Creating A Diverse CyberSecurity Program


CyberSecurity has multiple facets. This talk will cover the various aspects. This talk will also highlight the fundamental problems in the space, from the technical, policy and personnel perspectives. A diverse agenda with a singular, focused mission needs to have multiple voices and cultures at the table. Thus, this talk will focus heavily on biases and ways of addressing them in the effort of creating a world-class cybersecurity program.

Published in: Technology

  1. 1. Creating a Diverse CyberSecurity Program Dr Tyrone W A Grandison
  2. 2. DISCLAIMER All opinions expressed herein are my own and do not reflect the opinions of anyone that I work with (or have worked with) or any organization that I am or have been affiliated with.
  3. 3. A Little About Me • Jamaican Education • BSc Hons Computer Studies, UWI-Mona • MSc Software Engineering, UWI-Mona • PhD Computer Science, Imperial College – London • MBA Finance, IBM Academy Experience • 10 years leading Quest team at IBM • 2 years working in startups • 3 years running companies and consulting • Now, working for the White House Recognition • Fellow, British Computer Society (BCS) • Fellow, Healthcare Information and Management Systems Society (HIMSS) • Pioneer of the Year (2009), National Society of Black Engineers (NSBE) • IEEE Technical Achievement Award (2010) for “Pioneering Contributions to Secure and Private Data Management” • Modern Day Technology Leader (2009), Minority in Science Trailblazer (2010), Science Spectrum Trailblazer (2012, 2013). Black Engineer of the Year Award Board • IBM Master Inventor • Distinguished Engineer, Association of Computing Machinery (ACM) • Senior Member, Institute of Electrical and Electronics Engineers (IEEE) Record • Over 100 technical papers, over 47 patents and 2 books.
  4. 4. The Plan • Let’s Geek out on Diversity • A Diverse CyberSecurity Program • CyberSecurity Fundamentals • The Current State Of Affairs • Opportunities In The Space • Diverse Team • Execution
  5. 5. THINK ABOUT THIS “Because there is no silver bullet in cybersecurity, no quick fix, we have to solve problems holistically. We need to deal with people, process and technology. That means we need people from diverse backgrounds who understand and relate to an array of people. And I’m not just talking about gender and ethnicity. We also really need right-brain thinkers, left-brain thinkers, people who can come at these problems from very different angles.” - Summer Fowler, Deputy Director, Cybersecurity Solutions Directorate, Computer Emergency R ’s Software Engineering Institute. March 2014
  6. 6. Why DIVERSITY? “Diverse group almost always outperforms the group of the best by a substantial margin.” – Scott E. Page (2010)
  7. 7. More On The Importance Of Diversity • Expands the Qualified Employee Pool • Improves the Bottom Line • Enhances Innovation • Promotes Equality • Reflects the Customers Source: NCWIT Scorecard: A Report on the Status of Women in Information Technology
  8. 8. Challenges to DIVERSITY • Lack of knowledge about cybersecurity • Lack of awareness of opportunities • Stereotypical notion • Unconscious bias • Lack of exposure to role models and mentors • Lack of social support
  10. 10. Components • Strategy –Attack versus Defend • Topics –Compromise versus Detection • People –Background, Expertise, Problem-Solving Approach • Execution
  11. 11. Perspectives on CyberSecurity Scope of CyberSecurity My Definition of CyberSecurity CYBERSECURITY FUNDAMENTALS
  12. 12. Perspectives on CyberSecurity • Very wide-ranging term • Everyone has a different perspective • No standard definition • A socio-technical systems problem
  13. 13. Scope of CyberSecurity • Threat and Attack analysis and mitigation techniques • Protection and recovery technologies, processes and procedures for individuals, business and government • Policies, laws and regulation relevant to the use of computers and the Internet
  14. 14. Cybersecurity The field that synthesizes multiple disciplines, both technical and non-technical, to create, maintain, and improve a safe environment. • The environment normally allows for other more technical or tactical security activities to happen, particularly at an industry or national scale. • Traditionally done in the context of government laws, policies, mandates, and regulations.
  15. 15. SIGNIFICANCE of CyberSecurity + Bureau of Labor Statistics
  16. 16. Difficulties in Defending against Attacks
  17. 17. Increased Sophistication of Attack Tools
  18. 18. Menu of Attack Tools
  19. 19. Corporate US Landscape Global Situation Current Insight The Current State of Affairs
  20. 20. Corporate US Landscape Statistics from the results of an SVB survey about cybersecurity completed by 216 C-level executives from US-based technology and life science companies in July 2013
  21. 21. Global Situation • 47% of companies know they have suffered a cyber attack in the past year • 70% say they are most vulnerable through their endpoint devices • 52% rate at “average-to-non-existent” their ability to detect suspicious activity on these devices 2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? - Bit9 and iSMG
