Posted on March 16, 2022 at 4:24 PM, updated March 17, 2022 at 12:32 PM
From March 17-19, Cleveland will host more than 1,500 attendees of the ninth annual Women in Cybersecurity (WiCyS) 2022 Conference at the Huntington Convention Center of Cleveland. The conference aims to help organizations recruit, retain and advance women in cybersecurity—all while creating a community of engagement, encouragement and support for students and women in the field.
A consortium led by Cleveland State University/IoT Collaborative is serving as local host for this year’s conference and includes Greater Cleveland Partnership/RITE and Northeast Ohio CyberConsortium (NEOCC). More than 25 public, private and nonprofit organizations are collaborating to educate WiCyS’ professional and student attendees about Cleveland, its tech community and job opportunities.
Over the course of the weekend, WiCyS will showcase Cleveland as a place to live, study, work, invest or do business—with an initial emphasis on meetings and conventions within the fast-growth sectors of IT/technology (including financial services), healthcare and smart manufacturing.
From there, breakout sessions, workshops, presentations, “lightning talks” and poster sessions will concentrate on a cornucopia of all things cyber—from knowledge sharing, best practices and career development, to trends, biometrics, methodology and more.
CSU caught up with Janine Spears, Ph.D., associate professor in the university’s Information Systems department in The Monte Ahuja College of Business, to talk about cybersecurity and the importance of WiCyS 2022 being held in Cleveland. With expertise in information security, risk management and data privacy, she teaches courses on cybersecurity, business process modeling and design.
She is also the Faculty Lead for WiCyS 2022.
Cleveland State University: There’s a huge gender gap in STEM and related fields. Despite women making up the majority in colleges and universities in the U.S., they still only comprise about 20-25% of STEM students, notwithstanding the growing need for qualified professionals. There’s a sense that women aren’t attracted to it, but there’s a lot more there than stereotype, isn’t there?
Dr. Janine Spears: I can’t universally say why more women don’t pursue STEM, but in interviewing women who work in cybersecurity for a study I’m doing, when they explain their experience to me, working in the field can sometimes be unwelcoming. Technical skills are often doubted, sometimes they feel overlooked in routine work tasks—so, they’re not really part of the club. Getting young girls comfortable working with tech early, meaning that K-through-12 stretch of education, will help change the mindset that STEM fields are just for men or boys. We as a nation have a need for more cybersecurity workers than ever before and it would be good to see more women in those roles. At various industry events I attend, women make up about 10% of attendees. The gap is especially striking.
CSU: Do tech companies have a responsibility to “prime the pipeline” to get women and minorities interested in tech at an early age? And if so, what considerations are needed to ensure broad appeal?
JS: Tech companies could sponsor certain initiatives and certifications, because funding is always an issue. When students are coming into their undergraduate programs, helping them to understand what their different options are is key. Maybe they feel like they don’t have enough math skills, for example. Computer science as a discipline has some pretty hefty math requirements, but if people aren't comfortable with math, having programs to help them supplement their math skills helps. In that sense, I feel like part of this falls on the educational system, but companies could play a role in being proactive in advancing their employees and assisting them.
CSU: How important is it for Cleveland to be hosting WiCyS this year, and for CSU to be anchoring the consortium that ultimately brought the national conference here? And what does the talent pool look like—both here at CSU and across the Northeast Ohio region?
JS: One of the biggest strengths that we have at Cleveland State is that while we don’t have a dedicated degree—yet, we’ll say—we as an institution are approaching cybersecurity in an interdisciplinary way. The Monte Ahuja College of Business, Washkewicz College of Engineering and C|M Law all have cybersecurity courses. In our Information Systems program, we have emphasized Engaged Learning with students participating in cyber competitions, experiential learning course projects, and our Co-op program. As a result, our students are placing into good cybersecurity jobs with world-class organizations. That’s something that I’m very proud of.
Whenever a national conference comes to Cleveland, it’s a wonderful thing. There is a lot of cyber work going on in Northeast Ohio. This gives us the opportunity to talk about how we recruit, mentor and retain women in the field as a region. Any opportunity for dialogue is a good thing and this is a big one.
CSU: If you had unlimited access to resources, how would you go about getting more women and minorities involved in tech-related fields?
JS: I think sometimes seeing is believing, so exposure. Getting exposed to it dispels some of the mystique, raises interest, awareness and access. A company hosting a Cybersecurity Day with employees in the field helps. Having high schools do ‘a day in the life of a cybersecurity worker’ events helps. Professionals dispelling misconceptions about the field helps. A sort of ‘dog-and-pony-show’ on the road can be effective in showing women and minorities what the field looks and feels like.
It’s Engaged Learning, you know? Telling them isn’t enough. Trainings, bootcamps, certifications and degree programs are good steppingstones—fortified by good mentoring options, professional networking and ongoing training once they join the field—but I think if you have a package like this, you could probably get more women into the field.
CSU: What are your favorite things and not-so-favorite things about the cybersecurity field?
JS: When I interview experts, that’s one of my actual questions (laughs). For men and women both, the dominant answer is the same for both—change. Constant changes in technology, the challenge and the puzzle behind it, that their jobs are different every day—
CSU: A bit of a double-edged sword, no?
JS: Exactly. Yeah. But it’s an interesting field and never boring, that's for sure—and it shares an interesting Venn diagram of sorts with [digital data] privacy, which I’m also very interested in.
CSU: What advice would you give to someone wishing to start their career in cybersecurity?
JS: If you have an interest in technology and continuous learning and a desire to fine-tune your technical knowledge and to have fun with it, then you have a good foundation. I have found that those are the keys to the success of many of the students I’ve had here at CSU, and their moving on to successful careers has happened in large part because of these traits, as well as their active curiosity and their tenacity as students. Many professionals I have encountered over the years share these same traits.
CSU: What are some misconceptions that you believe businesses have about cybersecurity?
JS: That it doesn’t relate to them. That ‘oh, we have a department for that’ and that ‘it’s more of a behind-the-scenes technical thing that one department handles and has all figured out.’ But security doesn’t work that way. It is the responsibility of everybody in the organization, right? Phishing emails catch people all the time. Many data breaches occur due to stolen password credentials and organizations not implementing multifactor authentication because it’s an extra step to log onto a system. When business users are resistant to things being a teeny bit more cumbersome, it can become hugely expensive and damaging and that impacts everybody in an organization. And so, everybody plays a role in it.
CSU: Cyberattacks are making the front pages on a regular basis. What does the “climate of continuous risk” (as Wired magazine likes to call it) mean for businesses and for our collective future?
JS: It relates to the change we just talked about, which means staying on top of the latest threats and trends. I think part of cybersecurity experts’ frustrations come from having to convince the businesses they work for of threats and to get approval of certain measures and expenses related to it. Resistance to security measures from management can be challenging and frustrating. And yet, if there is a cyber breach, they are the ones—those security leaders—who may well get fired and land in the press afterwards, looking really, really bad. Security workers who work on incidents and response, they’re the unsung heroes. Yet, in their work, their failures are highly visible, while successes are more invisible.
Dr. Spears recently served on the Board of the Northern Ohio InfraGard chapter and has won awards for developing an experiential learning course partnering students with non-profit organizations to conduct security risk assessments. Prior to CSU, Dr. Spears was a professor at DePaul University’s School of Computing in Chicago, where she taught security courses for 7 years. She led the development of the GRC (governance, risk management, compliance) degree concentration in DePaul’s Masters in Cybersecurity degree program. She holds a Ph.D. in Business Administration from Pennsylvania State University’s Smeal College of Business, and an MBA from Case Western Reserve University.