New Women in Cybersecurity Report Highlights Voices from the Field

 

Alexandra Ross - Senior Global Privacy and Security Counsel, Autodesk and Founder, The Privacy Guru

 

download (1).png

The new 2017 report, “Women in Cybersecurity: A Progressive Movement” is a must-read for those invested in the future of diversity in the security and privacy sector. Spearheaded by Caroline Wong, CISSP, and Vice President of Security Strategy for Cobalt, the report summarizes findings from over 300 women actively engaged in a cybersecurity career.

Many of the report’s findings challenge common misconceptions about women in cybersecurity. Some surprising findings from the report include:

  • 36% of those surveyed have been working in cybersecurity for 10 or more years, suggesting women in cybersecurity is hardly a new phenomenon.
  • Fewer than 50% of respondents entered cybersecurity through a background in IT or computer science, meaning women without IT or Computer Science backgrounds should not cross a career in the industry off their list.

While never losing sight of the major diversity challenges within cybersecurity, the report also provides some encouragement looking forward. Among the key takeaways: it’s clear that women in cybersecurity are thriving, the best teams in the business are diverse, and that the talent shortage might be best addressed through a combination of broadening the hiring process while reinforcing the education pipeline.

In addition to the numbers, the survey provides direct quotes from women in a variety of cybersecurity positions, as well as an inspiring sample of free-form insights and advice from women in their own voices.

Kudos Caroline Wong and all of the women who stepped up to contribute to this timely, necessary survey.

For more information on resources for women in security and privacy, check out the WISP Resources page and be sure to connect with WISP.

Maximum Overdrive: A Discussion on Self-Driving Vehicles

 

Caroline Wong, Vice President, Security Strategy, Cobalt.io

 

Women in Security and Privacy (WISP) and KPMG recently hosted the “Maximum Overdrive: A Discussion on Self Driving Vehicles” event featuring a stellar panel of top tech, cyber, and automotive leaders. In an environment of rapidly changing regulatory requirements, industry standards, media coverage, and consumer trust, these experts helped to shed some light on what’s actually going on right now and what to expect in the future.

Sarah Pipes, Manager of Cyber Strategy and Governance at KPMG, kicked off the discussion by sharing a story of parking her own car in Brussels while working there on rotation - to the amusement of her local friend who has become used to everyone around her using their intelligent parking assist systems (IPAS).

Left to right: Sarah Pipes (KPMG), Chenxi Wang (Jane Bond Project), Steffi Bryson (Uber), Michelle Avary (Aeris) Photo credit: Caroline Wong

Left to right: Sarah Pipes (KPMG), Chenxi Wang (Jane Bond Project), Steffi Bryson (Uber), Michelle Avary (Aeris)

Photo credit: Caroline Wong

Perception versus reality

Michelle Avary, Vice President of Automotive Products & Strategy at Aeris Communications and founder of Women in Automotive in Technology, set the stage by explaining SAE International’s Levels of Automation for Defining Driving Automation in On-Road Motor Vehicles. There are five levels of automation, starting at Level 0 (No Automation) and going up to Level 5 (Full Automation). One example of Level 2 automation is autonomous parking technology, as featured on The Oprah Winfrey Show in 2006. This is the same level of automation that Sarah’s friend in Brussels uses.

The problem with the SAE system is that the levels lead many to assume that driving automation is linear, and that’s not true. Uber's Steffi Bryson says that’s actually an inappropriate way to look at it. The linear frame of mind makes people think that a fully autonomous car will be on the market in the next 5-10 years, and that’s probably not what’s going to happen. Mobility as a service is much more likely to become part of the average person’s day-to-day experience (particularly if you live in certain cities). The most common question that Steffi gets is, “What happens when all the cars turn left at the same time?” This is, of course, a highly unlikely scenario and doesn’t represent the best starting point for a fruitful conversation. Chenxi Wang, founder of the Jane Bond Project, points out that “Humans make mistakes too. In some scenarios, machines are actually smarter.” 

 

What are the risks?

The 2015 Jeep Cherokee hack exposed vulnerabilities in already existing and deployed cars. Bryson says, “We’re not talking about technology that’s going to be developed in the future. This applies to the cars people drive today.” 

