Wisdom From The Women Leading The Cybersecurity Industry, With Hanan Hibshi of CyLab Security and Privacy Institute

An Interview With Jason Remillard

Jason Remillard
Authority Magazine
18 min read · May 25, 2021

Be objective but stay compassionate. Find the balance between staying objective in every situation while also being compassionate to people’s situations and personal needs. A good leader will be able to balance that and draw a line when needed.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading Cybersecurity Industry”, we had the pleasure of interviewing Hanan Hibshi.

Hanan Hibshi is a Research and Teaching Scientist at the Information Networking Institute and Researcher at CyLab Security and Privacy Institute at Carnegie Mellon University. She is an expert in usable privacy and security, cybersecurity education, security requirements, mobile and IoT security, and ML/AI for security and privacy. This year she was the faculty sponsor for picoCTF, the world’s largest online hacking competition for middle and high school students hosted by CyLab and Carnegie Mellon’s College of Engineering. Follow her on Twitter at @HananHibshi.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I grew up mostly in Saudi Arabia and spent three years in the UK with my family during elementary and middle school. I went to King Abdul-Aziz University in Jeddah for my undergraduate degree in Computer Science. After graduation, I worked in the banking industry for about three years, then I decided to switch my career back to academia and to move with my husband and two kids at the time to the US to complete my master’s and then PhD.

I was the first in my family to enter the field of computer science. My father is in the medical field (a dermatologist) and my mother’s career was in K-12 education, counseling and childhood development. No one in my family or extended family had any idea what the outcome of a degree in computer science could be. At first, members of my family and social circles made fun of me by asking sarcastically if I was going to spend four years in college to end up repairing everyone’s computer.

Computer science was a secondary choice for me; my first choice was to become a neurosurgeon. However, due to some personal, family and cultural obstacles at the time, I could not pursue that field even though I graduated with high grades in high school that would have gotten me easily into med school in Saudi Arabia. When I thought about it at the time, I decided that the main motivator for me was my fascination with the human brain and wanting to know how it works. Therefore, I decided that it might be a good idea to study the “artificial brain” and that’s how I chose computer science. I am so happy that I made that decision because studying computer science opened up my eyes to a whole new field where I found my true passion.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

There are many. For films, I would say “The Godfather” series and Tom Hanks’s “Catch Me If You Can.” Both movies show how external circumstances can push someone to make certain life decisions even when they try to do the right thing. They also illustrate how hard it is to do what is right vs. an easier path that could be more financially rewarding. I especially like in “Catch Me If You Can” how sometimes we can help guide someone to utilize their talent for good and give people second chances. I can relate to this idea as someone in the cybersecurity field, because we can utilize the talent of rule breakers who like to hack systems and channel their passion into ethical hacking and defense activities. I think the two movies provide life lessons on how to be objective, but also have compassion that can encourage people and help them find the best version of themselves.

As a woman in a STEM field, I was especially inspired when “Hidden Figures” came out. The movie focuses on African American mathematicians at NASA during the ’60s era; but those who take a deeper look can find many scenarios that can still apply to minorities in any field, including women in STEM fields. We might have moved away from restrooms that segregate by skin color, but there are places in the world (including the US) where women’s restrooms might be located in an inconvenient location when compared to men’s restrooms. A woman might still need to excel in her field and be an extraordinary performer so she can be seen, respected and have her voice heard. Just like the women in the movie continued to work despite the unfriendly work environment, women today might juggle so many responsibilities and deal with many challenges in the background while maintaining their productivity at work, even in the presence of non-women-friendly policies, making all the challenges look seamless on the front end. Look at how many women work during their maternity leave and how many return to work after only a couple of weeks, when their bodies are still physically not fully recovered. The COVID-19 pandemic that we are still living through is another example of how many women calmed a child, fixed lunch, troubleshot devices for online school, created activities to keep children occupied, took care of a dependent, or even changed a child’s diaper while participating actively in a Zoom call. Thanks to the video turn-off feature, those challenges look seamless to a viewer!

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Cybersecurity was the field of the “unknown” to me. I did not take cybersecurity classes in undergrad and I was never formally introduced to the field.

