The cybersecurity industry can be made stronger if we attract more women and non-males. I've had the pleasure of interviewing some in my series. I
spoke to Dr. Jessica Barker, who advises organizations on information security and maintains a blog at
Cyber.uk. Then I
spoke to Emily Crose, a network threat hunter.
Most recently, I had the opportunity to speak with
Lesley Carhart. She leads a team in security incident response. She also writes an engaging cybersecurity blog,
tisiphone.net.
Kim Crawley: Your infosec focus is largely in digital forensics, and you have an impressive academic background that's directly related to our field. How did you get into cybersecurity in the first place? How long were you interested before you went to college?
Lesley Carhart: Very early on! I grew up on a midwest farm. While that meant a lot of hard work and time outside, it also meant early access to a computer when my father bought one to manage inventory and accounting. He is definitely an old school hacker, and we learned how to use MS-DOS together when I was 7 or 8. We both picked up scripting and BASIC, and it quickly became a contest between him building hardware and software controls to restrict my use and me evading the controls.
By the time I was 15, I had been coding regularly for seven years or so, and the early dot com era was beginning to boom. Through connections, I was quickly picked up by a local firm as a SQL developer and did that through high school. That gave me a great segue to the burgeoning Chicago hacking community and introduced me to other fields of IT and tech.
Of course, the dot com boom didn't last forever. When the job market dried up after graduation, I enlisted in the Air Force, cheerfully requesting any job that got me hands on with electronics. I kept up my interest in hacking and digital forensics and read everything I could.
KC: I'm happy to hear that you got into coding as a little girl. Now, I notice that you also work for Circle City Con. How did you get involved with Circle City Con in the first place?
LC: The Chicago infosec community is heavily involved in
Circle City Con, simply due to numbers and location.
KC: So, you were just chatting with fellow Chicago infosec people and someone offered you the role?
LC: We have a very active and tight-knit group of people here in the BurbSec meet-ups. There's an infosec hangout almost every Thursday in the Chicagoland area. I'm very heavily involved in that organization, and many of the the primary Circle City Con organizers are, too. It was a logical move.
KC: That reminds me of
TASK here in the Toronto area. Let me ask you: what are some challenges you've had as a woman in cybersecurity?
LC: My entire life has been a series of male-dominated industries, hobbies and coursework. By the time I was working professionally in infosec, I was thoroughly used to dealing with this.
All human beings are fundamentally biased in different ways – some are just more self-aware than others – so of course I've had to deal with some sexism. It's frustrating when I'm questioned on fundamental IT skills before somebody trusts my advice as a subject matter expert. It's irritating when I go to conferences and people ask me if my boyfriend brought me along. The trick is recognizing that prejudices exist and building the self-confidence to not let them phase you.
We're taught in our society to defer and apologize to others. We have to be able to break out of those conventions. Politely telling people they're incorrect and backing that up with reasoning and evidence is a crucial skill learned over time. At the same time, we have to try to consciously avoid gendering activities ourselves. Just be a human and be good at what you love.
KC: I'm dismayed to see much fewer girls and women pursue IT and computer science. Hopefully, articles like this one and
your blog can help a little in showing people that women play a very important role in our industry. How do you feel that women uniquely benefit the cybersecurity field?
LC: Being a good computer hacker relies on a broad range of experience and cross-discipline skills. Being good at detecting and preventing hacking does, as well. The more backgrounds, hobbies, previous careers and methodologies we can bring into our field, the better we will be at responding to complex problems in an innovative way. The homogeneity of our industry, coupled with the absurd stereotype of a hacker in our culture, can only harm us as cybersecurity impacts broader and broader society.
KC: What do you think will be the biggest problems in information security in the next several years? IoT is making me very nervous.
LC: Ransomware will continue to get more diabolical. We're already seeing local file encryption turn to public (s)extortion, and there are plenty more malevolent things malware authors can do to make people's lives miserable in the age of IoT.
As for IoT, the problems will likely continue (and get worse) until legislation requires security standards in internet-connected devices. We're caught between a population wanting the latest gadget, sellers driving down prices to meet buyer demands, and manufacturers cutting security corners to reduce cost. I don't see much chance of any of those factors changing independently.
Finally, I predict that we will soon reach a breaking point in internet infrastructure attacks where fundamental problems that have been ignored for decades and lack of redundancy result in expensive enough catastrophes that solutions have to be implemented.
KC: I'm not optimistic about cybersecurity legislation in the United States considering Rudy Giuliani's appointment! Is there anything else that you'd like my readers to know?
LC: If you want to be a hacker, don't be afraid of illogical myths. Don't be afraid of the myth of the hoodie-clad hacker who's fundamentally "better" than you. Get out there and learn. Don't be afraid of the myth of the infosec rock star as an untouchable paragon. Skill levels vary, but everybody puts their pants on the same way, and even the old-school hackers are usually pretty approachable. Don't be afraid of the myth that a CFP rejection means you're not clever enough. Everybody gets rejection letters, so pick yourself up and keep submitting. Don't be afraid of the myth that you have to be a drunken raver to be a real hacker. It's okay not to drink, and it's okay to go home to your kids. Don't be afraid of the myth that only 1337 hackers speak at cons. Bring your experience and unique perspective into a research project, work hard, then share it.
KC: Thank you so much for speaking with me. I've learned a lot.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
