
Published on July 1st, 2019


The company you keep | DigitalMunition



A new take on the old adage “you’re known by the company you keep” might
aptly apply to women in security who’ve found success, progress and
opportunities in organizations that know their value.

Take Emily Mossburg, who has been forging a path in
cybersecurity for more than 20 years and is now a principal at Deloitte
& Touche, LLP, where she serves as the advisory and implementation services
leader for Deloitte Cyber.

Mossburg leads the
development and delivery of Deloitte’s cyber solutions that are designed to
better align cyber risk strategy and investments with strategic business priorities,
improve threat awareness and visibility, and strengthen her clients’ ability to
thrive in the face of cyber incidents. Mossburg specializes in helping clients
transform and evolve their cyber programs, including implementation of new
processes and solutions in areas such as data risk, incident and breach
response and cyber resilience.

Deloitte Cyber has
become a real pioneer in recruiting women into cybersecurity positions.
Mossburg says out of the roughly 4,200 people who work for Deloitte Cyber in
the United States, at least one-third are female. Many of the group’s top
leaders are now female, she adds (see sidebar).

“There are any number
of reasons we have such a strong showing from our group, but ultimately it’s
driven from the top,” Mossburg says. “At the highest levels of leadership
there’s a huge focus on diversity and inclusion. Deloitte focuses on allowing
us to be our ‘authentic selves’ at work. That means some of us are mothers,
some are not. And some have significant others. And some don’t. We all have
different lifestyles and the freedom to express ourselves is important to our
culture.”

Mossburg says that because cybersecurity has evolved to touch
on many different disciplines, people shouldn’t think that only candidates with
STEM backgrounds will succeed in cybersecurity.

“There are any number of jobs today in cyber,”
Mossburg says. “From jobs that focus on process and policy, legal and
regulatory, human resources, and those who work on how best to embed security
into new applications and product development. The main thing I tell women
looking at careers in cybersecurity is that they have to be willing to take on
the tough jobs, the jobs that may not be perfectly defined – and then make them
their own.”

In the Driver’s Seat at Ford

Lisa Boran, vehicle cybersecurity manager at Ford Motor Company, says the automaker
has been consistently aggressive in recruiting women by reaching out to
universities, and through conferences such as “Women in Cybersecurity” events
at SAE, ESCAR, the SANS Institute and the Cyber Auto Challenge. She adds that
in the fall some Ford Cybersecurity personnel will attend the Grace Hopper
Conference (women in technology) for the first time.

“Ford is a very progressive and open-minded company,”
Boran says. “You see all kinds of different people in terms of backgrounds,
culture and sex at various levels within the company. And the company is very
active in many minority clubs/events, such as the Society of Women Engineers,
National Society of Black Engineers, the National Black MBA Association, and
the Ford Hispanic Network.”

Boran says she manages a very diverse team that includes
seven women and a mix of Korean, Chinese, British, Indian, Turkish, Israeli and
American employees. Some have IT
enterprise cybersecurity backgrounds, others have embedded design backgrounds,
while still others have testing backgrounds.

“Honestly, we’re always encouraging people to get into
cybersecurity,” she said. “It’s a high-demand field and it’s also hard to find
talented people with the right skills.
It’s very competitive. Good candidates get swept up quickly.”

Ford Motor Company
also partners with local governments to develop and recruit cyber talent. Right
now, the IT Recruiting Office, IT Enterprise Cybersecurity and IT Vehicle
Cybersecurity participate in the Detroit IT Employer Council meetings sponsored
by the mayor’s office. At these meetings, Boran says they try to determine how
best to get Detroit inner-city residents some training and skills so they can
be qualified to enter prominent IT workforce jobs.

Boran says she’s also
participated in the local Cyber Auto Challenge event every year since 2011.
It’s an automotive cybersecurity hacking event for high school and college
students from all over the United States. Boran and her colleagues do some
recruiting, mentoring and interacting with the students during this event to
teach and encourage them to get more interested in the automotive space.

“I am also very much involved in Cybersecurity Standards
development, on Cybersecurity Conference Program Committees and Cybersecurity
Advisory Groups, which gives me an opportunity to network with a wide range of
people,” Boran says. “I was even bold enough to go as far as stating Ford was
hiring just after giving a presentation at one of the cybersecurity conferences
and said if anyone was interested, to come find me. We are also very active in
participating in university alliance research cybersecurity projects, where we
get to meet and interact with professors and students.”

Path to the Security Field

Ford’s Boran says one of her
previous part-time roles in the company was as the security attribute leader
performing security assessments, triaging issues and benchmarking around
traditional physical security. This included tasks such as secure packaging,
module/wire tamper protection, perimeter alarm, immobilizers, intrusion sensing
systems and locking strategy. 

Boran says it wasn’t
until around 2010 that cybersecurity awareness started to ramp up in the media
and among the general public. So in 2011, she joined SAE to help address common
automotive industry cybersecurity issues, and by 2014 (following major hacks
like Target, Home Depot and Sony) her sole role in the company was around
cybersecurity. She says while it was certainly different from physical
security, migrating into cybersecurity was a natural progression.

“In terms of a wider
Ford view, the company has been focused on in-vehicle cybersecurity since 2006
with the introduction of SYNC infotainment and Telematics into Ford vehicles,”
Boran says. “But for me personally, a major eye-opener was in 2011 when the
University of San Diego and University of Washington published its landmark
paper, Comprehensive Experimental Analyses of Automotive Attack Surfaces.” 

