Now a discussion on Workforce Diversity in the Cyber Security industry posted by new america. It is one hour and a half. Es this is an hour and a half. [inaudible conversations] hello. Welcome and good morning. Thank you. We are happy to see this morning. Im laura bates and i work on Development Issues at the Cyber Security initiative. It is my pleasure to thank you all for being here this morning. I know for any friday morning, particularly friday morning in the middle of summer, were thrilled to see this level of turnout. I think it speaks for itself, the level of interest in the topic. I also want to say a particular thank you to palo alto came with us the original idea and provided the breakfast with is critical to success for a friday morning. [laughter] here at new america we spent a lot of time talking about workforce to bowman and how to increase the pipeline of workers in the industry. Of course a critical part of that is expanding the number of people in the types of people we think of as fit in the industry. We have our humans of cyprus the project online that incorporates individuals and with passthrough and telling their stories and putting into evidence the fact that there are a range of backgrounds and ranges of experiences. We are thrilled to give you the Current Panel and im happy to introduce ian wallace, director of the Cyber Security initiative to moderate. Thank you ian. Thank you very much. Before i start, let me commend to you lauras work on both on diversity and workforce issues with Elizabeth Weingarten and i would encourage you to go on and follow it through. As laura said, the purpose of this event is to potentially challenging times make it a positive take on diversity and Cyber Security. New america one of the things we want to deal with is very important to storytelling. Making Public Policy through listening to people with their stories and their experiences and lessons we can learn from those. We also, however, point to point out the Cyber Security is an emerging field for which there are many parts both in and within. I think listening to some of the stories we will hear today that will get a glimpse of that. We also are a Public Policy think tank and there are some policy issues that sit behind some of these issues. As we go on, i think, given that we have a Statistic Group of women we will have to dig into some of those issues, as well. To introduce the panel briefly i will be brief because i know i tend to talk about their own careers. We are joined by deborah, in her past life was a director of information at the National Security agency and was a Senior Advisor on some of the diversity type issues that we will talk about too busy on the National Security council. Next to deborah we have the Vice President at capital one and fairly recently left the department of Homeland Security where she was Deputy Director of the National BudgetSecurity Communications center and chief Information Security officer for the transportation we dont do acronyms. Affect next to her is the chief Security Officer for japan and palo alto network. Shes had a career that has taken her into the Japanese Ministry in japan. On the end is a senior manager but previous to that on the National Security council where she was the director for the critical infra structure section and a career at the department of energy. As you can tell, we have people who have experienced the private sector and Public Sector but in and a range of roles. I will begin by asking a series of questions to the panelists and i will move into a moderated discussion and then will open it up to the floor. Please have your questions ready. To kick us off. Deborah, how did you get into Server Security . When you hear all of these what is the one thing you can tell that were doing here right now . To you for the invitation to be here. Its my pleasure. I got into Cyber Security because of the foundation of National Security agency where i started my career in the mid 1980s working first as an Intelligence Analyst when cyber was just a dream. No one was much talking about it and moving into the 90s which was when things like y2k hit the airwaves and raised concerns nationwide, worldwide about security and functionality of information systems. It was from their that i did that y2k representational activity at the federal level and came back to nsa and ended up ultimately going to the white house and doing Cyber Security policy. I would say that was the period of time 1998 and 2001 was really the time with things like the i love you virus and some of the early viruses that we began to worry about on a National Level and i happen to be working at the National Security council and working in transnational threats which was, at this time, Cyber Security was happening and being born. Programs like cyber core and i got to stand up and run from the white house. It awesomely brought that explains back to nsa which has a robust and one of the earliest robust cyber admissions from a security perspective but also from. [inaudible] the rest is history. I moved from that system working on the expedition side and ultimately my career on the Security Side serving as the insurance director. The one piece of advice, i think, when people think about Cyber Security i hear from lots of folks particular reports retirement they are asking what kind of certifications do i need, what technical competence do i need, how do i gain those experiences. Thats all really critical and important but i say its ever security we need lots of technical people. We also need lots of folks can think from a policy perspective and thats the message i believe. We need folks can write policy who can envision and think about International Norms and what we might need to do to contribute to the development of those norms in cyberspace and you can lead people and organizations and those who can lead through difficult and exciting and challenging times. That would be the biggest message i would say is that cyber is a lot of Technical Work to be done and theres a lot of work to be done on the policy and even on the legal side. How did you get to where you are now and what is your advice . Ill pick up in the middle of where debbie was speaking. My story is more one of timing. Right place, right time with the background that matched. I majored in criminal justice and Computer Science was my minor the George Washington university. That was my fathers influence was an it executive recruiter said do something in Computer Science because thats the future and thats where it will go. I wasnt the best programmer so i made it my minor and it served me well. Given that Technical Foundation to be able to go after a brandnew field where cyber didnt exist back when i graduated. It was it and Information Assurance and security, cyber wasnt in the lexicon. While i was pursuing my masters degree in Computer Fraud investigation i approached professor it was a masters degree designed the working professional so i did it on weekends and i approached professor about working parttime and i got a job at fannie mae as an intern in the Risk Management division which will talk more about this later but i truly believe that cyber is all about Risk Management from the technical sense, for the policy sense, in every sense of it. If you have that underline Risk Management it will take you far. Its understanding how to enable in a risk appropriate way without their risk there is no cyber. Thats a big lesson ive learned along the way. From there i thought areas i got into government right away i was working at the contractor after fannie mae into my client called me up and said would you be interested in my position and i encourage you to apply. Thats how i started in government. What separated me on the path was always looking for areas where the biggest challenge was. Every boss i had, what is your