Women in Federal cybersecurity - How did they get their start?

While there may still be only a handful of women in Information Security, they can be found in increasing numbers in important, high-profile positions. A recent article by my colleague Stephen Cobb inspired me to do more research into women leading Federal cyber security efforts. As someone who came from a non-traditional security background, I wondered: How does one become a cybersecurity expert for the US government?

The answer is that the paths into high-level government information security positions may be a little less diverse than in the private sector. But these distinct paths still show that there are many skillsets that can be useful in the various aspects of securing businesses and critical infrastructure.

There are three women we’ll focus on in this post:

• Suzanne Spaulding – Under Secretary for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security (DHS), and founder of the American Bar Association’s Cybersecurity Legal Task Force
• Dr. Phyllis Schneck – Deputy Under Secretary for Cybersecurity and Communications for the NPPD and Chief Cybersecurity Official for the DHS
• Lisa Monaco – Assistant to the President for homeland security and counterterrorism, who recently announced the creation of the Cyber Threat Intelligence Integration Center (CTIIC)

These women all come from different backgrounds and have different specializations, which allow them to bring unique strengths to their particular roles.

From Law to Security

It’s probably not surprising, but a lot of folks in the higher ranks of Federal cyber security have law degrees. But this is not to say they’re all focusing on the same area. It should come as no particular surprise that those with law degrees are not limited to undertaking a career in courts of law; knowledge of the law and a talent for identifying criminal activity has clear benefits in many industries, not least of which is cyber security.

Suzanne Spaulding is the head of the NPPD, which is an organization tasked with protecting and enhancing the resilience of physical and cyber infrastructure in the US. This is a natural fit for someone who was appointed to Virginia's Secure Commonwealth Panel in 2002, in order to secure the area’s critical infrastructure. This position was established in the days soon after the attacks on 9/11, as the Pentagon building in Virginia was one of the locations hit by terrorists. Coming from a background of protecting physical assets, this has given her a more holistic view of infrastructure: It’s important to protect not only real-world facilities but also the services they provide, including Internet access and data integrity. This includes implementing countermeasures not only against the threat of terrorism (cyber or otherwise) but also against natural disasters such as Hurricane Sandy.

Lisa Monaco, on the other hand, comes from a background of prosecution and crisis response. From 2004 to 2006, she served as a prosecutor on the Enron Task Force charged with investigating criminal violations by executives in charge of the Enron Broadband Services business unit. As an advisor to the President, she was recently tasked with responding to last year’s Ebola scare. After the recent Sony breach, she brought both of her specialties to bear on the problem: She began asking people in the intelligence community questions about who they thought was responsible for the attack – and could intelligence-sharing have prevented the threat before it was carried out? This line of questioning was the genesis of the creation of the CTIIC.

From Academia to Government

Having a degree in law is not the only way to get a cybersecurity position in the Federal government, as Phyllis Schneck’s appointment shows. Because the DHS frequently interacts with businesses, having someone who has been on the private sector side of the equation can be quite beneficial.

Before her appointment, Schneck was CTO for the global public sector at McAfee, where she was responsible for determining the governmental applications of the company’s security and global threat intelligence. And this was not her first position interfacing between the public and private sectors. She served on the boards at the National Institute of Standards and Technology (part of the US Department of Commerce) and InfraGard (a partnership between the FBI and private sector). Early on in her career, she also held technical positions relating to information security at MITRE and CygnaCom, two companies devoted to helping businesses interact smoothly with government entities, particularly in the area of cyber security.

In many of her positions, she was tasked with sharing data pertaining to cyber security and threats, so naturally she has focused on establishing the DHS as a trustworthy central repository for threat intelligence.

Many voices coming together

Crime and terrorism in the digital realm are difficult problems that will take a multifaceted approach to solve. The women featured in this post come from varied backgrounds, most of which are not strictly technical. Because they have different past experiences, they ask different questions about what we can do to decrease the threat of cybercrime.

Whether someone is at a junior level as she develops her career in information security career or has achieved a position at the head of a government cyber security agency, there is more to being successful in that career than merely being knowledgeable about technology. And it will take more than an industry full of technologically proficient people to finally make cybercrime unprofitable – a diverse, dedicated, worldwide team of people with a panoply of specialized skills.