Creating A Diverse CyberSecurity Program

Dr Tyrone W A Grandison

DISCLAIMER

All opinions expressed herein are my own and do not reflect the opinions of anyone that I work with (or have worked with) or any organization that I am or have been affiliated with.

A Little About Me

• Jamaican

Education
• BSc Hons Computer Studies, UWI-Mona
• MSc Software Engineering, UWI-Mona
• PhD Computer Science, Imperial College London
• MBA Finance, IBM Academy

Experience
• 10 years leading Quest team at IBM
• 2 years working in startups
• 3 years running companies and consulting
• Now working for the White House

Recognition
• Fellow, British Computer Society (BCS)
• Fellow, Healthcare Information and Management Systems Society (HIMSS)
• Pioneer of the Year (2009), National Society of Black Engineers (NSBE)
• IEEE Technical Achievement Award (2010) for “Pioneering Contributions to Secure and Private Data Management”
• Modern Day Technology Leader (2009), Minority in Science Trailblazer (2010), Science Spectrum Trailblazer (2012, 2013), Black Engineer of the Year Award Board
• IBM Master Inventor
• Distinguished Engineer, Association of Computing Machinery (ACM)
• Senior Member, Institute of Electrical and Electronics Engineers (IEEE)

Record
• Over 100 technical papers, over 47 patents and 2 books

The Plan

• Let’s Geek out on Diversity

• A Diverse CyberSecurity Program

• CyberSecurity Fundamentals

• The Current State Of Affairs

• Opportunities In The Space

• Diverse Team

• Execution

THINK ABOUT THIS

“Because there is no silver bullet in cybersecurity, no quick fix, we have to solve problems holistically. We need to deal with people, process and technology. That means we need people from diverse backgrounds who understand and relate to an array of people. And I’m not just talking about gender and ethnicity. We also really need right-brain thinkers, left-brain thinkers, people who can come at these problems from very different angles.”

- Summer Fowler, Deputy Director, Cybersecurity Solutions Directorate, Computer Emergency Response Team, Carnegie Mellon University’s Software Engineering Institute. March 2014

Why DIVERSITY?

“Diverse group almost always outperforms the group of the best by a substantial margin.” – Scott E. Page (2010)

More On The Importance Of Diversity

• Expands the Qualified Employee Pool

• Improves the Bottom Line

• Enhances Innovation

• Promotes Equality

• Reflects the Customers

Source: NCWIT Scorecard: A Report on the Status of Women in Information Technology

Challenges to DIVERSITY

• Lack of knowledge about cybersecurity

• Lack of awareness of opportunities

• Stereotypical notions

• Unconscious bias

• Lack of exposure to role models and mentors

• Lack of social support

A DIVERSE CYBERSECURITY PROGRAM

Components

• Strategy – Attack versus Defend

• Topics – Compromise versus Detection

• People – Background, Expertise, Problem-Solving Approach

• Execution

CYBERSECURITY FUNDAMENTALS

• Perspectives on CyberSecurity

• Scope of CyberSecurity

• My Definition of CyberSecurity

Perspectives on CyberSecurity

• Very wide-ranging term

• Everyone has a different perspective

• No standard definition

• A socio-technical systems problem

Scope of CyberSecurity

• Threat and Attack analysis and mitigation techniques

• Protection and recovery technologies, processes and procedures for individuals, business and government

• Policies, laws and regulation relevant to the use of computers and the Internet

Cybersecurity

The field that synthesizes multiple disciplines, both technical and non-technical, to create, maintain, and improve a safe environment.

• The environment normally allows for other more technical or tactical security activities to happen, particularly at an industry or national scale.

• Traditionally done in the context of government laws, policies, mandates, and regulations.

Difficulties in Defending against Attacks

Increased Sophistication of Attack Tools

Menu of Attack Tools

The Current State of Affairs

• Corporate US Landscape

• Global Situation

• Current Insight

Corporate US Landscape

Statistics from the results of an SVB survey about cybersecurity completed by 216 C-level executives from US-based technology and life science companies in July 2013

Global Situation

• 47% of companies know they have suffered a cyber attack in the past year

• 70% say they are most vulnerable through their endpoint devices

• 52% rate at “average-to-non-existent” their ability to detect suspicious activity on these devices

2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? - Bit9 and iSMG

Current Insight

• First-Generation Security Solutions Cannot Protect Against Today’s Sophisticated Attackers

• There is No Silver Bullet in Security

• There is an Endpoint and Server Blindspot

2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? - Bit9 and iSMG

Where Are The Opportunities?

