Barbara Endicott-Popovsky is the founder and lead instructor for the Certificate in Information Security & Risk Management. She also teaches cybersecurity in several UW degree programs and is the executive director of the Center for Information Assurance and Cybersecurity, responsible for developing cybersecurity curriculum and programs. She won a Teaching Excellence Award from UW Professional & Continuing Education in 2008 and received the University Professional & Continuing Education Association’s Excellence in Teaching Award for their West Region in 2014. In an exclusive interview with Augustin Kurian of CISO MAG, Barbara talks about her journey, the evolution of cybersecurity, and the representation of women in the space.
Tell us about your journey so far. You are a veteran in the space. How did you become a trainer for cybersecurity at a time when the information security space was relatively unknown?
Out of college, while working for a major manufacturing firm, I spotted a man-in-the-middle attack on a local area network. When I reported it to leadership, they told me that I had a great career ahead of me but that I should keep observations like this quiet or people would think I was overly suspicious. This was in 1985 and it was really the start of the era of distributed processing, when IT departments would redirect computing power from the perimeter defenses of mainframes and move it on the factory floor, causing unknown vulnerabilities in the process. That realization sparked my interest in cybersecurity and made me curious about the blind spots that other people had regarding the unintended consequences of policy choices we’d made.
Tell us about the changes and evolution you personally witnessed in the sector?
The average person doesn’t realize we are in a state of war online. That’s the context in which we carry out personal financial transactions online – shop, pay our mortgage, whatever. This has changed who needs to know about cybersecurity and what they need to know. It’s no longer just about keeping the bad guys out of our systems because, truth be told, they’re living there now. The probability of being hacked and losing data is so great that it’s simply a function of how valuable what you own is to the other party. I like to say, ‘the probability is 1.’
A career in cybersecurity can lead you down so many different specialized paths due to its reach: for example, you could specialize in compliance, legal, or privacy. What’s great about this is that it means it’s a field that’s now attracting people with a wide diversity of interests. The expansion of cybersecurity pathways also means you don’t have to be deeply technical, which seems to be the imagined barrier to entry that everyone has in mind. Myriad people in different careers could enter this field simply by reskilling, upskilling, etc., which is why we offer both degree programs, as well as professional certificate programs in cyber-related fields at the University of Washington.
Tell us your thoughts about the upcoming CCPA and how it is set to be the GDPR for the United States? Do you think it was high time the U.S. had its own GDPR of sorts?
In short, yes, I do. I appreciate the European GDPR. Culturally, the Europeans were far more skeptical and aware of individual privacy issues, and companies have had to follow suit. For example, Microsoft is a U.S. company, but it’s international and they can’t have corporate privacy regimes for each country. The Internet doesn’t work that way. You must build the systems to the most stringent standards, and GDPR raised the bar.
Having said that, I appreciate the coming of new privacy standards to the U.S. Please realize that regulations are lagging the advance of technology and, therefore, implementation of these new regimes will not match perfectly. Individuals can’t expect regulations to keep them safe. It will require that all of us take measures to safeguard our data and do business online advisedly. Every human online should perform good cybersecurity practices.
Tell us a bit about the role of certifications. What type of careers in government and industry do cyber certificates prepare one for?
Learning in cybersecurity is never-ending given how the field is evolving so quickly. The notion of earning a degree each time you change roles isn’t feasible. That’s why professional certificates are ideal – they’re a fast and affordable way to close a skill gap you may have – and if they’re dispensed by a credible provider, they are meaningful to a current or prospective employer. At the UW, programs such as our Information Security and Risk Management professional certificate provide students the foundation for jobs in the full range of cybersecurity pathways.
Women in cybersecurity have been a widely discussed topic. Yet, women only make up 11% of the global cybersecurity workforce, which has been a stagnant figure since 2013. What do you think are the reasons for the trend?
In the United States, I’ve observed that women consider the field to be too technical, preferring to work with people rather than technology. I don’t see that same reluctance among my international female students. I have to think it must be something tied to the culture—a meme that ‘girls don’t like this work.’
Some say that women don’t like the culture of cybersecurity organizations—they are too rough, too male, unfriendly—perhaps intimating bias. I’ve only had to address a couple of instances of clear female bias in my career; it may have been more prevalent, but my nature is goal-driven and curious, so I don’t allow myself to be distracted from my goals. In my experience, if you are passionate about what you are doing, distracting nonsense fades into the background. Find your passion, know how to prepare yourself, and then the rest of this resolves in the background.
Several studies around women in cybersecurity point out how many a time, the disparity traces its root back to school. How can this be changed?
Lack of awareness among those advising students/girls of the many opportunities in high-paying cybersecurity careers is at the root of the problem. Colleagues who have held cybersecurity events specifically for young women have found a huge interest can be developed. The field is fun, exciting, ever-changing—like being a sleuth, tracking down adversaries, putting a puzzle together.
This field wasn’t here 20 years ago when educators and advisors were getting prepared to teach and counsel. We need targeted programs to raise awareness among educators from K-12 through bachelor’s degree programs. We need a pipeline.
In the meantime, there is a move toward developing shorter-term programs, like our certificates, that jump-start those in mid-career who want to transition to a lucrative, exciting field.
Diversity in the information security space. What are the drawbacks of not having more participation from women? Do you also think more participation from women will efficiently close the massive skill-gap that has marred the cybersecurity space?
Let me start by explaining why I think having more women in cybersecurity makes us all safer. In cyber, you need diverse points of view or you’ll miss potential threats. You must be right 100 percent of the time. The flaw hypothesis methodology – with which I fully agree – ensures having a diversity of perspectives when you form a vulnerability assessment team. This diversity is critical because if your organization recruits people with similar backgrounds, you’ll end up seeing everything the same way; however, if you have a diversity of views, then your organization will benefit from a wider situational awareness of possible flaws in the system.
What I would really recommend women do is set their sails and don’t look back. As I mentioned, there are 33 different pathways in cyber according to the NIST National Initiative for Cybersecurity Education. There is something for everybody – pathways range from purely managerial to deeply technical. Go through the framework and find what you’re interested in. Think about your gaps and how to fill them with further education and training. I encourage women to do what they’re passionately interested in and be persistent in pursuing their goals.