Date: 2021-06-24

If we want a diverse workforce and women in STEM, the women who are there need to lift up others — encourage them, counsel them on career questions and help them achieve their goals.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Kathleen Hyde, MCIS, MBA, chair of Cybersecurity Programs for Champlain College Online. She is responsible for the online cybersecurity and computer forensics and digital investigations undergraduate programs, as well as the M.S. in the digital forensic science program. As program director, Ms. Hyde maintains the cybersecurity and digital forensic programs’ competitive and relevant edge, promotes the growth of the nation’s cybersecurity workforce, and shares her passion for lifelong learning by teaching several online classes.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

Interesting question. I was born in New Jersey, moved to Germany and lived there as an infant and toddler, before moving back to New Jersey and eventually Vermont.

I never saw myself in a career working with computers, though I remember programming BASIC on my brother’s Commodore, including “Hello World,” and loving it. I thought I would become a veterinarian or lawyer. I graduated with my Bachelor’s degree in Visual Communication and worked as a news reporter and investigative journalist before becoming a computer technician and later Information Technology/Information Security consultant.

Along the way, I obtained master’s degrees in Computer Information Systems and Business Administration. A position as an adjunct instructor in cybersecurity and digital forensics led to my current employment as Chair, Cybersecurity Programs at Champlain College Online. Currently, I’m working on a PhD in Information Security.

On a personal level, growing up I was very active in 4-H, band, and theater. When I wasn’t studying, playing my flute, or acting/singing in musicals, I could be found in the barn milking my registered dairy goats or collecting eggs from my chickens. Farming seems to be in my blood because today, I live on a farm, which is “home” for about 70 goats, a dozen sheep, a handful of dairy cattle, and eight donkeys.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I am a fan of British mysteries, especially those authored by Sir Arthur Conan Doyle and Agatha Christie. Every three to four years I read The Complete Sherlock Holmes and when my original copy was lost in a fire, that was the first book that I wanted to replace. I felt lost without a copy on my bookshelf. What appeals to me is Sherlock’s keen sense of observation of the physical world and human behavior. I love people-watching, and looking for patterns and anomalies. It really isn’t a surprise, when you think about it, that I love cybersecurity and forensics.

Currently, I’m reading James Clear’s Atomic Habits. I receive his weekly newsletter titled 3–2–1 Thursday, which features three ideas, two quotes, and one question to consider. Even if I am working on a project or solving a tricky problem, I take time to pause, read, and ponder the ideas and quotes as soon as the email hits my Inbox. The questions always make me wonder, “How did he know that’s just the question I needed to answer this week?”

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My career in cyber reads a bit like an after action for a breach. Typically, a single point of failure isn’t the cause of a breach. Instead, there are a series of small decisions or actions that, when combined, lead to its success.

I came to cybersecurity through a series of small decisions. When I started working as a computer technician, I didn’t limit myself to installing operating systems or only administering servers. I taught myself how to work on printers, copiers, and even x-ray and MRI units. I learned to design and install networks. As information technology evolved, the need to protect systems and data became more critical, so I learned to identify malware, secure information systems and data, and use digital forensics. All of these little experiences inspired and drove my career.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

One of the funniest mistakes I’ve made happens to all of us from time to time — we think about something we should do, but put off doing it until later.

Early on, this usually was in the context of needing to back up proposals or assignments when I was obtaining my degrees. In the days before automated backups and cloud storage, if I thought that I should do something and I didn’t, I got burned. Nothing big, but a file here and there.

It served as a reminder of why, when we are responsible for the security and uptime of others’ systems, we need to always pay attention to the small voice that says you should do something. Putting off a patch or not checking an alert are simple activities that can lead to something much larger.

Are you working on any exciting new projects now? How do you think that will help people?

I’m working on several exciting projects. In my role at CCO, I’ve just finished, along with a colleague, designing a new Master’s in Information Technology along with several new graduate certificates, including a Digital Forensics and Incident Response (DFIR) certificate. These programs will help prepare adult learners for new careers and to advance in their careers.

