From Talk to Action: Tools for Creating Diversity in the Cybersecurity Workforce
by Erin Ptacek, Audio Engineer and Co-Founder at Starfighter.
In her article, “WANTED: Diverse Cybersecurity Workforce,” Meredith Holmes writes, “[The] United States faces a shortage of people with a particular set of advanced technical skills.” This is a great article. But what comes next? How do we get candidates from “I am interested in information security” to “I work in information security”?
There’s this paradox we all experience in our careers: you can’t get the skills without the job, and you can’t get the job without the skills. This is especially true in ‘cybersecurity’ — acquiring the skills to think like a criminal without actually committing a crime is tough. What if you could get the experience before the job? I’ve started a business to fix that.
So who am I, exactly? This is what is making this article particularly difficult to write. I read articles like Meredith’s and I feel like a complete impostor. I don’t have a Ph.D. What I do have is a lot of metaphorical scars from persisting in an industry where I’ve not always felt welcome. Hopefully it conveys something that I’m not only still here, but that I am now in a position to figure out why there aren’t more of me.
A brief history of me: I went to school for Audio Engineering. I graduated broke and homeless. After a couple of years of trying to establish a career as an audio engineer, college loan debt breathing down the back of my collar, I started working as a systems administrator. Looking back, there were some crazy moments of pure luck that pushed my career in tech forward; buy me a beer some time and I’ll tell you the whole story. In 2005, my husband started Matasano Security, and I went to work for them, unpaid. Not many people get a chance to reinvent their careers after spending 8 years as a SAHM, and I was willing to go without a salary in order to climb the ladder back up into my career. Yes, that’s not fair, but that’s not what this article is about.
Matasano experienced exactly what Meredith describes — we were struggling to hire security consultants. Candidates with impressive CVs were out of our price range. Matasano engineered a solution, which we later found out already has a name: work sample testing.
Capture the Flag Challenges
There is a growing trend in information security: “Capture The Flag” challenges (CTFs). These are games you typically play by writing code. These challenges are opportunities to acquire skills. Permission to hack on stuff without risking incarceration. CTFs are also incredible tools for outreach, which is the first phase of recruiting. And they are also work sample testing of the digital age.
Work sample testing is exactly what you think it is: the candidate does the work she would be doing on the job.
In 2013, Matasano released The Crypto Challenges and Microcorruption. The response was phenomenal. Suddenly it seemed like everyone in the universe wanted to work with us. The neatest part of all? It didn’t really matter where you were or what you were doing, professionally. You had permission to hack (free skills!), and you found out you were good at it. At least once a week, someone reaches out to me to tell me that they’ve just hired a candidate who listed The Crypto Challenges and/or Microcorruption on their resume.
So we started Starfighter. The name is inspired by the 1984 film The Last Starfighter. Our business has two parts. We write CTFs. Our CTFs are called Stockfighter.
Full disclosure: we also recruit. You sign up, solve the challenges and when you hit a certain level, we ask very nicely if you’re interested. *But only if you want us to.* We don’t pull up in a DeLorean and fly you to Rylos. I don’t want to spoil the movie if you’ve not seen it. If you have, you know why we chose the name: our goal is to get candidates as close to their dream career as we can. We think it shouldn’t matter what you’re made of or where you’re from. If you can do the work, you should get the job.
We’ve written tens of thousands of lines of code. We have tens of thousands of subscribers playing these games. But there’s a problem: there are no women, so far as I can tell. You might be wondering how I know this, because Starfighter purposely does not collect any demographic information from subscribers. I am making this assertion based on the conversions that are occurring; to wit, every subscriber who has asked us to help them find a job is male. This is due in no small part to how Starfighter has done outreach to date. I am writing this article to change that.
Build It and They May Not Come
My motivation for founding Starfighter was exactly to find the “underserved” people in technology (read: me). Starfighter is an opportunity to prove that there is no correlation between gender (or any other demographic classification) and the kind of problem solving required to secure software. Even though we are barely out of the gate, disappointment has started to nag the edges of my mind. I built it, and they did not come.
I need help. I need to learn how women hack. The three female peers I know have expressed distaste at the “zero sum” nature of hacking games. They tell me that the player vs. player nature of most CTFs makes them extremely uncomfortable. They would prefer to cooperate to build rather than pit themselves against others in what they perceive as a destructive endeavor. Lucky for me, three is a very small sample size.
So help me — are you a woman in technology who gets involved with CTFs? Have you participated in PlaidCTF, the Cryptopals Challenges, or even Stockfighter? Come talk to me, so I can learn more about making CTFs appeal to women.