Why We Need Diversity in Cyber Security, with Diana Burley
Episode 87: Why We Need Diversity in Cyber Security, with Diana Burley
Diana Burley has extensive expertise in cyber security. As Executive Director and Chair at the Institute for Information Infrastructure Protection (I3P) and professor at George Washington University she is passionate about ensuring the confidentiality, integrity and availability that reside on our systems. In this week’s episode, Diana discusses being a woman of color in the tech field, gives us advice on how to go into our work with confidence and encourages women that it’s never too late to start a career in tech. Whether your’e 12 or 65, tech needs diverse backgrounds, and it’s important for those voices to be heard.
00:00: Welcome to the Ellevate Podcast: Conversations With Women Changing the Face of Business, and now, your hosts, Kristy Wallace and Maricella Herrera.
00:12 Kristy Wallace: Hello and welcome to the Ellevate Network Podcast. This is your host, Kristy Wallace, here with my co-host, Maricella Herrera, and we are so excited. Are you excited? Are you feeling my excitement?
00:27 Maricella Herrera: I am feeling your excitement, I'm a little scared of your excitement. [laughter]
00:32 KW: No, I'm excited for our guest today, Diana Burley, who just... She has it together and I really enjoyed our conversation. She, more so than I thought I would with someone who is in cybersecurity, which I know nothing about, but she did a fantastic job of telling me all about it, and why I should care, and if I wanted to get into cybersecurity how I could do so.
01:00 MH: Are you getting into cybersecurity?
01:02 KW: Maybe, maybe. I still have a lot of life left in this body. [laughter] I could be one of those inspirational stories, like granny goes back to school to fight the hackers of the world. It could be...
01:20 MH: I think you should do it.
01:21 KW: Alright.
01:22 MH: I think you should do it.
01:22 KW: Yup.
01:23 MH: The Ellevate Cyber Network.
01:26 KW: We're gonna do it. Diana is just... She was great. I had a lot of fun with this interview, and I know all of our great listeners are gonna have a lot of fun with it too. Something that I am so awed by is the number of women we've had on the podcast. We're now about a year and a half in and each story is different, and each story of resilience, of reinvention, of innovation and creativity, of just passion and impact, is so authentic and it's so real, and it inspires me every single day. And I take a little piece from every story, and it all serves to make me better and stronger. I just wanna say thanks to all of our guests, because it means a lot that you spend the time with us on the podcast and to share your insights. Sometimes that's not easy to do, but I've certainly gained so much value from it and I hope that all of our listeners have too.
02:28 MH: Oh, that's sweet. Yeah, I would agree with that. It's incredible to hear these stories and just everything that we learn from them every week. So, thank you to all of our guests, thank you to all of our listeners, thank you to all of you who rate, reviewed, subscribed and keep up with listening to these amazing stories, and on the side a little bit of our nonsense, but these [chuckle] amazing stories primarily. And also, thank you... I wanted to bring this up, thank you to everyone out there who also suggests guests. We have a lot of women in our community who are amazing, and to me, it's just so powerful to see when one of them who we know is great just reaches out and says, "You have to meet these other women who are also great, and you should be sharing their stories." So thank you to all of them.
03:29 KW: Great, absolutely. Enjoy my interview with Diana, she is just fantastic. I had so much fun with this interview, and we look forward to seeing you here next week on the Ellevate Podcast.
03:54 KW: Diana, my first question for you today is this burning, earth-shattering question, is: Can you explain what cybersecurity is?
04:08 Diana Burley: Yes, I can, and let me say that there are many different definitions of cybersecurity and in many ways the term is a misnomer because there really is no way to ensure that there is 100% security within our networks. But the idea behind cybersecurity is that we are dealing with systems and we are trying to ensure that there is confidentiality, integrity and availability of the data that reside on our systems, whether we're talking about the data as it stands in storage or as it flows between entities or nodes in the network. So when we talk about confidentiality, what we're saying is that we have some sense of only those who are authorized to access the information can actually do it. So it's very akin to the idea of privacy. When we talk about integrity, we're talking about the fact that we have some assurance that the data has not been manipulated in some way, and that we can trust that the data is accurate as it stands. And availability is about being able to access that data when we need to, and by those who are authorized to, to avail themselves to the data. So if you think in terms of those three buckets, that's a nice easy way, we call it CIA, and that's a nice easy way of thinking about what cybersecurity means.
