Focal Point Blog

Dr. Lori DeLooze, Cyber Security Pioneer and Defensive Security Expert

Written by Buffy Ellis | Sep 11, 2018 1:17:00 PM

This interview is the fifth part of our series "The 11%: A Look at the Women Closing the Cyber Security Gender Gap." This series takes an in-depth look at the variety of roles women play in the field of cyber security and the ways they're changing the industry. Check out the whole series here

In the early 1980s, programming and computing were viewed by many as administrative work. In the military, early computing tasks were often assigned to servicewomen who were prohibited from serving in combat roles. It’s perhaps no surprise, then, that the first generation of programming experts was largely comprised of women.

Many of these women, including Dr. Lori DeLooze, went on to have long and influential careers as pioneers in the new fields of cyber security, computer programming, and machine learning.

Dr. DeLooze joined the Navy in 1985, and as a brand-new ensign, she was assigned to build databases on the new computers that Rear Admiral Grace Hopper was distributing to Navy bases around the world. While these early projects were viewed by some as administrative tasks, Dr. DeLooze and her team saw it as an opportunity to learn everything they could about computing.

Her early interest in computing took her down a career path she never could have expected. As one of a very small group of people within the Navy with computing experience, she was soon assigned to high-profile projects and teams that were in desperate need of computing skills. In the 1990s, Dr. DeLooze joined Naval Space Command and then the U.S. Space Command. Later, she became part of the first team assigned to the military’s new cyber security program.

Dr. DeLooze went on to earn her doctorate, penning a dissertation on computer security and machine learning, and became a professor at the U.S. Naval Academy. Today, she is a Cyber Security Instructor at Focal Point Academy, specializing in programming and cyber security courses.

Dr. DeLooze sat down with her long-time friend and colleague, Buffy Ellis, General Manager of Focal Point Academy, to give us a first-hand look at the early years of computer science and cyber security and what she sees as the future of cyber security.

Buffy Ellis (BE): You and I both come from military backgrounds and have probably had some similar experiences. When I was in the Army, there over 300 soldiers in my last battalion and only a handful were women. That was fairly consistent throughout my Army career.

Lori DeLooze (LD): Well, yes and no for me. I joined the Navy in 1985, running a computer facility for the Secretary of the Navy here in D.C. I had six programmers, and four of them were women. Back then, we also had to have someone running the microcomputer during both the day shift and the night shift, and one of those was also a woman. So more than half of my staff were women.

But during the dot-com bubble in the 1990s, men suddenly thought, “Oh, this computer stuff is pretty cool,” and started flooding the field. Within this very competitive environment, it became expected that you would put in more and more time. If you were already working full time, you were expected to put in over 60 hours a week, but you also had kids and other obligations, so a lot of women decided IT was not the way they wanted to go. There was this sort of mass exodus of women from IT in the early ‘90s.

BE: Let’s go back and talk about when you first encountered computing. Was that a conscious choice?

LD: I joined the Navy in 1985, in the middle of a recession, similar to what we went through in 2008. People were graduating with no job prospects. I had a degree in chemistry, but I didn’t really like it. I grew up in Hawaii, and I worked at Pearl Harbor for a few summers. So, I went to the Navy recruiter and they said, “Great! You’re in!”

There were jobs in the Navy, but there was a whole range of jobs that weren’t available to women. You couldn’t go on a ship and you couldn’t fly a plane, because those were combat positions. If you wanted to and had really good eyes, you could probably fly a tanker and deliver goods or gas. You were limited to what we called “Shore Station Management.” You were able to do recruiting, communication station management, and that sort of thing.

I ended up working in D.C. as a brand-new ensign. In 1985, Admiral [Grace] Hopper had just negotiated this deal for the Zenith 248, so we had hundreds of thousands of these computers being distributed throughout the Navy, and somebody had to work on them. You had these captains and commanders who have these brand-new personal computers that are generating emails, and they don’t want anything to do with them, so they delegated the use and management of them to women. “Brand-new Ensign, you’re in charge!” It was a good time to be an ensign in the D.C. area, because otherwise you’d be making coffee.

