CyberWire Daily - Solution spotlight: Paths to cybersecurity. [Interview Select]
Episode Date: October 9, 2023Solution Spotlight: Simone Petrella is talking with Diane Janosek, Executive Director of Capitol Technology University's Center for Women in Cyber, about paths to cybersecurity and ways to address cyb...ersecurity workforce intelligence through education. You can view the video of this interview here. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Today, I am so thrilled to be joined by Diane Janicek, Executive Director of Capital Technology
University for their Center for Women in Cyber. Diane, thank you so much for joining me today.
Oh, thank you, Simone. I'm excited.
I am too. Let's get right to it. Can you start off by telling me a little bit about your own
path into cybersecurity? Oh, sure. I wasn't expecting that one,
but we all have different paths, especially since, as we know, cybersecurity really didn't pick up as an academic discipline until about 20 years ago when it was an infancy.
So folks that are working in the field usually have different paths and we all come together around a common passion.
And so my path was really on the law, policy and technology side. I did a lot of, I went into network security policy, and I really appreciated that.
I also had to deal with some of the unauthorized disclosures and a lot of our interfaces with
the public and Capitol Hill in terms of protecting information.
And then, of course, the protection of privacy and civil liberties.
So those all really synchronize and center in the nexus between data governance, civil
liberties and privacy,
and then cybersecurity and how information security all come together. So I'd like to
think that cybersecurity is kind of a nice umbrella because there's multiple things within
that that are just really exciting and always changing. Yeah, that's amazing. So tell me,
how do you think that your own experiences have shaped the way that you think about the cyber
talent challenge that we're grappling with as an industry here? That's part of what we like to talk
about and highlight. So where does this kind of land for you as we think about how we solve this?
How we solve it? That's like the million dollar question. I know.
You had a dollar for every idea, but I what we're looking at um as the challenge the
real challenge is getting the country energized right you always have to have a sense of urgency
that there's an issue that we have to rally around kind of like the world war ii kind of
we can do it and pull together i usually have to have that as an impetus before you really
get people on board and you know get that momentum and momentum and get the buy-in. I think we've had that with enough incidences going on, as well as people at their home having
their own ring doorbells, you know, compromised and, you know, having their bank accounts
constantly having to change out their credit cards, they were compromised. So people are
feeling it at a personal level. And then they're also seeing it, you know, at a national level in
terms of banks and libraries and Department of State.
I mean, every level, the library up in Alaska, they're all getting compromised.
So people are now realizing this is an issue. This is a challenge. It's real.
But not everyone's coming together in terms of how can we make a difference to actually change this?
And I think that part of that issue lays on how the United States is constructed in terms of our three branches of
government with our federal and our state and how that issue has arisen on top of our governance
in the United States. And that's what makes it particularly challenging in terms of is there
one way forward or not, or can we all rally together on some common purposes and goals?
Yeah, it definitely strikes me when I think about having worked in this space, but also previously in the more functional and operational cybersecurity side, that there are a number of really impressive initiatives, whether it be through industry, academia, and government, that are looking to sort of take on this workforce shortage and the talent and skill set shortage we have head on.
shortage and the talent and skill set shortage we have head on. What are some of the things that you have found, especially in your work with Capital Technology University, that have helped to create
new pathways, not only for individuals, but maybe even for the employers that are looking to, you
know, employ these graduates after they go through their programs? Everyone has, you know, an innate
need to belong. They all want to belong to something that's important. And if we can get people to have a sense of this area is important, you can easily get
them into the pipeline.
But getting them into the pipeline and getting them into the workforce, I think are almost
two different equations, right?
And we're trying to match those up with all the initiatives that are going on right now.
So in that regard, I think they're looking at all avenues of tapping into talent, starting
off young with, you know, some of the middle schools and high schools, starting off with varying types of degrees and scholarships and opportunities for associate degrees and bachelor's degrees.