When it was time for me to pick a specialty in computer science and engineering, I chose cybersecurity because I was driven by curiosity to learn more about a field that I was not an expert in. During my time as a master’s student at CMU’s Information Networking Institute (INI), I discovered that cybersecurity is a field that crosses over many disciplines in computer science and other fields, which makes it unique, challenging at times, but with a lot of room for creativity and new ideas.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

At my job in Saudi Arabia, I was excited to send my husband an email from my business email client. I wrote: “I love you baby,” followed by a very personal message, and then pressed enter without noticing that the autocomplete in the email recipient field had filled in a name other than my husband’s. I immediately sent a clarification email to that employee, who was also male and responded with “no problem” and a smiley face. I learned the hard way from that mistake! To this day, I double-check the name in the recipient field multiple times. I might make mistakes every now and then (we are human in the end), maybe by forgetting to attach a file, for example, but I rarely (almost never) send an email to the wrong person. I have also become more privacy-aware due to that incident; I think more than once about what I want to send in an email!

Are you working on any exciting new projects now? How do you think that will help people?

I am looking into researching cybersecurity education, especially after the pandemic. I think this project could help us identify challenges in teaching the discipline, help us improve our pedagogy practices and create better tools that accommodate the needs in the field. This work was motivated by my role as one of the principal investigators for picoCTF, CMU’s online capture-the-flag platform that is geared towards educational purposes for K-12 students.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

First, job opportunities! The cybersecurity industry is growing so much in demand that it is creating lots of opportunities for the workforce at every level of expertise. The opportunities are not limited to those who completed a graduate degree in cybersecurity. In the field of cybersecurity there is a place for everyone. People without college degrees can choose to complete a 2-year degree in cybersecurity, and this will still open the door to opportunities and high-paying positions. Related to this is the second thing that is exciting, which is the room for growth. This field keeps changing and is highly dynamic. It is the kind of job where it would be very rare to do the same thing every day. It is the field where we continue to learn and grow as the technology advances and more threats emerge.

The third exciting thing is the industry shift from viewing cybersecurity as an extra secondary task that is a waste of time, to a critical part of an organization’s success. Companies around the world are taking cybersecurity more seriously, where we see increased spending, investment in workforce development in the field and a direction towards innovation in the field. These are all promising directions that make researchers and educators in our field optimistic and hopeful.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

First is our speed in responding to the workforce demand in cybersecurity: are we doing enough to beat the speed of hackers and intruders? I don’t think so. Despite all the current efforts and the high demand to fill the gap in cybersecurity talent, we are still not even close to closing that gap. Job openings continue to increase. Cybersecurity is one of the fastest growing fields in technology, with 56% growth in demand for security analysts expected by 2026 [1]. In 2018, NIST’s report to the President of the United States, titled “Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce,” stated that the global shortage in the cybersecurity workforce is projected at 1.8 million by 2022 [2].

The second concern is job security for cybersecurity experts. Addressing this concern could also help with making the field more attractive to newcomers, which could help address the talent gap problem I mentioned above. I do not see job security for cybersecurity professionals prevalent in many discussions. Think of this example: if a talented software engineer has a choice between a cybersecurity position and another software development position, the software engineer might choose the latter even if the cybersecurity job pays more, because there is less risk of being fired when something goes wrong. Without naming specific incidents, if we look at the history of our attack cases, we will see numerous occasions where an organization’s response is to start firing cybersecurity people. I am not advocating for ultimate protections against making mistakes, but we need policies and mechanisms that differentiate between mistakes due to negligence and mistakes that could be human error (that even the best experts can fall for).

Third is the misunderstanding among many organizations that cybersecurity is a product that they can buy, or a certification that an entity can perform once and call it done for that software product. Software does not stay the same. We update our systems over time with new features, services, packages, etc. Cybersecurity evolves as our systems evolve and new technologies are invented. For example, security requirements for software running on desktop computers are different from those for software running on an IoT device. We cannot abstract these details from developers and assume the code will behave the same. At the same time, having a system with the best security measures is not sufficient if we do not take into account the human interacting with that software. Cybersecurity should be viewed as an integral part of every ecosystem that applies to everything we do in those systems.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

