Looking back at RSAC 2018: Professional Development
At RSAC 2018, RSA Conference blogger, Tony Kontzer, sat in on a number of sessions. Check out the posts below on professional development sessions to see what happened at last year’s Conference and to give you a taste of what you can expect at RSAC 2019!
Gospel From the Women of Israel's Unit 8200: Confidence is the Key to Careers in Cybersecurity
Any woman working in the cyber security field can relate to what Maya Pizov told RSA Conference attendees during a panel discussion Tuesday.
Pizov, VP of business development for endpoint security provider enSilo, was sharing an all-too common experience female security practitioners have upon walking into a meeting.
"You're one of the few women, if not the only woman, in the room," she said.
Pisov was one of three panelists who shared their perspectives on how serving in Israel's legendary Unit 8200—the intelligence unit that's the country's equivalent of the U.S.'s National Security Agency—helped them to overcome the anti-female biases that effectively keep women from choosing careers in cyber security.
It's become a painful reality for woman in the field that they're part of an extreme minority. Panel moderator Avivah Litan, a VP and distinguished analyst at Gartner, shared the grim statistics: Just 11 percent of cyber security jobs are held by women, a number that's been stagnant for years despite security's growing profile, and woman in director positions or higher earn on average $5,000 a year less than their male peers. Even worse, women make up just 4 percent of investors in cyber security companies.
That said, the women on the panel—all of whom joined Unit 8200 out of high school and learned cyber security skills they didn't even know they could attain—were in agreement that gender biases and the statistics that illustrate their predominance are artificial barriers that women can rise above.
All of them in some way said that it all comes down to confidence, which is something Unit 8200 gave them in spades. And the way they see it, confidence breeds more confidence.
"It doesn’t matter if you're a man or a woman—if you have something to say, you speak up about it," said Shira Shamban, data analysis project lead for cloud security firm Dome9 Security. "Everything you're doing today will make a difference for the women who will join your company in the future."
What's more, that confidence doesn't have to be based on applicable experience. Rather, it stems from knowing that everyone has something valuable to contribute, and coupling that with a desire to do a good job. Too often, the panelists suggested, women are scared away from security because they simply don't think they're well suited for the field.
For instance, Lital Asher-Dotan, senior director of research and content for Cybereason, another endpoint security provider, said she was terrified when the Israeli military approached her about joining Unit 8200, believing she wasn't geeky enough to succeed. It didn't take long for her to realize that was folly.
"You don't need to be a coder to be in cybersecurity," said Asher-Dotan. "Maybe girls are not attracted to begin with into this career, but once they're introduced into the industry, I'm sure that will release the bottleneck."
Unlike men, women have to prove themselves beyond their credentials. Shamban said that informing male coworkers that she had served in Unit 8200 does little to inspire respect for her capabilities. In fact, she said men still make the same inappropriate jokes and comments despite her background.
But when she stands up for herself, displaying that ever-critical self-confidence, everything changes.
"After five minutes of talking to me, they know I don't take shit," she said, eliciting laughter from audience.
Still, a woman with all the confidence in the world is still just one woman. The key, said the panelists, is to pave the way for other women. In the absence of opportunities such as the one Unit 8200 presents to young Israeli women, that can mean mentoring younger female employees, encouraging teenage girls to consider careers in the cybersecurity field, or, perhaps most powerfully, hiring women and providing them with a platform to contribute.
"Give them a seat at the table, and let them show what they’ve worked on," said Asher-Dotan. "That would result in huge movement."
Golden Advice to Women Looking to Work in Cyber Security: Rise Above Your Self-Doubts
As she described the experience of being a woman in the male-dominated world of InfoSec, Nascimento shared that she often hears a critical voice inside of her head that tells her she's not good enough, not skilled enough, and doesn't belong.
"I've given this voice a name—Vicky, because she's always the victim," Nascimento said, drawing a healthy laugh from the nearly packed room. "She's even with me now, saying, 'I can't believe you're saying this out loud!'"
Why this revelation was important became apparent during the session: That little voice, which everyone has in some form, is most likely wrong. And as Nascimento and her co-panelists made abundantly clear, they aren't looking for women with the biggest piles of skills, longest records of experience, or even a burning desire to be in cyber security.
They're simply looking for the best people to work with. In the case of Robin Stuart, principal threat researcher for Salesforce.com, that means someone who's a strong team player, even under the most stressful circumstances.
"It gets ugly (in security)," said Stuart. "If you don't have a sense of humor, if you're not somebody we can count on to be there when the you-know-what hits the fan, then you're of no use to us."
The panel's moderator, Caroline Wong, VP of security strategy for penetration testing vendor Cobalt, had numbers to bring home just how big an obstacle mindset can be for women in cyber security. Wong posted a survey on social media last year, targeting women in the field, and hoped for 100 responses. She got 313, and some of the findings were eye opening.
For instance, 52 percent of respondents said they wished they had more technical skills, while 43 percent said they struggle with managing the expectations they have of themselves. Both of these numbers speak loudly to the self-doubt women in cyber security carry through their jobs.
Stuart told the audience that she got two pieces of advice early in her career that helped her to overcome those self-doubts: It's okay to change your mind, and it's okay to make mistakes. (She did add that the second piece of advice was followed by a caution not to make the same mistake twice, and to make her next mistake bigger, thereby demonstrating a willingness to take risks.)