05:41 KW: Thank you, and all of that sounds terrifying, yet so incredibly relevant, given just what's been in the news, and just given how we live our lives today, so tapped into technology and lots of data out there. But Diana, I know you are renowned for your expertise in cybersecurity, which is one of the reasons I'm so excited to have you on the podcast. You're a professor at George Washington University, the executive director and chair at the Institute for Information Infrastructure Protection. How did this all begin? At two years old, three years old, were you like, "Yes, I wanna get into cybersecurity"? What got you to this point?
06:25 DB: Well, I don't think we knew what cybersecurity was.
06:30 DB: But I would say that I've always been interested in technology and in the interface between technology and people. And so my interest was one of trying to understand how people use the technology, how the technology influenced people's use, how it enabled certain things to happen, whether or not individuals had access to technology. So it's always about that interplay between people and technology, we call it in the research world socio-technical systems. That was my interest as growing up and certainly as an undergraduate, but I still didn't have a good sense of the field, as it stands today. But I pursued that interest, and that has led me in lots of different directions and ultimately led me into the direction of cybersecurity and of trying to do what I could to help people effectively use the technology that really permeates every aspects of our lives, and to do that in a way where we are protected, where society is protected, and we're able to accomplish the business that we need to accomplish.
07:47 KW: Thank you. Diana, I know our guests, our listeners cannot tell this. They know you are a woman, but you are also a woman of color. And I wanted to call that out. I think it's so important to know, because we've been hearing so much, for quite some time, about the challenges for women and particularly women of color in the workforce and specifically in technology. So you are such a role model for the work that you're doing. And I wanted to just take a minute to just thank you for that.
08:22 DB: Thank you.
08:24 KW: But I would love to hear about your experiences because it's so important that we talk about these challenges and also the ways that we can overcome it. Have you run into any challenges as a subject matter expert? Do you feel that your gender or your race have played a role in the experiences that you have or have not had?
08:46 DB: Certainly my gender and race has played a role on... I would say, though, that even in the negative experiences, of which there have been some... And I think that everybody has their share of them, I have found a way to take them and absorb them and turn them into a positive, or at least a positive motivator for me to keep going and for me to give my contribution and to be better. And I think that it stems from, certainly I can speak to my family and my upbringing and the confidence that they instilled in me. But I often go back to a professor that I had when I was at Carnegie Mellon, and there really weren't very many graduate students at CMU that were African-American, certainly not many in the technology space or, and African-American women even fewer so. But one of the things that she said to me was that my voice was needed. That technology doesn't come into being by itself. People build computers, people write programs, people develop algorithms and if we only have one type of people who are building the technologies, who are designing the software, who are developing the algorithms, then inevitably they are going to be developed from one singular perspective and they just inherently can't meet the needs of the entire population.
10:17 DB: And so in order for the technology to really be an enabler for all types of people, all types of people need to be a part of the process. And that is something that I have held on to as I walk into many rooms where I'm the only person that looks like me, or the only voice that sounds like me, I hold on to that, knowing that while my voice might be... We might often characterize it as a solo voice and as someone who is alone in the room and cast that in a negative light, I cast it in a positive one that says, "If I'm not there, if I don't speak up, if I don't develop to the best of my potential and add my voice to this entire space, then the society loses because we don't have the type of systems and technology that really will be of value to all of us. And so I hold on to that. And that helps me to get through those lonely days and certainly, early in my career, lots of intimidating days, where I was the only one in the room, but I have held on to that and used that to my advantage and allowed that to propel me forward.
11:37 KW: Thank you, Diana. That was so well said. I had chills as you were saying it. Do you have any advice or tips or tricks that you've used to get your voice across, really being an expert in this field and as you said, oftentimes you're the only woman or only woman of color in the room. How did you get to the point today where you've really... Your voice is so powerful and I'm sure it was a journey to get to that point.
12:08 DB: It is a journey, it has been a journey, it continues to be one, but I would say the first thing is that you need to do your work. You have to develop your expertise in whatever area, whatever line of work you are in, you have to do your work. And I think that sometimes we lose sight of that when we're fighting all of these other battles. And I don't say that lightly because in order for people to listen to you, especially when you're coming and speaking in a package that is different, you have to let them know that while the package is different, the knowledge is sound. The opinions are sound. And so you must do your work, and I cannot stress that enough. But then you also have to learn the language, the culture, the environment within which you operate, so that you know where their perspectives are coming from, so that you understand the entirety of the space, and you know how to push just a bit to expand the edges. Change does not happen in these big, grand ways. Change happens in a very incremental process, but in order to move that ball 10%, you have to understand that 90% of what you're bringing to the table needs to resonate and be respected by those who are already sitting at the table.
