The PEARC21 (Practice & Experience in Advanced Research Computing) Student Program featured a Cybersecurity Careers Panel. Five experts shared lessons learned from more than 100 years of combined experience. While it was difficult to identify trends among panelist career trajectories, each has a history of involvement with charitable causes dedicated to cybersecurity workforce development, and all expressed an urgent need to fill the pipeline.
Full panelist biographies are available on the PEARC21 panel description page.
How does one prepare for a cybersecurity career?
Among panelists, only Principal Research Scientist Jim Basney (University of Illinois at Urbana-Champaign/National Science Foundation Trusted CI; UIUC/NSF) holds a terminal degree; a PhD in computer science (CS).
After graduating from West Point, Chief Executive Officer Bryson Bort (GRIMM/SCYTHE/ICS Village) earned three grad degrees, including Electrical Engineering (EE) and CS, Telecom Management and a Master’s in Business Administration.
Federal Bureau of Investigation Section Chief Philip Frigm (FBI Cyber Technical Analysis and Operations Division) acquired six certifications and licenses along the way, in addition to undergraduate history, and Information Science graduate degrees.
While Basney, Bort and Elham Tabassi (National Institute of Standards and Technology/NIST) pursued technical baccalaureate degrees, Frigm and Anita Nikolich (UIUC/NSF) were undergrad history majors. They eventually pursued CS grad degrees, but that path hadn’t occurred to them as undergrads.
Tabassi was academically inspired early in life by an aunt who studied at the Sharif University of Technology in Iran. “So, naturally, that’s the school I wanted to attend, and I graduated with a degree in electrical engineering (EE),” she said. After immigrating to the US, she earned a graduate EE degree from Santa Clara University in California and is currently pursuing a CS PhD at Michigan State University. She said that while CS and math are important to NIST, above all, they need problem solvers. She recommends that students keep an open mind; chase things that satisfy their thirst for knowledge, “and always question why.”
Nikolich and Tabassi expressed an early adoration for mathematics, but Frigm confessed, “Math was never my friend.” He originally wanted to be an astronaut, and enrolled in the Penn State Aerospace Engineering program. But Calc-2 was a ‘weed out’ course which prevented him from achieving that goal. When he was within view of graduation, employment prospects for history majors were bleak. An adviser recommended that he consider an Oxford PhD, but that required pre-payment, and it took an average of eight years to finish. “An IT graduate degree from Rochester Institute of Technology (RIT) made more sense,” he said. Employment at the RIT help desk led to work as an IT manager for WXXI public radio. Upon arriving at WXXI, they had been recently hacked. For his capstone project, he wrote a set of security policies for WXXI, using NIST frameworks.
Long and winding roads…
“When you’re young, you think your career path will be straight, but it rarely is,” said Nikolich. Upon leaving the Marines, she worked for an Internet Service Provider in the 90s, “when the internet was young.” That’s where she learned how to secure really BIG websites. She then supported enterprise security for a global company with 72,000 employees. “That was a great place to develop skills, but the work could be stressful,” she said. Nikolich describes her “superpower” as being able to connect the dots, which is useful in her role as UIUC Director of Research Innovation where she focuses on multidisciplinary applications for artificial intelligence (AI).
Tabassi joined NIST in 1999, and specialized in biometrics evaluation and standards. “If you can’t measure it, you can’t improve it,” she said, echoing Lord Kelvin’s famous quote. She was the principal architect of NIST Fingerprint Image Quality, which is now a widely-adopted international standard. Her work at NIST began with speaker recognition in 1999. Since then, she has been working on various computer vision and machine learning research projects with applications in biometrics. Currently Chief of Staff in the NIST Information Technology Laboratory (ITL), Tabassi leads the agency’s Trustworthy AI program. From their website, “ITL is one of six NIST labs that promote US innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.”
Basney’s early work involved HTCondor development; the framework that underpins federated high throughput computing, and the Open Science Grid. His first professional appointment was with NCSA where, 20 years later, he continues to support NSF CI security. He has contributed to the NSF TeraGrid, XSEDE and Trusted CI projects; MyProxy credential management service; CILogon federated identity service; and SciTokens which enable capability-based access to scientific data.
Bort never had a long-term plan. With each opportunity that came his way, he was excited about learning something new; at the same time, experienced anxiety from not knowing what he was doing. “I grew and learned with each job,” he said.
“I didn’t set out to become an entrepreneur,” said Bort. “As an Army captain, I was injured in the war, and took the first job that was offered upon discharge, which had nothing to do with computers. But I was eventually recruited back into the tech space,” he added. Bort believes that no matter how awesome a job is, at some point, “the golden cage rusts.” As CEO, he feels that it is important to grow and replace yourself; to train the person who takes your job.
