The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

CERIAS Blog

Page Content

Another Loss in the Community

Share:

I received news today that Yves Deswarte passed away on January 27th.

YD-2010b.jpgDr. Deswarte was a notable member of the computing community, with a career of 30+ years as an educator, researcher, and manager. His career as a computing research pioneer spanned issues ranging from fault-tolerant computing to microcomputer systems to networking to issues of identity and privacy to system safety, and more. His most recent affiliation was with theLAAS-CNRS; the Laboratory for Analysis of Architecture of Systems at the French National Center for Research in Toulouse. He also had been an engineer and manager at INRIA, and spent time with SRI and at Microsoft Labs in Cambridge (with the late Roger Needham). Some of his more recent work involved the security of cloud and embedded systems.

Yves was the deserving recipient of the 2012 IFIP TC-11 Kristian Beckman Award and an award for Outstanding Service to IFIP. His acceptance address for the Beckman was devoted to issues of identity and privacy — topics which had been central to some of his research in recent years. In addition to his research and his work with IFIP, Dr. Deswarte was also notable for his work with ESORICS, and for the Ph.D. students whose work he advised: his webpage lists 20 Ph.D. graduates advised, and 5 in progress.

A memorial page for Dr. Deswarte has been established at LAAS.

I only met Yves once or twice, and our work only occasionally brought us into contact. Interestingly, his path in computing had some parallels to mine — he was working fault-tolerant computing (the SURF project) about the time I was (as a grad student), and then moved into security and privacy issues. I have known of him and his work for most of my career in computing, but unfortunately did not have the opportunity to get to know him well in person. I am undoubtedly not doing justice to his many contributions with the meager account above, and I would welcome comments from those who knew him better.

I have written memorium pieces for many people in the field over the last few years, most recently Willis Ware. Yves is closer to my age than most of them, so that makes is a little more personal. It is a sign that the field is maturing as we begin to lose our colleagues, but that is hardly any solace.   

R.I.P. Yves Deswarte, 1949-2014.

We’re Out of Balance

Share:

I’ve had several items cross my social media feeds, along with email, in the last few days that prompt me to write this. It’s gotten a bit longer than I intended, but there’s a lot to say on an important topic. As a first post to this blog in 2014, I think it is a good topic to address. It has to do with imbalance and bad behavior in the overall field of cybersecurity: the low percentage of women, and how they are sometimes treated.

Computing, as a field in the USA, has had a low and almost constantly decreasing percentage of women going into the field and staying. (The US is the primary focus of this blog entry; I believe the problem is similar in Canada, the UK, Australia, and others, but don’t have the data. Also, there is a corresponding problem with other traditional minorities, but that’s not what prompted this post and I hope to visit it later.). There are many reasons posited for this, many of which are likely somewhat to blame; there is no single, dominant reason, apparently. Many studies and reports have been conducted, experiments tried, and programs put into place, but few have made any measurable, long-term change. The problem is almost undoubtedly rooted in social behaviors and expectations because there are other cultures where the ratio of women to men is about 1:1, or even has women in larger percentages.

Cybersecurity is little different, and may be worse. I regularly speak at conferences, companies, and agencies where the room will have 30 men and one (or no) women. At events where there are speakers or panels, all the speakers and panelists are men. The few women attending often are simply the ones there processing registrations. And there are a nontrivial number of reports of women being groped and harassed at professional meetings (see, for instance, this). Also bad, women are frequently abused online as well as offline, and not only in security and computing. Many are reluctant to publish email addresses or contact info online because of unwanted, inappropriate content sent to them — no matter whether they’re 8 or 80.

(Right now, if you are thinking to yourself that there isn’t a real problem, that things are fine, and it is all a problem of some women who can’t take a joke, then you are part of the problem, and you need to shape up. Worse, if you think that women shouldn’t be upset about this status quo, instead they should get back to the kitchen, then you are so out of touch that I don’t know where to start. In either case, try telling that same thing to women doctors, pilots, police, firefighters, or better yet, to our many women in the military — especially when your safety is in their care. Then come back when you’ve healed up. If nothing else, at least keep in mind that there are legal reasons to treat people equally and with respect.)

