MY TAKE: Here’s how diversity can strengthen cybersecurity — at many levels

By Byron V. Acohido

Of the many cybersecurity executives I’ve interviewed, Keenan Skelly’s career path may be the most distinctive. Skelly started out as a U.S. Army Explosive Ordnance Disposal (EOD) Technician. “I was on the EOD team that was actually assigned to the White House during 9/11, so I got to see our national response framework from a very high level,” she says.

Today, Skelly is Vice President of Global Partnerships and Security Evangelist at Circadence®, a distinctive security vendor, in its own right.

Related: How ‘gamification’ makes training stick

Circadence got started in the 1990s as a publisher of one of the earliest massively multiplayer online games. It adapted its gaming systems to help the U.S. military carry out training exercises for real life cyber warfare. That led to a transition into what it is today: a leading supplier of immersive “gamification” training modules designed to keep cyber protection teams in government, military, and corporate entities on their toes.

I met with Skelly at Black Hat USA 2018 and we had a thoughtful discussion about a couple of prominent cybersecurity training issues: bringing diversity into AI systems and closing the cybersecurity skills gap. For a drill down, please listen to the accompanying podcast. Here are key takeaways:

Diversifying AI

Discussions are underway in the technology sector about how Artificial Intelligence could someday eliminate bias in the workplace, and thus engender a more meritocratic workplace

“We’re starting to see Artificial Intelligence and machine learning in just about every space and every tool,” Skelly observes.

Diversity in emerging AI-infused security systems – or, more specifically, the lack of it – is a rising concern. Here’s why: The experts with the knowledge to tweak the algorithms for automated detection systems, at this moment, comprise a very narrow talent pool. The concern is that this could constrain the development of broadly effective security-focused AI.

“The problem is that if you don’t have a diverse group of people training the Artificial Intelligence, then you’re transferring unconscious biases into the AI,” Skelly says.

Hiring imperative

Imagine assigning a dozen 50-year-old American males to monitor and tweak the machine learning algorithms in a threat detection dashboard. The results, over time, would be much different than if the human overseers were of different ages, genders and cultural upbringings.

Skelly

“What we really have to do – and large companies like IBM and Microsoft are already working toward this – is to make sure the group of people you have building your AI is diverse enough to be able to recognize these biases and get them out of the AI process,” Skelly says.

Engineering processes eventually will emerge to account for a wide spectrum of biases. But that’s a ways off, especially in cybersecurity. “I think we’re going to get there, but right now the biggest thing we can do is make sure we’re hiring diverse teams, as we’re building the AI,” she says.

Closing the skills gap

That’s all well and good. However, in order to assemble diverse teams, there needs to be a broad pool of security specialists to draw from. At this juncture there happens to be a shortage of cybersecurity talent. It’s estimated that 1 million to 2 million security positions will go unfilled over the next couple of years.

This gaping cybersecurity skills gap is a widely recognized issue, and there are any number of laudable initiatives striving to close the gap. One of the longstanding ones is the CyberPatriot games, a national program created by the Air Force Association (AFA) to attract K-12 students to STEM disciplines generally, and cybersecurity careers, specifical

A national competition pits teams of high school and middle school students, role-playing as newly hired IT pros in charge of managing the network of a small company. In the rounds of competition, teams must find and deal with vulnerabilities, while maintaining critical services.

Skelly, a CyberPatriot coach, told me an anecdote that underscores the misperceptions young people hold about cybersecurity. It involved a young woman Skelly describes as “one of the best coders I’ve ever known in my life. She knew six coding languages and was super brilliant.”

When the conversation pivoted to pursuing college, the student professed that “she didn’t want to get into cybersecurity or computer science because she didn’t feel like it was the right environment for her. She really had this perception of the guy in the hoodie with the Mountain Dew and the Cheetos and she just didn’t really see that fitting for her.”

Improved messaging

That encounter hit home. “As a cybersecurity community, we have to get better at messaging that cyber is everywhere,” Skelly told me.

She’s absolutely right. Consistent, truthful messaging that cuts through other distractions is really the only way to convey to our best and brightest youngsters that there is a cybersecurity component to every profession one could name in science, technology, medicine, finance, law, accounting, engineering, you name it.

“Cyber is in everything we do,” Skelly says. “Every job has some element of cyber. So for young people to not realize that a security track is available to them, in these other professions, means that we have a messaging problem.”

Women, in particular, need a larger presence in technology fields, generally, and cybersecurity, in particular. One just has to look around at the throngs attending the RSA Conference, Black Hat or any cybersecurity conference to witness the scale of gender inequality.

Skelly and other female technology professionals recognize how detrimental this is to both the profession and society as a whole, but the women in the field have been doing what they can to raise awareness of the issue.

“We’ve actually reached out to some wonderful women, CEOs of companies, CISOs with computer science backgrounds and security backgrounds . . . and we had them come in and talk to the young girls, and it really changed their perception, on what was out there and what was available to them,” said Skelly.

Any and all such efforts to proactively increase diversity, in the technology and human talent components, should be encouraged and supported. It’s part of what we must do to make digital commerce as safe as it needs to be.


(Editor’s note: Last Watchdog has provided consulting services to Circadence.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone