
October 2017

A SPECIAL EDITION BY CYBER WORLD

Women in Cyber Security: Exerting Strength, Providing Leadership

In this issue:
- Latest News
- Newest Vulnerabilities
- Michelle Finneran Dennedy, Cisco
- Theresa Payton, Fortalice Solutions
- Ian Glover, CREST
- Jo Stewart-Rattray, BRM Holdich & ISACA
- Laura Brent, NATO
- Women in Cybersecurity: Hidden Cultural Challenges
- Jennifer Sunshine Steffens, IOActive
- Magda Lilia Chelly, Responsible Cyber Pte.
- Jane Frankland, Cyber Security Capital
- Upcoming Events


CyberWorld.News


Hello. We are proud to announce the second Special Edition of Cyber World, focused exclusively on the important subject of ‘Women in Cyber Security’. Women continue to be under-represented in the cyber security industry – only 11% of the global workforce is made up of women – but the many successes and achievements of women in the field have contributed greatly to driving the success of the industry as a whole. Without the creativity, passion, transformational leadership and innovation that women bring to the profession and to the teams around them, such growth would not have been possible. Secgate is a keen advocate for celebrating and building on the power of diversity – especially for achieving the highest levels of professionalism and quality and for establishing powerful and lasting relationships. We are thus excited to announce this special edition of Cyber World to highlight the many achievements of women in cyber security, but also to address persistent questions such as why this gender gap continues to exist and what can be done about it. We present articles and analyses by Michelle Finneran Dennedy, Vice President and Chief Privacy Officer, Cisco; Theresa Payton, President & CEO, Fortalice Solutions; Ian Glover, President of CREST and President of Bloodhoundssc 1k; Jo Stewart-Rattray, Director of Information Security & IT Assurance, BRM Holdich, and board member at ISACA; Laura Brent, Cyber Defence Officer, NATO; Jennifer Sunshine Steffens, Chief Executive Officer, IOActive; Magda Lilia Chelly, Managing Director of Responsible Cyber Pte.; and Jane Frankland, Founder of Cyber Security Capital. We also have an analysis on ‘Women in Cybersecurity: Hidden Cultural Challenges’. We would like to thank all our contributors for their analyses and insightful contributions, and our readers for their interest and support. We hope you enjoy this Special Edition and look forward to your comments and feedback, which we value greatly.
Please also feel free to share our magazine with colleagues and friends.

Laith Gharib, Managing Director



Latest News: Rounding up the news

APPLE SUFFERS MAJOR DATA BREACH
The details of upcoming Apple products were leaked in the largest data breach of its kind experienced by the firm. According to Apple blogger John Gruber, the details that surfaced on the websites 9to5Mac and MacRumors were likely the result of a deliberate act rather than an accidental leak. Confirmed discoveries include details of a new iPhone X model, an Apple Watch, AirPod headphones, an alternative identification system using facial recognition technology, and the introduction of a new interactive emoji interface. Apple has yet to provide an official statement.

BRITISH GOVERNMENT WEBSITE OF HMRC COMPROMISED
Two serious security flaws have recently been identified on the tax services website of HM Revenue & Customs (HMRC) in the United Kingdom. The vulnerabilities were identified and blogged by Zemnmez, a researcher who discovered them while using the site to check his taxes. Either vulnerability could be exploited by attackers to obtain confidential information by redirecting users to a malicious website, or to modify taxpayers’ tax records. HMRC has released a statement acknowledging the flaws. A joint effort with the UK National Cyber Security Centre (NCSC) was initiated to address the flaws and streamline vulnerability handling processes.



MEDICAL PUMPS VULNERABLE TO EXPLOITATION
With the advent of the Internet of Things, more medical devices are utilising advanced communication technologies to achieve their functional objectives. However, the increased connectivity also exposes devices to malicious activity. The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory on September 7 concerning a syringe infusion pump – used in acute care and operating room settings – that could be remotely compromised by hackers. Another discovery was made by an independent security researcher, who identified eight security vulnerabilities in the Medfusion 4000 Wireless Syringe Infusion Pump, manufactured by Smiths Medical in Minnesota. The more dangerous vulnerabilities could facilitate remote code execution or man-in-the-middle attacks, while the medium-severity flaws could be exploited to sabotage communication or operational modules in the device.

VULNERABILITIES IDENTIFIED IN GERMAN ELECTION SOFTWARE
In the run-up to the recent elections in Germany, held on 24 September, a team of researchers from the German hacking group Chaos Computer Club (CCC) identified several critical vulnerabilities in the voting software PC-Wahl. The software has been used for decades to capture and coordinate voting data from local polling stations across the country in all parliamentary elections. Despite the publication of a proof-of-concept, the manufacturer of PC-Wahl has denied all allegations about the software’s vulnerability. German Federal Election Director Dieter Sarreither has liaised with the relevant state officials to undertake the necessary steps to address CCC’s findings.


EQUIFAX LEAK COMPROMISES 143 MILLION CUSTOMERS
Between mid-May and July, Equifax Inc., a provider of credit scores, suffered one of the largest data breaches in the United States. According to a public statement issued on September 7, attackers managed to gain access to certain files including the names, social security numbers and licence plate numbers of as many as 143 million consumers in the United States. Equifax is managing the situation with the Federal Bureau of Investigation (FBI) and has hired a cyber-security firm to investigate the breach; the investigation is expected to be completed in the coming weeks. According to U.S. Senator Mark Warner, vice chairman of the Senate Select Committee on Intelligence, this breach represents a real threat to the economic security of Americans given the wealth of confidential information stored by such companies.

EUROPEAN AND AMERICAN POWER FACILITIES TARGETED
Facilities in the American and European energy sectors have been targeted by a wave of cyberattacks from a group known as Dragonfly. After lying dormant since 2014, following its exposure by Symantec researchers, the group’s recent activity suggests that it has re-emerged. Using sophisticated spear-phishing campaigns, the group distributes infected files that facilitate the extraction of confidential network credentials to an external server; the credentials are later used in follow-up attacks. On September 6, Symantec published its findings on the emergence of Dragonfly 2.0, revealing a series of indicators connecting the tools used in recent network breaches to earlier Dragonfly campaigns between 2011 and 2014.

CHINA ESPIONAGE GROUP UPDATES TOOLS
Palo Alto Networks security researchers have identified an increased appearance of KHRAT, a remote access tool associated with the China-linked cyber espionage group DragonOK. Investigations concluded that KHRAT has received significant updates, which support new tactics, techniques and procedures (TTPs) employed by the group in 2017. These include new spear-phishing techniques and Command and Control (C2) infrastructure. The most recent recorded attack, earlier in June, targeted Cambodian government servers by masquerading as traffic from other applications.



Newest Vulnerabilities: Latest Developments and Trends

STEALTHY LINUX MALWARE ON WINDOWS SYSTEMS
Check Point researchers claim that the incoming Windows Subsystem for Linux (WSL) potentially exposes Windows computers to a host of new Linux malware. The researchers argue that the anti-malware solutions currently available for Windows computers are not configured to identify and manage Linux-oriented threats, thus jeopardising users of the new Linux command-line shell. The concern, however, is about the capabilities of contemporary security software rather than a specific vulnerability. According to SecurityWeek, anti-malware developer Kaspersky Lab is aware of the potential for specialised malware targeting the incoming WSL and is researching threat detection technologies configured for such scenarios.

BLUEBORNE EXPLOITS TARGET BLUETOOTH VULNERABILITY
Researchers at the security company Armis have identified a collection of eight exploits, designated BlueBorne, that enable attackers to gain access to mobile devices, computers and other IoT-enabled devices via a vulnerability in Bluetooth. In a proof-of-concept video, Armis researchers demonstrated how they were able to identify, access, extract data from and command a targeted device via its Bluetooth connection. While users of newer Windows and iOS versions might be protected from such attack vectors, devices running older software versions remain vulnerable; and while most major electronics developers would have addressed the problem, newer and lesser-known players joining the IoT market remain potentially vulnerable.