Assuming you are actually living in the 21st century, let me assure you that the overall situation is a HUGE problem for us. As a field, and as a society this is bad because we have a shortage of talent that is getting worse with time. We also have some rather skewed and limited ideas of how to approach problems that might benefit from a more inclusive pool of designers and practitioners. And as human beings we should be concerned — especially those of us who are sons, brothers, fathers, and husbands — people who could be (and sometimes are) our mothers, sisters, daughters, and wives are being mistreated and demeaned. That simply isn’t right. Neither is it right that we are limiting the opportunities for individuals to learn, grow, and achieve.

Computing, security, privacy, creativity — those are all traits of the mind. Minds exist in all kinds of bodies, including those with other colors, more or fewer curves, different masses and volumes, varied ages, and some have less physical abilities than others. But that doesn’t change what is possible in their minds! We should applaud ability, dedication, and imagination wherever we find it. Discouraging women (or anyone with ability) from pursuing a career in computing, abusing them online, and groping them at conferences are all counterproductive to our own futures — as if rude and wrong wasn't enough. Cybersecurity and privacy are key areas where we need more insight and creativity — we should enhance it rather than diminish it.

No field is populated only with superstars and wild talents. That is especially true in IT. We hear about people with great accomplishments, and we like to think we’re special in our way, but the truth is that the field is too large for any individuals to master it. Success comes from teams, and the most successful teams are those that integrate many different viewpoints, backgrounds, and skill sets, and who respect their differences yet work with common goals. That includes bringing in people from different genders, ethnicities, ages, and more. Success is enhanced by diversity.

I’m not going to go through a longer litany of problems here, or try to analyze the situation further. I’ve been working with various women’s groups for over 20 years and I still don’t pretend to be able to understand all of what is happening. It is complex. However, I see the problem continuously when I look at our student body, when I visit professional meetings, and when I read reports. I know it is real.

What I can do, is offer some advice to those who care.

For Men

Here are some general tips that should be common sense.

  1. Simple: be aware. Help others be aware. Don’t limit your involvement to this alone, but everything else flows from here.
  2. If you have children, encourage them and their friends to consider computing in school. Be supportive of anyone trying an IT profession. Be positive and not condescending.
  3. If you are a teacher/professor, don’t let the male students bully or harass the females. You are there to create a learning environment for everyone. Generally speaking, many women are less quick to respond to questions as they think about how to frame the answers, and they tend to let others speak without interruption; males generally are the opposite. Don’t let anyone be interrupted when speaking, and ensure that everyone gets a chance.
  4. At a conference or professional meeting? Don’t assume that the women are less important than then men there -- especially if they look young! Address everyone equally. No one should be invisible. Would you want people to ignore you or trivialize what you had to say if you looked different than you do? Address the person, not the appearance.
  5. Don’t ever touch a woman, without her clear uncoerced permission, in any manner that you would not touch a male authority figure. That is, would you touch your boss/professor/policeman in the same manner — without getting slugged/fired/arrested? Thus, shaking hands, fine. Catching someone if they stumble, fine. A greeting hug? Let her initiate it. Grabbing their butts? Definitely no. Use the same rule of thumb for language. Would you proposition a male policeman you just met?
  6. As for language, think carefully about your adjectives. If you would be “firm” and “decisive” in what you do, don’t describe a woman colleague as “bitchy” if she acts similarly! If you are "aggressive" she is not “pushy.” Banish “overly emotional” and “moody” from the list, too.
  7. Don’t set perceptions based on age. Women report that young male colleagues are often given opportunities to “prove themselves” or “learn the ropes” but they are not given the same opportunities because they are too young. Don’t either give or limit opportunities based on age or whether you think someone is attractive — either way, you are limiting what you could get and what they can do, and that is your loss.
  8. Be polite to everyone. Manners matter, even if it doesn’t seem that way some times. Don’t treat any group differently than any other. This includes not making jokes about people to others, staring openly, etc. That’s maybe the norm in 3rd grade, but not in a professional context.
  9. If you see someone else being gropy, rude, or otherwise inappropriate, speak up. (And “Attaway, bro!” is not the thing to say.) No, of course you are not defending someone weaker — you are chastising someone acting unprofessionally. That is because you should also do the same for anyone being rude to someone in a wheelchair, wearing a turban, with brown skin, with a missing limb, speaking with a lisp, or simply standing there. Being different is never an invitation to be abusive or rude. Report it to event organizers or management, too.
  10. If you are invited to speak or appear on a panel at an event, ask who else has been invited. If they don’t seem to have invited (m)any women, suggest some and don’t agree to speak until they filled out the roster a little more. I have heard one good rule of thumb (which I try to follow) is not appear on a panel unless at least one woman is also on the panel. Help give other voices a chance to be heard.
     