Nascimento, having bared her self-critical alter-ago, clarified that while some level of skills is necessary, she's willing to hire someone who only possesses half the skills she's looking for if they bring enthusiasm. She also said she looks at Myers-Briggs assessments to make sure she's hiring people who complement her team. In other words, if she has a lot of introverts, she looks for an extrovert to balance things out. Likewise, if she's surrounded by strategists, she'll look for someone tactical.
As for the best advice she'd received, it was that her success would be a product of her relationships. While working hard and meeting goals is clearly important, she deduced that what was more important was to listen more than talk, and to pick up and read cues, especially when two parts of a business aren't working well together.
The ability to bridge such gaps can often be the most important skill a security professional can possess, and one that's in short supply. It also appears to be a strength women believe they possess, as 74 percent of respondents to Wong's survey said that they bring value by being able to communicate effectively across cross-functional teams.
Those kinds of communications skills are exactly what the third panelist, Patricia Titus, CISO and CPO at Markel Corp., said she looks for. Titus said she often picks people who aren't traditional security hires, but rather demonstrate they understand Markel's cultural values, and demonstrate an ability to meld into that culture and be part of the team.
"When I have to go out and talk to someone in the business, I better be able to speak the business vernacular," she said.
Given that Titus is a self-avowed Girl Scout for life (she sits on the board of the national organization), it's not surprising that she places a lot of value on loyalty, which is why she prefers to hire from within the company's ranks whenever possible. Obviously, whenever it's possible, those hires are women, reflecting one of the key pieces of advice she received: Namely, lift as you rise.
"As you move up in your career, turn around and lift those around you," she said.
More than anything, Titus said she tries to be a cheerleader for women considering cyber security careers by encouraging them not to be afraid of it.
"It is such a cool field," she said. "How could you not want to be in it?"
RSAC Panel: No Easy Fixes for Cyber Security Staffing Crisis
It's no secret that finding good employees is one of the biggest challenges cyber security executives face today. And there are plenty of reasons to believe that the dizzying flow of security incidents is only going to get more dizzying, putting even more of a premium on having a strong staff.
Meeting that challenge and finding the best employees requires turning over every rock and marshaling every resource at your disposal. Fortunately for attendees of the recent RSA Conference in San Francisco, a panel of security leaders from the government, nonprofit and private sectors offered up plenty of advice on what to look for and where to look when positions need to be filled.
One of the challenges cyber security leaders may have created themselves has been the lumping of all security jobs together under one gigantically general umbrella. That, said k Jeanette Manfra, assistant secretary for cyber security and communications for the Department of Homeland Security, has led to a lot of new employees having mismatched skill sets for the jobs they were hired to do, often because they apply for positions they really aren't suited for.
"Some people have what look like good resumes, but they get on the job and are woefully unqualified," said Manfra. "It's our job to be very clear about what the expectations are."
Manfra said that there's often a temptation to take a chance on someone who interviews well and seems to know their stuff. But she's added another layer by subjecting applicants to simulated scenarios and seeing how they handle them. Doing so is helping her to find people who have the skill sets she wants to add.
"I don't need a lot of people who can push a button," said Manfra. "I need a lot of people who can think critically."
Valecia Maclin, director of cyber security and special missions for Raytheon Co. has widened her hiring net through outreach efforts such as a web site the company has sponsored the last few years for Millennial prospects. The site targets 18- to 26-year-olds, seeking to gauge what they want out of their employment experiences, and to make itself a more attractive potential employer.
For instance, Maclin has learned that the desire to make an impact on the community, enjoy life and do challenging work all are near the top of most employee wish lists, which helps her to establish attractive job parameters. On the other hand, Maclin also has learned that young prospects are greener than they need to be, and that she's much more interested in someone who's got a little experience in IT or intelligence work, and has demonstrated top-flight problem-solving skills, than she is with someone with a fresh degree but no experience.
The answer, she suggested, is for Millennials to get opportunities to gain any experience they can before hitting the job market.
"We have to start much earlier introducing the field to the next generation," said Maclin.
Rodney Petersen, director of the National Initiative for Cybersecurity Education (a program of the National Institute of Standards and Technology), said that while programs like his are doing a great job of ensuring that there's a stronger pipeline of young cyber security workers come out of schools down the line, that doesn't help with the hiring crunch organizations are feeling today.
Petersen believes some of the skills gap that's holding back cyber security teams is due to a lack of investment in employees after they're hired. He said that too often, employees are hired and then simply left to their own means, which ultimately proves ad disservice of employer and employee alike.
"Government and industry need to think of their workers as continuous learners," said Petersen. "You have to invest in the constant development and expansion of skill sets."
That said, education holds the biggest key to a stronger cyber security workforce in the future, and that's where Petersen's efforts are focused. Along those lines, programs like the National Collegiate Cyber Defense Competition, which pits teams from universities together and brings the winners to Washington, D.C. to tour defense agencies, or the National Science Foundation's Scholarship for Service, which offers financial assistance to draw would-be cyber security professionals into working on protecting critical infrastructure, are helping to attract more Millennials to the field of cyber security.
The panelists had fewer answers for more complex issues, such as how to get more young people in poverty-stricken and at-risk communities interested in careers in cyber security.
Manfra, for one, did have a strong message for her cyber security peers, who she feels haven't demonstrated the fortitude it will require to seed and maintain a healthy pipeline of hungry young cyber security prospects.
"I feel like we spend a lot of time talking about these problems but not doing a lot to address them," said Manfra. "We have the potential for a tremendous workforce, but it's going to take an effort, it's going to take some money, and it's going to take time."