SHADOW BROKERS LEAK NEW NSA EXPLOIT
The notorious hacking group The Shadow Brokers has released another NSA exploit and announced changes to its subscription plans. Dubbed UNITEDRAKE, the tool was leaked as part of the group’s ‘monthly dump service’. According to an unencrypted user manual, the tool contains five components that enable attackers to remotely control targeted Windows computers. The tool first appeared in 2014 alongside five other pieces of malware in the classified NSA documents leaked by former contractor Edward Snowden. In addition, the group has announced its transition to Zcash (ZEC) payments and raised its rates to nearly $4 million for the stolen exploits.



MOBILE DEVICES CRITICALLY VULNERABLE TO PERSISTENT THREATS
Nine security researchers from the University of California, Santa Barbara developed an investigative tool called BootStomp, which identified several critical zero-day vulnerabilities in the bootloaders of multiple different Android devices. These included a known and already patched vulnerability (CVE-2014-9798) in older bootloader versions. The researchers postulated that these vulnerabilities allow attackers to obtain persistent root access to the device, which could be exploited for illicit data extraction or to initiate a denial-of-service attack. All vulnerabilities were reported to the affected vendors, and a series of mitigation strategies can be found in the research paper entitled ‘BootStomp: On the Security of Bootloaders in Mobile Devices’.

WINDOWS FLAW LIMITS THREAT DETECTION
Researcher Omri Misgav from the American endpoint security provider enSilo has identified an inherent flaw in Microsoft Windows operating systems from Windows 2000 to Windows 10 that limits the effectiveness of threat detection. According to Misgav, the error stems from a mechanism called PsSetLoadImageNotifyRoutine, which delivers notifications during module loading and thereby supports the identification of malicious activity. Misgav postulated that the error could be exploited to make the mechanism ignore selected files, allowing attackers to fool it and embed malware. However, upon review Microsoft engineers determined that the alleged error does not pose a security threat, and no security patch release was scheduled.

CRITICAL FLAW IDENTIFIED IN APACHE STRUTS
Security researchers at lgtm have identified a critical vulnerability (CVE-2017-9805) in Apache Struts, a popular open-source framework for Java-based web application development, which allows an attacker to remotely execute malicious code on targeted servers. According to the researchers, the vulnerability resides deep within Struts, in how it handles data from untrusted sources. Exploitation can easily be accomplished by submitting malicious XML in a specific format to trigger the vulnerability. This would enable the attacker to gain remote access to and control over the targeted server, facilitating further penetration into neighbouring systems on the same network.


When Women Happen to Things, Things Happen
By Michelle Finneran Dennedy



About the Author: Michelle Finneran Dennedy is Vice President and Chief Privacy Officer at Cisco. She is responsible for the development and implementation of global data privacy policies and practices, working across business groups to drive data privacy excellence across the security continuum. Before joining Cisco, Dennedy founded The iDennedy Project, a public service organization to address privacy needs in sensitive populations, such as children and the elderly, and emerging technology paradigms. Dennedy is also a founder and editor in chief of a new media site – TheIdentityProject.com – that was started as an advocacy and education site focused on the growing crime of Child ID theft. She is a co-author of The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value. Follow her on Twitter @mdennedy.

Accomplished people rarely sit back and let things happen to them. They go out and happen to things. And now is the time for women to make things happen.

We’ve knitted together a digital world from millions of connected devices modelled after our own human brains. Every new technology opens the door for greater expansion and innovation but also breeds new challenges to solve, including security and privacy. Yet, we are not innovating fast enough to counter these challenges. We have a ton of work to do and a significant shortage of more than one million cybersecurity professionals in the industry. Even more staggering, women comprise only 11 percent of the cybersecurity workforce. I think women are one of the largest untapped reservoirs of talent in the world today and that they should seize the opportunity to contribute to a cybersecurity industry that is impacting how each of us lives and works.

My own career story began as an undergraduate student in psychology at the Ohio State University. I worked in the educational robotic department and documented the behavior of students as they manipulated robotic arms. As I watched nearly every one of my fellow students get a laugh out of their ability to hack into and reset the machines, I wondered what it would mean for the technology to make a positive difference in people’s lives. This early experience was the beginning of a lifelong fascination with self-efficacy and the way we might use technology to solve human and worldly challenges. More importantly, it set into motion a passion for bringing kindness and humanity to an industry traditionally governed by uniform thought.

As malicious actors continue to test our technologies and develop innovative ways to break down our security and privacy barriers, those of us in cybersecurity need to be creative and expand beyond traditional roles and technologies. We can fight for and win back trust in technology, communities, and ourselves. This must include growing the talent pool to include and embrace diverse perspectives.

Increasing the number of women in the cybersecurity profession broadens the spectrum of ideas brought to the table and strengthens every company’s position in combating the most sophisticated attack methods. But it doesn’t stop there. Retaining talented women is just as important as getting them through the door.

If every experienced professional in the industry selected one person to coach and inspired them to stretch beyond their limiting beliefs or surpass the barriers holding them back, it would take only half a generation to have enough competent people working in a respectful environment to develop an abundant, innovative workforce. At Cisco, we call that the Multiplier Effect.

With each new technology and subsequent attack method, the cybersecurity industry is growing at an exponential rate. We cannot afford to exclude major pools of job candidates, which is why it is crucial for companies and leaders to build inclusive and respectful work environments.

After all the bugs are patched, the gear is installed and the lights are blinking, the only thing left is the data and the human stories people remember about each one of us. We in the industry need to extend a helping hand to people on their journeys and build a more cohesive cybersecurity ecosystem. Let’s join together and “happen to things.” Humanity depends on it.

This article was originally published on Cisco Blogs.

Michelle Finneran Dennedy
Vice President & Chief Privacy Officer
Cisco


CREST is a not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST provides internationally recognised accreditation for organisations and individuals providing penetration testing, cyber incident response and threat intelligence services. All CREST Member Companies undergo regular and stringent assessment, while CREST qualified individuals have to pass rigorous examinations to demonstrate knowledge, skill and competence. CREST is governed by an elected Executive of experienced security professionals who also promote and develop awareness, ethics and standards within the cyber security market. CREST also supports the industry by providing in-depth guidance material and commissioning detailed research projects. All CREST research is provided to the industry free of charge and is available from the CREST website. Visit our website for more information on CREST membership and examinations, to find an accredited service provider or to download our research: www.crest-approved.org Follow us on Twitter: @crestadvocate

Company Membership Demonstrable level of assurance of processes and procedures of member organisations

Professional Qualifications Validate the knowledge, skill and competence of information security professionals

Knowledge Sharing Production of guidance and standards. Opportunity to share and enhance knowledge

Professional Development Encourage talent into the market. Provision of on-going personal development



No More Hoodies: Why We Need to Attract More Women to Cyber
By Theresa Payton

About the Author: Theresa Payton served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and the 3,000+ members of the Executive Office of the President. Currently, Theresa is CEO of Fortalice Solutions, an industry-leading security consulting company, and cofounder of Dark Cubed, a cybersecurity product company.

What image flashes in your mind when you hear the word cybersecurity? Is it a room filled with happy, diverse, productive people making a difference in the world around them? Sadly no. More than likely, it’s a guy hunched over his computer wearing a dark hoodie with some ones and zeros floating above his head. Or maybe it’s a cold room in a basement filled with rows and rows of computer servers. If you’re a woman looking at the next 30-40 years of your life, would you pick a career that looks so ominous? Probably not.