While the highly publicized story generated a fear in the public that Bryson argues has been associated with self-driving cars in a way that’s not accurate, everyone on the panel seemed to agree that the industry as a whole did learn lessons from the demonstration and have since adopted more security best practices. In August 2015, the Auto-ISAC was formed by automakers to establish a global information sharing community to address vehicle cybersecurity risks.

Whether we’re talking GPS routing, info-tainment, or safety critical systems, things don’t really become interesting until there’s connectivity involved. Consumers love connectivity. Wang warns, “Connectivity is orthogonal to autonomy. For security discussions you need to take that into consideration.” Wang believes that the most common risk does not actually lie in remote attacks, but rather in the integrity of the automotive software and the software supply chain controls that may or may not be in place. Just as cars source physical parts from different suppliers, software is often composed of many different third party components. “How do you know that the manufacturer who gave you this piece of software actually did their job in proper vulnerability management, security updates, etc.? All of that becomes a security risk.” 

Hypothetically speaking, consider a scenario where a group of company executives are being transported in a self-driving car. This presents a potential opportunity for that company’s competitor to conduct a denial-of-service (DOS) attack on the car in order to cause those execs to be late to an important meeting, or worse.

As in every type of consumer software, there’s often a trade-off between ease of use and security. What happens when your car asks you if you want to install a software update? Do you choose to do it now or later? Hopefully you pick a time when the car is not moving. The slower, more expensive option would be to drive the car to the dealership every time you need a software update installed.

Avary adds, “You’ll never get the software right the first time. You can [and will have to] patch it later.” Over the air updates from car manufacturers present an interesting case. A car’s electronic control unit ultimately decides if a new software update is trusted or not. It is critically important that access to the keys controlling new software updates is appropriately restricted and does not make itself into the hands of a malicious individual or group. The scariest piece of the puzzle here is not the technology, it’s the human who controls it.

 

How to secure autonomous vehicles

As with any software product, the best approach to reducing the risk of software connected vehicles and vehicular systems is to assess and monitor during the product development lifecycle. “Are you doing pen testing? Are you bringing in outside experts to look at and assess the security before the system or vehicle is released to the public?” Wang asks. “To a security person, these things are common sense.” Monitoring to track software patterns and anomalies is also an important component to ensuring the security of automotive software while it’s in operation.

Another key security principle is to shut down access where it’s not absolutely necessary. One of the main vulnerabilities exploited in the Jeep hack was an open port on the Harman Uconnect system. “It was left open to allow access for testing, and should have been closed,” Avary mentioned. The Harman system contained the ability to communicate over Sprint’s cellular network, and the hack leveraged vulnerabilities existing on the wireless network that should also have been locked down.

Wang stresses the importance of the zero trust principle - “Just because this communication came from the system right next to you, treat it as a suspicious internet connection.” She recommends that vehicle technology makers vet and authenticate connections with the same security controls in place that are required for dealing with an untrusted internet connection.

 

What do we have to look forward to?

“The first time you experience an autonomous vehicle probably won’t be when you buy it,” insists Bryson. The cars we see on the road right now are not non-autonomous; they are not completely manual. Many of them already have capabilities that are connected, semi-autonomous, or assisted. Lane assist, parking assist, collision warning and avoidance systems, anti-lock brakes, cruise control - all of these features are widely available in cars right now.

Individuals who do not own a car will be able to get around a lot easier with the help of autonomous vehicles. Mobility services will especially benefit the elderly and the disabled. Car ownership is expected to decrease. “A lot of people won’t own cars anymore,” says Bryson. “Today, a privately owned vehicle costs about $1.60 per mile. That cost is expected to drop to $0.08 per mile for shared mobility as a service.”

Join WISP at Hacker Summer Camp 2017!

Every year, security professionals, hobbyists, and aficionados take on Las Vegas for what’s come to be known as “Hacker Summer Camp,” built around three primary conferences: Black Hat, DEF CON, and BSidesLV. Over the years, more events including Queercon and TiaraCon were added, creating a 10-day period of talks, trainings, workshops, and networking in a variety of settings. 

