Black Hat: Sharing Information, Hiring and Retaining Women Cybersecurity Engineers

Written by Edward Gately
August 10, 2018

This year's Black Hat USA included topics such as the need for increased information sharing, and the issue of hiring and retaining female cybersecurity engineers.

(Pictured above: CrowdStrike’s Ashley Holtz on stage at Black Hat USA 2018, Aug. 9.)

BLACK HAT USA — And that’s a wrap for this week’s massive Black Hat USA 2018 conference in Las Vegas, which focused on latest opportunities to stop cybercriminals.

One of the core themes during the conference was a need for more information sharing in the industry, said John McCumber, director of cybersecurity advocacy at (ISC)2, a global provider of cybersecurity certifications.

“This is not a new concept, but one that has been repeated for years now,” he said. “The technology fix for this is beyond simple and could happen tomorrow. The real issue at hand is that most organizations have data-management policies that stymie this type of open sharing environment. Unfortunately, you can’t solve policy issues with technology. A first step is to ask ourselves, ‘How do our policies align with the need for sharing information?’ Only by tackling that aspect head-on will we make any real impact on how our systems and people are able to communicate to mitigate risks.”

On Thursday, the issue of hiring and retaining women cybersecurity engineers was the theme of a briefing by Ashley Holtz, engineering manager at CrowdStrike. She said ensuring equal treatment and opportunities for advancement are some of the keys to success.

Holtz said much of the research regarding why women aren’t being hired in technology is flawed — and they are leaving their careers in technology. A common misconception is that women aren’t interested in computers, she said. Also, unequal pay has been overly cited as a reason.

“If unequal pay is the only problem you have in your organization, you’re very, very lucky,” she said. “Changing a number is a lot easier than changing a culture.”

And women don’t necessarily need a female mentor, but “want to find someone who can help them advance and grow,” Holtz said. In terms of technology leaders, women tend to be more involved controlling budgets and staffing, as opposed to being strategic leaders.

“We want to increase that,” she said. “We want to answer how we can remove barriers early on.”

In terms of recruiting, one of the problems is that women might not see the job postings, so the “easy fix” is to place the posting where women can see it, Holtz said. Job postings also should be shared with organizations that are focused on women in technology, she added.

Also, when applying for a position, the job description can be a turnoff. It’s important to focus on what the person will be doing day to day, she said. And rigid lists of requirements are unnecessary because “there’s lots of transferable skills.”

Women in Security and Privacy is one such group that’s focused on advancing women in cybersecurity. Masha Arbisman, a security operations analyst with Phobos Group, is part of the organization.

“I’ve been coming to Black Hat and Def Con (a hacker convention immediately following Black Hat) for the past four years and this organization has tripled in that time,” she said. “So if that shows what the industry has been like, it’s definitely grown. We’re seeing progress and more to come hopefully. I think the industry as a whole is growing, but specifically for women in the industry, I feel like we’ve gotten more of a step to stand on with everybody joining. With more people coming in, we have more people to rely on.”

Also at Black Hat, for Rohyt Belani, Cofense‘s CEO and co-founder, this week marked his 17th year at the event. The company’s collective defense suite combines attack intelligence sourced from employees with incident-response technologies to stop attacks and stay ahead of breaches.

“We’ve been here since the beginning and obviously it’s one of the flagship shows here,” he said. “At Cofense, we rebranded from PhishMe, which most people knew of six months ago, so obviously we’re trying to get the name out there. But more importantly, we wanted to showcase some of our new innovations. We’ve put out a couple of new products, and we wanted to converse with partners and customers to get their feedback, and get the ball rolling there.”

On the other end of the spectrum, this was King & Union‘s first time at Black Hat. The company was started in April 2016, and its Avalon software platform allows cybersecurity analysts to optimize their efforts through workflow automation and real-time collaboration.

“Black Hat is a networking thing for us … we do have our clients here so we’re kind of tagging around them all week and we’re looking for new partners that we can bring into the fold,” said Brent Wrisley, King & Union’s founder. “We’re just trying to get the word out, get feedback and make new connections.”

Dave Dufour, Webroot‘s vice president of engineering, said his company’s primary focus at Black Hat is its OEM offerings. The company has been signing up new partners this week. It provides cybersecurity and threat-intelligence services.

“From that OEM perspective, it’s about making those relationships stronger than we already have,” he said. “From a product perspective, this is one of a couple of conferences you want to come to just to make sure your presence is known in the industry and people know what you’re doing. Basically what’s old is new. We’re still seeing lots of ransomware, lots of phishing, lots of fundamental things around just training people and making sure they have the right things to protect companies. So we’re spending a lot of time just ensuring people of the fundamentals.”