Optics is one of the biggest hurdles we face as cybersecurity professionals, and the hurdle is even greater for women in security. Generally speaking, women are more drawn to careers where they can use their intellectual, emotional and interpersonal skills, and cybersecurity does a terrible job promoting itself in those areas. What if I told you that cyber can be an extremely emotionally charged field? Yes, it’s logical and yes, it’s technical – but the beauty is that we use those skills in conjunction with softer skills to truly help people.

As CEO of Fortalice Solutions, I work directly with the government, corporations and people to protect what’s most important to them, including intellectual property, financial assets and healthcare information. And perhaps the most rewarding of all, I work frequently with law enforcement to use innovative technology to combat human trafficking and childhood sexual exploitation. We need to demystify cybersecurity and talk plainly about how our field helps people, in real tangible ways. For example, I’ve often said that security is inherently flawed because it is not designed for the human psyche. Today security is not only an afterthought, security designs have zero empathy for the human. Do you know any non-technical professionals who profess a deep fondness for strong passwords? You don’t. Passwords are designed for the technology, and we ask the human to conform. According to cybersecurity best practices, people will share and forget passwords, and they will do unsafe things to get their jobs done, such as use free, unsecure WiFi. Haven’t you? Women’s natural intuition and emotional intelligence to see themselves in someone else’s shoes is exactly what we need to combat this problem.

To be more inclusive of women in cybersecurity, at least three things need to happen. First, hiring managers need to expand their criteria and qualifications. Many hiring managers are leaving women and minority candidates on the sidelines by chasing the same resumes, the same degrees and the same alphabet soup of certifications in future employees. While this might be one indicator of a successful hire, it is not the only indicator. The best cybersecurity professionals are insatiable learners and highly skilled problem solvers who think about the user while never underestimating the adversary. Take a chance on a different degree and background and invest in cross-training. Some of my best cybersecurity team members started out in a different field and are now some of the best, most well-rounded cybersecurity professionals we have on the front lines of fighting cybercrime.

Second, an April 2013 survey of Women in Technology found that 45% of respondents noted a “lack of female role models or [the encouragement to pursue a degree in a technology-related field].” It’s been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem – we don’t have enough women in cyber because there aren’t enough women role models in cyber. While connecting with other women has had its challenges, there are wonderful women in cyber today – look at KT McFarland, Deputy National Security Advisor and Ambassador to Singapore, and Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel.

I’ve been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be more than women starting their career. This brings me to my third point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED Talks, and even YouTube. You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity (a few possibilities are Codecademy, Coursera, Khan Academy, Udemy, MIT OpenCourseWare, and check locally for free bootcamps) or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack. There are some excellent security frameworks and guidance available for free online such as the NIST Framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts. You must be a constant student of your profession in this field.

It’s true that there is a shortage of women in cybersecurity, but there isn’t a lack of talented and strong women in this world. Cybersecurity requires a general shakeup, and perhaps women are the ones to do it. I’m grateful that I can talk about my industry, and I hope more women join this exciting field – they can even wear their favorite hoodie.

This article was originally published in Security.

Theresa Payton
CEO
Fortalice Solutions



Closing the Gender Gap in Cyber Security
By Ian Glover

About the Author: Ian Glover, President of CREST, has over 30 years’ experience working in the information technology industry. He was one of the founding partners of Insight Consulting and when the business was sold to Siemens Ian sat on the Board of Siemens Communications. Ian also established the CLAS Forum with CLAS as a partnership linking the Information Assurance knowledge of the UK Government with the expertise and resources of the private sector. Ian was the Chairman of the Forum until April 2012.

It is no secret that the cyber security industry suffers from a lack of gender diversity and it is estimated that only 10% of the global information security workforce are women. Increasing the number of women in cyber security is not simply for diversity’s sake, but for the sake of the industry. With the industry facing a skills shortage, recruiting more people into the cyber security sector is increasingly important across the globe, and by consistently taking people from the same backgrounds, we’ll keep coming up with the same approaches and solutions.

The industry has begun actively addressing the issue, with major industry players coming together to discuss the main obstacles to gender diversity and, more importantly, what is needed to resolve them. Last year CREST, the not-for-profit accreditation and certification body representing the technical information security industry, released a report outlining the details and conclusions from its Diversity Workshop looking into closing the gender gap in cyber security. It analysed why diversity is an increasingly important issue, what is deterring women from entering the industry, how to make a difference, who to target and how to get the message out there.

The first step is to work out why women are not entering the industry. One of the major challenges we face is that despite cyber security being very welcoming to women, the impression from the outside is much the opposite. We have to correct the perception for women to want to come into it. There is a misconception that the industry is simply boring and just for techies, when it’s actually exciting, diverse, innovative and financially rewarding. But no-one hears about the good stuff. This can often be due to the language adopted when talking about cyber security and a lack of understanding around what the industry is, and what skills are required. It’s not just technical skills that drive the fight against cyber criminals.

Whilst it is important to address the current diversity challenges that the sector faces, we need to establish ways to facilitate change. This includes:

• Education - Industry should have stronger connections with schools, running initiatives to engage school children in workshops, classes and demonstrations to inspire them to strive for cyber security careers. Fighting for time in the curriculum is tough, so we need to target and incentivise head-teachers to lead from the top.

• Raise awareness - Overtly promoting cyber security careers and opportunities available to women – and telling them it is a career that they can embrace and enjoy – is an essential first step.

• Industry perception - The marketing of the cyber security industry needs a lot of further consideration to ensure the sector is portrayed in an accurate, positive way. Ensuring all messaging is gender-neutral and attracts both sexes is essential. This of course also means attracting people from all different backgrounds and ethnicities.

• Support - Whilst it is imperative to recruit new women into the industry, it is also important to support and retain the women currently in the profession. Mentoring schemes and improved networking opportunities would improve the support network for women in cyber security. Offering support to women either returning to the sector or converting from elsewhere is also important, be it financially or emotionally.

• Promote role models and ambassadors - Raising the profile of successful females in cyber security would be really encouraging for women considering entering the industry. There is a lack of female role models, and appointing ambassadors and promoting women would inspire the younger generation.

• Removing barriers for entry - The cost of training can often act as a barrier to entry for people wanting to start or return to careers in cyber security, so supporting women financially through the availability of underwritten loans could act as one solution.

For any initiative to achieve short and long-term success, establishing who to target is vital. It is important to get the message across all ages, cultures and regions. Secondary school children are probably the most important group to target, followed by graduates. However, focusing on these groups alone will not solve the short-term problem. If the campaign was to only focus on schools, it would be eight years before any tangible changes became visible. Perhaps the most overlooked group is the returners and career migrators, but it’s certainly the category with the potential for the most quick wins. This group already has the skills, but just needs support, guidance and training tools to move into, or be welcomed back into, cyber security.

To effectively get the message out there it’s important to harness a variety of methods. The media must play a significant role with more female coders and cyber security experts in TV shows and movies – younger girls need to feel validated. This is poignant, because the message absolutely needs to reach girls that this career is for them. TV and radio campaigns, print advertising, social media campaigns and online adverts are all useful to reach the masses, but direct marketing and more intimate networking events will also have a great impact in a smaller group. Graduate fairs and schools are obvious targets, but to make a significant impact, the activity should be continual, or periodical, as opposed to a one-off event. Schools have limited time and the competition for air-time is enormous. It is therefore imperative to collaborate with existing initiatives in order to make the biggest possible impact.

Regardless of the media used to distribute the messaging, momentum and positivity are absolutely key to success. Reinforcing the idea that women in cyber security is somehow strange or abnormal only continues to put women off, resulting in a self-fulfilling prophecy. We need to stop getting hung up on how few women there are and what the challenges may be, but instead focus on the success stories and talk about why cyber security is an amazing career. It’s about fighting cybercrime, it’s innovative, it’s interesting, and let’s not forget to point out that it’s well paid, and a career for everyone, technical or non-technical.

