Empowering women in ICS cybersecurity, promoting diversity and inclusion remains in focus as S4x24 takes off

As the S4x24 event in Miami South Beach draws near, professionals in OT (operational technology) and ICS (industrial control system) cybersecurity are gearing up for an immersive experience of engagement, networking, and knowledge exchange. This year’s edition is set to offer an extensive program, boasting an impressive array of speakers and thought-provoking discussions. Participants can look forward to exploring a variety of topics such as the Vulnerability Management Pavilion, S4 Prime Rooms, Women in ICS Security events, and an OT Escape Room, primarily designed to foster innovation and collaboration in the field.

The ‘Women in ICS Security Career Pathing Panel’ at S4x24 serves as a platform for empowering women in cybersecurity, promoting greater diversity and inclusion in the field of ICS security. The event showcases the voices and experiences of leading women professionals in the field of ICS security. A very popular panel at S4x23, this year it will not run concurrently with the social event and it is in a bigger room with a stage and more suited to a panel.

The panel aims to inspire and guide women pursuing careers in ICS security, a traditionally male-dominated field, to achieve success and leadership positions. The panelists also share their personal journeys, challenges faced, and strategies for overcoming gender barriers in the industry. They emphasized the importance of mentorship, networking, and continuous learning in advancing one’s career in ICS security. Moreover, the panel discussed the critical role of diversity and inclusion in strengthening cybersecurity practices and mitigating risks in ICS environments.

Through their stories and insights, the panelists highlight the diverse opportunities and pathways available in the ICS security field. They also stressed the need for women to believe in themselves, pursue their passions, and contribute their unique perspectives to drive innovation and change in the industry.

Insights on upcoming S4x24 event

Industrial Cyber connected with the panelists from the ‘Women In ICS Security Career Pathing’ to gain insights into what excites them the most about this year’s S4x24 event.

Dimple Shah, senior director for global technology and data policy at Honeywell told Industrial Cyber that as cybersecurity threats intensify in both scale and sophistication and our society becomes increasingly reliant on technology – it poses a serious risk to the safety and security of individuals, corporations and the nation, and allies as a whole. 

“I am looking forward to addressing the cyber threats being faced by critical infrastructure and what our collective community is doing to address them,” Shah added. “In particular, I look forward to discussing this topic with the Women in ICS about what they are doing to pioneer, disrupt, and diversify on this front.”

“This is my first opportunity to present at S4, and I am honored to be on the main stage. I encourage everyone to identify a topic to present and challenge themselves to bring their knowledge to the conference,” Cassie Crossley, vice president for supply chain security at Schneider Electric’s Cybersecurity & Product Security Office, told Industrial Cyber. “I’m also excited to sign copies of my new book, ‘Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware,’ which just released with O’Reilly Media. My book is for anyone wanting to learn more about software supply chain security, including the firmware and embedded software on OT devices.”

Danielle Jablanski, an OT cybersecurity strategist at Nozomi Networks, told Industrial Cyber that she is “excited to witness new announcements, innovations, and even new companies that are being launched this year at S4. It’s always an exciting time for companies, industry organizations, and the government to provide details on which direction they are taking next, what topics are most interesting, and what’s on the cutting edge.” 

She added “As I’ve shared on social media, there is an incredible amount of talent on the agenda this year, and when I made my own list of sessions I don’t want to miss, of course, I saw many brilliant friends of mine. But there are also a number of women I don’t know and cannot wait to listen to because they are wildly qualified and have interesting talks on the agenda.”

This is my first year at S4x24, Annabelle Lee, president/chief cyber security specialist at  Nevermore Security told Industrial Cyber, adding that she looks forward to seeing old colleagues and meeting new people. “Having a panel on ICS women in cyber security is a positive approach. I have mentored many individuals both men and women, and am interested in continuing to provide guidance.”

Kylie McClanahan, director of engineering at Bastazo, said that she is “most looking forward to Marita Cheng’s keynote on Wednesday. Her work is incredible, and I was thrilled to see her on the agenda.”

“It’s clear that the work women are doing to create opportunities in industrial cybersecurity is having success,” Kerry Tomlinson, a cyber news reporter for Ampere News and cybersecurity speaker, told Industrial Cyber. “This year, I’m looking forward to seeing more women at S4, sharing more ideas with an even larger group, celebrating the successes, and planning the future.”

Boosting women’s careers in ICS security

The executives highlighted the crucial elements that facilitate career advancement for women in the realm of ICS security. Furthermore, they offered insightful strategies for women aiming to forge successful careers in ICS security.

“Women historically have had a very low representation in cybersecurity and ICS, and yet we remain critical to the mission of security,” according to Shah. “As threats are global in nature, we must continue to diversify and respond to workforce needs. We must also reflect on the various perspective needs to address and ameliorate threats.” 

Shah added “We are pleased to be a part of a larger chorus of organizations around the world who work to close the gender gap by connecting and supporting women in cybersecurity. These organizations enable women to join groups, attend conferences, further their education, and explore new possibilities in cybersecurity.”

