Cisco’s Marc Blackmer takes us through some of the highlights and his observations from the Black Hat and DEF CON conferences, including some strides made on higher numbers for women in cyber.
Now that I’ve had a week to adjust to my native time zone - and humidity - I’m finally able to reflect on all that I’d absorbed during my week in the desert. There are often some common threads throughout the sessions and the trend that I noticed this year was the focus on people.
Gender imbalance in cybersecurity, and in science and technology more generally, is an issue. It has been for some time, and correcting this imbalance will not happen organically. It’s going to take sustained effort from professionals and employers alike. So it was encouraging to see the increasing presence of organizations such as Women in Security and Privacy (WISP), the Diana Initiative, and Cisco’s Women in Cybersecurity.
Anecdotally, many noted on social media that there were more women in attendance at DEF CON this year compared with any previous year. DEF CON does not track demographics, or even names, of its attendees, so there is not an official count. But if the steady rise in participation in meetups like IOActive’s Women, Wisdom & Wine is any indicator, then this is a good sign.
[Image: Bia from BiaSciLab at DEF CON 2018]
Here’s another good sign. An 11-year-old, whose alias is BiaSciLab, presented a packet capture session for her r00tz Asylum peers. Impressive, right? Well, she also presented a session for adults on her WaterBot project in the DEF CON Biohacking Village. She was also one of the kids who made international headlines by exploiting a vulnerable voting machine. This is the kind of early-stage grooming of women in cyber that can make the difference in a decade.
People often use the term security community, and I believe that security practitioners make up a community. We are all working to beat the bad guys, and to be successful, we are interdependent. The more we can support one another and mentor those who wish to join us in that effort, the better off we’ll all be.
Check out the links above to see how you can get more involved. Some of our Women in Cybersecurity team will be at the Grace Hopper Celebration in Houston, too, so come by and learn more about joining us at Cisco.
When it comes to security practitioners, demand outstrips supply. We estimate the deficit could amount to about 2 million security professionals worldwide in the next few years. This situation may signify a buyer’s market for those looking to get into security, but what pressure does this put on those working in the field today to make up for the deficit?
This year’s Black Hat included four different sessions focused on the psychological well-being of defenders. The session that I attended was presented by two National Security Agency (NSA) researchers who had focused on measuring different stress-related characteristics of NSA tactical operations staff before and after an operation. Their findings noted the effects of stress on fatigue, frustration, and cognitive workload. They also found that their operators still pushed through adverse conditions to successfully complete their operations. The question was, at what psychological cost?
Of course, not all of us are tasked with defending the sovereignty and security of a nation. But that doesn’t make the issue any less relevant for defenders across the spectrum. I’ll share some perspectives on this in a later blog post, but here’s the short story. A work/life balance needs to exist, and not just be paid lip service. While keeping your organization safe from exploitation or theft is a priority, a higher priority must be maintaining the mental health of those you depend on to defend the organization in the first place.
If you’re worried about Skynet, you can relax for a while . . . quite a while. The reality of machine learning (ML) is that it’s hard. Like, really hard. Quality results depend on humans with domain expertise to “teach” the algorithms with appropriate data sets and to mitigate biases. You also need experts with domain expertise to interpret the outputs from machine learning algorithms. The optimal response to a malware outbreak in a data center, for example, may differ greatly from one within a manufacturing plant’s control network. Expert humans are still needed to make those calls and to understand the context of these environments.
Don’t get me wrong. I think ML brings great value—when applied appropriately. We recently released a perspective paper and have published blog posts on the topic, so I won’t belabor the point here. You can download the perspective paper here.
We humans aren’t going anywhere anytime soon. In fact, we need more humans in the security space, and the more we can do to encourage, train, mentor, and empower our fellow humans, the better we’ll all be for it.
Marc Blackmer is a technologist, blogger and cybersecurity professional who has spent 20 years assisting some of the world's top energy producers, financial institutions, and governments worldwide in defending their critical assets from cyberthreats. Blackmer is also the founder of 1NTERRUPT, a nonprofit program developed to introduce students to cybersecurity, hacking, and entrepreneurship, and is a member of the steering committee for the Central Massachusetts STEM Network.