Marcia Cole: Think Like a Criminal

You can learn a lot about the Technological Leadership Institute by talking to its alumni, faculty and program fellows. Marcia Cole happens to be all three.

She was named the new fellow for TLI’s Security Technologies (ST) program earlier this month. She replaces Patria Lawton, who recently stepped into the Director of Graduate Services role. 

Cole is well-suited to the new position, having worked in the ST field for two decades before enrolling in TLI’s program in 2015. She is an information security advocate with a long history of implementing information security management systems as well as helping organizations navigate regulatory audits. She currently works as a consultant, designing security and governance practices in the corporate sector.

We talked to her about her background, experiences and what she hopes to accomplish with the ST program going forward.

Q: What sort of work were you doing before entering the TLI program?

A: I was at 3M after my undergrad work, and that was an amazing experience. I worked in the electromechanical resource division. They sent us out to fill out groups that needed particular expertise in something. So I was the person that brought the electromechanical piece, having learned how to build power supplies and things like that. They also instilled in me their mantra, “do it right the first time” – get everything you need to be successful, ask for it, lobby for it, take the time that you need to make this product or fill this idea out so that when it's realized it's working, effective and safe.

Q: You stepped back from full-time work when your kids came along. What sort of work were you doing during that time?

A: That was when I got really interested in product development. Not only software, but in the tangible world as well, the safety and security around that. One early product I worked on was a manufacturing machine that was about to be sent out, built so that a person could get in it and turn it in different directions. It was like a ride, and it was one of the things I pointed out to the developers that this is not safe. You need to put some kind of a cage around it, because the first thing employees are going to want to do is get in it and spin around in it. I knew I couldn’t be the only one that's going to think of this.

The same was true with security testing. I picked up pretty quickly that the integration points in software development are where you find issues and problems, where leakage is going to occur. So I guess it's kind of my personality, looking for vulnerabilities. I’m pretty good at thinking like a criminal.

Q: What do you hope to accomplish in your new role as ST fellow?

A: We need to continue one big thing we’re doing now – promote recruiting a diverse body of students, and find funding to defray some of the costs. It's an expensive program, and more comprehensive than a cyber bootcamp. We’re short about 300,000 security technologies professionals in this country alone. So we really need to create more opportunities for people to take a cybersecurity minor or security technologies like a certificate program and get more people out doing the work.

Another thing that I’ll be doing is a curriculum revision to make sure that the curriculum reflects what's really happening out there now. Typically you don't have to update your materials more than once every three years at a university. But when we talk about emerging technologies and certainly artificial intelligence, every three years isn’t often enough. We have to make sure that we are ahead of the curve in regards to the curriculum that we're putting out there for people.

Q: Talking about the 300,000 jobs that we need to fill, what do those jobs look like?

A: There’s a need for people in all kinds of areas: threat intelligence, training AI, training people, risk management, writing policies and procedures, audit and compliance, ethical hacking, vulnerability testing, cybersecurity forensics, application security.

One of the things that AI and other machine learning tools can't do is triage incoming threat detection signals and information. That really has to be observed by humans. Intrusion detection systems are going to catch some things that are coming into your network, but you need humans acting as security triage analysts to look for anomalies. Right now, there are a number of organizations like Arctic Wolf that provide a concierge service to do that. So they hire many, many, many security analysts to do that. For other companies, it would be beneficial for the organizations to have those people in-house.

Q: What would you say is going to be the next big frontier in ST? Will that be AI?

A: AI has been in the news a lot, and it's news that is very scary to people. I think what people don't understand, especially those that are fearful, is that it's been around for a long time.

What's different now is that it is available to anyone. These tools are largely free, and available on platforms that make it easy to cause mischief – for example, creating deep fake videos of Joe Biden saying he's not going to run this year.

That is going to be a real problem because so many people will believe exactly what's fed to them and will never question it. I'm thinking about absolutely every technology that's come out, the policy lags behind. And so that's something that we really need to work on, getting the policies in place, the consequences in place, and then technological controls because I don't know that we can trust humans to control themselves when it comes to some of these new tools.

In the medium term, AI and machine learning will be used to both defend and attack systems in our interconnected digital world. The attack surface will grow exponentially as we continue to connect more devices and industrial control systems through IoT platforms. We'll also need to develop quantum-resistant cryptography to protect the encryption methods used now. And securing essential systems in our critical infrastructure against cyber attacks will require global collaboration between governments and the private sector.

Q: So is that the internet of things gone berserk, or is that just the internet of things that people were imagining 10 years ago?

A: I think it's both. Have you read any Kurt Vonnegut?

Q: Sure.

A: In his novel Cat’s Cradle, he’s talking about Ice-nine, where they would drop that chemical into water someplace in the world and that all the water was connected absolutely everywhere, and at some point it would all be crystallized. Same thing with the internet. The only place that we're really excluded right now is China and North Korea, because they contain and isolate their internet infrastructure.

Q: What do you see as long-term threats in the tech world?

A: Looking farther out – probably off planet? We’re looking at the prospect of communities and developments being built in Earth orbit, on nearby planets and perhaps even asteroids for mining. I think there's going to be a lot of work that will be done off of our planet relatively soon, and I think we need to be ready.

As technology goes to new places, it inevitably becomes a new target and security isn't always at the top of everyone’s mind. You have to build security and quality into products and processes. Doing it afterwards, after something's happened, is a really poor core strategy.