Here’s the deal with the information security industry in the United States: our country doesn’t have nearly the number of information security professionals that it needs. According to an estimate from Cybersecurity Ventures, the shortage of US cyber security workers could reach 500,000 people in 2021. The other point worth noting is that the information security professionals we do have are overwhelmingly white and male.  ISC2 data show that just 24% of cybersecurity workers are women. Just 9% of workers self-identified as African American or Black, compared with 13%of the population at large. Just 4% identified as Hispanic, compared with 18% of the overall population. 

Camille Stewart is the Head of Security Policy for Google Play and Android at Google.
Camille Stewart is the Head of Security Policy for Google Play and Android at Google

We know that the shortage of infosec pros poses a cybersecurity risk. Companies across industries struggle to find and then retain information security professionals to staff security operations centers (SOCs) and manage the security of networks in sectors like government, healthcare and retail. 

Episode 148: Joseph Menn on Cult of the Dead Cow also Veracode CEO Sam King on InfoSec’s Leaky Talent Pipeline

But what about the lack of diversity? Do infosec’s racial and gender imbalances create their own kind of security risks? Does a homogenous population of security pros potentially blind the organizations they work for  – and our society – to cyber risks? Does it shut off exploration of potentially beneficial programs, solutions or avenues of inquiry that might help solve the epidemic of cyber security threats and attacks plaguing our society? 

You and your teams are not as effective and as able to address the threat without a diverse lens. 

Camille Stewart, Google

Episode 85: Supply Chain Attacks and Hacking Diversity with Leon Johnson

According to our guest this week: it just might. Camille Stewart is the Head of Security Policy for Google Play and Android at Google. She is also a Cyber Fellow at Harvard University’s Belfer Center for Science and International Affairs. Camille is the author of the essay “Systemic Racism is a Cybersecurity Threat” which ran on the Council of Foreign Relations website back in June of 2020.

In it, Camille argues that understanding how systemic racism influences cyber security is integral to protecting the American people and defending the country from cyber adversaries. 

In this conversation, Camille and I talk about her own journey to information security as a black woman and about the barriers that men and women of color face as they seek to enter information security.

We also discuss her theory on how the information security industry’s struggles to diversify might increase cyber security risks. Camille notes that the country’s history of systemic racism and the different lived experiences of black and white Americans bears on everything from the effectiveness of public information campaigns to hiring and recruiting within the field, to the U.S.’s efforts to foster international agreement on cybersecurity norms.

“We do a disservice to ourselves as practitioners to ignore race and gender,” Camille told me. “They are a direct impediment to the work we’re doing.”

The statistic that cybercriminals have been unleashing 18 million phishing emails laced with malware on a daily basis into cyberspace during the pandemic is mind boggling and one that executives should pay attention to when prioritizing resources for user education. Math was never my strongest subject, but the math of 18 million malicious emails targeted at all of us on a daily basis is a LOT.

A new study rolled out by Google, in collaboration with researchers at Stanford University, studied over a billion malicious emails and targets that Google had identified and blocked over a period of five months, to get more intelligence about who was being targeted and how the campaigns were targeting users. The study found that users in the U.S. were targeted more than any others in the world, followed by the United Kingdom and Japan.

The study found that the most effective phishing scams were fast and short lived, lasting one to three days. They found that over 100 million malicious emails were launched in these short time frames. In addition, they found that if a user’s email address or personal information had been previously compromised, they were five times more likely to be targeted by a phishing scheme. The study also concluded that users aged 55 to 64 were 1.64 times more likely to be targeted by cybercriminals than 18-24 year olds.

The statistic is astounding, but the results of the analysis are very informative for businesses. The take away is that the number of phishing schemes continue to rise, user education continues to be essential in protecting company data against these schemes, and education is particularly important depending on users’ age.

The Irish Data Protection Commission (DPC) fined Twitter 450,000 euros (about US$546,000) for failing to timely notify the Irish DPC within the required 72 hours of discovering a Q4 2018 breach involving a bug in its Android app, and also for failing to adequately document that breach.  The bug caused some 88,726 European Twitter users’ protected tweets to be made public.

The case is notable because it is the first fine levied against a U.S. technology company in a cross border violation under the EU’s General Data Protection Regulation’s (GDPR), which went into effect in 2018.  Under the GDPR, the member state of the foreign company’s EU headquarters takes the lead on inquiries on behalf of all the EU’s 27 member states. Because Twitter EU’s headquarters are in Ireland, the DPC took the lead on the investigating the 2018 breach incident, which Twitter attributed to poor staffing during the holidays.

Pursuant to Article 60 of the GDPR, the Irish DPC submitted its draft decision last May to the other EU DPAs. In the draft decision, the Irish DPC found Twitter’s violations to be negligent, but not intentional or systematic.  Other member states disagreed with the Irish DPC draft decision, due in part to the small proposed fine.  The Irish DPC‘s proposed fine was only a small fraction of the maximum fine amount permitted, which under GDPR is up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher. Twitter’s global annual revenue was reportedly about $60 million in 2018.

The Irish DPC responded to the criticisms from other member states by stating that its proposed fine under the GDPR was an “effective, proportionate and dissuasive measure” and brought the matter before the European Data Protection Board, which upheld most of the decision but directed Ireland to increase the fine.

The Twitter case is just the first of many cases involving U.S. companies before the Irish DPC, as there are some 20 other pending inquiries. Ireland also serves as the EU headquarters for U.S. technology companies such as Facebook, Apple and Google.

The decision is available here.