13:43 DB: You have to let them know that you've earned your seat at the table. And that's a very important thing. And I don't think that... There are many times, and certainly early in my career, whether teaching a class in a technology area, or consulting, or going into a government agency or a business, where I started off by enumerating my credentials. Not in a defensive way, not in a combative way, but in a way that says, "I have earned the right to be here. You have reason to listen to the things that I'm going to say." And when there's pushback, respecting the pushback, and having a response that indicates, while I respect the pushback, I'm not intimidated by it, and I have the depth of expertise to be able to address whatever your concerns are. And that takes a lot of time to develop that expertise, and also to develop the confidence to be able to use it and apply it, and to accept that there will be times when you won't know everything, and there will be times when even despite the fact that you've been able to demonstrate your expertise, people are still going to dismiss and discount you. And you take that and you... But you don't allow it to reduce the level of confidence that you have in your own knowledge.
15:09 KW: We hear oftentimes from the women in our community they sort of get to a career inflection point where they're trying to figure out what's next, and they don't know what it is. And many of the women are really interested in technology, in getting into technology, and oftentimes didn't have that guidance from parents or teachers or community earlier on in their lives to direct them into those fields. And I hate asking this question, but is it... It's too late? You've missed the boat. Or is there always an opportunity to...
15:45 DB: Never too late.
15:47 KW: Okay. [chuckle] I'm so happy to hear you say that.
15:50 DB: That it's never too late. And one of the things about the cybersecurity world, of course, and this goes for every single person in the workforce, is that there is a continuous learning that is required. Even if you have a technical background, there are always new technologies, there are always new things to learn, and so part of coming into this workforce is recognizing that you have to take the attitude of, "I will be a forever student." And that doesn't mean... In a traditional program, that doesn't mean devoid of full-time employment, but it does mean having the mindset of continuous learning and growth and development. For those individuals who are in a career field now that is not cybersecurity or is not technical in nature, there are many different ways to begin to immerse themselves in the content of this career field, everything from very informal opportunities. There are lots of meetups and seminars and sessions that people will hold just to introduce ideas or to further have discussions to begin to help people understand what's going on.
17:04 DB: Going to a boot camp. There are lots of coding boot camps that are around that are designed to teach people in a very shortened amount of time, how to code, and so that's what they're designed for. People who don't have that experience. Even going to enroll in a course or a program at a community college, again, designed for people who do not have experience in the field but want to begin to develop and gain knowledge. I know that also many institutions are developing post-baccalaureate programs that are designed precisely for people who have degrees in other disciplines but have decided that they want to now transition into the cybersecurity workforce.
17:53 DB: They don't wanna come back and get a full bachelor... A full additional bachelor's degree, but they want to be able to earn a certificate or some other credential that it gives them the opportunity to gain knowledge in the cybersecurity space, so that they can start career number two or number three. So, absolutely not, it is never too late, and I encourage anyone with even an inkling of interest to begin to explore, even online programs. And the National Security Agency, for example, has something called a Day of Cyber, where people can just go into the website and begin to explore, just to see what kinds of different jobs are available and what kinds of work people might do, so that they can then make some decisions. But we need everyone. We need everyone to prepare and to join the workforce, whether they are 12 or 65. Really, there is a space for everyone.
18:56 KW: And thinking long term, I've heard that cybersecurity expertise is increasingly sought after for public board positions, as well. So, looking for that expertise and that's a huge opportunity for us, for women to fill that role, to get involved in cybersecurity technology, but also to help close the gender gap on boards.
19:24 DB: Yes, there is a tremendous need there. And again, I would encourage people who have the expertise to begin to develop networks and let individuals know that they are available, because as companies continue to recognize their vulnerabilities, and there are vulnerabilities across many different areas. Sometimes it's the technology, sometimes it's the people within the organization, but there are many different reasons why an organization has exposure. They need to have that expertise, and they need to have it on the board, but in a way where the individuals have the expertise, and also have an understanding of how it fits in with the business and with the business concerns, and can advise companies on how to effectively manage risk.
