Wisdom From The Women Leading The Cybersecurity Industry, With Dr Hanine Salem of Novus Consulting Group
Be who you truly are and embrace your softer side as a leader. I started my career always trying to prove myself worthy in the field, and even tried to almost “dress like a man” to be taken seriously. Now I embrace my true self, my softer side.
The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Dr. Hanine Salem.
Dr. Hanine Salem is a Managing Partner at Novus Consulting Group, where she currently heads both the K-12 Education and the Organizational Performance & Effectiveness Practices. An experienced policy analyst and strategist, Hanine brings twenty years of senior working experience in the field of public sector development. She previously served as the associate director of the Education Unit at RAND Corporation, where she focused on K-12 and higher education reform, including the implementation of policies and examination of topics related to human capital and skills attainment.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I lived in several countries across several continents but always dreamed of becoming an architect or engineer. As a female, first-generation immigrant, I grew up in a generation where there weren’t many opportunities to pursue my dreams. The lack of possibilities made me even more determined to be an independent woman, and it also inspired me to want to help others rise above stereotypes and perceptions. Most importantly, I have always wanted to make a difference in the lives of our youths. I received my master’s from the University of Oklahoma and my Ph.D. from the University of Strathclyde; since 1999, I have been involved in public policy, education and youth development. Throughout that time, I realized students often graduate unprepared to face several of life’s challenges, including cyber literacy; I wanted to play my part in setting the next generation of students up for success. Therefore, I established and started Novus Consulting Group (NCG) to develop courses focused on skills and competencies that are key to youth development and success in life, including our Cyber Citizenship course. Children and youth are often considered soft targets, mainly because they have not been trained on basic cybersecurity subjects. We created this course to enable young people to protect themselves, understand appropriate internet usage, and explore cybersecurity as a professional path.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Throughout my life, I’ve had a couple of very influential, strong career women who were my bosses at one point in time; I couldn’t help but be in awe of them and their passion and the way they have dedicated their lives to improving their field. I was lucky to have a couple of these amazing women as my role models, and through watching them and learning from them, I became so inspired to lead the same path. My father, who recently passed away, was always a great motivator in my life, and he always encouraged me to work hard and be my best. He has always been a leader I’ve looked up to and wanted to be like in life.
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
Being a woman in a field typically dominated by men is not easy. When I started my career, I often felt nervous around certain men who I felt weren’t taking me seriously. For example, one man I worked with many years ago would often dismiss my ideas. One time I was so nervous when he was in the room that I accidentally cut up an important document because I wasn’t concentrating and was fiddling around with the scissors. When I was younger, my biggest mistake was letting these types of things intimidate me. Now I know it doesn’t matter my gender or race; what matters is being comfortable with who I am as a person. Once you are satisfied with being you, your confidence will be the strongest shield you have against the naysayers.
Are you working on any exciting new projects now? How do you think that will help people?
If you use the internet, you are at risk of a cyberattack. By simply checking an email, you are at risk of a cyberattack. We are all connected to the internet, and we are all responsible for our safety, security, and behavior. Imagine a house with a fence around it and a guard in front of the fence. The guard can stop an attacker from getting to the fence. In the same way, individuals can prevent hackers from getting through to the technical defenses that protect their devices by becoming thoughtful cyber citizens.
COVID has significantly contributed to the upsurge in cyberattacks on schools, mainly due to the shift to remote learning. Cyberattacks have hit schools and colleges harder than any other industry during the pandemic. Students are considered an especially vulnerable target for cybercriminals due to their lack of knowledge of being good cyber citizens. In response to the emerging need to keep students safe, Novus Consulting Group recently launched our Cyber Citizenship course. The online course covers the fundamentals of cybersecurity as a subject, then dives into what to do and not to do while using a laptop or mobile phone, recognizing cybercriminal activities, safe web surfing, and best social media practices, among many other subjects.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
- The opportunity to solve a critical problem facing K-12 institutions. As cyberattack incidents continue to increase in school districts, primarily attributed to the pandemic’s push for digitization, millions of people recognize the importance of solid cybersecurity education programs and cybersecurity fluency. It excites me to play a role in protecting schools in the present and future generations to come.
