By Paul Lanzi
Nation-state actors, zero-day exploits, privacy breaches and ransomware attacks take up the majority of the news cycles regarding cybersecurity. There are two underlying issues that — though they get little media coverage — portend much greater problems ahead of us: the lack of broad cybersecurity education, and the lack of diversity of the cybersecurity workforce.
I see both of these issues, personally and professionally, every day. My own cybersecurity education began many years ago when, as a 13-year-old, I ran the tech support department for Northcoast Internet — the first Internet Service Provider in Humboldt County, California, where I grew up. Being part of the company’s founding team back in 1994 was an amazing experience. I was lucky to have a front-row seat to experience the shift away from walled-garden services like Prodigy and AOL and the emergence of the web and the internet that we know today. It wasn’t all roses and candy though, as we also had to contend with threats to our service — most often directly from our own users.
In those days, it was expected that every new user on our service would get a shell account along with their dial-up modem access account. Most of our users used those shell accounts for reading email or news, but some went beyond the permitted use, and tried to run scripts to attack other internet hosts or run spam operations on our servers. The days of “script kiddies” brought a set of cybersecurity threats to our company that we scrambled to address. Our cybersecurity education came with the motivation that if we didn’t effectively shut down those threats, our business would fail.
Today, businesses again face the possibility of failure due to cybersecurity threats. However, instead of it just being internet-focused businesses like Northcoast Internet that face those threats, it’s every business. Marc Andreessen famously wrote in 2011 that every business must be a software business to survive. Moreover, individuals are now subject to having their data breached when the companies they trust with their personal information are less than fastidious with it. In short, we all — both as workers and individuals — face cybersecurity threats at an unprecedented scale.
Unfortunately, individual and employee education hasn’t caught up. While some employees receive some cybersecurity training in the workplace, not all do. Often, the cybersecurity education they do receive is more focused on how they can protect company assets, rather than their individual privacy. When I recently completed the Cyber Chip training with my cub scout, the one question he consistently answered incorrectly was whether it was safe to share his name, address, phone number, and parents’ names online. The known rules and best practices for protecting yourself online are grey, at best, and the information isn’t consistently disseminated. We must address this lack of cybersecurity fluency — not just to protect the assets of the companies we work for — but to protect our own data and privacy as well.
The lack of diversity of the cybersecurity community is too often overlooked as a major problem — presently, and even more so in the coming future. Today, up to 20% of cybersecurity jobs are held by people who identify as women. Happily, this is up from 11% in 2013, but even that improvement leaves this group vastly underrepresented in the cybersecurity practitioner community. My wife, Kristin Lanzi, is one of the rare female VPs of IT. Through observing her successes as she navigates the male-dominated world of IT, I have gained a deep sympathy for the challenges that women in our field face. To meet current and future challenges, we need to bring more women into the field of cybersecurity, and to do that, we must remove all of the barriers that stand in their way.
Gender, ethnic and racial diversity aren’t the only kinds of diversity that matter as we grow our community. I recently contributed a quote to a Defense In Depth podcast episode that addressed the use of personality tests in the workplace, and highlighted the need for neurodiversity as well. There is strong evidence that the more diverse a team, the stronger they are: better equipped to make decisions and weather difficult times. To ensure a stronger cybersecurity community and to staff the estimated 3.5 million unfilled cybersecurity jobs globally by 2021, we will need to tackle these diversity challenges head-on.
I was recently asked to join the CyberSecurity Nonprofit as a Board Advisor. I could not be more supportive of CSNP’s mission and vision. As a 501(c)(3) non-profit organization dedicated to promoting cybersecurity education and awareness, CSNP is passionate about building a supportive, diverse, and inclusive cybersecurity community. CSNP is precisely positioned to educate and develop the broader community that we need.
As the co-founder of Remediant, I’m proud of Remediant’s track record of supporting the amazing work of dedicated volunteers helping to drive forward efforts in this space. CSNP joins PyLadies, The Diana Initiative, Day of Shecurity, WoSec (Women in Security), WISP (Women In Security and Privacy), and Women Unite Over CTF in the non-profit organizations that Remediant supports. I look forward to supporting the great work of CSNP.