Previously, I interviewed Dr. Jessica Barker. She's a woman who runs a firm, J L Barker Ltd., where she advises many British organizations on how to handle information more securely. Now, I'm honoured to talk to Emily Crose, a network threat hunter. I discovered her on Medium, where she wrote a thought-provoking article about the differences in her experiences in tech and nerd culture as a woman and when people thought she was a man. Her work in incident response sounds very exciting. She also has a unique perspective on what life is like as a woman in information security.
Kim Crawley: How did you get into cybersecurity, and what do you do?
Emily Crose: I got into cybersecurity after leaving my college training to be a history major. Once I realized that I'd make no money as a history major, I wanted to learn a solid marketable. I wanted to make contact with history rather than just be the one talking about it all the time. I took an interest in security right away because I was attracted to the concept of going where other people don't get to go. I wanted to see things and research things that most people never interact with. I wanted to see how the guts of technology work and how people break them. I remember reading an article in Wired over 10 years ago about teams of security professionals whose job it was to support military operations overseas. I was a nerdy kid who never thought I'd be able to help protect anyone, but when I read that article, I realized there might be a way that I could help defend people, and that interested me deeply.
KC: That's really cool! Actually, I've written about a lot of people in cybersecurity who had backgrounds in the social sciences before entering the field. Considering the impact of matters like social engineering, UX design and human error, I think we offer a badly needed perspective that purely STEM people usually lack.
EC: I've noticed some of the same patterns but the funny thing is that, ultimately, most of the people I know who have a history in the social sciences are fairly quiet and wind up actually fitting in better in technology anyway.
KC: What do you do in cybersecurity these days?
EC: I'm working for a cybersecurity startup! I'm a member of a hunt team in support of incident response on my company's hardware product.
KC: What are some of the greatest security challenges now?
EC: Attack attribution is one these disciplines that is a question that in many ways doesn't have a clear-cut answer. Catching an attacker in the act or shortly thereafter is something any good defender can do. But an even greater challenge is finding the right person to pin the crime on. When you get to the level of dealing with attribution for attacks perpetrated by hostile governments targeting rival governments, we start to tread into really dangerous ground. With the rise of organizations like US Cyber Command, whose doctrine includes the notion that the United States will retaliate against attacks on critical infrastructure using measures leading up to and including kinetic responses, the stakes are incredibly high for getting the attribution piece wrong. Lazy attribution could very literally start a "hot war" if missteps are made.
Questions about attribution also tie into a lot of other technical areas that raise questions about the efficacy of network defense. Are we collecting the right logs? Are our sensors in the optimal place to collect metadata on our traffic? SSL decryption is a problem that has solutions, but not every company can afford solutions like Bluecoat to make sure the traffic traveling through the SSL tunnels that have become so ubiquitous these days is clear of any questionable or hostile activity. IoT is obviously becoming a hot topic that falls along these same lines. We have all of these cool widgets that all want to connect with each other, but as security professionals, we understand just how dangerous promiscuous connections can be. When our devices are slutty, the danger to the trusted areas of our networks both on our corporate networks AND our home networks becomes significant. I think we'll see many more issues arise with the IoT as these devices creep further into our lives and (heaven forbid) our skin.
KC: Wow, that's gotta be stressful. Now, to move to another subject, you caught my attention when you wrote an article for Medium that became very popular. From one writer to another, I think you're very good at it, and I've read some more of your articles since. You have very valuable and unusual experience as a woman in tech with nerdy hobbies because as a transgender person you've experienced how people treat men firsthand. I think it's weird that anyone ever expected that your hobbies and professional interests would change when you came out as a woman.
EC: Thanks for reading! It always means a lot to me to hear other writers critique and comment on my writing. I'm pretty standard, though, in that I feel like 95% of what I write is total sh*t and should be seen by no human eyes. I've always been a proponent of inclusion for anyone who wants to be involved in tech. It's not such an exclusive club that we can (or even should) turn people away who have the interest it takes to stay ahead of the curve in this rapidly changing field. Some of the most talented people in security these days are women, and for better or for worse, those women don't often feel the need to point out the fact that they're women in order to be as outstanding and smart as they are.
KC: Do you think you're in a unique position to educate cisgender men about what tech and nerd culture can be like for women and non-binary gender people?
EC: I think there are two answers to give here. On the one hand, yes, I'm in an incredibly unique position to educate cisgender men specifically on how living and working so closely with them can be for people who aren't cis men. Whether I like it or not, I have that perspective. The other half of the question is, "Do you feel like you should educate cisgender men."
To that, I would say, no. When I write essays like the one you saw, I'm writing them as observations of my own world. I'm giving the reader a look inside my diary, so-to-speak, but I know better than to tell anyone what they should or shouldn't do. My hope is that people will read what I write and consider what I'm saying rather than take my words as direct criticism.
KC: How do you think those of us who don't identify as male, whether we're female or non-binary, uniquely benefit the cybersecurity field?
EC: The way that we process information and recognize patterns does play a part in the way we experience the world. We carry those experiences and socializations everywhere we go, and it does change the angle from which we might approach solving a crime, for instance. That door swings both ways, though. Where I might see something that a cis man who was socialized traditionally won't, he will inversely see things that I won't see. Security, in particular, requires us to accept those differences so that we can work together for common defense. With the security challenges we're facing today, we shouldn't exclude people on the grounds that they don't look or act exactly like us. So why would people like us uniquely benefit the cybersecurity field? It's hard to say without generalizing, but back in 2011, the Harvard Business Review did a study on team efficiency. What the study found was that not only is gender diversity good, but if you want the collective intelligence of your team to increase, you should add more women. We have to consider that type of information when we make a judgment about the value women and enbies bring to teams because, by and large, security is a team sport. The data says we benefit from diversity, and we should embrace that.
KC: Is there anything you'd like to add? Is there anything that people in the cybersecurity industry should know right now?
EC: It's really important for people to understand that the future of cybersecurity, and national security writ large is egalitarian. We all have to be willing to hear each other out when it comes to potential solutions to problems we as a community of security professionals will encounter in the future, but we also have to be honest with ourselves about how often minorities are represented in the public eye. Representations have been uneven whether there is an existing bias or not, and we should be excited to promote those representations because we have a lot to learn from the voices that don't always get the microphone. That's just as true for racial and religious minorities as it is for gender and sexual minorities. The tech security sector is home to some of the most intelligent people our culture has to offer. We wouldn't be here if we didn't bring something to the table, and we should all continue to celebrate our individualities while we work together for a safer society for everyone.
KC: Thank you so much for your insight. I know it will resonate with a lot of people.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.