Of all the cybersecurity events that had to take place virtually this year, last month’s annual conference of the International Information System Security Certification Consortium (known in the industry as ISC²) stood out for Canadians.
At that event, well-known cybersecurity leader Bonnie Butlin was given the annual Fellow of ISC² Award for her decades of work.
In an interview from her Ottawa base, Butlin admitted the award, announced earlier, caught her off guard.
“It came as a real surprise. I didn’t know I had been nominated, and let alone from Sai Honig, [co-founder of the New Zealand Network for Women in Security] who’s around the world. So that was a bit of a double surprise … and for me to receive the award when I’m not actually a member myself is just a huge honour when I wasn’t even expecting at all.”
In an email, Honig said she nominated Butlin because she is a strong advocate of women creating networks in their own area. “She, like me, transcends national borders. She is also very good at getting men to recognize the need for women in cybersecurity. To that end, she has connected me to others in the Australia – New Zealand region of the world.”
Butlin’s bio is extensive: Co-founder and executive director of the Ottawa-based Security Partners’ Forum (SPF), a network of cyber and physical security professionals; creator of the Women in Security and Resilience Alliance (WISECRA), a global network; member of the Women in Cyber Capacity Building Network of the Global Forum on Cyber Expertise; an expert network member in cybersecurity with the World Economic Forum; a member of the advisory council of the Institute of Strategic Risk Management; former vice-chair of a working group of the Infrastructure Security Partnership and former executive director of the Canadian Association for Security and Intelligence Studies.
This year she was also named one of IT World Canada’s top women in cybersecurity.
A graduate of the University of Calgary who speaks five languages, Butlin specializes in international security, strategic and tactical intelligence and crisis management. She also holds a Canadian government Level II (Secret) security clearance.
Given all the international speaking demands she faces, one might think Butlin is a videoconferencing veteran. Not so. “I’m hoping we can get back to in-person meetings and conferences fairly soon,” she said. “I think a number of these platforms are a nice add-on, but I don’t think they can fully replace the security community for sure. For example, at conferences making presentations on a virtual platform, it’s hard to really get a sense of how the audience is receiving your ideas. And I think a lot of people are hesitant to put their feedback in writing or on a platform that’s recordable in some cases, and so I think we do lose some of that interaction and candidness that we really do rely on. So for sure, definitely looking forward to going back [to conferences] and to the trade shows. I don’t think it’s possible to replace the trade show experience entirely with virtual or online presentations of products and services.”
‘Toiling in obscurity’
The Security Partners Forum operates behind the scenes, connecting people and helping solve problems. “It’s a lot of people toiling in obscurity a lot of the time,” she says. “And so it depends on what we’re doing at the moment, or what the need is, or which partners we’re working with. For example, with the Caribbean, right now. They haven’t received a lot of attention. And there is a lot of interesting work being done in the Caribbean and other areas that other people aren’t aware of around the world, and wouldn’t necessarily be aware of unless it is highlighted.”
Butlin spends a lot of time raising the profile of women in cybersecurity. The results so far, she admits, are mixed. “Some disciplines of security are doing better than others for inclusion and retention of women, such as fraud examination, or the privacy space. They have been doing very well. Others not so much.”
Cybersecurity was already a challenging career choice before the COVID-19 pandemic because of the constant changes in technology and the high demand for retraining, she said. But now, some salaries are actually decreasing. “Some companies are looking at reducing salaries if people aren’t working in more expensive urban areas. And so the things that were attractive to the field may not be so attractive moving forward.”
Highlight success stories
“It’s quite an intensive career choice. Which again, is why it’s I think it’s so important to highlight where the opportunities and success stories are, because it’s hard to know going into a cybersecurity career when you’re picking your education programs to know how to get to those careers or where you’ll end up or if it will even look the same by the time you graduate, let alone 10 years in 15 years in.”
One problem, Butlin says, is that security was shut out of pandemic management decisions in many organizations, which she finds “shocking.”
“The fact that decisions were made by public health officials and select experts only– often not from traditional security disciplines or from cybersecurity — is going to be viewed, I think, in retrospect as quite skewed and unbalanced. You know, where were the pandemic planners? Where were the emergency managers, the risk managers, the crisis managers, the cybersecurity experts, the cybersecurity economics experts that could have perhaps better manage the economic decisions before the fallout and disruption of the economies? These professionals were sidelined. And that I think, caught the security community off guard. I certainly was surprised by it.”
Meanwhile, Butlin adds, businesses struggle to carry on. For some there’s a temptation to cut corners on physical and/or cybersecurity, she said. But at the same time regulatory and privacy obligations are increasing.
Pressures on infosec pros
The pandemic is creating other pressures on infosec pros: Pandemic relief funds pouring out of governments to firms and individuals have spawned phishing scams, while the increasing number of people working from home is another target. “In that sense, cybersecurity is so much more important [now], and with a very little ramp to get up to where we need to be in terms of cybersecurity spend.”
Asked to assess the state of cybersecurity in the last 12 months, Butlin said she was struck that organizations had to scramble quickly to try and maintain their businesses and in many cases go virtual. “To change it in very normal times is tricky enough, and it’s risky. But to change your business models and your business strategies on the fly during a pandemic with a shifting legal background and health orders changing rapidly is very risky. And I think cybersecurity is impacted by that.”
One thing she’s noticed is a large number of job ads for security directors. “That may signal that companies are looking for more cybersecurity, leadership and management, which would be a good thing. Or it could signal that there is there’s a lack of people wanting to take this right now because it’s too unstable, too much churn within the cybersecurity world right now, it’s too much of a risk.”
Students can’t get work
The problem isn’t just at the top, she added. There’s downward pressure on cybersecurity wages at all levels. Meanwhile, there’s the alleged skills gap and job shortages. “You know,” Butlin said, “I’ve heard from tech students and graduates of computer science programs, so many of them are not getting hired. My nephew, for example, just graduated from a program. Only two of them were hired into positions. And so when there are claims of so many empty positions, I think I would like to see a little bit more clarity of where those positions are and what type of positions they are. Because I’m hearing from students all the time that they can’t get work coming out of schools.”
There are other weaknesses: Organizations still failing to implement cybersecurity basics, which she fears the pandemic is making worse because infosec pros have limited resources. Risk management in cybersecurity still isn’t mature, she said.
In closing, when asked what she thought was her biggest missed opportunity, she answered: “I don’t think I could name one,” she replied. “I guess [my] philosophy is that you just have to take the opportunities where they are. You can’t look back.
“I think often at conferences, particularly conferences for women, we often get the question of what would you tell other people coming up., but I think everybody’s just trying to make the best decisions they can at the time with the available options. And so I just try to keep going forward, I guess. And if we can, if we can fix the structures to make it easier for those coming behind us. That’s what will help the others coming up more than any personal advice I think I could offer.”