Crossley called upon women to challenge themselves to take on difficult projects and situations that extend their comfort zone. “I was terrified to speak in front of groups, but I forced myself over and over to do so, and also joined a Toastmasters group to practice and break through my fear.” 

Another key strategy for building a career in ICS is through continuous and constant learning, Crossley added. “Reading analysis reports, threat attack information, and vendor publications will give deeper insights into how things work and prepare you for different situations.”

Jablanski thinks the answer is always investing in success, adding the need to invest in people, and their professional development, whatever that means for the individual and the company. “Women learning ICS independently have many resources they can utilize, but when their company supports the time, effort, and cost, they become an even more valuable and resourceful part of your team.” 

She added that there are several layers to understanding sectors, businesses, devices, and security approaches to this field that nobody should think it’s too late to start or that the topics and their sub-specifications are too technical for them. “Start now and continue learning, piece by piece, course by course, layer by layer.”

Lee highlighted that one of the most important components of cyber security, in general, and in ICS cyber security, specifically, is to understand the operational/application environment. 

“I have worked in several different environments – law enforcement, FBI, electric sector – and it was critical to know the context for implementing cyber security. This is particularly relevant for the electric sector – where an error could result in blackouts/brownouts or injury/death to an individual,” Lee detailed. “The most critical component of ICS cyber security is to support the reliability and resiliency of the infrastructure. This may require altering the most effective ICS cyber security approach.” 

From a strategy perspective, “if you come from an IT environment – admit you are a novice and find individuals who will assist in educating you. I was told many times – OT is very different from IT,” Lee added.

McClanahan pointed out that it would be remiss not to say that the key factor for career growth is the presence of a corporate and societal culture that doesn’t punish women, non-binary, or genderfluid people for not being men. 

“However, when talking about factors that we have some level of control over, I think community is crucial. Championing others and having others (regardless of gender) who will champion you makes a huge difference,” McClanahan added. “The ICS cybersecurity community is a wonderful place, and while events like S4 are a great opportunity to meet others in the field, you don’t have to be at every event (or any event) to be a part of the community.” 

Tomlinson observed that the key factor that supports career growth for women in ICS is constant learning. “Technology and tactics change so quickly that it seems essential to carve out time in your life for reading and exploring. It’s a building block for your career — and it’s also fun! It can help to quantify that constant learning by earning a certification(s) to add to your resume.”

Empowering women in ICS cybersecurity

The executives offer expert guidance for women aspiring to excel in the field of ICS cybersecurity.

Shah said “Don’t be afraid to initiate conversations with people who are already doing the work you seek to do. Many entities are actively building their partnerships with a mission to encourage more women in technology.” 

She added that by working together on this shared mission, “we can do more quickly to realize our goal of operating with a powerhouse of diverse talent. But companies and technology-related entities won’t know you are interested also unless you put your hand up.”

Crossley said to “ask for challenging projects and tasks, without limiting yourself because of gender. Go to plants, manufacturing floors, and utilities, and find experts who are willing to share their knowledge and experience.” 

She added that she is also excited to talk with people who want to learn more, although she expects them to do their homework and learn all they can from each situation.

Jablanski said to think outside the box. “Men and women come to this field from all sorts of backgrounds, not just security and not only from core sectors that make up the list of 16 critical infrastructure sectors here in the U.S. There are so many challenges and hurdles to tackle, from rethinking the Purdue Model to the lack of centralized attack data to the legal and insurance ramifications of each and every material incident to the suggestions in the PLC programming best practices to the new standards developed for security by design.” 

She added that everyone who can think critically deserves a seat at the table if they want to work on the mission of securing the most precious resources, products, and services.

Lee said that “there will always be individuals who are more knowledgeable than you in specific technical areas, both from an ICS cyber security perspective and an application perspective. Take advantage of these individuals to expand your knowledge and understanding.” 

She also said to “be willing to feel uncomfortable in your expertise. This field is growing and changing quickly and if you feel comfortable and settled you are not growing.”

McClanahan’s advice is twofold. First, there is no shame in not knowing something, and second, look things up. “Google that acronym you don’t recognize during a conference talk, do some digging on the malware variant you hadn’t previously heard of, read the Wikipedia page for Modbus. No one is an expert in everything!”

She also added that the ability to effectively “search for information online is a legitimate skill, and one you can develop; I learned it from programming (do I need to memorize each function parameter for Python’s XML parser? I think not), but it has served me well elsewhere.”

Tomlinson said that she spoke with someone in a hiring position in industrial cybersecurity who says they look for people who are connected to security groups in some way, whether that be a B-sides or a study group or women in a security group because it’s another way to gauge a person’s commitment to the field. 

“I recommend that women — and anyone who wants to pursue industrial cybersecurity — connect with a group or groups and explore opportunities. You will likely find support, not just in your career, but also with life issues that impact your career,” Tomlinson said. “I’m a hockey player on men’s teams and have experienced similar discrimination on the ice.” 

She concluded “Being able to share those frustrations with people on the same path as you can help you put aside stress and come up with strategies to survive and improve.”