They're looking at doing cross-training for mid-level career people that may want to change and move into the area of cybersecurity, some cross-training going on.
They're looking at, there's initiatives right now with veterans and first responders.
on. They're looking at, there's initiatives right now with veterans and first responders.
After they may have done their 20 years, they can move on and try something else,
moving naturally into the cybersecurity, retraining and having that paid for,
and having them open up the doors for that. So just opening up the aperture of who might be interested so that the pull to pull from and to gravitate and get the energy behind it,
there's a bigger mass in which to literally pull from.
From that way forward, from the employer perspective, as you mentioned as well,
they have to be creative. So just because you have someone lock in the door doesn't mean that
they're going to be ready for the challenges that constantly are changing in the cybersecurity area.
So keeping folks upskilled and current is a whole nother challenge. So this field is just
layered with issues in terms of opportunities and challenges that have to nother challenge. So this field is just layered with issues in terms of
opportunities and challenges that have to go through it. So that's why I call cybersecurity
a team sport, because there's so much to get the right person in the chair at the right time to
address the right threat. Yeah. I love that you referenced that it's a team sport. It's something
that I've harped on for a while now around the
idea that we're often trying to field players, you know, on the field without even knowing their
positions in a real consistent way. And then we're somehow surprised when we haven't given them
the upskilling or the training to be successful in those roles. We just expect them to kind of
grow on trees. So that resonates with me a lot.
If we just kind of focus on CapTech as an exemplar here, what are they doing as an institution to
kind of bridge that gap between what they're doing from a pipeline perspective and growing
new talent, but then also looking at job readiness and the employer side? Because I view that as one
of the primary gaps in this equation is
employers care about job readiness, and institutions and universities often care
about graduation rates. Those don't always align. Yeah. No, you are spot on. So very,
very insightful in that regard. So the current president of Capital Technology University is
Dr. Bradford Sims.
I believe he came from Embry-Riddle before that, but he was primarily in the industry of manufacturing and a lot of critical areas in terms of the pipeline and the supply chain.
years ago, when he came, his whole thing was, let's have students that are ready, able, and,
you know, ready to go into the workforce for the needs that are out there. He doesn't want to create a degree program that there's not a demand for. So his, the programs at Capital Technology
University are very much focused on the emerging technology sectors. There's, you know, there's
even unmanned aerial vehicles degrees in that area.
A lot of the digital networking areas, network security, just the different areas that are
even manufacturing, artificial intelligence, things that are in need right now by employers.
They guarantee that you will have a job upon six months of graduation.
If not, they will help you get additional training to make sure that you get the job
that you desire, that you want to work in, that's marketable to you as well as to the employer where it's a good fit.
They are 100% on that.
They have a job guarantee rate because they know they are hitting the money with respect to what the employers in the local area need to sustain their economic business models as well as the security of their products and of their people and other industries.
So I think that's one thing that's really interesting.
They don't have any liberal arts degrees.
You wouldn't have like a language degree.
They're focused primarily on
what do they think is really necessary
in some of the key infrastructure sectors
of the United States.
So I think that meet their name in that regard.
We're Capital Technology University.
That's the first thing. They're focused on what employers are looking for,
for our country. The second thing that they're focusing on is making sure it's affordable,
education is affordable, and they all very much participate in a number of different scholarship opportunities that are provided for at the federal level as well as the state level.
So they're making it affordable for students to participate. Then the third thing that they're doing, and I'll end there and turn it back
to you, is that they have said, you know, we want to be a leader in the area of cybersecurity
education. They have embraced the role for the National Center for Academic Excellence for
Cybersecurity. There's five nationwide hubs, so to speak. They are the hub for this region.
And so in that regard, they're saying, hey, we want to help be a leader. We want to help
shepherd new professors into the space, help mentor them, help get the interest into the area,
host different opportunities for high school students to come through on Saturdays,
teachers to come through during the summertime to learn, as well as students to cross-train in the area from one sector to another. So they're really trying to do a lot.
