Melissa Hathaway: Internet Security Advocate

In honor of Ada Lovelace Day, today I am writing about a woman in technology. In particular, my topic for today is Melissa Hathaway, an Internet security expert. Melissa Hathaway serves as Senior Security Advisor for Cisco Systems and as Senior Advisor for the Belfer Center for Science and International Affairs at Harvard's John F. Kennedy School of Government. Ms. Hathaway has a B.A. degree from the American University in Washington, DC, and graduated from the U.S. Armed Forces Staff College with a special certificate in Information Operations.

In 2009, Ms. Hathaway worked in President Obama's administration as Acting Senior Director for Cyberspace for the National Security Council and the Homeland Security Council. In this role, she carried out an interagency review of cyber security plans, programs, and activities, providing an important link between the Bush and Obama administrations. During Bush's administration, Ms. Hathaway served as Senior Advisor to the Director of National Intelligence and as Cyber Coordination Executive. In August, 2009, Ms. Hathaway returned to the private sector where she is President of Hathaway Global Strategies, LLC.

If you made it through all those impressive titles and are still with me, I'd like to explain why I admire Ms. Hathaway. I admire her because, like our hero, Ada Lovelace, she's a good communicator and team player. To understand the importance of this, you need to understand the network security field.

OK, I'm not being politically correct here, but let's just come right out and say it: the network security field has generally been male-dominated with a pervasive attitude of cowboy one-up-manship. Many old-timers learned security on their own, spending countless Mountain Dew-powered hours working alone in a lab, tinkering with hardware firewalls, and penetration-testing corporate networks. You just need to read that phrase, penetration testing, to know that this was a male-dominated field.

Ms. Hathaway represents an evolution in the security field to a bigger focus on communications and collaboration. Her work to bridge the Bush and Obama administrations' security programs demonstrates that, as does her work during the Bush administration on the Comprehensive National Cybersecurity Initiative (CNCI), where she built consensus among nearly two dozen diverse organizations. You can read more about her work in that area in this IEEE interview.

To protect networks from attackers, security professionals need to collaborate with other stakeholders, which can include co-workers, business managers, other companies, and governments. They should share information about problems and solutions, think in terms of systems and policies, and understand users, not just hardware. Soft skills, often more associated with the Yin world of business than the Yang world of network security, are just as important as engineering skills.

An important area for collaboration (that is especially suited to Ms. Hathaway's background) is in the private/public interface. Despite all the talk about Cyber Czars and Internet security laws, most of the Internet is privately owned. Governments need to collaborate with businesses. Governments also need to work with other governments in an international push to avoid a cyber meltdown.

As an engineering instructor, I'm especially pleased when I hear Ms. Hathaway comment on the need for practical training for security professionals. Using terminology from government hiring practices (which hopefully will become more popular in industry as well), she talks about the need to understand the knowledge, skills, and abilities (KSAs) required of security practitioners, engineers, CIOs, and CSIOs.

In this video from Cisco, about 29 minutes in, I found myself cheering as she discussed the importance of on-the-job training that provides real-life practical exercises. She mentions, for example, lab exercises that might let learners deal with the Conficker worm in a simulated lab, or analyze an infected thumb drive, or configure protections from a distributed denial of service. She suggests that the exercises should also help students learn soft skills where they can practice responding to a security breach and communicating the problem to executives. In turn, executives should practice communicating about the problem to employees, customers, and governments.

Ms. Hathaway also talks about the importance of telling stories, certainly a tried-and-true method of education. She suggests explaining cyber security in simple terms, helping people understand that online shopping could be affected by an attack, for example. Ms. Hathaway is skilled at helping the layperson understand security risks, as can be seen in this paper she wrote about the five myths of cyber security.

In summary, I feel privileged to have this opportunity to blog about a modern technical woman, a person who demonstrates some of the same skills that Ada Lovelace had, and who continues to persevere in a male-dominated field (though that is changing!) in her essential role as an Internet security advocate.