Security Professionals: Time to Step UpPurdue's Eugene Spafford on Challenges Facing the Profession
As with other computer science fields, the information security space lacks female executives. And Eugene Spafford says there are several big reasons why women remain a minority in the sector.
"They are in such a minority that they don't always get the treatment, the attitude, of being full peers in design [or] response teams, even in management," says Spafford, a professor at Purdue University, in an interview with Information Security Media Group [transcript below]. "If they are not very aggressive about getting their opinions known, they get run over by others who are pushing their opinions."
On the other hand, Spafford suggests that if women are more aggressive, their behavior is viewed negatively because it doesn't match with the social image applied to females.
He says that at professional gatherings, such as RSA Conference, there are often few or no women on panels, even though the field is full of talented and accomplished women. "That's [partly] because the program committees and deciders are men, and they automatically tend to think of their friends when looking for speakers."
Spafford also points out that without many women, the field will lose perspective about how to approach things. "On design teams, if you have a couple of women, you're more likely to get some discussion about privacy side effects [and] human computer interface," he says. "Solutions very often are better because no one person can think of all of these things. Having a diversity of views and experience always leads to better results."
In an interview conducted at RSA 2014, Spafford discusses:
- The dangerous intersection of information security and government;
- Why information security professionals need to understand policymaking;
- How to grow the profession.
Besides being a computer science professor, Spafford serves as executive director at Purdue University's Center for Education and Research in Information Assurance and Security. Widely considered a leading expert in information security, Spafford has served on the Purdue computer science faculty since 1987. His research focuses on information security, computer crime investigation and information ethics.
Government and Security
TOM FIELD: Can you lay out some concerns you have about when security and government meet?
EUGENE SPAFFORD: We have a lot of people who work in the technology aspects of the industry. We are very accomplished. We think in terms of ones and zeroes, of safe and not safe. Policy makers and government officials don't think in those terms; they think in trade-offs, in value propositions. They think in terms of fundamental belief structures that people have and how to accommodate them. All we have to do is look at some of the news items of other things outside of technology, and we kind of wonder how in the world they come up with those conclusions. It is because of the trade-offs. We don't have a lot of technologists who think about policy issues, who understand what goes into those complex policy decisions.
I have a worry that over the longer term, we're going to have more intrusion by governments, more policy makers scrutinizing what we do, trying to set standards such as mandatory skill or certification levels where we don't really have sufficient data to justify them. It's going to be international as well. We're going to have different nation-states who are either interested in opposing other structures, or in resting control away from those who have them. As technologists, we can't simply say this is a bad idea and then talk about computing or those ones and zeroes kinds of things, we have to understand the nuances. We have to understand more value related arguments. That also means that we have to do a better job in our design of systems to respect values such as privacy, rather than simply accomplishing goals. Over the longer term, people who have only learned technology [and] haven't really mastered cyber security as a profession to be able to actually project forward, that is a concern that I have.
Talking to the Board and Government
FIELD: Are we now telling people they need to know how to talk to the board and the government?
SPAFFORD: [We are], but not everybody does. We're beginning to develop a more stratified view of what the field is. We have the technicians who are going to execute on various tasks that they are supposed to do. Then we have those who need to have a better-rounded view of many issues, and those are more of the professionals, with a capital P. I was having a discussion with William Hugh Murray, who is a real pioneer in the field about this. He was saying that profession with a lower case "p" can include a lot of people who know the technology, have good training, and know how to do things. But the professionals, the ones with a well-rounded education, the professionals with a capital "p," those are the people who can work without supervision and actually understand the nuances of what they do. I'm very much in agreement with that. For instance, we have a lot of programs both in industry and government urging more training. Well training produces the professionals and technicians, the professionals with a lower case p. But it really requires a broadly based educational program, the kind that we've been offering at Purdue, to give someone that greater insight into the structures in which computing operates.
Women in Information Security
FIELD: What do you see as the biggest challenges that women face in the security profession?
SPAFFORD: I would hesitate to say there is a biggest challenge, because there are several that loom large and I have heard from students and colleagues. One of them is that, they are in such a minority that they don't always get the treatment, the attitude, of being full peers in design [or] response teams, even in management. If they are not very aggressive about getting their opinions known, they get run over by others who are pushing their opinions. Certainly in the security arena, we tend to have people who are aggressive and push forward for solutions. So that could be to their disadvantage.
On the other hand, if they are more aggressive, that is viewed negatively because that doesn't quite match with the social image we have for women. When we look at professional meetings such as the RSA conference, we see sometimes few or no women who are on panels [as] featured speakers, even though the field is full of very talented and accomplished women. That's [partly] because the program committees and deciders are men, and they automatically tend to think of their friends when looking for speakers. Those are two of the problems. The results of [those] not only tend to keep women out or cause them to leave the field at a greater rate, but we don't get their opinions as fully integrated in some of what we need to do. This is a tragedy for us generally as a field, because we know that we don't have enough personnel coming into [it]. Individuals, no matter what they look like, have minds, imagination, and talents that we can put to use, and we need to be more accepting of that.
A second issue is that at least in the U.S. as a cultural issue, women in general...it's always...there are specialties, but in general have a slightly different perspective about how to approach things. On design teams if you have a couple of women, you're more likely to get some discussion about privacy side effects, human computer interface, [and] those value issues that I was just talking about. Solutions very often are better because no one person can think of all of these things. Having a diversity of views and experience always leads to better results. So for those of us who really care about the field and results, we should be working very hard to try to make sure that anyone who wants to get into this, no matter what their particular appearance or behavior is, get a chance to be involved.
FIELD: What can we do to grow the profession and create more opportunities for women, minorities, and qualified people?
SPAFFORD: My experience with this has been that we have to be approaching our students at an earlier level, making them understand that some of the things they view as 'hard topics' in grade school are not optional. That it does require work. That math and science and logic and writing well, being able to speak are things that they need to master. They are not options. And at the same time, present to them how mastery of those items can lead to personal reward, and I'm not talking finance necessarily but a sense of accomplishment. Most of the people we have teaching at K-12 do not choose that because they are excellent in technology. If they do they go into the field themselves. Those of us in the field need to do a better job of finding ways to expose those young people to good ideas and technology. To get them excited early on and then don't kill that excitement by telling them as they get older that, oh you wouldn't be able to handle engineering or you couldn't get into that school. Having people from industry for instance, go into junior high and high schools to work with students or talk to them about what's involved. Those are all things that will lead to better success is getting students interested and eager to come into it.
Then at the college level, we have to do a better job of providing exposure to interesting problems, not just forcing people to sit down and berate [ph] those programming problems or have them all believe that writing computer games or websites is all there is to the field. So top to bottom, we need to do a better job of presenting what really is there, encouraging them to rise to challenges, and keep the field seen as something other than just capture the flag, or hacking contest, because that is a very minor part of what we do. But instead portray it really as a rich field that has a lot of intellectual stimulation and social opportunity.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.