Megan Garcia is Director at New America CA, which focuses on how the work of New America think tank programs link to problem solving approaches on the West Coast. She is also a Senior Fellow at New America’s Cybersecurity Initiative. She is an expert on national security policy and writes about how it can be better informed by the processes deployed in Silicon Valley and other centers of innovation.
Previously Ms. Garcia was a Program Officer at the William and Flora Hewlett Foundation, where she oversaw the foundation’s Nuclear Security initiative and then created its Cyber Initiative, a program centered on cybersecurity and Internet policy. Ms. Garcia has been Military Legislative Assistant to Rep. Jan Schakowsky (D-Ill.), a Policy Fellow for Sen. Sherrod Brown (D-Ohio) during his time in the House of Representatives, a consultant to USAID’s Office of Military Affairs, and has worked for Public Citizen California.
Ms. Garcia holds a Master’s degree in public policy with a focus on national security from the University of California at Berkeley and an Bachelor’s of Arts degree in American History and Literature from Harvard University.
[OnlineEducation.com] As someone who worked in the area of public policy and legislation, how were you drawn into focusing on cybersecurity?
[Ms. Garcia] Like so many people in cybersecurity, I worked in a related field — in my case, nuclear security and national security—and was drawn in because of my employers’ need. I was a Program Officer at the Hewlett Foundation, where I was managing the foundation’s Nuclear Security Initiative. Larry Kramer joined the foundation as President and wanted to explore whether a large foundation like Hewlett could make a difference in cybersecurity and information security. This was an especially interesting question because so much of the field is driven by the businesses sector, whether it’s companies in need of cybersecurity or those selling cybersecurity products, and by government agencies. Those two sectors have very different goals and points of view, and there was really no set of honest brokers to think about what was in the public’s interest, or to think long-term about what the field should look like to be able to solve future problems.
It became my job to help determine whether Hewlett should fund in cybersecurity and then build the Cyber Initiative, which is designed to help create a robust, multidisciplinary cybersecurity field that serves the public interest.
[OnlineEducation.com] In relation to the gender disparity in cybersecurity employment, you’ve pointed out that, “having a cybersecurity job doesn’t necessarily mean that you’re sitting by yourself in a hoodie coding all night.” What do you see as some of the other important misconceptions about jobs in cybersecurity, and how can we better explain what it means to be a cybersecurity specialist?
[Ms. Garcia] One of the biggest lessons we try and share via New America’s Women in Cybersecurity Project is that there are so many different types of jobs in the cybersecurity and information security fields. There are lawyers, communications people, policy experts, marketing professionals, along with engineers and more technical roles. And we know that the narrow stereotype of a guy coding in a hoodie keeps many women from thinking they might thrive in the field, when at the same time, so many companies need people and are actively trying to recruit women. And given that the average salary for a cybersecurity job is almost $98,000, it’s a very lucrative field for women to enter.
The other important element of the guy coding in a hoodie all night image is that it’s of someone working alone. We know from research that many women seek out work environments where there is a sense of teamwork, and that the idea of working in isolation isn’t particularly exciting to many women. In reality, much cybersecurity work requires teams. You can’t assess a severe vulnerability, engage with clients, or project future vulnerabilities in isolation. And cybersecurity and information security employers and employees report that communication skills are just as important as technical understanding to be successful in the field.
[OnlineEducation.com] I believe you’re familiar with the idea of a “brogrammer” culture that may be an impediment to women entering cybersecurity. And, the fact that cybersecurity to a significant extent grew out of the military has also contributed to an underrepresentation of women in the field. To what extent are these structural issues, or are we at a point where it’s largely a matter of changing people’s perceptions about what it means to work in the field of cybersecurity?
[Ms. Garcia] It’s both. On the one hand, changing the idea of the field to have it match reality is really important. When women know that their skills are required and desired in the field, they’ll apply for jobs more often. And we know from research that when women, or any other minority group, sees itself represented in the leadership of an organization, they are more likely to envision themselves as a part of the organization. What that means is, as we raise the profile of the women already doing stellar work in the field, that should also draw more women in.