Yet, much like the security industry as a whole, diversity and inclusion remain serious challenges for the world’s largest security gathering. WISP is committed to changing that by encouraging women to take a more active role and we’re partnering with a few other organizations to bring more women-centric opportunities to Hacker Summer Camp.

Below is this year’s schedule of WISP-hosted events. 

Please use our discount code for $200 off Black Hat badges: WISPus17

Cybersecurity Diversity Foundation Reception (Co-hosted with the Women’s Society of Cyberjutsu, and International Consortium of Minority Cybersecurity Professionals.)

Tuesday, July 25
5:30pm - 7:00pm
The Border Grill, Mandalay Bay
Registration required (Sign up here


Women in Cybersecurity Mixer (Co-hosted with Optiv)
Wednesday, July 26
6:30pm - 8pm
RM Seafood Lounge and Bar, Mandalay Bay
Registration required (Sign up here)

Enjoy cocktails and light appetizers while our distinguished panel of experts from Optiv and LogRhythm leads us in a discussion on the growth and development of women in security. 

Enter a drawing at the door for a chance to win great prizes, including an Apple Watch, Beats Solo3 wireless headphones, and more!

$5 will be donated to Girls Who Code on behalf of every attendee. 


WISP Peer-to-Peer Mentoring
Thursday, July 27
2:30pm - 3:30pm
Black Hat, Banyan D, Level 3

Join Women in Security and Privacy at Black Hat to mingle and network with privacy and security professionals. Also, consider becoming part of WISP Tandems, a peer-to-peer mentorship program that connects you with people from different background, expertise, and a different network. Every woman brings unique value, knowledge, and experience to her peers at every level of her career. Find your Tandem partner at Black Hat or sign up to be matched in our next round of the program, starting in September!


DEF CON Hackathon (Co-hosted with Security Innovation)
Friday, July 28 and Saturday, July 29
10am - 6pm both days

Security Innovation and Women in Security and Privacy (WISP) are teaming up to bring you two new vulnerable websites that participants will be competing to find vulnerabilities in. We'll have easy vulns and reference material for beginners as well as more difficult challenges to stump experienced hackers. The sites contain over 100 vulnerabilities including XSS, SQLi, password cracking and more. Vulnerabilities are automatically detected and award points when they're exploited. 

Becky Bace, President/CEO, Infidel, Inc.; Chief Strategist for the Center for Forensics, Information Technology, and Security (CFITS) at the University of South Alabama

The WISP career series highlights extraordinary women working on security and privacy issues.  The third installment in this series features Rebecca “Becky” Bace and her career path, work, and advice to young professionals.

When most of us think of universally celebrated mathematicians, an early figure that comes to mind is Hypatia of Alexandria. Hypatia made her way past traditional societal norms to become the first known woman philosopher, mathematician, and academic. In addition to being a widely respected figure, Hypatia never ceased learning and being curious.  Similarly, against all odds, Becky Bace from the small town of Leeds, Alabama forged a path for herself to become a leading mathematician and computer scientist.  She started on her path as the only woman in the School of Engineering at the University of Alabama at Birmingham in 1973 to becoming a widely respected analytical thinker, mathematician, and academic – and most important of all, she has never ceased to learn and stay curious. 

Career Path

When Bace first began her education, she focused on becoming a doctor.  However, one thing that Bace could not ignore was that she always excelled at math.  Although Bace was not interested in being a career mathematician, she decided to pursue engineering in her desire to explore other careers related to mathematics.  During her first year, one of her professors took her under his wing and suggested that she learn programing, specifically how to run then state-of-the-art computing on IBM mainframes for nuclear energy.  Although Bace completed most of her degree in civil engineering, she always felt drawn to courses in math, analytics, and computing – so she switched paths and finished her degree in computer science instead of civil engineering. 

After graduation, Bace came across an ad in Byte magazine for a role with her skillset –for what turned out to be a job at the NSA.  Bace later transferred to the Department of Defense’s National Computer Security Center (NCSC), a branch that conducted a lot of fundamental work on computer security and policymaking, including releasing the Rainbow Series.  At the time, most security solutions focused on security by design and advanced math modeling.  Noting a gap in the primary focus on front-end solutions and use of math concepts, Bace came upon a project at the NCSC on intrusion detection systems (IDS).  Bace tackled the project and reached out to one of her mentors for advice - Jim Anderson, the person who had built the initial IDS architecture.  This early work and mentorship helped to Bace’s career, and her focus on IDS, to take off.   