- The opportunity to diversify the field of cybersecurity. Implementing cybersecurity training in more schools means a higher chance of diversity in the industry. People from different genders, ethnicities, and backgrounds can provide a fresh perspective to solving highly complex security problems.
- The sky’s the limit. Cyberattacks are growing more sophisticated by the day, and we need as many great minds as possible to counter these attacks. I am excited to be part of a business working to grow great minds in the industry.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
- Instead of three, I’d like to talk about one that has many layers: the growing sophistication of the hackers behind malicious attacks, including:
  - Cyber Predators: Adults who use the internet to exploit students to inflict harm.
  - Malware: Cybercriminals today often trick victims into downloading malware that can take control of their devices. In some cases, malware is even disguised as games or apps.
  - Malicious Ads: Ads used to spread unwanted messages or spam.
  - Identity Theft: A 2018 Javelin Strategy & Research Study revealed that more than one million children are victims of identity fraud, resulting in total losses of $2.6 billion and over $540 million in out-of-pocket costs to families.
  - Online Gaming: According to research from the Entertainment Software Association, 70% of families have at least one child who plays video games. With this many children actively gaming, phishing scams, viruses and harassment have become commonplace in gaming communities.
- The speed at which the “bad guys” are moving isn’t slowing down. Cybersecurity training shouldn’t be on the horizon for schools; the time is now to teach students to protect themselves.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
We are most concerned about two matters. The first one relates to the massive amount of information the hackers have today about school systems, organizations, and their employees. This data, which is often available to the public through social media, can be harvested by hackers to further personalize their attack tactics and messages. This tactic makes it harder for the victim to distinguish hackers as a dangerous source because they appear to be someone the victims know or trust. In this case, continuous training and awareness of the employees are the most robust defense possible.
The other threat revolves around technological advances that hackers can (and will) put their hands on. More specifically, we are referring to Quantum Computing and Artificial Intelligence. These two technologies are advancing rapidly, and we are already seeing them in action today. Although their benefits for society, medicine, and other sciences will be life-changing, hackers, unfortunately, can use these very technologies to enhance their attack tools. For school systems and organizations, the best they can do is to keep up with the latest cybersecurity trends and technologies.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
The market is full of cybersecurity tools, and some claim to be more specialized than others. Although one tool might be more substantial than another in a particular niche or technology, it is the overall protection that matters. Most of the big brand names are equally reliable, and we usually recommend any of them, depending on the specific needs. For example, Sophos, Fortinet, and Palo Alto Networks are all reliable brands; even Microsoft has become an important name in cybersecurity, especially for their family of products. All the companies in the example above offer multiple cybersecurity protection tools. For instance, they have tools to protect end-points, a fancy word to describe devices that you will find at the end of the networks, meaning laptops, PCs, or servers. They also offer tools to protect the network itself, to monitor and defend against any intrusion by hackers. Then, of course, there are also the tried and true anti-virus tools, which we know monitor and block viruses from entering and harming our laptops and servers.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
Every organization/school system must assume that it will be the target of a successful cyberattack. Aside from the fact that, statistically speaking, it is a valid assumption, it is also a good thinking pattern that can shape any organization’s cybersecurity strategy and approach. For less sophisticated attacks, a person might be able to catch some telltale signs, such as their device running much slower than usual, their antivirus software being turned off, or some applications installed/running on their device that were not supposed to be there. However, more sophisticated (and usually more dangerous) attacks are almost impossible to be noticed by any person, as they have a very light footprint. For those, technology is your answer. Some organizations have their own Security Operation Center (SOC); others who cannot afford it can outsource. A SOC consists of experts watching the network and end devices for abnormalities 24/7. Of course, the SOC is not only about people monitoring; it also involves the utilization of software and network technology.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Change your password! Immediately, change your password on the affected site/service. If the hack encompasses numerous sites, be sure to change all of those passwords. This process becomes a lot easier if you are using effective password management.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
One of the more common and most dangerous mistakes we have observed is organizations and institutions not giving enough attention (and budget) to their cybersecurity department (if it even exists). Another mistake is the assumption that technology alone will keep them safe; in this assumption, organizations forget the human factor. School systems and organizations have placed cybersecurity as one of their top three risks, regardless of their industry. A successful cyberattack can stop an operation of an organization, and that would be only one of many problems they have to face. There will be customer trust issues, potential legal battles, revenue losses, bad reputation, fines, and potential problems with local or international privacy laws. So the primary step to take here is for the organization not to nickel and dime the cybersecurity budget; money must be spent, proper skills must be recruited, and the right vendors must be utilized.