On the other hand, we also know that having a culture that makes women feel excluded is not going to encourage them to either enter the field or to stay. Take a look at any of the websites of major cybersecurity companies, or this reel we put together for New America’s Cybersecurity for a New America conference and you’ll get a sense that the dominant language and themes we use to describe the field is very masculine and focused on warfare. That may work to sell cybersecurity products, but it doesn’t work to attract the workforce we need. As a first step we encourage companies and conferences to take a fresh look at their sites and ads and ask themselves if women would be attracted or repelled by them. Companies then have to do much deeper work to create workplaces where women are truly welcome, supported and promoted, and some are doing that.
[OnlineEducation.com] From a policy perspective, what amount of security responsibility and investment is appropriate at individual, private, and governmental levels in cybersecurity? And, what are the most important roles that cybersecurity specialists will be playing as we move into the future?
[Ms. Garcia] Those are all very open questions in major part because we, as a society, haven’t come to terms with how much data we all produce every day, what happens to it, and what that means. And, in fact, a part of the impetus for the Hewlett Foundation’s entry into this field was to encourage that conversation and the development of longer-term thinking about who should do what if we want more people and systems to remain secure while respecting personal liberty.
We need to have a shared conversation about who owns our data (the user? an internet service provider? a third party?), and who’s responsibility it is to secure it. Because both the societal and policy conversations have lagged behind technical capacity, you see things like startups opting to avoid problems down the road by dumping data (note: content may be paywalled). That’s a symptom of a larger problem, not a solution that addresses either the need for policies to dictate how data should be handled or what happens if it’s stolen.
[OnlineEducation.com] What are the biggest and/or most important factors shaping education and employment in the field of cybersecurity? Government policies? The speed of technological innovation? Economic forces? Social dynamics?
[Ms. Garcia] The number one biggest factor is the sheer demand for increasing numbers of people in the cybersecurity workforce. There is a gap of one and a half million jobs projected in the next five years, and that is increasing demand for training for those jobs. The result is new degree programs at universities, coding camps, and other types of training programs.
The U.S. government has been supporting the creation of some of the new university programs through things like the National Institute for Cybersecurity Education (NICE), through NSA grants to universities, and through other pockets of funding. Some companies have spent small amounts on scholarship and education programs that they hope will bring increasing number of cybersecurity experts into their pipelines, but those numbers are small relative to the overall need.
And something that’s still very nascent is trying to bring cybersecurity education — along with other STEM subject matter — to K-12 classrooms. As you know, education policy is it’s own labyrinth and so far cybersecurity and infosec advocates have not mounted major efforts to bring cybersecurity and more technical curricula to K-12, although there are initiatives like the National Girls Collaborative Project that encourage STEM programs. If we could bring computer science and cybersecurity education to a large number of American classrooms, there could be a huge change in both the way that people understand their own role in protecting their data, and a change in their perception of their ability to work in technical fields.
[OnlineEducation.com] One factor that’s been mentioned in regards to women in cybersecurity is the difficulty maintaining the proverbial work/life balance in a field that requires rigorous training, multiple certifications, and ongoing continuing education to keep up with the fast pace of technological change. What kind of advice and encouragement would you give to women considering a career in cybersecurity to offset those concerns?
[Ms. Garcia] My colleague Elizabeth Weingarten spoke about this very issue at Cybersecurity for a New America earlier this year. In essence, we know that burnout drives talented people of all kinds out of the cybersecurity and information security field. Already, there aren’t enough infosec employees to address the increasingly complex threat landscape, and the shortage of talent is only going to get worse. One recent study shows that burnout is the number one reason for the industry talent shortfall, especially in more senior roles.
It also turns out that the culture of overwork is especially hard on women. Harvard research shows that the culture of overwork is a bigger obstacle to women in the workplace than a lack of family friendly policies in part because the majority of caregiving work at home still falls to women.
Given all of that, what I tell women entering the field is that some companies are starting to realize that culture change is going to be necessary to retain talent. Managers are being given better tools to understand when employees are overworked and the flexibility to intervene. That said, we’re definitely not in a place yet where the average cybersecurity professional feels free from the demands of a 24/7 environment. Advice I give women is that there will be times when you’ll have to be on more (e.g., if a client has a big breach, or if a vulnerability is discovered) and there will be times when things are slower. Take advantage of the slow times to restore balance. And talk to your manager about how both the pressure of an intense schedule, and the perceived need to be “on” all the time, negatively affects your effectiveness. A good manager is going to do anything they can to increase your effectiveness, whether that means bucking trends or not.