In that report, the
university researchers determined that the external exploitation of a car’s
network is feasible via a broad range of attack vectors, including mechanics’
tools, CD players, Bluetooth and cellular radio. As the industry moves to
autonomous vehicles that are loaded with tech goodies, cybersecurity will only
grow in importance.

Lisa Plaggemier, now
chief evangelist at Infosec, says her first entrée into IT security was
creating security awareness training programs during her 12-year career at
automotive supplier CDK Global. During that time, she also helped establish the
CDK Global Security organization as a thought leader in the industry.

But getting to the point where she pursued a career with
confidence took time – and a boss who saw her potential.

“Probably the person
who had the biggest impact on my career was a man who understood how to manage
women,” Plaggemier says. “I find that when men are asked to take on a challenge
they will jump right in, but for a woman, if she doesn’t feel 100 percent confident
then she will say no to an opportunity.”

Plaggemier says more
than anything, the industry has to create a climate in which women are
encouraged to speak up.

“I think that’s a shortcoming of my generation of women,”
she says. “If we saw something wrong in the workplace we wouldn’t speak up. We’d
think that we’d get ahead based on our merits and how well we did the job, but
that’s not always the case.”

And there are pay equity issues as well. (ISC)²
research found that women cybersecurity professionals still face an uphill
climb with compensation. When asked about their previous year’s salaries, 17
percent of women say they earned $50,000 to $99,999, a full 12 percentage
points less than men (29 percent).





The study found that
some of this inequity may be explained by age and years of experience in the
field. If female security pros as a group are younger than men, fewer have
worked in the field as long as many male counterparts, so that may be a cause
for some discrepancy. But according to the study, this doesn’t erase the
reality in which women in cybersecurity managerial positions earn about $5,000
less than men.

So while the IT
security industry has to do better on equal pay for equal work, that’s not much
different than most other industries. Sen. Kamala Harris, D-Calif., has made
this issue a cornerstone of her Presidential campaign, pointing out that most
women still only make 80 cents on the dollar and African-American and Hispanic
women make only 60 cents on the dollar.

It may not be a popular notion, but Plaggemier may have it
right. It will require a change in culture, but it will also take a lot more
middle-aged white guys to understand the special needs of women and give them a
shot.

“During my CDK years we were prepping for an automotive
cybersecurity conference and all of a sudden my boss said, ‘Lisa, you should do
this,’” Plaggemier says. “Well, his vote of confidence led to my long career
speaking at industry conferences such as RSA, SANS and Gartner.”

For Sydney Klein, CISO
at Bristol-Myers Squibb, the company’s commitment to diversity was a
significant factor in her decision to join the business.

“I was specifically looking for a company that
authentically values diversity,” says Klein, whose father was a naval officer
and held a technology leadership role in the private sector post-retirement.
“It was evident during the interview process that Bristol-Myers Squibb people
really lived the concept. To create a workforce that responds to the rapidly
changing global environment, we intentionally recruit diverse populations while
fostering a ‘culture of inclusion’ to maximize our innovative capabilities.”

Klein says
Bristol-Myers Squibb truly believes diversity and inclusion drives business
performance – and they back it up with data. In fact, in the company’s last
employee survey, 95 percent of the company’s employees indicated that they
understand how diversity drives business performance. They also use advanced
analytics to measure the impact of the company’s initiatives and determine
which initiatives will have the greatest ROI.

The results are palpable. In the past six months, Klein
has hired six people for the cybersecurity team. Of those, three are women and
two are from unrepresented employee groups. Her five-person leadership team
also includes two women and two people from unrepresented employee groups.

As for recruiting young women into cybersecurity, Klein
says she regularly reminds women that cybersecurity is a growing profession and
it doesn’t have enough qualified candidates to fill roles that exist. For
cybersecurity programs to succeed, diverse views and experiences are critical
and women’s voices are vital to protecting companies.

“We have an opportunity to fill this shortage of
professionals by looking in tangential fields such as risk, governance,
compliance, and many more,” Klein says. “By expanding our view of critical
skills, we can build the talent we need and create a diverse workforce.”

Where to Learn More

Cybersecurity has become
such a hot field these days that there are numerous avenues for people to get
involved and learn about cybersecurity. Here are some ideas:

  University programs: University of Michigan, University of Maryland University College (online), University of South Florida and Drexel University Online all have cybersecurity programs
  SAE Cyber Auto Challenge
  CyberTruck Challenge
  Standards groups such as SAE, ISO, IEEE
  Cybersecurity conferences such as ESCAR, Blackhat/DEFCON, SANS, and Women in Cybersecurity
  Training courses around cybersecurity topics: SANS Institute, Vector, GRIMM, OWASP

Deloitte Cyber’s Leading Ladies

Here’s a rundown of some
of the leading women with top jobs at Deloitte Cyber:

  Taryn Aguas: Cyber Risk Management Programs and CISO Programs Leader
  Julie Bernard: Cyber Marketing Leader and Sector Leader for Insurance
  Sharon Chand: Cyber Talent Leader and Principal, Deloitte Cyber
  Jamie Fox: Diversity and Inclusion Leader for Deloitte Cyber
  Deborah Golden: Government and Public Sector Cyber Leader
  Veronica Lim: Cyber principal in Life Sciences and Health Care focused on Medical Device Security
  Emily Mossburg: Advise and Implementation Services Leader, Deloitte Cyber
  Fiona Williams: Former Deloitte CISO and principal in Deloitte Cyber
