A new take on the old adage “you’re known by the company you keep,” might aptly apply to women in security who’ve found success, progress and opportunities in organizations that know their value.
Take Emily Mossburg, who has been forging a path in cybersecurity for more than 20 years where she’s now a principal at Deloitte & Touche, LLP and serves as the advisory and implementation services leader for Deloitte Cyber.
Mossburg leads the development and delivery of Deloitte’s cyber solutions that are designed to better align cyber risk strategy and investments with strategic business priorities, improve threat awareness and visibility, and strengthen her clients’ ability to thrive in the face of cyber incidents. Mossburg specializes in helping clients transform and evolve their cyber programs, including implementation of new processes and solutions in areas such as data risk, incident and breach response and cyber resilience.
Deloitte Cyber has become a real pioneer in recruiting women into cybersecurity positions. Mossburg says out of the roughly 4,200 people who work for Deloitte Cyber in the United States, at least one-third are female. Many of the group’s top leaders are now female, she adds (see sidebar).
“There are any number of reasons we have such a strong showing from our group, but ultimately it’s driven from the top,” Mossburg says. “At the highest levels of leadership there’s a huge focus on diversity and inclusion. Deloitte focuses on allowing us to be our ‘authentic selves’ at work. That means some of us are mothers, some are not. And some have significant others. And some don’t. We all have different lifestyles and the freedom to express ourselves is important to our culture.”
Mossburg says because cybersecurity has evolved to touch on many different disciplines people shouldn’t think that only candidates with STEM backgrounds will succeed in cybersecurity.
“There are any number of jobs today in cyber,” Mossburg says. “From jobs that focus on process and policy, legal and regulatory, human resources, and those who work on how best to embed security into new applications and product development. The main thing I tell women looking at careers in cybersecurity is that they have to be willing to take on the tough jobs, the jobs that may not be perfectly defined – and then make them their own.”
In the Driver’s Seat at Ford
Lisa Boran, vehicle cybersecurity manager at Ford Motor Company, says the auto maker has been consistently aggressive in recruiting women by reaching out to universities, and through conferences such as “Women in Cybersecurity” events at SAE, ESCAR, the SANS Institute and the Cyber Auto Challenge. She adds that in the fall some Ford Cybersecurity personnel will attend the Grace Hopper Conference (women in technology) for the first time.
“Ford is a very progressive and open-minded company,” Boran says. “You see all kinds of different people in terms of backgrounds, culture and sex at various levels within the company. And the company is very active in many minority clubs/events, such as the Society of Women Engineers, National Society of Black Engineers, the National Black MBA Association, and the Ford Hispanic Network.”
Boran says she manages a very diverse team that includes seven women and a mix of Korean, Chinese, British, Indian, Turkish, Israeli and American employees. Some have IT enterprise cybersecurity backgrounds, others have embedded design backgrounds while still others have testing backgrounds.
“Honestly, we’re always encouraging people to get into cybersecurity,” she said. “It’s a high-demand field and it’s also hard to find talented people with the right skills. It’s very competitive. Good candidates get swept up quickly.”
Ford Motor Company also partners with local governments to develop and recruit cyber talent. Right now, the IT Recruiting Office, IT Enterprise Cybersecurity and IT Vehicle Cybersecurity participate in the Detroit IT Employer Council meetings sponsored by the mayor’s office. At these meetings, Boran says they try to determine how best to get Detroit inner-city residents some training and skills so they can be qualified to enter prominent IT workforce jobs.
Boran says she’s also participated in the local Cyber Auto Challenge event every year since 2011. It’s an automotive cybersecurity hacking event for high school and college students from all over the United States. Boran and her colleagues do some recruiting, mentoring and interacting with the students during this event to teach and encourage them to get more interested in the automotive space.
“I am also very much involved in Cybersecurity Standards development, on Cybersecurity Conference Program Committees and Cybersecurity Advisory Groups, which gives me an opportunity to network with a wide range of people,” Boran says. “I was even bold enough to go as far as stating Ford was hiring just after giving a presentation at one of the cybersecurity conferences and said if anyone was interested, to come find me. We are also very active in participating in university alliance research cybersecurity projects, where we get to meet and interact with professors and students.”
Path to the Security Field
Ford’s Boran says one of her previous part-time roles in the company was as the security attribute leader performing security assessments, triaging issues and benchmarking around traditional physical security. This included tasks such as secure packaging, module/wire tamper protection, perimeter alarm, immobilizers, intrusion sensing systems and locking strategy.
Boran says it wasn’t until around 2010 when cybersecurity awareness started to ramp up in the media and the general public. So in 2011, she joined SAE to help address common automotive industry cybersecurity issues and by 2014 (following major hacks like Target, Home Depot and Sony) her sole role in the company was around cybersecurity. She says while it was certainly different from physical security, migrating into cybersecurity was a natural progression.
“In terms of a wider Ford view, the company has been focused on in-vehicle cybersecurity since 2006 with the introduction of SYNC infotainment and Telematics into Ford vehicles,” Boran says. “But for me personally, a major eye-opener was in 2011 when the University of San Diego and University of Washington published its landmark paper, Comprehensive Experimental Analyses of Automotive Attack Surfaces.”