• What are the Hard Research Problems?

• Where are companies spending their CyberSecurity dollars?

Hard Problems (TEN Years Ago)

1. Global-Scale Identity Management

2. Insider Threat

3. Availability of Time-Critical Systems

4. Building Scalable Secure Systems

5. Situational Understanding and Attack Attribution

6. Information Provenance

7. Security with Privacy

8. Enterprise-Level Security Metrics

- INFOSEC Research Council (2005)

Hard Problems (SIX Years Ago)

1. Global-scale Identity Management

2. Combatting Insider Threats

3. Survivability of Time-critical Systems

4. Scalable Trustworthy Systems

5. Situational Understanding and Attack Attribution

6. Provenance

7. Privacy-aware security

8. Enterprise-level metrics

9. System Evaluation Life Cycle

10. Combatting Malware and Botnets

11. Usable Security

- INFOSEC Research Council (2009)

2014 Spending

2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? - Bit9 and iSMG

TEAM

Diversity Dimensions

• Age

• Gender

• Ethnicity

• Expertise

• Other
– Income, Sexual Orientation, Religion, Region, Body type, Dress, Pregnancy, Disability, Education level, Introverted or Extroverted, Language, Vocabulary, Hair color, Body art, Political party, Diet, Club memberships, Body odors …

Cybersecurity Workforce: Age Distribution

Cybersecurity Workforce: Retirement Eligibility

- 2012 Information Technology Workforce Assessment for Cybersecurity (ITWAC) Summary Report. National Initiative for Cybersecurity Education (NICE). March 4, 2013.

WORKFORCE COMPOSITION

• Women
– 50% of US workforce
– 25% of IT workforce
– 8-13% of cybersecurity workforce

• Hispanics
– 6.4% of IT workforce
– 5% of cybersecurity workforce

• African Americans
– 8.3% of IT workforce
– 7% of cybersecurity workforce

- NIST Panel on Diversity in CyberSecurity, 2013

Women in Cybersecurity

• 13 percent of US CyberSecurity professionals are women — which is higher than in Europe and Asia (2006 IDC Survey)

"Women are historically very underrepresented in computer science and in computer security. When I started in computer security 25 years ago, the field was 20% to 30% women. Now it's between 5% and 10%. That's obviously going in the wrong direction." - Jeremy Epstein, board member of Applied Computer Security Associates (ACSA)

UMUC Cyber Team

Army Research Lab Cyber Team

UTSA Cyber Team

BYU CyberSecurity Research Lab

UMBC Center for CyberSecurity

Areas of Focus Today

How many times did you change jobs in your career?

Skills in Demand Today

Skills in Demand in Next 2 Years

EXECUTION

INTERNALLY

• Define Program Outcomes

• Define Program
– Risk Management
– Critical and Inventive Thinking
– Research and Writing
– Attack & Defense Tool Construction and Use
– Ethics

• Create Network
– External Collaborators
– Alumni
– Mentors

• Identify Ways for Increased Visibility
– Of the program, lecturers and students

INTERNALLY & EXTERNALLY

• Reduce Unconscious Bias
– Start by testing yourself – Project Implicit at Harvard
– Teach Tolerance
– Focus on Hiring a Balanced & Diverse Workforce

• Engagement
– Top-Down, Bottom-Up
– Building Recruiting And Inclusion for Diversity (BRAID) Initiative

• Support Network

Tackling Unconscious Bias

• Set realistic expectations.

• Provide appropriate time for the training.

• Provide the training in person.

• Be careful in selecting the right facilitator.

• Incorporate unconscious bias assessment tools.

• Focus the training on specific, real situations, such as reviewing resumes, conducting interviews, responding to customers etc.

• Address the topic of in-group favoritism and how it operates in the organization.

• Identify those situations in which our implicit biases run contrary to our organizations’ explicit values.

• Use proven successful simulations, role-plays, and other interactive exercises.

• Have groups discuss the words, phrases, symbols, jokes, and other symbolic representations of their group that they find offensive and why.

• Provide de-biasing, counter-stereotyping activities, such as making associations that go counter to existing stereotypes (male nurses, female scientists, elderly athletes).

CONCLUSION

• CyberSecurity is an important field
– Workforce needs
– Growing market
– Job security
– Significant potential harm

• Diversity in creating a CyberSecurity program is critical to its success.
– Varied thinkers
– Differing groups and populations
– Balance of strategies and focus areas

• The path starts today.
– Look to the University of Technology, Jamaica as a model.


Thank You