The full ‘Closing the Gender Gap in Cybersecurity’ report and more information on CREST are available from the CREST website.

Ian Glover
President
CREST


UK SECURITY EXPO: London hosts world class international security event

Topics covered: Global Counter Terrorism, Protecting Crowded Places, Critical National Infrastructure, Designing Out Terrorism, Major Events & Stadiums, Building & Facilities Management, Aviation & Borders, Transport Security, Cyber Security.

10,000+ global visitors, 100+ countries represented, 250+ high-end exhibitors, 250+ sessions and 200+ world renowned speakers. Featuring a Women in Security Workshop, live demonstrations and a new Cyber Intelligence Zone.

Register a free visitor pass now at www.uksecurityexpo.com/cw. Global Counter Terrorism Conference passes start from just £199 + VAT. Quote code UKSEC15 to save 15%.


Women in Cyber Security Must Not Be Made to Feel Alone Jo Stewart-Rattray

About the Author: Jo Stewart-Rattray is board director of ISACA, chair of ISACA’s Women’s Leadership Council and director of information security and IT assurance at BRM Holdich.

The underrepresentation of women in the technology workforce, and particularly in cyber security, is complex and multilayered, yet for some women, it may be as simple as the discomfort caused by walking into a room and being the only woman.

Whether that occurs at a staff meeting, an appointment with clients, or at an industry conference, it can be an uncomfortable dynamic, and one that should not be underestimated when sizing up the many reasons for the gender gap – make that gender gulf – between men and women in technology-driven professions such as cyber security.

In my role as board director for global business technology association ISACA, I’ve had the pleasure of participating in several networking receptions aimed at elevating and empowering women in the tech workforce. These gatherings are invariably upbeat, well-attended and have facilitated many valuable connections for those participating. They also have shed insights on why many women are reluctant to enter, or remain in, the cyber security profession.

So, what can be done to overcome that ‘only-woman-in-the-room’ hurdle? The ultimate solution is for many more women to enter the cyber security field so that being surrounded by men is a much less likely scenario. That, however, is a longer-term proposition. In the meantime, women must realize that they have tremendous value to add to the profession, which will quickly become evident to their male counterparts. For their part, it is incumbent upon men to make women feel comfortable and respected in all settings. A friendly smile or moment of small talk can go a long way.

Another common thread from many of my conversations about why many women pass on cyber security is the stigma that the field is, for lack of a more elegant descriptor, too geeky. Stubbornly outmoded perceptions linger that cyber security practitioners are socially awkward, still-living-in-mom’s-basement types, when the reality is that cyber security has become a board-level business priority for all organizations in today’s digital economy. Cyber security professionals are coveted, well-compensated and often need excellent people skills to successfully collaborate with their business partners. Organizations should clearly convey that messaging in the way that they advertise job postings and reach out to prospective candidates.

All of these concerns tie in with recent research from ISACA on breaking down gender barriers in the tech workforce, in which a lack of mentors and role models, workplace gender bias, unequal growth opportunities compared to men, and unequal pay were identified by survey respondents as top barriers faced by women in technology. ISACA’s SheLeadsTech programme aims to address the underrepresentation of women in technology, taking many of these factors into account. Revealing conversations like the ones I have had at the programme’s networking events provide an excellent starting point to understanding the challenges ahead.

As daunting as the outlook may seem – Payscale notes that only 21% of executives in the tech industry are women – there are many ways we can make a positive impact, such as participating in mentorship programmes, creating scholarships, pushing HR departments to adopt best-in-class hiring and retention policies (including offering flexible working arrangements), and countless other efforts that can make the cyber security profession more hospitable for women.

Generations of women have faced hurdles in being valued and respected in the workplace, but by standing up to the status quo, meaningful change has and must continue to take place. If we are resolved to make progress, I have no doubt that the day will come when talented, tech-savvy women will regularly be surrounded by empowered, female colleagues in our classrooms, offices and boardrooms.

Jo Stewart-Rattray, Director of information security & IT assurance, BRM Holdich


Why Are We Still Talking About ‘Women in Cyber Security’? Laura Brent About the Author: Laura Brent has held cyber policy roles in both the public and private sectors. Currently, she is a cyber defence officer on the NATO International Staff, where she helps develop and implement cyber policy on behalf of the Alliance. Previously, as a manager at EY, Laura conducted cybercrime investigations and assessed clients’ cyber security programmes and maturity. Prior to EY, Laura served at the U.S. Department of Homeland Security, working on a broad range of security issues including cyber security and critical infrastructure protection.

SHOULD WE STOP TALKING ABOUT WOMEN IN CYBER SECURITY?

It is easy to dismiss the discussion of ‘women in cyber security’ as a boring one – the story doesn’t ever seem to change. Blog after article upon study repeatedly demonstrate that women in technology generally and cyber security specifically continue to be underrepresented in an environment that favors men. In 2017, women represented 11% of the global cyber security workforce – the same low percentage as in 2013. Frankly, given that this state of affairs continues despite the attention it has gotten, it’s tempting to believe that female representation in cyber security isn’t changing because we, as a field, ultimately don’t care enough to fix the problem.

WE SHOULDN’T GIVE UP YET.

Before women accept permanent minority status, though, we should ask: Do we really understand the problem?

Though it is clear women are underrepresented in technology, continuing research is giving individuals, educators, and employers a better understanding of why women are underrepresented in technology. While it is beyond the scope of this article to argue what ‘adequate’ or ‘good’ representation looks like, it’s hard not to agree that the situation is bad: In 2017 in the United States, only 14% of information security professionals were women, while women represented 48% of the workforce overall. Moreover, more, and more specific, data are now available on the significant hurdles women face at school, during the hiring process, and in the workplace.

Take schooling, for example. A recent study in Israel demonstrated that teachers, when grading math tests of their own 6th grade students, gave boys higher grades and girls lower grades as compared to a group of independent teachers grading the same tests with the names removed. Another study showed that though women earn approximately 37% of U.S. undergraduate degrees in Science, Technology, Engineering, and Mathematics (STEM) overall, they account for only 18% of computer science degrees. While these studies do not represent great news for women in technology, they point to real and specific areas to target for improvement. In other words, we are getting better at understanding the problem.

Though the general challenges of women in technology have been long known within the field, every year more is unquestionably being done to rectify the issues. Big companies are spending big amounts to make diversity a priority. Intel has allocated $300 million for diversity efforts; Apple has dedicated $50 million to get more women and minorities into the technology industry; and Google spends $150 million a year on its diversity initiatives. There are also organizations devoted to assisting companies to recruit and retain women: The Anita Borg Institute, for example, has created the data-driven Top Companies programme, which helps pinpoint specific indicators and tangible strategies that allow companies to ‘[build] workplaces where women technologists can thrive.’

WE ARE THUS DOING MORE...BUT THERE’S STILL MORE TO DO.

All hope is not lost: people continue to better understand the causes of under-representation as well as devote increased resources to addressing them. But, as we said at the beginning: female representation in technology is still deeply suboptimal. Thus, the real question is: have we actually done all we can to improve?

The simple answer is no. These are huge and complex challenges, encompassing everything from bias in the classroom to workplace cultures that drive away women; more data and more money are key, but they are insufficient without long-term, serious commitment to change from the top. Once problems are identified, organizations must transparently measure their progress and then hold management accountable – in real ways, including financially – for their success in hiring, retaining, and promoting women. Company leadership needs to buy in – and demonstrate loud and continuous commitment to declared policies. Studies have compellingly shown the tangible business value of more gender-balanced companies; such focus on diversity is thus not only the moral choice, but the smart business decision.

As companies do attempt change, it’s important to realize that first solutions might not be last solutions. Unconscious bias training, for example, has become one of the most popular Silicon Valley programmes: Individuals learn to recognize the ‘stereotypes, both negative and positive, that exist in [their] subconscious and affect [their] behavior.’ Recently, however, some research has contended that unconscious bias training can, in fact, worsen behavior – if everyone recognizes that all people are biased, there’s less incentive to change a behavior that’s now firmly the norm. Some are already taking on the challenge to improve, rather than discard, this training.