The other mistake revolves around the idea of “we bought all the technology; we should be fine.” Defensive cybersecurity technology is a must, but it is only half of the equation. The other half is the human factor, the very people who work at the organizations and schools and have profound access to their networks, applications, and data. Whether it was an innocent mistake, such as an employee clicking on a malicious link in a spam email, or an actual disgruntled employee who means harm, in both cases, the consequences can be disastrous. For that, mitigating this risk can be done by a solid cybersecurity awareness training program at each organization and utilizing tools to monitor employees’ actions for known risk behaviors while using their devices.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
According to a 2021 study from the Aspen Institute, only 24% of women make up the cybersecurity workforce. It’s not just a gender issue; it also found that only 4% of cybersecurity workers self-identify as Hispanic and 9% as Black. An often-cited issue is the lack of female role models and encouragement to pursue STEM careers. Many women haven’t met anyone working in the field of cybersecurity. It isn’t easy to imagine doing a job you don’t know much about. Research done by Girls Who Code showed that although 74% of middle school girls express interest in STEM subjects, only 0.4% of high school girls choose to major in computer science. Perception plays a role in this problem; an incorrect impression of the profession from various media sources on what someone in a cybersecurity field does and “looks like.” Think about how cybersecurity professionals are depicted in the media. One example that comes to mind is Mr. Robot, a Netflix original about a cybersecurity engineer that aired in 2015. The show was a hit and received multiple awards, including a Golden Globe and an Emmy in 2016. How is this cybersecurity professional depicted? A loner male in a dark hoodie, of course. So the big question: how do we get more women, or diversity in general, into cybersecurity?
- Awareness, having conversations just like this, and making more people aware of the issue.
- Infusing basic cybersecurity awareness into the high school curriculum can prepare students for the world of work by giving them proper digital etiquette skills while also increasing awareness of cybersecurity as a possible career path. This would ensure that students of all backgrounds have opportunities to explore the profession.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
The first myth: boys are better fitted for a career in cybersecurity, and girls are not interested in the field. With only 24% of women making up the cybersecurity workforce, cybersecurity education is a key recommendation to increase that statistic. Women and girls are just as capable of pursuing any STEM career, including cybersecurity. Girls need to know this career is a viable option by introducing the topic before graduation.
The second myth: Cybersecurity is too complicated for everyone to learn. Cybersecurity is something everyone can and should learn. When creating our Cyber Citizenship course, we tried to ease the anxiety of the information by breaking it down into digestible chunks of information that anyone can comprehend.
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
- Be who you truly are and embrace your softer side as a leader. I started my career always trying to prove myself worthy in the field, and even tried to almost “dress like a man” to be taken seriously. Now I embrace my true self, my softer side.
- I have also learned that being overly competitive isn’t the key to success. It’s more important to be compassionate than competitive.
- Understand the strengths of each individual on your team. People look up and try to learn from those in leadership positions who are compassionate and try to grow the team and build others.
- Listen more as a leader. It’s so important to hear the perspectives of others. Your mission will only continue to grow within your business by understanding your team and assigning the right tasks to people based on their strengths.
- Finally, I let my work speak for itself. Unfortunately, it can seemingly take more effort for a woman to prove herself. I have been to meetings with my team in different parts of the world where the officials wouldn’t even look at me, just the males on my team. I have learned not to take it personally or over-compensate, and again, let my work speak for itself.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!