The DFIR certificate is especially exciting because the need for professionals that know how to respond to incidents and restore operations is great. It helps professionals determine what happened, when it happened, and how it happened while knowing the steps required to preserve evidence.

I’m also finalizing the selection of the topic for my dissertation. Both topics I am considering will impact people, but in different ways. The first topic involves development of a practical security framework for small to medium businesses because the frameworks that are typically used are too resource intensive for sole proprietors and small businesses and make it easier to ignore than design and deploy solutions. The second topic involves software design and development, and privacy.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

Acronyms — We do seem to love them in cyber! I’m excited because of things like SOAR (Security Orchestration, Automation and Response), UEBA (User and Entity Behavior Analysis), and ML and AI (Machine Learning and Artificial Intelligence).

So much of what we do in cybersecurity is tied to data, regardless of whether an organization has thousands of endpoints or as few as five, or has offices at a single location or worldwide. The ability to automate data collection and analysis to gain insight has and will continue to improve our ability to protect critical infrastructure, systems, and data from attacks and insider threats. Not all insider threats are intentional and that’s where using technology to recognize patterns of behavior can help us create better, more security-conscious processes throughout organizations.

I’m also excited to see organizations embracing diversity in the workplace. They aren’t just embracing diversity, but hiring so that the cybersecurity workforce IS more diverse, which is crucial. Each of us frames the way we think and do cybersecurity differently, based on our work and life experiences. Having a diverse workforce means that those who are designing and implementing the security solutions, and developing and maintaining policies, will view the world through a much wider lens. The added bonus is that I’m no longer the only woman in the room when I attend a breakout session at a conference.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

Automation — You asked about the three things that most excite me about the industry and one of my responses focused on specific technologies but with the common thread of automation running through them. I view automation as a blessing and a curse. Automation can help us mitigate lack of resource issues, improve response times, and allow us to automatically address routine tasks that are more prone to error when completed manually. I am concerned, however, that we will develop an overreliance on automation. There’s always a danger with automation that we will become complacent. We know notification fatigue is real. What happens when we assume automation is protecting our assets and we don’t realize that something went wrong or was wrong from the start and we never noticed it during testing? The other issue with automation is that we can’t forget that adversaries also have access to and will use this technology.

Physical Security — I realize subscription models are good for business, both for the vendor selling the service and the organization that doesn’t have to purchase something tangible. I also realize many of us have just spent the last year working remotely, and may remain working remotely after the pandemic. The problem is that we are spending so much time talking about subscriptions and the security of the data that is residing in the cloud that we are forgetting physical security. We must not lose sight of the role that physical security plays in cybersecurity. I see this being especially important when we talk about the security of critical infrastructure and human resources.

Due Diligence — There always seems to be a rush in cybersecurity. A rush to identify new attacks or to patch or upgrade. In most instances, the rush to patch or upgrade is good. But sometimes, in our quest to solve a problem or bring a product to market, we simply don’t test enough or consider how the product or services might impact society. I find this is especially true when I look at mobile apps since many of them collect more data and access more functions on mobile devices than is necessary. Are we considering cybersecurity in all that we do?

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

We need to be prepared for attacks that are on a larger scale and more sophisticated than what we’ve seen in the past. We also need to be prepared for hybrid, or cyber-physical attacks. Finally, we need to remember to not lose sight of insider threats. I’ll address each of these separately.

Scale and sophistication — The same solutions — ML and AI, for example — that we are using to secure the enterprise can be used against us. Of course, our use of these technologies also has the potential to increase the attack surface. We shouldn’t be too quick to forget the SolarWinds breach. Likewise, if more organizations opt to pay ransom when they become victims of ransomware attacks, criminals will expand their demands — we’re likely to see these attacks increase.