Finally, as the push for more women in technology continues, it is also critical to recognize that there are real strains of active opposition to change. In September 2017, the New York Times published an article, ‘Push for Gender Equality in Tech? Some Men Say It’s Gone Too Far’, detailing how some men have begun to assert that the relatively modest efforts to level the steeply unequal playing field have already been excessive. Sadly, for some, the current gender balance seems to be a feature, not a bug.

GETTING BETTER ISN’T OPTIONAL.

One has only to glance at the front page of a newspaper to understand the importance of cyber security. In 2017 alone, there have been global attacks that have affected industries from shipping to healthcare, costing hundreds of millions – if not billions – of dollars. The possibility of a devastating attack on critical infrastructure remains all too real. The Euro-Atlantic security community now definitively recognizes that a cyber attack can be just as harmful to a society as a conventional attack.

In the midst of this crisis, industry is depriving itself of an enormous potential talent pool. Ultimately, the organizations that take meaningful action to hire and retain women first will be better positioned than their peers for success.

Laura Brent, Cyber Defence Officer, NATO


Forest Tree: Intelligent Cyber Defence

A pioneering solution that empowers your functional teams to safeguard your enterprise. Forest Tree is the big data solution to network and data discovery, event detection and generating knowledge from your network to support your operational, compliance and security needs. It enables you to make decisions based on real data from your network, whether those decisions involve operational, security or compliance objectives.

This solution shows you a comprehensive analysis of network traffic to identify and catalogue events in your organisation in real time. Our solution uses ground-breaking machine learning capabilities to bring insights on system and user behaviours, enabling decisions to be made holistically. It risk-rates behaviours, enabling unusual activity to be flagged to your operational teams. This solution learns and alerts you.

Forest Tree provides dashboards for IT operations, security and compliance teams that show the risk-rated activity and highlight individual high-risk communications. It provides the capability for teams to interrogate the database to investigate suspicious or unusual activity. This solution answers all your questions.

With all network activity captured and tools for making queries, Forest Tree gives you the ability to demonstrate your compliance to policies and regulations and to prepare reports as required. This solution is your organisation’s “Black Box”.

Forest Tree gives transparency to your business teams, seeing the same picture of the real activity passing across your network and enabling appropriate business-level responses. This solution enables cross-functional understanding.

Forest Tree: A holistic solution designed to protect and serve your business needs

Forest Tree provides information about data and communications in your network, allowing full visibility of activity from your systems. Operations staff can extract data to create inventories of your entire estate and its behaviour dynamically. It can be used to identify end-user computing, data transfers to cloud providers and other third parties. Forest Tree can bring you visibility of services that are outside the control of your systems management solutions.

Security: Forest Tree produces risk-rated assessments of all network activity, facilitates inspection down to packet level for security operations teams and provides security dashboards for management. Connections and data transfers can be approved so that they aren’t continuously flagged for attention. We use machine learning to characterise user behaviour and can identify when a user deviates from the norms for their role or is inconsistent with their peers. Forest Tree works with unstructured data within emails and attachments as well as structured data, providing the widest coverage of data traversing your network.

Group Functions: Forest Tree supports Group functions, who can have the same visibility of dashboard information and thus have transparency between operations and policy and compliance departments.

Some examples of use cases include:
● Is user behaviour changing, and which users are not complying with policies?
● Are you in compliance with policies and regulations?
● Is the total risk score reducing in line with your plan?

Forest Tree: Designed for humans; engineered for networks

Performance engineered. Our solution is built to meet the needs of even the most sophisticated networks. Everything from the detection of events through to the generation of reports has been developed by our engineers to ensure speed and scalability. Our Core engine has been implemented and tested on networks that operate at one terabit per second, processing the entire network traffic, with zero packet loss, all in real time. Our solution is linearly scalable; we maintain our high performance on networks of any size or complexity.

Delivers certainty. Business decisions require accuracy. Our entire product has been developed and tested to ensure that you know exactly what actions are happening within your network at a given point in time. Its ability to act as a “black box” on the network, recording network activity for later investigation, gives certainty to your forensic investigations and incident reports. We help ensure your leadership are informed on any incidents before regulators and reporters approach them.

Built for people. Every part of our solution has been designed in consultation with security analysts, incident responders, penetration testers and CISOs to ensure that it is as efficient and as effective as possible. The user experience has been carefully considered to ensure that analysts can get to the features they need quickly, and the dashboards have been designed to ensure that each analyst is presented with the data they need to be able to perform their job. We work continuously with industry professionals to ensure our product meets the operational needs of security teams.

A defence-grade cyber security product, Forest Tree is a patented advanced Cyber Security solution that allows organisations to monitor and understand the content and context of each electronic communication channel. Contact us for a demo at: Info@secgate.co.uk


Women in Cybersecurity: Hidden Cultural Challenges

In an international economy which is becoming increasingly dependent on technology (i.e. Smart Grids, Cryptocurrency, Biometrics), the increased demand for skilled professionals is rapidly exceeding supply. Amidst this general trend, the cybersecurity industry is also suffering a critical gender disparity problem. According to a recent GISWS (Global Information Security Workforce Study) analysis on Women in Cybersecurity, the number of female professionals in the industry has remained stagnant at 11%, despite the global expansion of the cybersecurity industry.

Realizing the value of attaining corporate diversity, achieving gender-equality has been a major focus and discussion topic over the last several years. This has resulted in multiple initiatives designed to increase industry awareness and encourage women to join the cybersecurity profession. These initiatives range from sponsorship programmes (i.e. Raytheon Women’s Information Security Scholarship Program; Rebecca Gurley Bace SWSIS Scholarship) seeking to cultivate the next generation of cyber-ninjas, specialised events (i.e. Ally’s Skill workshop) that raise awareness amongst mid-senior level professionals, expert-panel discussions (i.e. Palo Alto, Black Hat USA) guiding c-level executives, and even a Women in Cyber Security Steering Committee. Despite these initiatives and the abundance of research available, the statistical stagnation of 11% still comes as a discouraging blow, especially when viewed against a projected workforce gap of 1.8 million vacant positions by 2022 looming ever closer. Which begs the question, did we miss something?

RINSE AND REPEAT

The unhelpful yet simple answer is yes. Almost all available investigations take a ‘rinse and repeat’ approach when identifying the challenges associated with gender diversity in cybersecurity. Cross-examining different research articles ranging from cybersecurity to human resources, common challenges identified include:
• negative work environments (i.e. Chauvinistic Marketing Tactics);
• discrimination (i.e. Tokenism);
• opaque and intimidating recruitment tactics;
• inconsistent or delayed career experiences (i.e. Pay Gap, Delayed Promotions); and
• cross-media misrepresentations (i.e. Entertainment, News, and Industry Conferences).

While it is regrettable that such challenges persist, most investigations often neglect to explore associated factors outside of mainstream cybersecurity and business development. This limitation is actually indicated on page 6 of the widely referenced 2017 GISWS report as part of its introduction, questioning whether ‘cultural issues, discrimination, access to education, or a combination thereof are contributing factors’. It is important to stress at this point that it seems that various cultural traditions and outdated gender perspectives remain the greatest impediments to greater diversity and gender equality at the workplace.

CULTURE, GENDER AND TECHNOLOGY

According to a YouGov investigation in 2015, which examined the attitudes of 24 countries regarding gender progressiveness, several European countries displayed more progressive attitudes towards gender equality than their American, Asian, and Middle Eastern counterparts (see full poll results). One explanation for such an outcome is that contemporary gender perceptions simply evolved from attitudes historically engrained deep within local cultures.