Even though Bace did not come from a traditional career path, she flourished once she embraced her interest in computing.  Bace went on to serve as the Deputy Security officer at Los Alamos National Laboratory and held a number of roles in the private sector, including as the Lead Faculty on IDS at the Institute for Applied Network Security; the Chief Strategy Officer of Neohapsis; as a venture consultant for Trident Capital; and the Vice President of the Security Practice at In Q Tel.  Bace is currently the Chief Strategist at the Center for Forensics, Information Technology and Security at the University of South Alabama and the President/CEO of Infidel, Inc.

Advice to Young Professionals

Bace acknowledges that it is hard to advance in your career alone.  While perceiving a problem in the traditional approach to security, Bace not only tried to solve it herself, but like a philosopher hosting a salon, she built up a network of peers to join her in her journey and discuss relevant issues to learn about diverse perspectives. Her efforts in community building not only helped her create a shift in information security and the use of IDS, but also on a personal level and in her career.  Bace says that both “peer support is extremely important” as well as “having a mentor.” When she faced adverse situations in her life, she was able to overcome them with the support of her “community of peers” – people that will “stay longer with you than your employer.”  A few of those strong mentors present throughout Bace’s career were Robert Abbott (who led the first commercial security practice, as modeled in the movie Sneakers, and a senior scientist at Livermore National Labs) and Ruth Nelson (a mathematician whose work includes much of the formal mathematics underlying secure protocol design).

Career Advice to Women in Security and Privacy

For women interested in the field, she provides candid advice stating that it’s important to “balance between mastering the theoretical view of security and understanding the math.” Pulling from her own experience, she points out that “you don’t have to be pinpoint focused to be successful” because most careers require a “broader swath of expertise and exposures.”

Becky Bace is a pioneer for women in security, having been mentored from the creators of early computing systems and some of the first women in the field.  With the experience of a professional and ease of a strategist, she has bridged together math and theory to create and advance solutions that have been a boon to the security industry.  In line with WISP’s principles of advancement and inclusion, Bace advises WISP members to keep in mind: “professional links make all the difference.”

 

Data Minimization and Anonymization: Essential Tools for Reducing Privacy and Security Risk and Enhancing Trust

This post will examine a couple of case studies in data innovation, specifically companies that have developed new ways of using data minimization and anonymization to address regulatory requirements, as well as potential security and privacy concerns of their consumer base.

Equal Respect Speakers Bureau

Equal Respect and Women in Security and Privacy are proud to partner together to launch the Equal Respect Speakers Bureau. This joint initiative seeks to foster diversity for professional conferences in the security and privacy fields. Register as a potential speaker or request a speaker for your upcoming event.

A Note From Our Head of WISP Tandems

Dear WISP Community, As the Head of WISP Tandems, I am happy to share the story of our Tandem Program, the vision behind it, and exciting news about the future of Tandems. Our peer-to-peer mentoring program connects security and privacy professionals who have different backgrounds, expertise, and different networks. Why? We believe that you bring unique value to your women peers, no matter which career stage you’re at.

Hacking for Security

On June 21st, Women in Security and Privacy (WISP) partnered with Security Innovation, Inc. (SI) and the Wikimedia Foundation to put on a fun, educational “find the vulnerabilities” game. The “Hackathon” was a technical workshop on web application security, with a hands-on approach geared at teaching effective website security and secure coding habits to WISP members.  

WISP - From 7 to 700

Dear WISP Community, WISP’s seven founders first convened in 2014 to further a shared mission – promoting the development, advancement, and inclusion of women in the information security and privacy fields. In two short years, with the dedicated support of our membership community, WISP now has over 700 members nationwide. We’re excited by this growth and the potential it holds for WISP’s future. As WISP Project Director, I’m proud to announce another critical milestone. WISP has achieved official status as a fiscally sponsored project of Community Initiatives, an SF Bay Area 501(c)(3).