  22. 22. Current Insight • First-Generation Security Solutions Cannot Protect Against Today’s Sophisticated Attackers • There is No Silver Bullet in Security • There is an Endpoint and Server Blindspot 2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? - Bit9 and iSMG
  23. 23. What are the Hard Research Problems? Where are companies spending their CyberSecurity dollars? Where Are The Opportunities?
  24. 24. Hard Problems (TEN Years Ago) 1. Global-Scale Identity Management 2. Insider Threat 3. Availability of Time-Critical Systems 4. Building Scalable Secure Systems 5. Situational Understanding and Attack Attribution 6. Information Provenance 7. Security with Privacy 8. Enterprise-Level Security Metrics INFOSEC Research Council (2005)
  25. 25. Hard Problems (SIX Years Ago) 1. Global-scale Identity Management 2. Combatting Insider Threats 3. Survivability of Time-critical Systems 4. Scalable Trustworthy Systems 5. Situational Understanding and Attack Attribution 6. Provenance 7. Privacy-aware security 8. Enterprise-level metrics 9. System Evaluation Life Cycle 10. Combatting Malware and Botnets 11. Usable Security INFOSEC Research Council (2009)
  26. 26. 2014 Spending 2013 Cyber Security Study - What is the Impact of Today’s Advanced Cyber Attacks? - Bit9 and iSMG
  27. 27. TEAM
  28. 28. Diversity Dimensions • Age • Gender • Ethnicity • Expertise • Other – Income, Sexual Orientation, Religion, Region, Body type, Dress, Pregnant, Disability, Education level, Introverted or Extroverted, Language, Vocabulary, Hair color, Body art, Political party, Diet, Club memberships, Body odors ….
  29. 29. Cybersecurity Workforce: Age Distribution - 2012 Information Technology Workforce Assessment for Cybersecurity (ITWAC) Summary Report. National Institute for CyberSecurity Education. March 4, 2013.
  30. 30. CyberSecurity workforce: Retirement Eligibility - 2012 Information Technology Workforce Assessment for Cybersecurity (ITWAC) Summary Report. National Institute for CyberSecurity Education. March 4, 2013.
  31. 31. WORKFORCE COMPOSITION • Women – 50% of US workforce – 25% of IT workforce – 8-13% of cybersecurity workforce • Hispanics – 6.4% of IT workforce – 5% of cybersecurity workforce • African Americans – 8.3% of IT workforce – 7% of cybersecurity workforce - NIST Panel on Diversity in CyberSecurity, 2013
  32. 32. Women in Cybersecurity • 13 percent of US CyberSecurity professionals are women — which is higher than in Europe and Asia (2006 IDC Survey) "Women are historically very underrepresented in computer science and in computer security. When I started in computer security 25 years ago, the field was 20% to 30% women. Now it's between 5% and 10%. That's obviously going in the wrong direction." - Jeremy Epstein, board member of Applied Computer Security Associates (ACSA)
  33. 33. UMUC Cyber Team
  34. 34. Army Research Lab Cyber Team
  35. 35. UTSA Cyber Team
  36. 36. BYU CyberSecurity Research Lab
  37. 37. UMBC Center for CyberSecurity
  38. 38. Areas of Focus Today
  39. 39. How many times did you change jobs in your career?
  40. 40. Skills in Demand Today
  41. 41. Skills in demand in next 2 years
  42. 42. EXECUTION
  43. 43. INTERNALLY • Define Program Outcomes • Define Program – Risk Management – Critical and Inventive Thinking – Research and Writing – Attack & Defense Tool Construction and Use – Ethics • Create network – External Collaborators – Alumni – Mentors • Identify Ways for Increased Visibility – Of the program, lecturers and students
  44. 44. INTERNALLY & EXTERNALLY • Reduce Unconscious Bias – Start by testing yourself – Project Implicit at Harvard – Teach Tolerance – Focus on Hiring a Balanced & Diverse Workforce • Engagement – Top-Down, Bottom-Up – Building Recruiting And Inclusion for Diversity (BRAID) Initiative • Support Network
  45. 45. Tackling Unconscious Bias • Set realistic expectations. • Provide appropriate time for the training. • Provide the training in person. • Be careful in selecting the right facilitator. • Incorporate unconscious bias assessment tools. • Focus the training on specific, real situations, such as reviewing resumes, conducting interviews, responding to customers, etc.
  46. 46. Tackling Unconscious Bias • Address the topic of in-group favoritism and how it operates in the organization. • Identify those situations in which our implicit biases run contrary to our organizations’ explicit values. • Use proven successful simulations, role-plays, and other interactive exercises. • Have groups discuss the words, phrases, symbols, jokes, and other symbolic representations of their group that they find offensive and why. • Provide de-biasing, counter-stereotyping activities – Such as making associations that go counter to existing stereotypes (male nurses, female scientists, elderly athletes).
  47. 47. CONCLUSION • CyberSecurity is an important field – Workforce needs – Growing market – Job Security – Significant potential harm • Diversity in creating a CyberSecurity program is critical to its success. – Varied thinkers – Differing groups and populations – Balance of strategies and focus area • The path starts today. – Look to the University of Technology – Jamaica as a model.
  48. 48. Thank You