For example, Sweden displayed the most progressive attitudes towards gender equality. Recent discoveries at a Swedish burial site identified the potential existence of female Viking warriors, although the role of warrior was predominantly perceived as an exclusively male domain in ancient Viking communities that existed across the Fjords, or modern-day Scandinavia. According to Charlotte Hedenstierna-Jonson, the leader of the excavation, ‘the gender roles may have been more fluid…and that…women may have been regarded as socially male…able to assume positions of military leadership’. If her inferences are accurate, it corresponds with the contemporary development of gender neutral schools and the general progressive views towards gender equality in Sweden and other Scandinavian countries such as Norway. Whilst gender issues still regrettably exist, the OECD (Organization for Economic Development) Education at a Glance research revealed greater empowerment of women in STEM (Science, Technology, Mathematics, and Engineering) degrees in these geographical regions. However, if we apply a similar investigatory framework to the Asia-Pacific, we see a slightly – if not vastly – different story.

In comparison to other developed regions, the Asia-Pacific is still suffering from an inherent gender imbalance, attributed to many of the traditional roots of the multiple ethnicities populating the region. According to a report by Channel News Asia, even in countries like Singapore, which possesses a highly international profile, women are still facing multiple challenges when climbing the corporate ladder in the technology industry. This could be a result of ‘sticky cultural factors’, a concept proposed by Dr. Astrid Tuminez, the Regional Affairs Director for South-East Asia at Microsoft, and Philip Brett, president of TBWA\Asia, in their article for The Drum, commemorating International Women’s Day 2017. A similar argument can easily be identified in Mihoko Matsubara’s 2015 article for Palo Alto Networks on the limited number of Japanese women in the tech industry. Her investigations concluded that inherent Japanese traditions regarding ‘confrontation’ can further discourage women from entering the tech industry, let alone undertaking leadership positions and becoming role-models for future generations.

Regardless of how globalised an enterprise, regional leaders must learn to work within local cultural paradigms. Only after a degree of cultural intelligence is cultivated can regional leaders begin removing unconscious bias, improve attitudes and sustainably empower local female talent.

CULTURAL INTELLIGENCE, DIVERSITY AND STRATEGIES

Cultural Intelligence or cultural quotient (CQ) is a theory in organizational psychology which posits that it is an essential skill to be able to interpret unfamiliar actions, behaviours and motivational elements in a similar way as a person’s immediate compatriots would. In business, academic and government research, the term is used to represent one’s ability for cross-cultural adaptability. According to Livermore, understanding other cultures can underline workplace cohesiveness through shaping how potential diversity-related barriers are handled, and is especially important in the context of stressful situations. We are briefly reminded that the term ‘culture’ can also refer to a unified identity, such as an industry culture. In the context of diversity, where does CQ fit in within the gender discussion in cybersecurity?

The answer is: In its solutions. According to a Dark Reading article by Jodie Nel, it remains difficult for women to break into both the security or technology sectors. According to the research mentioned earlier, the inherent masculine representation of the field, and accompanying chauvinistic culture, is thought to be the main cause of discouragement amongst women. As such, most solutions and strategies suggested to executives tend to revolve around three main objectives:
• Encourage the incoming generation through education and exposure;
• Raise awareness amongst existing staff; and
• Empower existing female professionals to dispel existing misrepresentations.

Most of these solutions inform and have flourished in the various scholarship programmes, discussion panels and workshops mentioned earlier in this article. However, it remains the uncomfortable truth that not all organisations are as progressive, or have the equity for such initiatives. Ergo, they could begin their own path towards better workplace gender-diversity through employing the BCIQ (Business Cultural Intelligence Quotient) developed by Ilan Alon, Michele Boulanger, Judith Meyers and Vasyl Taras at the University of North Carolina. The BCIQ framework enables the assessment and measurement of cultural appreciation within a workspace. The scalable nature of BCIQ allows workforce managers at all levels to measure gender diversity trends within their relevant industries. A key benefit of the BCIQ is that its data is generated from observation and direct measurement against a pre-established standard at the company level. Unlike the self-reporting nature of most CQ frameworks, this significantly increases the accuracy.

PROGRESS, NOT PERFECTION

Whilst the statistical stagnation of 11% is particularly discouraging in the light of the projected workforce gap of 1.8 million vacant positions by 2022, there have been positive developments in the pursuit for greater gender diversity in the field. In a recent report developed by cybersecurity veteran Caroline Wong titled ‘Women in Cybersecurity: A Progressive Movement’, women are actually thriving in the profession and are feeling valued at their workspace. Whilst her study mostly comprises female executives with over 5 years’ experience in the field, it still signifies a positive outcome.

Understanding the limited amount of perspectives from women at the entry-level in the cybersecurity industry, a few small interviews were conducted with women aged 22-26 who have just joined the industry less than a year ago. Whilst the abundance of research has stressed the importance of technical demands, it still boils down to supply-and-demand. Once enough STEM professionals exist, coding and other technical skills might just become the next ‘Blue Collar Job’ – according to Wired. Therefore, one of the respondents believed that with the rapid expansion of the field: ‘there will be more opportunit[ies] for women in cyber if a wider range of backgrounds…[as most women] often come from backgrounds such as audit, intelligence, forensics, physical security, and ISMS experience. With the new GDPR legislation I believe the field will need lawyers with cyber competence too’. In the context of the negative landscape portrayed in much contemporary research, this is a very positive response coming from a young professional who feels that opportunities remain plenty.

CONCLUSION

In this article, the various elements of ‘culture’ were examined. We have explored the correlation between gender perceptions and traditions being passed through history. We examined how inherent ‘sticky cultural factors’ can undermine the effectiveness and confidence of women interested in the technology and cybersecurity sector. We have explored the importance of cultural intelligence and even proposed a highly scalable framework for organizations. Finally, we learned that it is not all negative, and that women in both senior and entry level positions in the industry are feeling optimistic about their place in the industry and the opportunities arising from its expansion.

The takeaway point here is literally ‘Progress, Not Perfection’. The road towards gender equality has been treaded, with many ups and downs and often far too slowly, by other communities, industries and even governments for many decades. In addition, the gender problem is part of a wider diversity issue plaguing the cybersecurity industry on a whole.

Change is happening, however slow it remains. It is with hope that by updating our current initiatives – by accounting for cultural influences at localised levels – that we can increase the efficiency of how solutions are executed. As one of the interviewees mentioned, the cybersecurity sector is rapidly expanding. With the advent of the GDPR and incoming Chinese Cybersecurity law, industries will require more talent from a much broader background to support its technical operations, which will hopefully provide further opportunities to narrow the gender gap.

Secgate Research & Development


Want a Diverse Workplace? Think Culture, Not Compliance
Jennifer Steffens

About the Author: Jennifer Steffens is Chief Executive Officer at IOActive, responsible for all aspects of the company’s global business and strategic vision. Steffens has a wealth of industry and business experience, including having been an early-stage member of several successful startups. Previously in her career, Steffens was a Director at Sourcefire, where she helped build and grow the business from $250K to over $35M in run rate in just four years.

One of the core truths of cybersecurity is that regulatory compliance isn’t enough. I’ve emphasized this point before, and so have many others.

The logic here is straightforward: Regulations – necessary as they may be – are too inflexible and too slow to address the full spectrum of potential hazards.

If you’re looking for real security, you need to build it from the inside out, weaving it into every layer of your organizational culture. That way, smart security practices emerge naturally – no matter what happens. In a sector as fluid as ours, it’s the only way to play. This principle holds true for another swiftly evolving business challenge: How to help traditionally male industries recruit and retain a more diverse workforce, ultimately embracing every facet of diversity.

Here too, compliance box-checking won’t cut it. If you’re just looking to satisfy the regs, you’re essentially telling your team that diversity is a hassle to be managed with minimal effort.

