamentals
• The Current State Of Affairs
• Opportunities In The Space
• Diverse Team
• Execution
THINK ABOUT THIS
“Because there is no silver bullet in cybersecurity, no quick fix, we have to solve problems holistically. We need to deal with people, process and technology. That means we need people from diverse backgrounds who understand and relate to an array of people. And I’m not just talking about gender and ethnicity. We also really need right-brain thinkers, left-brain thinkers, people who can come at these problems from very different angles.”
- Summer Fowler, Deputy Director, Cybersecurity Solutions Directorate, Computer Emergency Response Team, Carnegie Mellon University’s Software Engineering Institute. March 2014
Why DIVERSITY?
“Diverse group almost always outperforms the group of the best by a substantial margin.” – Scott E. Page (2010)
More On The Importance Of Diversity
• Expands the Qualified Employee Pool
• Improves the Bottom Line
• Enhances Innovation
• Promotes Equality
• Reflects the Customers
Source: NCWIT Scorecard: A Report on the Status of Women in Information Technology
Challenges to DIVERSITY
• Lack of knowledge about cybersecurity
• Lack of awareness of opportunities
• Stereotypical notion
• Unconscious bias
• Lack of exposure to role models and mentors
• Lack of social support
Components
• Strategy – Attack versus Defend
• Topics – Compromise versus Detection
• People – Background, Expertise, Problem-Solving Approach
• Execution
CYBERSECURITY FUNDAMENTALS
• Perspectives on CyberSecurity
• Scope of CyberSecurity
• My Definition of CyberSecurity
Perspectives on CyberSecurity
• Very wide-ranging term
• Everyone has a different perspective
• No standard definition
• A socio-technical systems problem
Scope of CyberSecurity
• Threat and Attack analysis and mitigation techniques
• Protection and recovery technologies, processes and procedures for individuals, business and government
• Policies, laws and regulation relevant to the use of computers and the Internet
Cybersecurity
The field that synthesizes multiple disciplines, both technical and non-technical, to create, maintain, and improve a safe environment.
• The environment normally allows for other more technical or tactical security activities to happen, particularly at an industry or national scale.
• Traditionally done in the context of government laws, policies, mandates, and regulations.
SIGNIFICANCE of CyberSecurity
Source: Bureau of Labor Statistics
Corporate US Landscape
Statistics from the results of an SVB survey about cybersecurity, completed by 216 C-level executives from US-based technology and life science companies in July 2013.
Global Situation
• 47% of companies know they have suffered a cyber attack in the past year
• 70% say they are most vulnerable through their endpoint devices
• 52% rate at “average-to-non-existent” their ability to detect suspicious activity on these devices
2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? - Bit9 and iSMG
Current Insight
• First-Generation Security Solutions Cannot Protect Against Today’s Sophisticated Attackers
• There is No Silver Bullet in Security
• There is an Endpoint and Server Blindspot
2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? - Bit9 and iSMG
• What are the Hard Research Problems?
• Where are companies spending their CyberSecurity dollars?
• Where Are The Opportunities?
Hard Problems (TEN Years Ago)
1. Global-Scale Identity Management
2. Insider Threat
3. Availability of Time-Critical Systems
4. Building Scalable Secure Systems
5. Situational Understanding and Attack Attribution
6. Information Provenance
7. Security with Privacy
8. Enterprise-Level Security Metrics
INFOSEC Research Council (2005)
Hard Problems (SIX Years Ago)
1. Global-scale Identity Management
2. Combatting Insider Threats
3. Survivability of Time-critical Systems
4. Scalable Trustworthy Systems
5. Situational Understanding and Attack Attribution
6. Provenance
7. Privacy-aware security
8. Enterprise-level metrics
9. System Evaluation Life Cycle
10. Combatting Malware and Botnets
11. Usable Security
INFOSEC Research Council (2009)
2014 Spending
2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? - Bit9 and iSMG
Diversity Dimensions
• Age
• Gender
• Ethnicity
• Expertise
• Other
– Income, Sexual Orientation, Religion, Region, Body type, Dress, Pregnancy, Disability, Education level, Introverted or Extroverted, Language, Vocabulary, Hair color, Body art, Political party, Diet, Club memberships, Body odors …
Cybersecurity Workforce: Age Distribution
- 2012 Information Technology Workforce Assessment for Cybersecurity (ITWAC) Summary Report. National Institute for CyberSecurity Education. March 4, 2013.
CyberSecurity Workforce: Retirement Eligibility
- 2012 Information Technology Workforce Assessment for Cybersecurity (ITWAC) Summary Report. National Institute for CyberSecurity Education. March 4, 2013.
WORKFORCE COMPOSITION
• Women
– 50% of US workforce
– 25% of IT workforce
– 8-13% of cybersecurity workforce
• Hispanics
– 6.4% of IT workforce
– 5% of cybersecurity workforce
• African Americans
– 8.3% of IT workforce
– 7% of cybersecurity workforce
- NIST Panel on Diversity in CyberSecurity, 2013
Women in Cybersecurity
• 13 percent of US CyberSecurity professionals are women, which is higher than in Europe and Asia (2006 IDC Survey)
"Women are historically very underrepresented in computer science and in computer security. When I started in computer security 25 years ago, the field was 20% to 30% women. Now it's between 5% and 10%. That's obviously going in the wrong direction." - Jeremy Epstein, board member of Applied Computer Security Associates (ACSA)
INTERNALLY
• Define Program Outcomes
• Define Program
– Risk Management
– Critical and Inventive Thinking
– Research and Writing
– Attack & Defense Tool Construction and Use
– Ethics
• Create Network
– External Collaborators
– Alumni
– Mentors
• Identify Ways for Increased Visibility
– Of the program, lecturers and students
INTERNALLY & EXTERNALLY
• Reduce Unconscious Bias
– Start by testing yourself – Project Implicit at Harvard – Teach Tolerance
– Focus on Hiring a Balanced & Diverse Workforce
• Engagement
– Top-Down, Bottom-Up
– Building Recruiting And Inclusion for Diversity (BRAID) Initiative
• Support Network
Tackling Unconscious Bias
• Set realistic expectations.
• Provide appropriate time for the training.
• Provide the training in person.
• Be careful in selecting the right facilitator.
• Incorporate unconscious bias assessment tools.
• Focus the training on specific, real situations, such as reviewing resumes, conducting interviews, responding to customers, etc.
Tackling Unconscious Bias
• Address the topic of in-group favoritism and how it operates in the organization.
• Identify those situations in which our implicit biases run contrary to our organizations’ explicit values.
• Use proven successful simulations, role-plays, and other interactive exercises.
• Have groups discuss the words, phrases, symbols, jokes, and other symbolic representations of their group that they find offensive and why.
• Provide de-biasing, counter-stereotyping activities, such as making associations that go counter to existing stereotypes (male nurses, female scientists, elderly athletes).
CONCLUSION
• CyberSecurity is an important field
– Workforce needs
– Growing market
– Job Security
– Significant potential harm
• Diversity in creating a CyberSecurity program is critical to its success.
– Varied thinkers
– Differing groups and populations
– Balance of strategies and focus area
• The path starts today.
– Look to the University of Technology, Jamaica as a model.