weakest challenge and where can i help thats what set me apart. Also medications. That would be the biggest piece of advice that i have. Technical credentials are necessary, policy piece of it is critically important, the ability to communicate in every way imaginable, up, down, acro across, that will separate you from those that cant. There are many who just are not comfortable with it and i encourage, if you are one of those and it resonates to practice. Step out of your comfort zone, take the class, learn how to speak and learn how to communicate what it is you are trying to say because then you will become that go to person and you will open up doors for yourself that you might have known were there. You build your career out of the United States. You have similarly focused and taken you from government can you talk about how you got where you are and what advice you might have . Thank you so much for this opportunity. Im so excited about talking about innovation in diversity and Cyber Security. I came to walk in the Cyber Security was because i happened to work on Cyber Security when i was in the government and ministry of defense. I got out to my masters degree in washington dc on fulbright and back in 2009 Cyber Security was not as hot as it is today. I dont think we use cyber scary back then but i didnt care so much about security for people because its foundation was right. One of my classmates asked to be im looking for someone who can write about china on Cyber Security. I didnt know that what she wanted and i thought i could do that. My piece was, as you say, train yourself to get out of your comfort zones to take the challenge to do something different. Im a foreigner im not a us citizen and it was the first time for me to publish something in english about Cyber Security. It was again, i didnt know if i wanted to do Cyber Security because it wasnt there yet. It actually helped me a lot afterward like, hey, i have something in english peerreviewed and one of my classmates started to work for a Cyber Security company in washington dc and. [inaudible] he said hey, i know youre interested in east asia and securities and maybe not with Cyber Security but maybe you want to talk to. I had coffee with him and on the. [inaudible] even though i was not able to get a job there but i started to send english summaries of what is going on in japan for cyber securities for a year. That commitment helped me to recognize to be organized and say she can do this. I was not able to work in the United States after my degree here but it helped me to get a job in japan. My piece of advice is try to show your values to people around you and find those champions will endorse you. And also to be a good communicator. Cyber security is about everything. Its about it touches on every Risk Management and you never know who wants to help you or needs your help. You have to be flexible and ambitious and trying to be a great teammate for everyone around you. Mara, the question. How did you get to where you are and given that what you think other people can learn from your experience . Sure. Again, thank you as well for inviting me to participate. I will start out with my first piece of advice and that is to follow your passions and interests. That is what has brought me along in my career. In high school i was motivated by my coach to go into engineering. I did so and i found it interesting that that was mid 90s and i realized this thing called information was popping up. I was interested so i dont do that. That really has led me along the way. It started out doing work within it and throughout my career i was going back and forth which was working in the it field in the Cyber Security field and as i moved along in my years i realized they are the same field doing work securely is the way we should be looking at them separately and its not the way to go. Now as we have heard we do security so we can enable some functions from business and you dont do security as a means of itself. So, finishing college similar to your story there wasnt a Cyber Security program and i have an undergrad in accounting and information system. I got in internship the late 90s doing enterprise where the industry was starting to look at Risk Management and how heaters and systems could be manipulated to have a negative impact on a company. Thats where i got my feet wet and because it was so new that i had so many opportunities to try different fields because it was new for everyone. There was no need to hold myself back because there was no experts in the field. My advice really is to go for it, learn as you go, the official learner but dont hold your back because you dont know. Guess what was there someone else who is ambitious and will go for it. We all might as go in and work collectively toward the cause. In doing consulting i was asked to go on board and i did so thinking sure, ill try this for a little while. What i learned in my experience is that a little while turned into ten years and i absolutely loved my government service. I got so much exposure in the fertility because i was willing to step out there. Then i hit a point where i had wonderful opportunities and multiple departments and had a wonderful opportunity to serve as part of the National Security council in the white house and after that decided to go into the private sector and had a wonderful opportunity to work for exelon, one of our nations Largest Energy providers. Im really enjoying now been able to apply those Technical Skills both in it and security in the policy and Program Management. These fields ever stop and she may have to jump out at some point. Dont be surprised if she steps off the stage. She will hopefully join us later when we have the one thing i picked up of a common theme is there are great jobs of their which you have come to through different places but come to love. Yet, if you look at the statistics for women and minorities in Cyber Security, workforce at large is pretty difficult. The figures are terrible. Low double digits. Two questions which relate to each other. In terms of the people coming in, is it just those in the schools and universities simply not getting the advice, the message, the opportunities that you had . Or is it that employers arent seeing the benefit from having highly qualified women come through and how do we go about changing . I dont think its the latter that theyre not seen the benefit at all. Thats never been my experience. I agree, right. Theres very few women and minorities that cannot tell you how many tables have sat around that lack of diversity in any way imaginable. I dont know that theres always an awareness of it until it comes up in terms of diversity, inclusion efforts that nearly every Government Agency and every corporation has. That is becoming a bigger and bigger field, those in public and private sector now that i have significant private sector and seen it much more prevalently than i did in the government. This is really great to see. I do think that both government and industry can do a better job in funneling to the universities where the Technical Expertise is coming and then can make a pitch to include all genders, diverse cultures and backgrounds and go after them. I think there are some Government Agencies that do this better than others and partner with some of the local universities here. I know george mason has a program to get people in government, gw recruits quite heavily some of the agencies and industry is starting to do this as well. Thats absolutely critical especially in cyber to build off of what samara was saying in the 90s when this was new. Id argue that cyber is a continually new field in whatever skills you had ten years ago may not apply today. Those skills evolve faster than imaginable. The actual curiosity in targeting that new talent is coming out that is up to speed the