Cyber-Physical Attacks — Imagine what an adversary might do with a combination attack. A ransomware attack on a utility can produce the desired effect of taking it offline, but what if the goal is something else? If the goal is actually effecting a more permanent state of disruption, then cyber attacks may be used to disable physical security systems or as smokescreens for other, more physically-intrusive attacks. We have to remember why attacks take place. While the motivation for most attacks is financial gain, some are done out of spite or to gain another advantage over the victim. When cyberattacks don’t produce the desired effects, the rules of engagement will change again and again.

Insider Threats — I like to tell my students and others that everyone has a price. For some, the price is less than others, but everyone has a price. We should never discount the tactics that someone will use to get what they want. When phishing emails, ransomware, and other attacks become less effective, we’ll see more insider attacks, especially if the purpose of the attack is to gain access to intellectual property — think new technology that isn’t available otherwise.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Great question! I once had a very savvy end user become the victim of what I’ll call the Apple Support scam. The end user received a call, which was quickly followed up with an email, purportedly from Apple Support. The email was nearly an exact replica of what an Apple Support email looked like at the time.

Long story short, the end user reluctantly allowed the “support technician” remote access into a device. The end user became suspicious when the support technician then requested other devices be removed from the network and/or turned off, like mobile devices that could receive fraud detection alerts.

After a short time, the end user became nervous, contacted me, and advised me what was taking place. I immediately told the end user to unplug the device from the network. About 20 seconds later, while I was on the phone with the end user, the support technician called the end user on a different line and requested access because he wasn’t done fixing the issues with the device. While the end user was talking with me and the hacker/scammer simultaneously, someone else initiated calls to the end user’s credit card companies. Luckily, by the time all was said and done, the hacker ended up with nothing, despite having used the device to make over $1,000 in purchases of gift cards and more.

The key takeaway is to always be careful and question unusual requests online. Cyber criminals are becoming increasingly sophisticated and even tech-savvy users can be foiled by smart social engineering and new tactics.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

The list is long so I’m going to describe some categories of cybersecurity tools. Of course, I use software to detect and remove malware, as well as to automate certain processes, like capturing system information and patching. I also use software to identify vulnerabilities in operating systems, software, and websites, and various tools to test the vulnerabilities.

Other tools that may benefit your readers include those that capture and analyze packets, like Wireshark, and those used in digital forensics. Many are open source, like Kali Linux, or available in community editions.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

For me, one of the biggest signs that something is amiss is when someone reports the activities that they performed yesterday with relative ease and speed are now taking longer than expected.

Slow performance can be related to a failing hard drive, installation of updates, or any number of other reasons. But, absent a readily identifiable reason, one should dig a little deeper, rather than dismissing the issue. One shouldn’t assume that the cause is external either. I once had a client report slow network activities from multiple devices and then found that an employee added a wireless router to the network.

Pop-ups, new toolbars, and changes to a browser, like a homepage being changed, are also signs that something is amiss. On the other hand, if someone tries to open a file and is greeted with a message that the file has been encrypted and to access the file, they will need a key that can be acquired by paying a ransom, there is a problem that requires immediate attention.

Prevention is key, so it’s essential to watch your Inbox for phishing and ransomware attacks. Don’t easily give up your credentials or try to do things too quickly. That’s when mistakes happen. Many times I’ve had someone say, “I knew the moment after I clicked on that attachment that I shouldn’t have done that.” Live by the adage that “if it’s too good to be true it probably is.”

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

No one wants to suffer a data or security breach, but they can and do happen. One of the first things a company needs to do is to take any allegation of a breach seriously. Investigate it thoroughly, even if it appears unlikely that anything has happened. If a breach has occurred, hire a firm that handles incident response so that there’s a fresh set of eyes looking at the what, why, and how the breach happened, even if the company has internal resources available. Depending on the nature of the compromise and its impact, the internal resources may not have the ability to preserve evidence and restore operations.

