Title:Barbara Lazarus Professor in Information Networking
Director, Information Networking Institute (INI)
Founding Director, Education, Training and Outreach, CyLab
Carnegie Mellon University
Number of years in the information security industry: 16
RSAC: What was your first job in the infosec industry?
Haritos Tsamitis: In 2003, I was one of the founding directors of Carnegie Mellon CyLab, the university's security and privacy research institute. Although I had a variety of technology roles in industry prior to joining Carnegie Mellon in 2000, this is where my journey in information security began. My initial focus as CyLab’s director of education, training and outreach was to raise "cyber awareness" in 10 million Internet users of all ages – inspiring the globally-recognized, award-winning MySecureCyberSpace initiative that includes a portal, game and curriculum.
That same year, in my other role as associate director of the Information Networking Institute (INI), I launched one of the first security degrees in the nation. Since 2003, the INI's Master of Science in Information Security (MSIS) has graduated 348 students who have gone on to leadership roles in the federal government, private industry and academia, including several who have launched their own companies.
RSAC: If you weren’t working in the infosec world, what would you be doing?
As director of the INI (since 2004), I’m a professor and department head at Carnegie Mellon and my work is much broader than information security. As a woman in a male-dominated field and a first-generation college student, I invest my time and passion in developing the pipeline and increasing diversity in STEM through a variety of strategic initiatives. One example is a longstanding partnership with the Executive Women’s Forum on Information Security, Risk Management and Privacy through which we offer a full scholarship to one woman annually to study information security at Carnegie Mellon. As I write this, I’m reviewing candidates for our twelfth scholarship to be announced at the EWF annual conference in October 2019.
I have focused a great deal of my attention in building an inclusive environment for my students and faculty. I’m proud to share that in fall 2018, my incoming class at the INI was made up of 42 percent women and, with recent hiring, we are now at 50 percent female faculty. This significant increase in female enrollment is not coincidental—it was the result of intentional efforts, including creating an inclusive teaching and learning culture, partnering with diversity-focused organizations in the field, and establishing a student organization, Women@INI.
RSAC: What is the biggest challenge facing the infosec industry right now?
Haritos Tsamitis: There are many misconceptions about what it means to work in infosec. The stereotype of the male, hoodie-wearing hacker shrouded in darkness and the militaristic language of cyberattacks and warfare are two examples of ways in which mainstream media have portrayed the infosec culture discouraging diverse talent to enter the field. That’s a problem, because by 2021 there will be triple the amount of cybercrime but an outstanding 3.5M cybersecurity job openings. We need to shift the conversation, correct the misconceptions, bust the stereotypes and start talking about the myriad of pathways within the field. You don’t have to be technical, love to code or follow a linear path – there are so many avenues in infosec!
I believe changing infosec culture is the biggest challenge facing the industry. Women and underrepresented minorities face unconscious bias and discrimination in our industry. Workplace culture plays a major role in attracting and retaining diverse talent. Work-life integration, fair and equitable compensation, opportunities for mentoring and guidance, advancement opportunities, access to professional development are factors that organizations should take into consideration to foster a culture that is welcoming to, and supportive of, diverse talent.
RSAC: What does the RSA Conference 2019 theme of “Better” mean to you?
Haritos Tsamitis: As an industry, we need to do better in building a diverse and inclusive workforce. Research has shown that companies with a diverse workforce perform better financially, as well as in employee productivity and performance.
Each of us can contribute to this effort. At the organizational level, leaders must make a commitment to inclusive workplace practices. As individuals, we each must treat fellow team members with respect, learn to manage unconscious bias and be open to diverse perspectives. We all play a part and I hope that attendees of the RSA Conference will embrace this opportunity. Together, we can do better.
In fact, RSA Conference has a track record for embracing better practices. In 2015, conference organizers implemented a dress code policy for vendor employees, the first of its kind in the technology industry, in response to the Equal Respect movement, spearheaded by my former CMU colleague. By banning the use of "booth babes," the conference sought to create a professional and respectful environment where all attendees would feel comfortable.
RSAC: Complete this sentence: 2025 will be the year of __.
Haritos Tsamitis: To date, millennials have been the focus of endless media attention and workplace studies. I believe that by 2025 we will be contending with up-and-coming Generation Z and grappling with the future of work. Organizations must prepare for the next generation of digital natives who are not likely to gravitate toward the typical 9-to-5 jobs. A recent report from Upwork found that 46% of Generation Z are freelancers, with 73% doing so by choice, rather than necessity.
To be competitive, organizations must prepare for this workforce disruption using lessons learned in adapting to the millennial generation that came before them.
RSAC: You’re passionate about increasing diversity in information security. What advice would you give to a young female student interested but hesitant to enter the information security field?
Haritos Tsamitis: My advice for young female students is not to be dissuaded by stereotypes and not allow misconceptions about information security hold them back. Do you like helping others, solving puzzles, being creative, keeping people safe and learning new things? Then cybersecurity could be the field for you.
Another point I want to emphasize it that there is no such thing as a “traditional” path in infosec. My own journey has been non-linear. In college, I did my time as a programmer to pay the bills and get some work experience. It was not the kind of work I envisioned for myself and I questioned whether I was in the right field. My academic advisor opened my eyes to the many different paths I could take, emphasizing that opportunities are endless and programming is a career for some and a stepping stone for others, like it was for me.
Information security is a deeply interdisciplinary field. From social engineering and open-source intelligence to risk management and privacy, there are a wide variety of pathways that require a diverse set of skills, not only those that are technical.
RSAC: Which countries are succeeding at supporting women in cybersecurity?
Haritos Tsamitis: I applaud recent efforts underway in the United States, though with women making up only 24 percent of the cybersecurity workforce, we still have a long way to go.
Last fall, I participated in a day-long working group sponsored by the National Initiative for Cybersecurity Education (NICE) that aimed at moving the needle of women in cybersecurity. About 50 men and women across the public sector, industry and academia came together to develop new strategies to attract, develop and retain women in cybersecurity.
Another great initiative underway is called Women in Cybersecurity (WiCyS). It began six years ago as a National Science Foundation (NSF) funded initiative and has grown into a wonderful alliance among academia, government and industry.
As I’ve discussed, culture is the biggest challenge facing the infosec industry and I believe supporting tech/employee resource groups (ERGs) is essential. Approximately 90%of Fortune 500 companies have ERGs, which can focus on women, racial and ethnic minority groups, veterans, LGBTQ community members and more. The youngest workers, under the age of 34, express the most interest in joining ERGs and these groups provide opportunities for peer support, talent development and networking.