    Can’t think of any? Then either you aren’t paying attention or you are willfully ignoring the situation. Here’s a partial list of some of the better known women in the field of cybersecurity/privacy, all of whom I hold in great regard (and my apologies as there are many more I could list — these are off the top of my imperfect memory): Anita Jones, Dorothy Denning, Mary Ann Davidson, Window Snyder, Jean Camp, Elisa Bertino, Rhonda MacLean, Deborah Frincke, Melissa Hathaway, Chenxi Wang, Terry Benzel, Cristina Nita-Rotaru, Jeannette Wing, Cynthia Irvine, Lorrie Cranor, Dawn Song, Helen Wang, Cathy Meadows, Harriet Pearson, Diana Burley, Rebecca Herold, Shari Pfleeger, Shafi Goldwasser, Barbara Simons, Erin Jacobs, Becky Bace, Radia Perlman, Nuala O'Connor Kelly, Wendy Nather, Linda Northrup, Angela Sasse, Melissa, Dark, Susan Landau, Mischel Kwon, Phyllis Schneck, Carrie Gates, Katie Moussouris, Ronda Henning…. There are literally thousands more who are less senior but are likely to have interesting things to say. Simply look around. And if you’re organizing the event, consider this.
  11. If you are a VC or senior executive, don’t automatically hire someone from the “good ol boys.” That you only think of men to fill senior positions may be a case of tunnel vision, as in the previous item. Look around. And don’t let implicit assumptions about age or gender drive your decision-making: leaders come in all shapes, sizes, and ages.
  12. Besides giving opportunities to women to speak or lead, give them opportunities to fail without blanket condemnation. Everybody has limits and make mistakes. If you asked a young male employee to do something and he didn’t succeed, would you think to yourself “I never should have assigned that to a man”? Unless the task is peeing his name in a snowbank, gender doesn’t have anything to do with it (and if that is the tasking you give employees you have other serious problems to resolve).
  13. In a professional setting, don’t exclude the women because you think they’ll be “offended” or that they’re “too sensitive.” They aren’t china dolls that are easily broken! Include them as part of your team and make them feel like part of it. We look at the world in different ways. If you’re concerned that jokes or activities might be offensive, then maybe those aren’t the right kind of team-building experiences you should be having. (For example, you don’t need to go out for beers to the strip bar on Friday to build team presence; going out to a nearby Irish pub or a restaurant will accomplish the same thing if what you are after is a social experience.) Do the same with students if that is your context.
  14. Similarly, think about mentoring — be a positive mentor for colleagues and those junior to yourself, men as well as women. Offer it, but don’t force it (that’s what a mentor is: a voluntary guide).

The basic idea here is really embodied in #8. Be thoughtful and don't treat anyone as substantially different Instead, relate to every person as a professional. But most of all, speak up if you see someone getting picked on or treated badly, or if they aren’t getting encouragement they should. It’s like security and privacy itself — an attack on any link is an attack on the whole, and if a link falls we are all diminished.