We should stop and rethink before releasing new products. New applications and software products are created at a remarkable speed without proper security analysis. By doing so, we are widening our attack surface and opening the door to more vulnerabilities. I predict that we will continue to see sophisticated multi-stage attacks (e.g., SolarWinds) that will take advantage of early adoption of new technology or hardware that lacks best security practices. However, we will also see simpler attacks that rely on social engineering and tricking the human, because the usable security problem and addressing the human-in-the-loop is an ongoing challenge.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

During my first job as a programmer, I did point out an error in how user credentials were being hardcoded, and I said to my manager at the time: “I don’t think this looks right, someone might be able to do x, y and z…” and I went on describing to him scenarios of what could go wrong. I was ignored and told to focus on developing the new “tab” and “button” with the function I was asked to implement. I was also told that I was wasting everyone’s time with this nonsense. Two weeks later, the data was deleted due to an unauthorized operation, and if the hardcoded credentials weren’t there, that whole scenario could have been avoided. Had it not been for the backup that I had arranged to run every night, we could have lost a significant amount of data at the time! This story was one reason that motivated me to study cybersecurity.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Tools differ by their utility and function. There is no one tool for cybersecurity. If I want to reverse engineer a program, I will use certain tools and if I want to monitor network traffic, I will use others.

For the benefit of the readers, I think one important tool for our daily lives is a password manager. Weak passwords are a major vulnerability that offers an easy entry point to any system, no matter how much we spend on sophisticated approaches in other components of the system. Dr. Lorrie Cranor, along with a team of researchers, contributed a series of studies focusing on passwords and their role in authentication. Their research recommends a set of guidelines that includes many recommendations for securing one’s passwords, and among these is the use of password managers. Password managers achieve two goals from a usable security perspective: the steps are more user-friendly than remembering complex rules for every system, and the automation piece makes generating random passwords almost seamless from a user perspective.

One important tool available to every reader is automatic software updates. Making sure that our systems are up to date is really important because updates include bug fixes and system patches that help address some vulnerabilities. Out-of-date software is more vulnerable to known attacks.

Cybersecurity professionals are concerned about privacy. I try to use DuckDuckGo as often as I can instead of searching on Google. Another tool I use is ad blockers. Some might view this from a convenience angle, but from my perspective it is important to help protect my privacy online and limit the information that is being shared about my online behavior with advertisers.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

Anytime someone mentions to you receiving a weird email, that is a sign that your email was hacked. Don’t wait to consult; go ahead and change your password and add another layer of security (e.g., two-factor authentication). Frequent crashes and unusually slow performance could be another sign of malware running in the back end. Unusual activities and changes to your online accounts that you don’t remember authorizing are another sign. For emails, a major sign to look for is when we are asked to provide personal information or click on a link. It is always better to double-check the sender info and navigate through the main website instead of clicking on a link in an email.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

First is notifying the customers. Customers need to be made aware. A customer might need to change their password or take more measures that would protect them online. Notifying the customer might prompt them to change all their online passwords and take more precautionary security measures. Unfortunately, many companies don’t notify their customers immediately, which affects consumer trust in organizations.

If the security breach involves a ransomware attack, it is strongly encouraged to inform authorities (the FBI in the United States). Never pay the attackers; first it is illegal and second it will complicate this issue on a larger scale.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

The heart of the problem is treating security as a secondary issue that is taken care of for compliance. Companies tend to either follow the criteria in a checklist to make sure they are compliant with standards, or buy a product and rely on that product for ultimate security. Companies might believe that these two measures are enough and that they do not need to do anything further, and that is a risky approach to security. Security needs to be treated with a holistic approach where we involve security best practices in every activity. More importantly, we are not focusing on the human factor. All of these attacks have one factor in common: a human making a mistake! An employee who does not work in IT can make the mistake of clicking a link in an email that appears authentic enough to fool even those who are the most familiar with technology. An IT support person who is overwhelmed with all of the information displayed in small text on multiple screens can easily make the mistake of not patching the software properly in time, due to a number of reasons that are beyond their control (e.g., poor instructions, process, avoiding service downtime, backups, etc.).

