Interview with Nadya Bartol

Would you share a bit about your career background?

I currently advise Fortune 500 companies on how to improve their cybersecurity programs, organizations, and businesses. During my career I have held multiple leadership roles at Booz Allen Hamilton, and then at the Utilities Technology Council. Currently, I am Associate Director at BCG Platinion North America where I am co-leading the BCG cybersecurity practice in North America. I have also been a part of the ISO and IEC standards development process for over 10 years and have served as project editor of multiple cybersecurity standards, including the first ever standard on cyber supply chain risk management, ISO/IEC 27036, Information Security for Supplier Relationships. Additionally, I chair the cybersecurity programs advisory board at Thomas Edison State University.

 

What prompted you to enter into the cybersecurity area?

It was an accident. When I started, the term "cybersecurity" did not exist. I have a Master's degree in piano performance and spent the first six months of my career teaching students who didn't really want to learn to play piano. To do something more practical, I earned an MBA and a Masters of Information Systems degree from Boston University. My first job was as a computer programmer for a small business, but I did not like staring at the screen all day. A friend took my resume to Booz Allen and I was hired there to work in the INFOSEC practice. Over the years, the term changed from INFOSEC to IT Security, Information Security, Information Assurance, and then Cybersecurity. I found it interesting and stuck with it; you could say I grew with the discipline.

 

Do we need a more sophisticated educational system within this field?

Yes, we absolutely do. First, we need a more sophisticated and more diverse education system in terms of covered topics. Cybersecurity is traditionally considered to be a technology topic, but we know that the vast majority of breaches happen due to human error. To make a lasting positive impact we need to teach more than technical topics when we teach cybersecurity. We need to teach psychology, economics, policy, and soft skills, as much if not more than the technical topics. And we need for those topics to be integrated. An interesting example of how we are not doing this right is that today we see Master's level cybersecurity taught either in business or in engineering school within the same university. To be holistic about cybersecurity it needs to be taught in both schools of business and of engineering. This is necessary because every company today is a technology company that has gone through or in the process of digital transformation. As we create platforms of tomorrow and build economic models on top of those platforms, we need to design security into those platforms upfront. We also need to consider who will use this technology and how and what could go wrong with the use of the technology because of human nature. If we don't do so, we jeopardize the rewards of digital transformation, and risk data breeches, loss of operations, unhappy customers, and ultimately loss of revenue.

Second, we need to teach cybersecurity as a part of other topics. Most importantly, we need to teach it as a part of systems engineering and computer science curricula. Here is why. Cybersecurity means that the system does what it is intended to do and nothing more. I use the word "system" in its broad sense, to mean people, process, and technology. Cybersecurity risk is realized when people use systems inappropriately or subversively. Systems get subverted because when other people create systems they often do so without thinking about security during the creation process. Because technology is such a significant part of how we get things done today, thinking securely when designing systems and developing software is critical to reducing cyber risks. A campaign to include cybersecurity in computer science curriculums has been going on for over 20 years, but many programs still don't teach it. This means teaching computer science students about the basics of how to design with security in mind, including writing code with security in mind.

Third, today, cybersecurity is everyone's job. We need to teach cybersecurity awareness to every individual within the enterprise, regardless of what they do, so that they understand cybersecurity and know that it is part of their job.

 

What are your reflections on the role of the women in the field of cybersecurity?

Statistics show that women make up about 11% of the field. All of us encountered prejudice, sexual harassment, and poor career progression. Everything you read about in the news applies equally to cybersecurity field. I don't know if personally I have been held back because of my gender, I only recently started thinking about this question. I do know that I had to prove my technical credibility over and over again. But I do not know why. In general, women in cybersecurity still have to prove that they are competent. The good news is that there are a lot of female and male leaders who are very aware of this problem and are trying to get more women into the field.

Everything in cybersecurity is highly technical, but people tend to only view the parts that are cool and hands-on to be "technical." Women traditionally cluster toward more process and policy areas of the field but there are also plenty of amazing women in hardcore technical areas. I should note that people and process areas are highly technical because of their content and impact.

There are some very prominent women in cybersecurity who have made a huge difference. For example, the very first vulnerability disclosure program at Microsoft was created by Katie Moussouris, who now runs her own company, Luta Security. Another woman who inspires many of us is Edna Conway, Chief Security Officer, Global Value Chain at Cisco. There are numerous other women in cybersecurity leadership positions in large technology companies as well as a number of women who are CEO's of growing cybersecurity companies.

The contributions women have made to the field are not necessarily well known. Regardless, we need more women in the field. But it is hard to convince women to enter this field. The emerging STEM and cybersecurity programs must attract more women to be successful.

For me, cybersecurity is not just a technical discipline. Cybersecurity can and should be integrated into other disciplines that are viewed as less technical but in no way are less difficult or less complex. Cybersecurity does not need to be intimidating. It is just about thinking differently. It is always interesting, rewarding, and never boring. It offers job security for decades. I urge more women to choose it as a career.

 

Do you predict any complex, systemic improvements on the global cybersecurity arena? If so, what do you see?

Cybersecurity is now a big criminal business, and a platform for intelligence gathering and cyber war. The adversaries are very sophisticated and we have to stay ahead of them. Improvements cannot be limited to just technology solutions. There are many good technology solutions that helps make our infrastructure and applications more secure, but those are only marginally helpful when we do not have enough talent diversity of thought in the field. We have to build the talent through education, apprenticeships and internal programs within enterprises. We also have to make business leadership aware that this is a long term challenge. People in leadership positions need to think about cybersecurity the same way they think about any other fundamental business functions such as finance or safety. Creating a culture change that makes cybersecurity a part of how organizations do business will bring about long-term improvement.