Amelia Estwick

Cybercrime is real, and your personal data can be used by malicious parties for whatever reasons they have. ‘Until we get serious, until we get to a point where there’s enough education […], unfortunately, we’ll keep hearing about data breaches, but there won’t be too much action afterward’, – says Dr. Amelia Estwick, the Program Director at the National Cybersecurity Institute at Excelsior College (NCI).

Dr. Estwick has an impressive 20-year long career, she entered the industry before the term ‘cybersecurity’ appeared in our lexicon. Dr. Estwick’s a U.S. Army veteran, a former Computer Science Researcher at the National Security Agency (NSA), a Certified Ethical Hacker, a Cybersecurity Professional, and a role model to many.

Dr. Estwick found some time in her busy schedule to answer a few questions about online privacy, education, and women in the industry.

According to some sources, women in cybersecurity represent ~11% of the industry worldwide. From your personal experience, what are the main challenges women in the industry face?

There are some numbers that globally we’ve reached 20%.; so I question that 11% statistic. (ISC)2 just released a study titled “Women in Cybersecurity” state the number is roughly 24%.  However, the cybersecurity industry can still feel like an all-boy network.

When I started, there weren’t supportive communities of women in this space. I would say 99% of my managers have been male, and those I have supervised have also been male. I think it’s essential that women who see themselves in the position of leadership and influence, understand how to reach back and bring more women into the industry.

I think we’re seeing that now. We’ve got Women in CyberSecurity (WiCyS), Women’s Society of Cyberjutsu organizations, and other women-specific cybersecurity organizations.

There is a growing need in the understanding of the area to what I call support and mentorship/sponsorship. I think that was one of the barriers before, we did not have this, unfortunately. I’m thankful that I had male allies, who knew my technical aptitudes, skills, and abilities, and were able to sponsor me when technical leadership opportunities were available. There were some things I had to fight for like instead of being a manager, I had to leverage myself to being a technical manager, there’s a difference.

The industry likes to put women in managerial positions, which is fine for some. For others, like myself, I say – ‘wait, I have too much of technical background to be managing people, I want to be managing technical projects AND leading people’. I’m thankful that I had the right leadership in place that recognized my contributions. I would tell you, it’s a huge challenge. If we’re going to support women in the cybersecurity industry, we have to provide them with a pathway for them to move up in their careers.

What tips could you share with women who are entering the cybersecurity field?

Don’t forget that there are not only young women, but also mid-career women who are new to cybersecurity, and I don’t want to exclude them. They also need support. It’s important these women reach out to industry leaders and organizations that can assist.

I have a lot of mentees. They reached out to me via LinkedIn, or they are my students at Excelsior College. As the co-Vice president for the Women in Cybersecurity Mid-Atlantic Regional Affiliate, I also have women reach out to me through that connection.

To support these women, you can host technical mock interviews. Women need to understand what’s expected of them when they come into the space – what type of questions will be asked of them — just being there, just being present and helping these women navigate a very dynamic and exciting but sometimes hostile environment is very important.  Unfortunately, I have found some women will report the industry can be hostile towards women, I’m not going to sugar-code it.

If these women are not a part of any of these organizations, they need to find one. Find out what’s going on in your area, in your community. Because now there are so many options, that I did not have. There are some excellent opportunities for them to get involved; you have to find your tribe (laughs).

Some of these women say they are introverts, and find it difficult to reach out; but that’s why we have technology! You don’t have to see the person face-to-face to ask questions; instead, send an email or call the organization. Whatever that comfort zone is for you, I think finding your community of women will help you. And find male allies! Every time we talk, I always try not to discount the males who are understanding that it takes diversity and inclusion to make the industry stronger.

Amelia Estwick

Dr. Amelia Estwick, Excelsior College (NCI)

What worries you the most regarding the US national security?

So there are a couple of things. First, I’m concerned about the gaps that we have in the development of a skilled technical workforce. I feel that we as a country need to take this as  priority #1. If we don’t have the skills within, then it will be difficult for us to fight cyber-attacks.

Second, I’m also concerned about the influence of other countries, like China. They are pushing artificial intelligence, machine learning, so they can dictate, control and influence matters that may not be conducive to our national security. That’s a big one for me as well.

I would say the third one would be – where we’re going with all of the data privacy laws and understanding that tricky balance between security and privacy, and how our data can be used for nefarious purposes.

Let’s get back to the first concern you’ve mentioned – the talent gap. Why do you think this is happening – is the education system failing to prepare skilled professionals for the fast-changing cybersecurity industry?

I think we’re paying the price of not being aggressive in our STEM options, in our STEM curricula. I do believe Colleges and Universities are trying their best. Then again… technology, as you know, is very dynamic.

Overall Higher Education could not do this without public and private partnerships. Some companies come to us as say: ‘oh, we need talent.’ But shouldn’t the companies be invested to provide resources to help Higher Ed? There are a lot of initiatives that are trying to strengthen the bond between K-12, academia, government, public and private partnerships. Some of these initiatives are supported by the government, such as the Center of Academic Excellence in Cybersecurity Defense Education (CAE-CDE) that is sponsored by the National Science Foundation (NSF) and NSA.