I think that's the three things would be appropriate degrees that are necessary for the country,
being a leader in cybersecurity education for the nation, and then three, really making tuition
cost effective. And for those who aren't familiar, the National Centers for Academic Excellence in Cybersecurity, it's been around since 1999 and it has had a significant impact. Can you tell us a little bit about the program and where it came from and how it fits into some of the work that you've been doing there?
question. So I used to be involved with the program. I've since not been with the ball program. So this is just Diane's view of the world, so to speak now, but the National Centers
for Academic Excellence in Cybersecurity, they call it the CAE program. I kind of think of it
as a stamp of a perimeter or stamp of approval that you would get like a housekeeping seal
that we saw with CISA coming out with some things these days. What they have to do is demonstrate
institutions of higher learning have to demonstrate that they meet core competencies in their curriculum, in the area of cybersecurity, in both information assurance, traditional cybersecurity arena, as well as some of the research components as well.
Now, the small component is cyber operations.
So the schools say, hey, we believe we have a great school, not only a great school, we have great professors, we have students that are interested and willing and able to contribute to the field, and what we're teaching them meets that high standard of readiness.
Great.
So with that, there's now over 400 schools in the United States.
States, Adam, I think there's about 5,000 institutes of higher learning in the United States.
Over 400 of them have this quote-unquote kind of stamp, the NCAE stamp of approval.
And what has been happening is that there was just a study done, as you mentioned, it started in 1999 by just a couple of folks and people that may have remembered Dr. Deb Franke, who was one
of the former directors of research at the National Security Agency, is now with one of the national labs. She was at the University
of Idaho. She was one of the first schools that began in 1999. And what she really was doing was
establishing an opportunity to learn and to grow the cybersecurity, not just the workforce,
but the teachers, right? They didn't even have a textbook in 1999.
So really growing that curriculum and starting it forward.
So moving forward, right?
I shepherded that program for a while as my role as the commandant of the National Cryptologic
University.
Moving forward, June of 2023, so just this summer, a report came out and it said, do
we think this program's worked?
Has it yielded the dividends that we thought it should?
And they said, overwhelmingly, yes.
And they said, absolutely.
The CAE schools that the federal government has really encouraged them to grow their faculty,
grow associates degrees, their bachelor's degrees, as well as research programs. They said that these institutions produced an outsized number of cyber and cyber-related
graduates relative to the non-CAE schools. And they went through a number of different examples.
And the reason why we were so excited at Capital Technology University is that it was done by a
very well academically focused
entity out of Washington, D.C. with professors from Georgetown. One of the sentences in there
is that the CEE program and its designated institutions do more than just graduate cyber
talent. Standout institutions such as Dakota State University, Pittsburgh Technical College, and Capital
Technology Universities collaborate and bolster the community inside and outside their universities,
and they work with the community.
They receive access to networks of employers, professional development for faculty, new
funding streams, and nationally recognized designation.
So this program is just one of the toolkit that the nation has to grow academic
programs for the employers in the country so that we can fill this big void of cybersecurity
workforce that I know, Simone, you know very, very well. I do. You know, that study was so
illuminating on so many levels. One of the things though, and it's near and dear to my heart, I know to yours, is how much we've seen statistics over the years around representation in the cybersecurity field,
specifically around diversity of all kinds, women in particular. And this recent study you're citing
shows that the finding of, you know, the statistics we've seen across the industry
are mirrored in the CAE institutions
as well, meaning we're still lacking as much diversity as we could in those programs and in
the industry. So my question to you, you know, even as a passion play and having mentored so
many women and worked in this field for so long is what can not only academia, but, you know,
when you think broadly about the industry, what can our industry partners,
what can academia, what can government do, what can organizations do to really not just talk about
diversity and increasing diversity, but what can they really do in your mind that would start to
actually have an impact on those numbers? Well, thank you for that. So in the area of
gender diversity, which I think the numbers are
quite low, they're not moving as far as they want. I believe, you know, Jen recently commented on
that. They're moving some, but you know, not enough. In the area of gender diversity, they've
been doing studies in terms of, you know, when a young female might want to get into a STEM field,
they generally make up their mind by
10th grade, if not eighth grade. So you have to start really early. And there was a couple of,
there was one study done that said, because this is a very, I wish I had the name of the report.
