As you’re probably aware, the job titles and accompanying responsibilities that fall into the information security spectrum run the gamut—from threat analysts and network engineers to penetration testers and chief information security officers. While there may be "magic" quadrants that define each role and the unique functions that fall into them, Infosec Insider decided to reach out to these subject matter experts themselves to get a better sense of how their professional journeys have evolved to earn them their role today.
Summer Craze Fowler is the Technical Director of Cybersecurity Risk & Resilience at CERT at Carnegie Mellon University, a Fellow in Advanced Cyber Studies at the Center for Strategic and International Studies (CSIS), and faculty at Heinz College. With a wide range of knowledge and achievements, Fowler knows security and risk inside and out. But she didn’t start out that way. Fowler’s interest in infosec began almost on a whim. Early in her career she realized that her individual background lent itself to a growing field, and she leveraged her skills to navigate through various roles and responsibilities to get to where she is today. Infosec Insider sat down with Summer to hear her perspective on the industry and learn what she’s doing to advance cybersecurity within her organization and outside in the larger community.
You’re a security executive. How did you get to where you are today?
My path to security was not traditional, but few are in this space. Before working at the University of Pittsburgh Law School as an undergrad I had every intention of becoming an attorney. After that experience I decided law was not the field for me. Luckily, at the time I had a roommate who was in Computer Science, so I gave it a try and fell in love.
My strength is being a “people person” in the tech space, so moving from software development to technical management and then into leadership was a natural transition. I would be remiss if I did not recognize that I am able to do my job because of a history of good mentors and sponsors, and a husband who takes on (sometimes more than) 50% of our household and family activities/responsibilities. This support makes all the difference.
As a Technical Director at a research and educational organization, how does your role differ from security professionals in other industries?
I feel like I won the lottery when it comes to careers! My position straddles three key areas that are important to me:
- Supporting the Department of Defense allows me to contribute to the security of the nation.
- Working at Carnegie Mellon University as a member of CERT and of the faculty of the School of Information Systems and Management at Heinz College lets me engage in the academic community with other faculty and staff.
- In the CERT Division of the Software Engineering Institute I work with world-class cybersecurity engineers on cutting-edge challenges.
I love that I get to solve the cybersecurity challenges of today while being empowered to identify and find solutions to problems we haven’t even uncovered yet.
What are the biggest challenges you face as it relates to your role?
Right now the biggest challenges are hiring and retaining engineers. Security is an extremely competitive field, and we have a negative unemployment rate. All types of organizations are fighting for the best and brightest, and supply can’t currently meet demand. Because of this, the industry needs to expand the field of cybersecurity and start to include/consider a more diverse set of engineers—this means diversity of thought in addition to diversity of race and sex!
Diversity is greater than gender and skin color; our field needs more people who can examine problems from different angles and provide alternative solutions to challenges. Hiring people from diverse backgrounds and experiences can help with that, plus expanding our definition of eligible candidates will help fill the staffing gap.
What does your typical day look like from the moment you arrive at the office?
Every single day is different and very self-directed—two other things I love! There are about 50 people on my team, and my priority is making sure that they are able to do their jobs in supporting research and development for our dozens of customers. This means that my day can range from working on “mundane” tasks like reviewing contracts or financial issues, to the excitement of rolling up my sleeves and working on the development of cybersecurity measures and metrics. I do a good amount of public speaking and presenting, which means that I am often in learning mode so that I can be an evangelist for my team’s work.
As a woman in an industry that’s primarily male-dominant, what needs to happen for more women to join the industry?
As I noted in the challenges above, diversity is certainly an issue in cybersecurity. With an increasingly interconnected world, the beauty is that we can include cybersecurity in activities that more women or girls might be interested in rather than trying to convince women to be engineers or scientists at the expense of other interests.
Today, one would be hard-pressed to find any discipline that does not have an intersection with the digital world. For example, my 10-year-old daughter plays piano and really enjoys it. Instead of trying to convince her to stop playing piano and start writing code, I show her apps for pianists and let her play with them. Then we discuss how cool it would be for her to add features to the app that musicians would love or how to make sure it is secure so that the songs she composes remain confidential. This intersection of music and software lets her explore both options, and I would love to see us add the technology element to more of our everyday curriculums in schools.
Additionally, we need to give the industry a bit of a makeover from the “tech bro” culture. The medical field used to look very similar to today’s cybersecurity industry. In the 1970s only 11% of doctors were female! The implications of this were very real (e.g., experiments using only male rats, which produced non-optimal results for decisions about women’s health), and women’s healthcare suffered. Today we see as many female doctors as male doctors practicing medicine, and women’s healthcare has improved by leaps and bounds. Although I do not have scientific evidence of this, I do believe that a shift in focus to patient care and not just the science of medicine contributed to more women becoming doctors (in addition to concerted recruiting efforts).
Melinda Gates noted that more women and underrepresented minorities are needed in fields like artificial intelligence since this field is shaping the world around us. With cybersecurity becoming increasingly important in more aspects of our lives, I think that we will see more women showing interest in making the world around them more secure. But this won’t happen by accident—we need to encourage and support this shift!
Based on your conversations with other security managers, what’s their single biggest challenge and what do you think they can do about it?
The shortage of a qualified workforce is a big challenge for everyone. But I also think that keeping pace with the risk environment and knowing where to spend the next dollar are critical challenges as well. To maximize the impact of cybersecurity investments, security teams must align with the goals of the organization. There are basics such as understanding business objectives, learning risk appetite and tolerance ranges, being able to identify and manage critical services and assets, and striking a balance between protection (stopping bad things from happening) and sustainment (being able to operate through a disruptive event). The majority of these are business activities and decisions and are not technical in nature.
Other critical activities include understanding the threat environment and implementing a plan which includes the processes, procedures, and technical controls to keep the organization operating within that threat environment. This is where the technical details come in—creating and implementing the cybersecurity strategy. It also requires strong analytical and decision-making skills to distinguish capabilities in a world where new vendors emerge daily.
What should practitioners today focus on to improve the security of their organizations, and why?
Focusing on operational resilience rather than solely on cybersecurity is critical. Operational resilience is the ability to achieve objectives before, during, and after a disruptive event, and then return to normal operating condition as quickly as possible. We do not want to protect our digital assets for the sake of protection alone—we are doing this in support of business/organization objectives. Cybersecurity should not be a “bottom up” activity, and it should start with the top organizational mission/objectives. Bridge the gap between business and technology using risk-informed decision making!
This is part 3 of Infosec Insider's "Day in the Life..." series.