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

The short answer is no. I do not think any woman in STEM would answer yes to this question. Even though the numbers and percentages are not ideal, I am happy to see that more women are joining the pipeline, and there is an increase in women in STEM. However, I am concerned because those talented women are faced with policies that hinder productivity and creativity. We know the issues; we just need to come up with solutions that address issues like the pay gap, maternity and family leave policies, subsidized childcare, emergency childcare, clear evaluation and promotion criteria that reduce bias, and acknowledging that women in this field are a necessity. We need to shift our language and narrative to start focusing on how women are integral parts of the STEM fields. Without women like Joan Clarke, Julia Parsons and the women at Bletchley Park, we would never have been able to decrypt the German communication that used the Enigma machine, and we would not be where we are today. Nowadays, women in STEM fields are pushing the field forward with their innovations, but the narrative is not focused on them. Their role is portrayed as secondary, and they are treated in many places as a quota that needs to be filled!

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

The field itself is diverse. There is room for every skill in cybersecurity. There is room for mathematicians, programmers, graphic designers, psychologists, statisticians, and even artists! There is a certain stereotype about cybersecurity that is not true, and I encourage everyone to educate themselves about the field. Even for those who are not interested in pursuing a career in cybersecurity, learning about the field will be eye-opening and will improve our cyber hygiene. This is no longer a luxury given our heavy reliance on technology, which I expect to continue to grow.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

  1. Listen. A true trait of leadership entails listening. This is one of the greatest pieces of advice I was given, and it had a significant impact on my career. Be calm, gather your thoughts and wait before jumping to conclusions. Focus on listening to your team members, customers, and stakeholders. As a woman who was always a minority in my field, I was used to people cutting me off every time I spoke. Unfortunately, I grew up with an unconscious misconception that in order to get heard, we need to interrupt. I am glad that I was able to realize that mistake later, and train myself to be very patient, listen, and wait before I make my point. This change made me a better leader who can convince people with reason and constructive arguments rather than interruption.
  2. Include everyone in the conversation. Get feedback from everyone that you interact with. Every perspective brings something to the table and helps us improve. Most of the great ideas I had in research and courses were the result of listening to students, staff, and tech support as well as my mentors. Every individual we deal with in our professional interactions can give us feedback that we can use to continue to grow in our profession.
  3. Explore new ideas. New ideas add motivation and excitement. No one wants to stay in a routine for a long time. Excitement makes us enjoy our daily jobs even more and opens up more opportunities for innovation.
  4. Be the change, and make the workplace better for new women joining in. As women in this field, we need to use the lessons learned throughout our journey to support each other and help create change by having each other’s back. We know from research and from life experience that “women don’t ask” and do not tend to negotiate for themselves. Since we are already aware of that, we can offer support when not asked. For example, if you are a manager and you are aware of a woman in your team who has a young child, you can offer childcare expense reimbursement for business travel or for after-hours meetings. Don’t wait for women in your team to come ask for that; try to be creative and see how you can make it better for other women. If you are not in a position to make these decisions, reach out to other women colleagues and see how you can help. Sometimes referrals or time management tips can go a long way! These are only a very few examples; we can be creative in this space if we encourage ourselves to be the change that we want to see in the field of STEM.
  5. Be objective but stay compassionate. Find the balance between staying objective in every situation while also being compassionate to people’s situations and personal needs. A good leader will be able to balance that and draw a line when needed. For example, I can have a strong disagreement with a team member during a meeting, but once the meeting is done, we can hang out and have coffee to chat about personal hobbies! If a student cheats on an exam, there will be consequences according to course policies and university standards, but that has nothing to do with my respect for the student and my support for them as an educator during their journey. I will be objective in my assessment for the cheating situation and its consequence, but my compassion makes me realize that everyone is subject to making mistakes. We deal with the consequences of mistakes, but we learn to move on and learn from them.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

I am lucky to be surrounded by many amazing women leaders here at CMU with whom I can enjoy a conversation over a meal. That is why I am going to pick someone from another field that I am less connected to. I would pick the current Speaker of the US House of Representatives, Nancy Pelosi. Whether someone agrees or disagrees with her politically, she is a strong woman who navigated a tough place where men try to make most decisions. If I had a private lunch or breakfast with her, I would like to argue with her about some politics, and regardless of our agreement or disagreement, I want to listen to her story as a woman trying to make a change.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