The other issue is, there’s this kind of a patchwork of K-12 common standards, and some of them are a little bit more rigorous, and some of them are not. For example, we talk about mathematics, but what level of mathematics do we need to introduce the concepts of precalculus and calculus? They should not be options; they should be a part of the standard curriculum. Some school districts have done better with their mathematics and computer science curricula; but then again, some schools don’t even have a computer science offering at all. There’s a lot of push now to understand how can we bring more STEM to include a focus on computer science and cybersecurity in the K-12 curricula. Unfortunately, we’re playing catch-up right now.

Until this happens, how do you motivate your students?

In my capacity I do quite a bit of outreach. At Excelsior College we do offer a Bachelor’s and Master’s Degree in cybersecurity and we are designated as a CAE-CDE for our Bachelor’s program.  We’re also realizing that our programs are focused on adult learners, many who already had career paths, and now they want to transition to cybersecurity. Providing these students access to industry professionals as well as helping these students understand what their transferable skills are so that they can find a career pathway in cybersecurity, has been extremely beneficial to our students.

Also, NSF teamed up with the NSA to offer these generational cyber programs called “GenCyber”; which, provide grants to Colleges and Universities to host cybersecurity camps across the country geared to K-12 students as well as teachers.

Excelsior College was fortunate to be awarded a grant last year. I was the Camp Director and we held a one-week cybersecurity camp for middle and high school teachers. I feel that teachers are also an important piece in the skilled technical workforce pipeline. Once we teach teachers, then they become force-multipliers. Again, to sustain these programs, we need public and private partnerships.

Interesting that you’ve mentioned teachers. I’ve been noticing this kind of a ‘shift’ of focus on teachers. The biggest science centers in the world, like CERN, are offering programs specially tailored for middle school teachers. Sometimes the students are more tech-advanced than their teachers. Having this in mind, how can teachers help students?

Absolutely. You’re right, the students understand technology faster than us. I tell people all the time – yes, my background’s computer science, I’ve been in technology for over 20 years, but I’m not considered a technological-native, right? I had to learn it. The generations coming up now, they are natives of technology. It’s in their world. But I think teachers have to educate them on understanding the fundamentals of technology, how to protect their data, the ramifications, etc.

It seems that not a day goes by without yet another online data privacy concern. And I can’t help but wonder, is it the new normal we have to get used to?

Well, I hate to say, but yes. For someone who has been in this field, I’ve seen data leaks all the time. For example, there are small ones when some sysadmin misconfigured one of their databases, or large-scale breaches like the Equifax breach.

But what I tell people all the time is – be vigilant about your information. I don’t expect a 100% privacy, because I understand that in this world of technology it is hard to enforce. But if you have misused by data, I do expect to be notified. And I think this is what we’re seeing. We have data breach notification regulations here in the US; however, there’s still more work to that needs to be done to make them universal.

The question is not whether or not your data was part of Equifax or whatever breach, it is – do you understand the impact? Are you trying your best to protect your data? Do you know what your rights are? Just because an organization asks you for personal data, it doesn’t mean you have to give it to them!

As you said, data breaches happen every day, some of them have billions of compromised accounts, that’s why people are getting fatigued and aren’t, as you say, vigilant towards the security of their personal information. This makes hackers’ job easier. What has to change?

Before seat belts became law in 1983, the US had a high fatality rate from car crashes; however, because of the law and with proper education and awareness, people started to wear seatbelts. There was a whole public service announcement: seatbelts, seatbelts, seatbelts! In addition, cars were made a little safer, with proper seatbelts. This is an extreme comparison, but sometimes I have to tell people that their personal identifiable information (PII) can also be a life-or-death issue. Cybercrime as a service is a real threat; people are buying and selling information on the dark web for nefarious purposes that can be used to essentially harm you.

For example, your health information is essential. You can have someone steal your health information and prescribe illegal substances in your name; and you wouldn’t even know about it! I’ve heard of cases where doctors say that it’s a nightmare for them when someone comes to the ER, and they have all kinds of substances on their electronic health record (EHR). They assume they have to treat the patient one way, but then find out later (sometimes through a family member) that person has never taken those substances; unfortunately, the EHR was compromised!

What must change?  I think we need to go back to the idea of education and awareness. I can’t say this enough – educating people to understand what the ramifications are when their data is breached is step one; providing the consumer with the awareness of how their data can be used is another step.

Also, not to let our tech folks off the hook. They need to have better policies in place to secure our data. I’m surprised how many organizations don’t practice or implement end-to-encryption to secure their data in transit and at rest.

Until we get serious, until we get to a point where there’s enough education and awareness out there where consumers understand what it means when there’s a data breach, unfortunately, we’ll keep hearing about data breaches, but there won’t be too much action afterward.

Do you think that we need more participation from the government? In some cases, this has brought some positive results (e. g. the GDPR in the EU), while other examples are worrying – e. g. Australia’s new encryption backdoor law. Where’s the fine line that they’ve gone too far?

So the line where we’ve gone too far is a sticky point for me. I’m willing to give up some of my ‘privacy’ for the sake of national security. But that’s Amelia Estwick speaking. I think there needs to be some type of a happy medium, and I don’t know where that is right now.

What Europe has done, for many looks like it’s in the right direction. I would say, as you said, there are some areas that need modification. But I think we’ll start seeing a ripple effect, which we’ve already had! In 2018, California passed a bill called the California Consumer Privacy Act (CCPA) to enhance the privacy rights and consumer protections for residents of California. It is my hope that other states will get onboard.

But it will take some time. In the meantime, as consumers, we don’t have the luxury of waiting. Hence, we have to be educated, aware, and remain vigilant about our data.