In many cases, this results in lowering the bar for hiring practices to achieve compliance – and not in the development of a thriving and diverse team.

This became apparent to me early in my career. I got lucky. I spent my early days in cybersecurity marketing with some really solid – and entirely male – research teams that just didn’t care that I was a woman. They cared about whether I knew my stuff; it’s how they judged everyone around them.

Once I met that bar, these colleagues invested generously in my professional development. It was all very empowering – and very illuminating.

Unfortunately, time and time again I have heard stories from other women of early-career experiences that shattered their trust, set back their progress, and in some cases chased them out of the tech sector entirely.

These women are not incompetents or shrinking violets who deserved to be weeded out of a competitive marketplace. They are highly talented individuals with much to offer, and the ultimate losers are the companies that treated them so shabbily.

Diversity should be seen as a must for cybersecurity firms – and a company’s failure to establish such a culture should be seen as a threat both to its own future viability and to its clients’ security. That’s a pretty strong statement, I know. But here’s why I say it: The cyber realm is ever-changing and ever-evolving, and the threats never sleep. The only way to keep up is to maintain a workplace culture that is totally open to new ideas and diverse voices.

And by ‘totally open’, I don’t mean ‘kinda open’. I mean so open that you’re willing to accept the mistakes, bad ideas, and occasional outright failures that inevitably happen whenever you’re genuinely challenging the status quo. I mean so open that you’re actively destroying all barriers – both obvious and subtle – to the emergence of genuinely innovative thinking.

I know our sector mouths such nostrums all the time. But look around. How many companies are acting on the realization that one of the biggest barriers to innovation is the chronic underrepresentation of so many talented pools of potential innovators? (That would be all pools except the male one, in case you’re wondering.)

It’s quite likely that a lot of companies are avoiding this because it requires an awful lot of work. Well, I won’t lie to you – it does. But I can tell you from firsthand experience that the effort is totally worth it.

When I became CEO at IOActive nine years ago, I was determined to instill an inclusive, status-quo-challenging mentality throughout the team. For us, it’s an absolute imperative. We have offices (and clients) around the world, and literally cannot afford to allow any barriers to the open flow of information and ideas – from anyone and anywhere.

The approach we’ve taken is less about ‘diversity programmes’ per se, and more about a culture that abhors all blockages to the development and dissemination of good ideas, no matter the source. In such a culture, communication is of paramount importance. As an executive team, we try to talk to everybody as much as possible so that we are aware of any formal or informal practices that might make our company less hospitable to smart ideas – and smart people, regardless of gender identity. For instance, we often use meeting facilitators to make sure that good ideas aren’t getting suppressed or shoved aside just because the people who have them happen to be introverted, soft-spoken, or otherwise inclined toward a communication style that male business cultures traditionally disfavor. It’s just one way of ensuring that all participants – of all genders and backgrounds – can present ideas for broader consideration. This not only widens the aperture for worthwhile thinking; it signals our seriousness about maintaining an open, welcoming corporate culture.

As a female executive, I obviously have a personal interest in seeing the cybersecurity field become more open to women. And make no mistake: While I’ve seen vast improvements throughout my career, there is still plenty of room for improvement.

I’m reminded of this every time I go to a cybersecurity conference. As a woman, I am a minority in almost every room I step into. I’m also reminded of it when I go to a CEO roundtable and folks from other companies initially assume I’m one of the event planners. It has happened more times than I can shake a laser-pointer at. Are these experiences a bit frustrating? Sometimes more than a bit frustrating? Sure. But over time I’ve come to a resolution: My best response is to be myself; to own my identity without apology; and to know that my voice has purpose. And that’s what I want for everyone in our company. It’s also what I want for everyone in the cybersecurity sector. We need wholly inclusive business cultures that sustain and propagate themselves, and that organically generate superb outcomes for the daunting task at hand. This matters, because our work matters. At a time when our skills and ideas are more urgently required than ever, we need to see all artificial barriers to talent for what they truly are – a threat to our companies, a drag on our sector, and a dangerous impediment to the attainment of security in cyberspace.

Jennifer Steffens
CEO
IOActive


Secret Diary of a CyberFeminist Hacker: How to Handle Challenges in Cyber
Magda Lilia Chelly

About the Author: Magda Lilia Chelly is the Managing Director of Responsible Cyber Pte. by day, and a cyber feminist hacker by night. Magda spends most of her time supporting chief information security officers in their cyber security strategy and roadmap. She reviews technical architectures, cloud migrations, and digital transformations. She is continuously raising cyber security awareness & diversity at a global scale.

When my father encouraged me at first to go to an engineering school, I did not know the challenges that I would have to face over the course of my career.

Coming from a multicultural background, with traditional and conservative views on the roles of women and men, I deviated from that pre-determined life path that was meant to be. I was, from the youngest age, a problem solver, passionate about mathematics as well as physics. When I had my first computer in 1995 I felt very comfortable navigating, and discovering a totally different universe. I then embarked on my new journey, and followed my tech-calling. What I did was not common, but it was not that uncommon either.

What I did not see coming was that it was still not widely accepted in various cultures around the world for a woman to BE a female leader in tech, and especially in cyber security. That only 11% of the cyber workforce are women speaks for itself.

When I started my preparatory school to become an engineer, I had comments like: ‘But you don’t look like a “geek”’. And, I did not, for many reasons. I did not fit the stereotype that the majority was expecting: I loved fashion, I loved fast cars, I loved partying, and I loved computers.

When I think about my experience, from my engineering studies to my PhD, and then during my professional journey, I realise that I have always been around mainly male colleagues. Women were the clear minority in my industry. At my very first important meeting, I was asked to bring coffee. I definitely felt uncomfortable: ‘Hmm, I am the one doing the demo about an indoor positioning system in complex environments.’ It was absolutely bizarre, and as I was at the beginning of my career, it was not so encouraging.

Over the years, I got used to representing the minority, and I discovered that there are many reasons why these situations happen, including unconscious biases, and not only negative intentions. We all have unconscious biases, and when you get used to meeting only men in a meeting room when addressing the subject of security, you tend to be surprised when it’s actually a woman leading the meeting.

Women all know this challenge. By the age of 15, girls tend to be less confident, and lose interest in mathematics, according to the statistics. I have talked to many young graduates in cyber security, and all are fabulous, smart, and motivated. You can definitely see the passion that is there. However, only a few of them continue their technological careers in general, and even fewer in cyber security. The previously mentioned percentage of 11% did not suddenly materialise over the past few years, and there are various reasons for it.

In fact, there are now more job openings in cyber security than there are cyber security professionals. The demand will only increase in line with the growing maturity of companies in the cyber space. The world needs skilled cyber security talent, including women — and that’s why I consider myself to have a mission: inspiring more women to get into cyber security, and follow in my footsteps.

Will that be easy? Maybe not. So, what? Life is not easy. But everyone can do it, and especially a motivated, talented woman.

Let’s be clear here what this statement means: You will get to face some of the below challenges:

• Your opinion will not be heard in meetings – So, what. Speak up. Find allies to support you.
• You will be refused contracts – So, what. You will find someone else who believes in you. The world is small, but big.
• You will be appraised differently – So, what. Believe in yourself and find ways to prove your knowledge.
• You will be told that you can’t make it – So, what. Of course, you can make it. You know it.
• You will be challenged by everyone – So, what. No one is perfect and we all make mistakes. Get your act together and make something great.

Earlier this year, I launched a new initiative, ‘Woman In Cyber’, to help inspire, educate and encourage more girls and women to start a career in cyber security. It addresses the issue of diversity differently, through various gadgets, t-shirts, and even thongs, to address the topic in a fun and different way. With my company, I promote and raise awareness of these efforts around the world, through free mentoring, support, and encouragement.