20:18 KW: So, Diana, when you are not saving the world, [chuckle] what are you doing? What are your hobbies?
20:25 DB: My hobbies are monitoring what my children are doing. [chuckle]
20:30 KW: We'll finish, and then I wanna ask you about that. [chuckle]
20:33 DB: That's pretty much it. That takes up all of my time, is getting into the middle of what they're doing.
20:41 KW: Okay, so I couldn't ask for a better segue, "A cyber security expert, how do I monitor what my children are doing? [chuckle] Please, show me the way."
20:55 DB: Well, it's funny, because I could certainly talk to you about the technology and how to set up internal networks and watch what the kids are doing, and all that. But the truth is that even when you do have the monitoring tools, technology tools, that children will find a way around that monitoring, because it is... Just like it is the job of a parent to get in the way, it is the job of the child to find out a way to subvert. And so, the best advice that I can give is to continue to engage your children in having an open relationship and dialogue, and really treating them with the respect that you do in every other aspect, no different than wanting to know about what's happening in their dating lives or in other places.
21:52 DB: But it's because it is a perpetual challenge to keep up with the technology, and so, you really just have to... Almost like the people in your organization, you help them to understand why the rules are there, what you're trying to protect them from, how... What they do can impact them and the rest of the family. And then, when a mistake is made, to tell you, and not to be afraid to tell you. And that's really key, because people are going to make mistakes, whether they're your kids or the people in your organization. They're gonna click on that link, they're going to download that file, they're going to give away information that they probably shouldn't have. It happens to all of us. But the best way to limit the damage is to alert whomever, whether it's the parents or the managers, that the mistake has been made, because then you can more quickly remediate and close that hole, and get back to some sense of normalcy.
22:58 KW: So, Diana, I feel like I would be remiss if I did not ask you about what has happened in the past year, year and a half, I think on the public stage, with everything from Hillary Clinton's email server, to cybersecurity risks with Russia, to even big data breaches that we've seen with credible reporting agencies, and with e-commerce sites, and whatnot. This has been a really hot issue. How is that making you feel?
23:34 DB: So, certainly, like everyone else in the general public, knowing about the vulnerabilities and hearing the news is certainly alarming. As someone in the space, none of these things are surprising, because the way that the systems in the internet, and the technologies and companies and everything has been evolved has not been with a security mindset. Security was not at the forefront, security was an afterthought, because operability was first, and so this is what happens when security is not baked in at the beginning. That being said, I hope that it is a wake-up call to everyone, from the politicians to the general citizens, that we need to all pay attention and care about the security of our systems, whether they are election systems, or online e-commerce systems, or healthcare records, or whatever it is, we all need to be ever vigilant in doing our part to protect them.
24:54 DB: And then I think that the next question is, "What does doing our part mean?" Many smart people are trying to figure that out because it's almost very much like when I said that the academic environment is challenging because we are at the same time, structuring what the workforce looks like as we are trying to structure what these programs look like. And there's not a lag, there's not the natural lag. The same thing holds true in the societal space. Public policies are not in place to deal with... To deal with the reality of the technology and what it enables us to do both positively and negatively. So, everything is evolving at once.
25:42 DB: I would just hope that, as we continue to develop our policies and procedures, both in the public sector that dictate what we as citizens of any country do, but also in the private sector as businesses make decisions, I would hope that they would rely upon the true experts in the cybersecurity space to gain the insight that is needed in order to develop policies and practices that will be effective, rather than running off and not taking the time to really learn and hear from that expertise. But we are in a shifting societal reality and as we as consumers want increasing accessibility, we want increasing convenience, we have to understand that while those things are possible, they also come at a cost. And part of what we have to do is to wrestle with, at what cost and how do we manage the risks associated with all of the pleasures and conveniences that we enjoy in this cyber-enabled society that we live in.
27:00 KW: Well, thank you, I appreciate that advice. As a parent, as a consumer, as a business leader, it has been amazing talking to you today and I just wanted to thank you so much for joining us on the Ellevate Podcast, so thank you, Diana.
27:15 DB: Thank you very much. My pleasure.
Have more questions? Follow up with the expert herself.
You deserve more.
No matter the challenge, you don't have to face it alone - but it’s up to you to take the first step. Join Ellevate to find the people you can trust, who understand what you’re going through, and who genuinely want to help you succeed.
Already a Member?