One report was called the Hechinger study that was done out of New York state. And there was
a second study that was done as well.
I wish I could remember the name for you. And what they were saying is that the female population in the middle schools tend to be very multidisciplinary where the boys may have some
strengths. So they have more opportunities to go into other fields. So they may say,
I want to go into science. And somebody may say, well, but you're so good at writing. I mean,
you are such an amazing creative writer. You don't want to give that up. And the answer would be, you can do both.
You can do technical and do creative and it all comes together. And, you know,
cybersecurity is so multi-talented as well that you could. So what it's really is trying to change
that narrative at a young age so that the thought of where they're going to school, you know, it's
planted in their head earlier. So they may have an idea, hey, I want to go into technology. So they naturally go to the CEE
schools because the education they, but they know, you know, a sense of approval. But so I think we
have to start before they start thinking about what school they want to go to and say, this is
an amazing profession. And the first way to do that is to give students role models, show them,
you know, open up the doors for, you know,
different gaming opportunities and competitions and just fun things and, you know, Rubik's cubes
contests and different things that they realize there is a home here and you do belong.
You know, just quickly pivoting, because I know that we've talked about in a recent episode,
I spoke to Camille Stewart Gloucester around the recent White House
cyber workforce strategy. I would love to get your take on what your thoughts are on the White
House's strategy and how that will help bolster the acceleration of cyber talent across the field,
but also where there might be some areas that we need to continue to improve upon.
I loved listening to Camille.
And of course, I'm fully supportive of what they were trying to roll out.
I've been tracking this field for a while.
The nice thing about cyber workforce development is it is bipartisan.
And everyone realizes, yeah, we need to come to the table and get together.
But the nice thing about the July 31st, 2023 strategy that Camille was talking about is it just gives it
more momentum and more energy and more focus, right? If they weren't talking about it, we wouldn't
be talking about it. So it's setting the tone for, by the way, this is really important. Employers,
we need to think about this. States, as well as the federal government, need to be thinking about
it. Cities need to be thinking about it. Let's all rally behind this. So there's why I loved Camille. I think you even used the word roadshow, you know,
when you're talking with her. That's awesome. I mean, the fact that they are interested in doing
a roadshow and talking about national cyber workforce education strategy is amazing, right?
We need that. We need that as a country with all these open positions, with so many changes in
technology, so many vulnerabilities being introduced with so many changes in technology,
so many vulnerabilities being introduced in so many ways that people are unexpected.
The fact that we have a White House that is directing this much energy with the stand-up
of the Office of the National Cyber Director, with Mr. Inglis and with Campbell Walden,
and now hopefully it's going to be a good friend of mine.
It's going to be up there too.
It's going to be a lot of goodness.
And it's all because you need momentum.
You need energy.
You need all hands on deck
and, you know, all power to them.
Amazing.
Thank you so much for joining us here today.
Really appreciate the conversation as usual.
And is there anything else
that you want to kind of bring up that maybe I neglected to ask?
I just wanted to mention that I often have people say to me, well, you know, what is cyber about?
You know, it is really an amazing field. It is an incredibly inclusive field. They want to
include you. You don't know something, hey, we'll teach you a sentence. They sit side saddle on so many things. There's so many teaming. If you like working with the team,
you like learning, it's an amazing field to jump into. So it is perfect for all ages,
all genders, all nationalities, and it's just fun. And we're very supportive of each other. So join in.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. Thank you. control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.