For Women

As a general tip similar to the list above, don’t ever think you are the only one experiencing some of the things that happen. Don’t blame yourself, or wonder what it is you are doing wrong — that is sometimes a natural reaction when you are in the minority and everyone seems to react to you in a manner you don’t expect. Do push back on rude behavior, don’t be afraid to make it clear when limits are reached (or exceeded), and do consider reporting persistent or very rude misbehavior to event organizers or supervisors. Yes, it can sometimes have unexpected consequences, but without that negative feedback the behavior is likely to continue against you and others; evaluate your own tolerance for risk vs. harassment.

There is debate within many minority communities of whether aligning with self-interest groups is helpful. On the plus side, the mentoring, the support resources, and the sense of community can all be a big help. However, that also runs the risk of not sufficiently engaging in the mixed environment where one has to work, of developing unrealistic expectations based on anecdotal stories, and failing to help educate the majority in how to help. There seems to be enough positive “buzz” about some groups and their activities to warrant recommending them. Not all are likely to fit your own particular needs and interests, so check them out. If you know of some I have missed, please let me know so I can add them here.

  1. ACM-W is generally for women in computing, world-wide, and provides community and resources. See their web page for more info. They have a mailing list to which you can subscribe, even if you have not (yet) joined ACM; computing professionals should consider joining the ACM.
  2. There is a long list of organizations for computing, in general, at the Ada Project that I won’t try to duplicate — I suggest you look at it. (I will also note that I have heard some criticism of the Ada Project itself, so I am only recommending the list.)
  3. The Ada Initiative is different from the Ada Project, above. It supports women in open software, and has a number of worthwhile resources.
  4. The Anita Borg Institute. The ABI sponsors the annual Grace Hopper Celebration conference, which is worth attending, plus they do a lot more in events and activities, one of which is the Systers List.
  5. The National Center for Women & Information Technology (NCWIT) has quite a few resources and activities.
  6. The Computing Research Association’s CRA-W is directed to enhancing the careers of women in computing research
  7. The ISSA has a SIG with multiple blogs, meetings, and resources. You must be an ISSA member to access them. They also have a private LinkedIn group. (Security professionals should give thought to joining ISSA)
  8. I am told that ISACA is another organization in the security space to check out for their support and activities.
  9. The Women’s Society of Cyberjutsu is a security-focused organization for women that seems to have a fair bit of momentum.

The (ISC)2 is organizing a women’s special interest group. I have spoken with organizers , but am unsure of the status of it at this time.

The Women in Cyber Security conference will be held in April in Nashville. I know nothing about it other than what is on their web page, but it looks like it could be a great experience.

ACSA has a scholarship program for women in computing; multiple scholarships are available. The (ISC)2 Foundation also has scholarships available.

Of course, please keep in mind that not all men are the same! Many want to do the right things but aren’t always sure what is appropriate. Help train a few. grin

Parting Thoughts

From a professional point of view, being a member of ACM and ISSA is good idea for anyone in the field, based simply on the value of the organizations. Both promote professionalism, community, and personal growth, and there are a variety of other benefits to membership. Both have steep discounts for student members. I am a long-standing member of both, and can recommend them.

Our society has a lot of problems with cybersecurity and privacy. New flaws show up, and old flaws don’t really get fixed. Parties ranging from individual criminals to nation-state organizations are all seeking ways to penetrate our systems and mess with our information. We need every good person we can get on board and working together if we hope to make progress. We should make every effort to enable that partnership.

Or think of it in these terms: if we can’t be trusted to protect and empower those within our own community, why should anyone trust us to protect anything else?


Updated 1/7: Added a few list items about mentoring and language, listed ISACA, small grammatical corrections.

Updated 1/8: Corrected several typos

Updated 1/10: Added ISSA group link. Added comment from Anita Jones; this is the memo she mentions in that comment.

Updated 1/14: Small grammatical corrections.

Updated 1/22: Added ACM-W page link

Updated 1/24: Added the Systers link

Updated 2/16: Added link to subscribe to the ACM-W list. Minor grammatical cleanup.

Updated 3/2: Added links to ACSA and (ISC)2 scholarship information.

Updated 6/8: Added link to the Ada Initiative

If you have any additions or corrections to the above lists, please send me private email. Also note that, as usual, anonymous, spammy, or abusive feedback to the blog may not be published as is, if at all.