Companies should also notify the appropriate authorities. They need to be aware of and comply with reporting requirements. One of the worst things a company can do is delay an announcement for weeks or try to minimize the impact to customers by describing the breach as something that it isn’t. Companies should try to be as transparent as they possibly can without divulging any information that would put their customers at greater risk. As well, they should take steps to monitor the web for any data that was exfiltrated.

To protect themselves and their customers, companies also need to not only learn from breaches, but implement appropriate security controls to prevent additional breaches. The reason that cybersecurity professionals conduct after action reviews is so that they can learn what worked, what didn’t, and take the preventative steps necessary so they don’t find themselves in the same situation a year later. Use a thorough review of the incident and response to identify improvements and necessary changes. The worst thing a company can do after a breach is to restore operations, notify customers, then do nothing, and think it won’t happen again.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Companies trust their employees to make the right decisions and expect them to treat company data with the same care as they would their personal data. Without guidance, employees are going to choose the path of least resistance for data to get from point A to point B because convenience wins out over security. And, while some employees are going to be very diligent in their efforts to safeguard company data, I’ve seen what some employees post to social media. Companies need to provide security training that addresses the corporate environment and personal security/privacy. When employees understand why posting the intimate details of their lives to social media can be problematic, they become more aware of why a company desires to create a security culture and buy-in to corporate security initiatives increases. Using appropriate security controls in systems can also help prevent unauthorized dissemination of information and data loss.

Companies look for a solution rather than identifying the problem and/or purchase a solution without considering security. I see this frequently. Company X attends a conference, sees a demonstration, and then assumes that Company Y’s solution is the “right” solution without first consulting with stakeholders, identifying needs, or considering the impact the solution will have on existing systems and their security. Or, Company X purchases a service and then finds out that security is provided through a third-party vendor, under a different contract. This boils down to a recommendation — do the research and exercise due diligence. Make sure you ask questions and test solutions prior to signing contracts. Don’t believe that automation or any of the acronyms I’ve mentioned previously will replace the need for qualified professionals or be a panacea. Consider any and all solutions as part of a larger cybersecurity toolkit and be prepared to regularly assess and update that toolkit as the threat landscape and company needs dictate.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

We’re doing a great job introducing younger women and girls to STEM, but there’s an issue translating the numbers in those early programs to college programs in STEM fields and industry.

What’s missing is a support system for young women after they complete K-12 programs. Once these young women go to college, they often find themselves on their own in environments where there are fewer young women and mentors. Without a support system, it’s easy for traditional students and even adult learners to become frustrated and discouraged.

We need to encourage students to create support systems or join organizations, like WiCyS, so they can realize their dreams of working in cybersecurity and other STEM occupations. In the industry, recent progress hiring a diverse workforce needs to continue.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

I don’t think there are too many people who would describe cybersecurity as a boring profession. In fact, many in the industry are drawn to cybersecurity because every day is a new adventure. However, every alert doesn’t mean that an incident response team needs to be activated. And being a hacker isn’t as easy as it looks.

For starters, there are many events and false positives before there’s an actual incident, which is when something takes place that threatens or affects the confidentiality, integrity, and availability of a system or data. Once there is an incident, the process of determining what happened, when it happened, and how it happened can be lengthy, and might not lead to anyone being prosecuted or held responsible for damages. Just because a hacker group is named as the responsible party for an attack doesn’t mean there will be repercussions.

And identifying an attacker can be complicated. The same technology, like virtual private networks (VPNs), that we use to protect data can be used by attackers to conceal their identities. Internet Protocol (IP) and email addresses can be spoofed. Then there’s the matter of hacking. While there are plenty of tools that can be used to detect vulnerabilities that can be exploited, and tools that can be used to take advantage of them, hackers need to be patient, and it takes skill to execute an attack that requires pivoting from one system to another within a network, and persistence, which means that an attacker maintains access for a period of time regardless of whether a system is restarted or credentials are changed.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

Be confident. Earlier in my career, I was the only woman in the room — and by room, I mean in northern New York — who was repairing computers and printers, installing and troubleshooting networks, and generally “doing” all things IT. I can remember going to one site and after carrying in my tools and materials, which included an eight-foot ladder and boxes of networking cable, I was asked by a manager when the technician would arrive. I announced I was the technician and the manager was stunned.

