Interview: Dragos’ Lesley Carhart on industry gatekeeping and the importance of diversity in cyber security

Lesley Carhart, Dragos’ director of incident response for North America, has both a fantastic career arc and a lot to say about cyber security. Moving from the farm to programming and into the US military before finding a place in cyber security, Carhart’s path wasn’t always easy, but it left her with a strong idea of the importance of opening up the industry to a more diverse workforce.

Cyber Daily: So I’m very keen to talk to you about addressing the cyber security skills shortage and how to keep people on the coalface, but before that, I understand your own career journey is quite an interesting one. Where did you start, and how did you get to Dragos?

Lesley Carhart: Where did I start?

I grew up on a farm. And, you know, there was a point in time in the ’80s when my dad went out and bought or leased a very expensive computer to inventory his farm. I mean, I had two choices as a child – it was learn to work on the farm or learn to use the computer, and I don’t have the complexion to work on the farm. I decided to learn how to use the computer.

I started programming when I was seven or eight. And when I was 15 – it was an era in time where even if you were 15 years old, people were so desperate for developers and programmers that you could get hired during the dot.com boom … I started working around 15 or so as a programmer.

And, of course, that didn’t last forever.

Eventually, I didn’t have a lot of options but to join the military, and they said, “What nerdy thing would you like to do?” And I said, “What do you got?” And they said, “Well, you can solder an aeroplane together. And I was like … that sounds good. I’ll learn to solder an aeroplane’s computer. So I did the military thing for a while, I moved into cryptography and computers and military cyber for aircraft.

I got my engineering degree, but I always liked that hackery stuff. And you know, I couldn’t get any mentorship as a young person – I didn’t look right … didn’t look like the right kind of person to be a hacker. So I kind of found my own way over a long, long indirect route into the cyber security space, and I’ve been doing it ever since, and I’ve always been in that kind of non-standard electric, electronic ICS kind of space of cyber security. Yeah, that’s my background. That’s my degree in engineering.

VIEW ALL

And I love it. I think it’s fascinating to know how the world works.

CD: So what did people not like about the way you look? Was it a gender-based thing back then?

Lesley Carhart: Oh yeah, absolutely.

I thought forensics was cool in the ’90s, and I tried to call the local police department and find out if I could get an internship or if I could talk to somebody, and no one would talk to you at the time.

So it’s been a lot of my motivation for mentoring people going forward is like I couldn’t get any mentorship. I want to mentor people who don’t look like me, you know, because we need all the people we can get; we need different perspectives. And I mean, it was still hard for me. I don’t want anybody else to have to deal with that.

CD: And has that changed in recent decades? Is the gender imbalance being addressed?

Lesley Carhart: Yeah, a little better.

Conferences have gotten less exclusionary, and programs are doing more outreach, and things like that, but still, you go to a conference and people pretty much look the same. It’s still a really big problem.

Things are improving, and I’m glad we’re making efforts, and I’m glad organisations are making diverse hiring efforts or making more educational efforts. But, it’s still real bad.

It’s more possible to get mentorship now, certainly, and find people who are willing to mentor different people to get into the field. There are more internships, apprenticeships, things like that, but it’s still really bad.

CD: And at the same time, while we see cyber security technology advancing to meet a growing threat environment, we’re still in a situation where there simply aren’t enough warm bodies in the industry. How bad do you think the skills shortage really is?

Lesley Carhart: I don’t think the skill set shortage is always portrayed in the correct way.

So, are we short people in certain roles? Yes, we absolutely are.

Are we gatekeeping some of those roles? Yes, we absolutely are.

Are we being exclusionary about who we hire and how we train people? Yes, we absolutely are.

Are there human beings who want to fill the seat who we could use?

There’s all those elements to this. It’s easy to say, oh, there’s X number of jobs that we can’t fill. That we’re short X number of people. Well, are they senior or junior people? And if they’re junior people, are you willing to train them up without them going to a university at massive expense? Are you willing to reach out to communities that aren’t typically represented in the cyber security community? Are you willing to offer apprenticeships?