In that report the university researchers determined that the external exploitation of a car’s network is feasible via a broad range of attack vectors, including mechanics tools, CD players, Bluetooth and cellular radio. As the industry moves to autonomous vehicles that are loaded with tech goodies, cybersecurity will only grow in importance.
Lisa Plaggemier, now chief evangelist at Infosec, says her first entrée into IT security was creating security awareness training programs during her 12-year career at automotive supplier CDK Global. During that time, she also helped establish the CDK Global Security organization as a thought leader in the industry.
But getting to the point where she pursued a career with confidence took time – and a boss who saw her potential.
“Probably the person who had the biggest impact on my career was a man who understood how to manage women,” Plaggemier says. “I find that when men are asked to take on a challenge they will jump right in, but for a women, if she doesn’t feel 100 percent confident then she will say no to an opportunity.”
Plaggemier says more than anything, the industry has to create a climate in which women are encouraged to speak up.
“I think that’s a shortcoming of my generation of women,” he says. “If we saw something wrong in the workplace we wouldn’t speak up, We’d think that we’d get ahead based on our merits and how well we did the job, but that’s not always the case.”
And there are pay equity issues as well. (ISC)2 research found that women cybersecurity professionals still face an uphill climb with compensation. When asked about their previous year’s salaries, 17 percent of women say they earned $50,000 to $99,999, a full 12 percentage points less than men (29 percent).
The study found that some of this inequity may be explained by age and years of experience in the field. If female security pros as a group are younger than men, fewer have worked in the field as long as many male counterparts, so that may be a cause for some discrepancy. But according to the study, this doesn’t erase the reality in which women in cybersecurity managerial positions earn about $5,000 less than men.
So while the IT security industry has to do better on equal pay for equal work, that’s not much different than most other industries. Sen. Kamala Harris, D-Calif., has made this issue a cornerstone of her Presidential campaign, pointing out that most women still only make 80 cents on the dollar and African-American and Hispanic women make only 60 cents on the dollar.
It may not be a popular notion, but Plaggemier may have it right. It will require a change in culture, but it will also take a lot more middle-age white guys to understand the special needs of women and give them a shot.
“During my CDK years we were prepping for an automotive cybersecurity conference and all of a sudden my boss said, ‘Lisa, you should do this,’” Plaggemier says. “Well, his vote of confidence lead to my long career speaking at industry conferences such as RSA, SANS and Gartner.”
For Sydney Klein, CISO at Bristol-Myers Squibb, the company’s commitment to diversity was a significant factor in her decision to join the business.
“I was specifically looking for a company that authentically values diversity,” says Klein, whose father was a naval officer and held a technology leadership role in the private sector post-retirement. “It was evident during the interview process that Bristol-Myers Squibb people really lived the concept. To create a workforce that responds to the rapidly changing global environment, we intentionally recruit diverse populations while fostering a “culture of inclusion” to maximize our innovative capabilities.”
Klein says Bristol-Myers Squibb truly believes diversity and inclusion drives business performance – and they back it up with data. In fact, in the company’s last employee survey, 95 percent of the company’s employees indicated that they understand how diversity drives business performance. They also use advanced analytics to measure the impact of the company’s initiatives and determine which initiatives will have the greatest ROI.
The results are palpable. In the past six months, Klein has hired six people for the cybersecurity team. Of those, three are women and two are from unrepresented employee groups. Her five-person leadership team also includes two women and two people from unrepresented employee groups.
As for recruiting young women into cybersecurity, Klein says she regularly reminds women that cybersecurity is a growing profession and it doesn’t have enough qualified candidates to fill roles that exist. For cybersecurity programs to succeed, diverse views and experiences are critical and women’s voices are vital to protecting companies.
“We have an opportunity to fill this shortage of professionals by looking in tangential fields such as risk, governance, compliance, and many more,” Klein says. “By expanding our view of critical skills, we can build the talent we need and create a diverse workforce.” N
Where to Learn more
Cybersecurity has become such a hot field these days, there are numerous avenues for people to get involved and learn about cybersecurity. Here are some ideas:
• University programs: University of Michigan, University of Maryland University College (online), University of South Florida and Drexel University Online all have cybersecurity programs
• SAE Cyber Auto Challenge
• CyberTruck Challenge
• Standards groups such as SAE, ISO, IEEE
• Cybersecurity Conferences such as ESCAR, Blackhat/DEFCON, SANS, and Women in Cybersecurity
• Training courses around cybersecurity topics; SANS Institute, Vector, GRIMM, OWASP
Deloitte Cyber’s Leading ladies
Here’s a rundown of some of the leading women with top jobs at Deloitte Cyber:
Cyber Risk Management
Programs and CISO Programs Leader
Cyber Marketing Leader
and Sector Leader for Insurance
Cyber Talent Leader and
Principal, Deloitte Cyber
Diversity and Inclusion
Leader for Deloitte Cyber
Deborah Golden: U.S. cyber leader for
Cyber principal in Life
Sciences and Health Care focused on
Medical Device Security
Mossburg: Advise and
Implementation Services Leader,
Williams: Former Deloitte CISO
and principal in Deloitte Cyber