Instead of being offended, I went about my business troubleshooting the network, running new cables, and testing them until the issues were resolved because the best course of action was to remain confident. As a woman, it’s incredibly important to be confident. That doesn’t mean you have to know everything or do everything yourself. You do have to demonstrate confidence in your ability to handle any situation.

Lift others up. A few years ago, I attended a conference where there was a major emphasis on the development of a diverse cybersecurity workforce. At the conference there were breakout sessions specifically geared toward women in cybersecurity. At one of the sessions, one of the speakers pointed out that women need to lift up other women when they get to the top. That one call to action is something that I took away from the conference, and have put into practice while working with students. If we want a diverse workforce and women in STEM, the women who are there need to lift up others — encourage them, counsel them on career questions and help them achieve their goals.

Accept criticism (and don’t take it personally). I have a hard time accepting criticism and that’s true of many women, especially those who started working in tech when the percentage of women in the field was in the single digits. We had to be confident and prove ourselves and we were criticized.

For a long time, I either brushed criticism off or I would analyze every word that was said and take the criticism personally. We need to view constructive criticism as an opportunity to improve our work and ourselves, but can’t take it personally. We need to be emotionally intelligent in our responses. Hear what the other person is saying and integrate whatever parts of the criticism will result in you being a better leader, employee and human. When you are able, express gratitude. I want to add there is a caveat that comes along with this lesson. You absolutely don’t need to accept criticism that is unprofessional or what I’d call out of bounds. How you respond to the criticism, however, should be in a professional manner.

Be willing to let things go. I’ve made mistakes during my career and felt responsible for occurrences that were completely out of my control. I’ve had to explain to companies that the backup solutions they put in place themselves in an effort to save money didn’t work and they’ve lost everything. I’ve had difficult conversations with students who are experiencing personal challenges in their lives and students who failed a course because of plagiarism. I’ve said things that I would have preferred to word differently.

I’ve come to the realization that I can only control what I do and what I say, and everything else I have to let go. Similar to criticism, I can learn from the experiences of others, but I can’t let those experiences or my own mistakes overshadow the work I need to do today or what I will do tomorrow.

Commit to lifelong learning. I own several donkeys, including an older donkey named Jack who has been difficult with the farriers hired to trim his hooves. He kicks. He bites. He’s broken my nose twice, though not while having his hooves trimmed. Last fall I started working with a new farrier. It’s taken months, but he now stands to have his front hooves trimmed because we’ve been training him with the aid of the peppermint treats he loves.

The point of this story is to say that all of us should commit to being lifelong learners. Learning keeps things interesting, can give us purpose, and is absolutely necessary for those who are in tech. We should never think we’ve learned all there is to learn or stop being a resource so that others can learn from us.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them 🙂

I’d like to share a meal and conversation with German Chancellor Angela Merkel. Before she became involved in politics and became a target of hackers, she studied physics and was awarded a doctorate in quantum chemistry. When she was the commencement speaker at Harvard in 2019, The Harvard Gazette featured an article that provided this description of her by Wendy Sherman.

She is extraordinary. She knows who she is. She does not try to be anything other. She is an authentic leader, which is critical. She has a set of strong values, and she understands Germany’s history exceedingly well, in part because she comes from East Germany. So she has a certain humility that comes from her particular biography. She fights for her country and for her people. She is analytical, she’s fierce, she’s a very skilled politician. She didn’t start out that way, but she certainly has become that. And she knows how to operate on the world stage — no easy task.

If the engagement with her could be arranged to take place in Germany, where I spent several years as a child, that would be perfect.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!