In 2013, Bort formed GRIMM with some of the “best hackers in the world.” Three years later, a fortune 50 company asked them to build a unique software app—a modular, post-access malware framework. In the customer’s request, Bort recognized a market failure. So, he founded SCYTHE, and asked the client for permission to commercialize the intellectual property so that a market void could be filled. SCYTHE provides services for small and mid-sized businesses that can’t afford their own security teams. Bort then handed the GRIMM reins over so he could focus 100 percent on SCYTHE. A short time later, he co-founded ICS Village with Tom VanNorman (GRIMM), a 501.c.3 nonprofit organization that, “equips industry experts and policymakers with tools to better defend critical infrastructure.”
Frigm applied for the FBI training academy in December 2002 and was accepted a little over two years later. After training at the FBI Academy in Quantico, Virginia, he was assigned to the Newark, New Jersey field office where he initially investigated Italian organized crime. In 2006, he was appointed to the cyber squad and contributed to its nascent National Security program investigating nation-state intrusion activity. He was then promoted to management, and ultimately to his current role.
Frigm said that the FBI likely accepted him because of his grad degree, but attributes his success in a rewarding career to a liberal arts undergraduate education. “It shaped critical thinking, analysis and communication skills,” he said. He must often explain complex technical content in terms that a wide range of stakeholders can understand. “Some are highly technical, but senior management may not be, and they advocate on my section’s behalf,” he said.
“How’d I get from history to the FBI?” Frigm smiled, “It’s a natural step, and everybody should take it.” His advice to students, “Just pick one of your lifelong fascinations—something that you’re good at—and stick with it.”
Bort and Frigm professed an early fascination with electronics. Young Bort took stuff apart to see how it worked often enough that when something broke at home, he was blamed. At age 11, Frigm reprogrammed the Texas Instruments Ti4a calculators in the Sears & Roebuck store so that the display featured his name (a Basic command).
Nikolich described chapters of her career being well-suited for, “adrenaline junkies.” In retrospect, inherent intellectual curiosity with a dose of intestinal fortitude may have helped to prepare Nikolich for U.S. Marine Corps cryptography work, Tabassi to immigrate to another country, Frigm for white-knuckle investigations, and Bort to enlist in the Army (during a period of conflict; not to mention having enough gumption to found three businesses within four years). But what keeps an occasional thrill-seeker up at night? Bort said, “My employees; people who count on me to make payroll.”
Threat landscape; everything old is new again.
Panel rules of engagement established that we could not discuss details of ongoing investigations. That said, each described the type of incidents their teams are battling.
Basney described the range of threats the NSF Trustworthy CI team mitigates, including intellectual property theft, and efforts to steal journal subscriptions from academic institutions. High-performance computing (HPC) systems can be hijacked for cryptocurrency mining, or launching attacks against others. But, he added, “Every day in the life of a cybersecurity specialist doesn’t involve incident response; we spend most of our time helping scientists to ensure that our security controls effectively support their research.”
Bort, wearing his company’s unicorn-themed hoodie, explained why he is often in the news. In 2020-21, when the media addressed the SolarWinds breach, Colonial Pipeline ransomware attack, or the Florida Water Hack, Bort was often the expert called to explain what happened, how the issue was being mitigated and by whom. “They probably call me because of my background in offensive security,’ he said. “We have taught the methods used in the Florida water hack in our workshops for years!” That’s where someone took control of a municipal water system (within 30 miles of where the Super Bowl was scheduled to occur) and increased the amount of sodium hydroxide from 100 parts per million, to a toxic 11,100 ppm. An operator saw it happen, and quickly restored the settings. It was a wake-up call for all who safeguard the nation’s critical infrastructure.
Frigm added that while ransomware is in the news, it certainly isn’t new. “Bad actors have been holding computers and data for ransom since the 90s!” Time-tested strategies are employed when controls are weak, and targets are rich. Intellectual property associated with COVID-19 research elevated the value of medical research data; public announcements of COVID research grant awards drew unwanted attention. Comparitech reported 600 U.S. hospitals and clinics were victims of ransomware in 2020 at a cost of nearly $21 billion.
“We don’t have enough folks to answer the call in the burgeoning space of computer security; diversity of voice and experience are important. Different voices, opinions and ideas are needed. The more diversity we have, the better our security will be.” – Bryson Bort (GRIMM, SCYTHE, ICM).
About the panel author and moderator
HPCwire Contributing Editor Elizabeth Leake is a consultant, correspondent and advocate who serves the global HPC and data science communities. In 2012, she founded STEM-Trek, a grassroots nonprofit organization that supports workforce development opportunities for science, technology, engineering and mathematics (STEM) scholars from underserved regions and underrepresented groups.
As a program director, Leake has mentored hundreds of early-career professionals who are breaking cultural barriers in an effort to accelerate scientific and engineering discoveries. Her programs have specific themes that resonate with multinational stakeholders, such as food security data science, blockchain for social good, cybersecurity/risk mitigation, and more. As a conference blogger and communicator, her work drew recognition when STEM-Trek received the 2016 and 2017 HPCwire Editors’ Choice, and 2020 Readers’ Choice Awards for Workforce Diversity Leadership.
Leake was co-chair of the PEARC21 Student Program, and will return in that capacity when PEARC22 lands in Boston, Massachusetts, July 10-14, 2022.