I absolutely realise from my own experience how important it is to have ‘that person’ supporting your choices, no matter who they are. In my case, my father has always been supportive of my choices, even when not approving. He was my mentor. Everyone should have that opportunity, and have a mentor. That is what women and girls need nowadays in order to continue to pursue their interest in cyber security, but also to climb the career ladder, even if the doors are initially closed.

And, if you’re passionate about promoting women in cyber to others, look at our articles on womanin-cyber.com and spend time inspiring other young women, helping them in their career. We can only make a difference together.

Mary Barra, Chairman and Chief Executive Officer at General Motors, said in one of her articles that ‘Diversity Will Crack the Code’. I believe that diversity will crack not only the code but also cyber security.

Becoming an engineer, and a cyber security professional, has absolutely fulfilled me and made my career. It allowed me to become a recognized leader in the space. If you’re considering a career in cyber, I encourage you to go for it!

Magda Lilia Chelly
Managing Director
Responsible Cyber Pte


How to Use Men to Balance the Numbers of Women in Cyber Security
Jane Frankland

About the Author: Jane Frankland is the Founder of Cyber Security Capital and the IN Security movement. She is an award-winning entrepreneur, speaker, author, consultant and CISO advisor. She’s also one of the top 50 influencers in cybersecurity in the UK. Jane has over 19 years’ worth of experience in the industry, has built and sold her own global penetration testing firm, been an SC Awards judge for Europe and the USA, advised boards, and held senior executive positions at several large security consultancies. As an ambassador for cybersecurity she’s passionate about diversity in the workplace and her book, ‘IN Security: why a failure to attract and retain women in cybersecurity is making us all less safe’, is due for release in 2017.

I’ve got a bee in my bonnet and I feel compelled to write about this. This blog won’t be a long read, but hopefully it will add value and be insightful.

I’m not looking to score brownie points with anyone for writing it. Nor am I looking to antagonise anyone. But if I do the latter, I apologise in advance. I just need to draw your attention to something. Chances are you’ll know this already, but just in case you don’t... Here goes. Deep breath. Feel the fear, and all that.

For almost a year I’ve been writing a book on women in cyber security, which comes from the premise of how a failure to attract and retain women in our field is making us all less safe. It’s nearing completion now, which I’m excited about, as are others. As you may also know, the topic of this book wasn’t something I planned on writing. It happened by chance, following a blog I wrote in November 2015 after reading an (ISC)2 report. And, it was the most non-strategic thing I’ve done in my life. How life’s laughing at me!

Yet, since then, I’ve found it’s become my whole world, and I’ve been championing women in cyber security daily – whether that’s been writing the book; interviewing women (and men) about the challenge; speaking at events about it; mentoring women (and men); sponsoring women (and men); connecting them to people in my network, who can help them more than me; or helping them to transition into our field.

In fact, last year I was invited to speak at 35 events – all over the world, largely about this issue, and this year I’m scheduled to speak at 30 events already, and [at the time of writing] we’re only halfway through April. I was also nominated for five awards, shortlisted for four, and received two.

Anyway, I’ve enjoyed the work I’ve been doing immensely, as I’m passionate about increasing the numbers of women in cyber security. Yet, the reason why isn’t purely because I believe in treating all people fairly and because it’s just. It’s more to do with performance.

As research suggests that women think differently to men, I firmly believe that women must play a fundamental role in helping us in cyber security to perform to a higher standard. When cyber crime, cyber terrorism and cyber warfare are on the rise, and attacks are becoming more sophisticated, we need to do something differently. After all, businesses, economies and lives are at stake.

As people are the foundations of good security and one of the components of the golden triangle (people, processes and technology), I do wonder why so many are looking to exclude one group – men.

Yet, ‘women-only’ groups, even when men are welcomed, are doing just that. The words signal that men aren’t welcome, or that this group isn’t for you if you’re a man.

Words are so important. They’re powerful, and change always begins with words, in language. A while ago I was honoured to keynote at JP Morgan, in London, as part of Women’s History Month. I spoke about my 19-year journey in cyber security, and how I transitioned from being nominated as a Young British Designer in my twenties to one of the UK’s top cyber security influencers. I shared my failures, and ten important lessons I’d learnt along the way. I also spoke about how men ARE a big part of the answer to redressing the gender diversity balance in cyber security. Although there’s a lot of talk about equality, or better still equity, women are perceived as belonging to the outside of power. You can hear this in the words that are used – in shared metaphors like ‘knocking on the door’, ‘storming the citadel’, or ‘smashing the glass ceiling’, and so on. Sadly, phrases like these undermine women, as they imply that women have to break down barriers, or alternatively that they have to take something that doesn’t quite naturally belong to them.

Women can’t be fitted into the workplace and reap all of the opportunities that could be afforded to them until the system that was originally engineered by men for men evolves.

I don’t blame men for this. Until things change, women need to learn how to play the system (or game, as I like to call it), which is entirely possible, as it’s flawed. But, we also need to accept that we cannot hope to change things permanently without the backing of men, and that means educating them and including them. In cyber security men are 90% of our industry, and they are the key to helping us transform the balance. Men are the change makers. But, only if ‘women-in’ and the division ceases. It has to stop being about ‘them and us’ – men and women. When I entered the industry nearly twenty years ago it was never like this. No one actually cared if you were a man or a woman.

I believe if we’re going to change things and alter the balance, it has to be about performance, and as a result I believe men should NOT be excluded.

As a mother of two sons and a daughter, and someone who loves working with men and cool women, I know that good men – the majority of our industry – want to help. I know that many have daughters and wish them bright future careers where they’re able to fulfil their potential. I also know that many men are being inadvertently ostracised with some of these well-meaning initiatives and made to feel like they’re the problem. I even witnessed a man at an event recently apologising for this. So let’s be clear. Men are NOT the problem. They’re the SOLUTION. The problem is the SYSTEM. I know that men want to change the system for themselves too. They not only want more women in the industry, as it’s more fun and normal, but they want to improve their situation. They want more of a work-life balance, to be around for their children, and to stop being penalised for wanting to take paternity leave, or to take time off with their children or families.

To conclude, I firmly believe: That we’re ONE team in cyber security. That we’re stronger TOGETHER. That there’s no ‘them and us’. No men versus women. And, that no one sex is better than another. However, I do believe that men and women are different. And, that’s a GOOD thing.

Jane Frankland’s upcoming book ‘IN Security: why a failure to attract and retain women in cybersecurity is making us all less safe’ will be published by RETHINK PRESS.

Jane Frankland
Managing Director
Cyber Security Capital


Cyber World

Missed an edition? Want to subscribe? Want a hardcopy? Want to contribute? Contact us on cyber@secgate.co.uk


Upcoming Events

• CSX North America, Washington DC, USA, 2nd to 4th October 2017
• Infosecurity North America, Boston, USA, 4th to 5th October 2017
• IP EXPO Europe 2017, London, UK, 4th to 5th October 2017
• Sixth Annual Future of Data Protection Forum, London, UK, 5th October 2017
• ISSA International Conference, San Diego, USA, 9th to 11th October 2017
• CSX Europe, London, UK, 30th October to 1st November 2017


About Secgate Secgate is a specialist security advisory and technology innovation group made up of experienced and award winning tier 1 professionals who deliver intelligent protection solutions that both strengthen and empower our clients’ IT security and resilience. Our in house technology department builds, implements and manages next generation IT security tools to help our clients analyse, correlate, identify and eliminate Cyber Security threats. With headquarters in the UK, Secgate Technologies is made up of industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and uniquely demanding environments. Our combination of consultants and technologists allows us to deliver unique and innovative solutions that provide our clients with a real tangible value.

www.secgate.co.uk info@secgate.co.uk

Berkeley Square House Berkeley Square Mayfair London W1 United Kingdom


Cyber World October 2017  

A Cyber World special edition on 'Women in Cyber Security'.