So it’s very easy to say, “Oh, we’re missing this number of people”. But we need to break that out by role, by seniority and talk about the gatekeeping that’s happening in our field and how we train cyber security professionals and the limited number of people who these jobs are accessible to.

CD: Do you see that changing in the short term, or is this something we need to chip away at? Because I’m absolutely with you. I believe in diversifying the workplace in every way and that you get better outcomes from it. But how do we convince the C-suites to do that?

Lesley Carhart: People like you and I, who are doing those outreach efforts, are very cognisant of this problem.

And we are talking about it, and we are trying to fix it. Is everybody trying to fix it? No. I still see plenty of gatekeeping.

I mentor people every weekend, I mentor people who are trying to get into the field from all different backgrounds. And especially in red teaming, I still hear these horrible gatekeeping stories about ageism and sexism and stuff. Like really? When we need all these people?

They can do that in red teaming because there are [fewer] jobs and more people want to do them. So they feel like rockstars, and they can be more gatekeeping in that space. And it’s awful; it’s horrible. But in blue teaming, there’s a little bit more diversity because people have been willing to build pipelines, and they need more people, so they’ve been willing to pull people in who don’t have traditional educational backgrounds.

So, again, this problem is complicated, and we can’t just throw numbers at it. We can’t just make headlines that say we’re short X number of people without talking about what that breaks down to in the problems causing it. Where are we short people? In what niches of cyber security? What levels of seniority are we short people in? How do we fix those specific problems? How do we make sure we get talent from the big pool of people who would like cyber security jobs?

I talk to people all the time who would like a cyber security job and don’t know where to go and can’t find a way in; I talk to those people every single weekend. And they’re willing to try, they’re willing to do a pipeline and apprenticeship. They’re willing to get a certification, but they can’t find a way in, they cannot find a viable path into cyber security. Maybe they can’t afford a university degree – they exist. So how do we take that pool of raw talent and put them into specific places where we need people? That’s the problem.

CD: So what would you say to someone who’s looking to expand their cyber security workforce? What would you say to them in terms of the benefit they might get from casting a wider net?

Lesley Carhart: So first of all, the benefit of getting a diverse workforce is cyber security is oftentimes a human problem. And learning how to threat hunt from different perspectives, thinking about adversaries in different ways, thinking about processes in different ways is tremendously valuable.

We can’t just think about engineering or human problems from one perspective; that isn’t the way to catch criminals. That’s not a way to stop the bad people.

And then, from the other perspective, they need to look at what gatekeeping they’re doing unintentionally. So, if we look at our postings for jobs across the world, how are we posting them? What are we requiring our people to do? Is it innocuous work? Is it remote work? What degrees do we require? Are we requiring expensive certifications? Do we only hire people with three years of experience and another in another job?

Or do we offer the opportunity to apprentice or job shadow? We have to be willing to invest a little bit in those people, in who we’re bringing in, and there’s a lot of postings I see out there for, you know, we want somebody with five years of experience who is willing to be paid minimum wage … And they need a university degree!

It makes that job so inaccessible, and there are other things, too, like work/life balance and just even wording a posting; sometimes I’ve seen them worded to be really nerdy and appeal to a certain subset of nerdy, geeky people, and I’m a nerdy, geeky person but, if your whole job posting is Star Trek references, you’re not going to appeal to a wide audience. If your hiring event is an axe-throwing thing, it might not be accessible to everybody … We [have to] think about that stuff.

I know you think you’re appealing to your nerdy, fun hacker crew, but we need more people. We need more diverse people. We need different backgrounds, and if you are only appealing to the tech culture, you can’t complain. You can’t complain that you don’t have enough people.

Yeah, your office is going to be full of nerds, but do you really want that?

CD: That makes a lot of sense. Leslie, thank you so much for your time. We really appreciate it.

Leslie also spoke to us about the nature of threats she observes within the operational technology space, so keep an eye out for the rest of this interview, coming shortly.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.