Before computers, organizing and ranking the promotion-eligible officers was time consuming and painstaking.  Leveraging computing, we created a database for all the captains and commanders who were being promoted and dramatically reduced the time it took to analyze and decide who to promote. It was all automated. They had a database that had all these records. That’s when computers became a valuable tool for a job. People were doing their jobs better because they had a computer.

BE: After that experience, where did you go next?

LD: I really liked computing, but I was trying to get a different type of job. I got an MBA in management of science, technology, and innovation at George Washington. About the time I was ready to get out of the Navy they asked if I would be interested in going to Navy post-graduate school. With a degree in chemistry, I had the science background required, so I was offered one of a limited number of slots in this space-systems engineering curriculum. Out of 30 people in the program, there was only one other woman. I said yes and ended up with a degree in computer science in the space-systems engineering field.

From there, I ended up at Naval Space Command and then eventually at U.S. Space Command. In the late ‘90s, President Clinton decided that we needed someone to protect our infrastructure for the military. Who could do it? Space Command could do it. I was one of the few people with a computer background, so I shifted from computers supporting space to computers supporting cyber security.

"Out of 30 people in the program, there was only one other woman. I said yes and ended up with a degree in computer science in the space-systems engineering field."

BE: You eventually left Space Command and ended up in the Naval Academy as a professor. What were the steps in between?

LD: Actually, it was a pretty fast transition. I was at U.S. Space Command working on cyber stuff. Because we didn’t have a lot of background, I started taking classes, working on my PhD in computer security. I eventually ended up doing a dissertation on computer security and machine learning and automating the process of intrusion detection.

At this point, I had taken about five years’ worth of classes and was one of a very small group of women with a background in information technology. The Naval Academy was starting a brand-new program in information technology, and they had this opening. They decided they needed someone with a very specific background and asked who could fill it. So, they went into that database we talked about earlier and discovered there was just one person who had that background: me!

Admiral Mayo, who was in charge of the cyber security/computer automation in the Navy at that time, was responsible for filling that role. He was on our base the afternoon that question was asked. I had about 20 minutes to make my way over in a snowstorm in Colorado Springs to talk to Admiral Mayo. We had a nice conversation, and they offered me the job. I had 10 days to get to Maryland/D.C.

The transition was so fast because there was this push from the industry advisors. They said we couldn’t wait for people who are graduating from the Naval Academy to become the first in IT and security. We needed to start training them immediately – as in the next semester, which was starting in two weeks. That was 2003, and we graduated the first group in 2005.

BE: And today, you’re teaching again as cyber security instructor. Can you tell us what you’re focusing on now?

LD: I specialize in computing and programming. I teach all Focal Point’s programming classes, so C, Python, and Java, etc. I always try to find strong examples and scenarios that tie cyber security into general programming classes. Most people know they need to have to have it, but they’re not sure how to incorporate cyber security. My courses demonstrate the overlap between cyber security and programming, not the idea that cyber security is a layer over top of programming. Security needs to be incorporated, so why not talk about it from the very beginning? I am creating courses that use programming to introduce cyber security.

BE: I want to go back to your whole progression. Along the way, did you have any role models or mentors that helped you or pushed you in certain directions?

LD: Well, let’s start with Admiral Hopper. Everyone knew who she was, and everyone admired her and her background. In my initial position, I would say she was my role model.

When I got to Naval Space command, there was a man who was in charge of the organization: Admiral Herbert Brown. He had been the commanding officer on the George Washington before he came there, and he had absolutely no space background at all, but he knew how to manage and lead people.

During the time I was there, Space Command’s mission transitioned from focusing on space stuff to being better at getting information down to the war fighter. We had space-based information being held in an intel community, and we had people on the ground dying because they didn’t have the information during Desert Storm/Desert Shield. Admiral Brown’s responsibility was to get that information from spaced-based assets down to the war fighter and computers were the obvious answer.

He didn’t care if you were a male or a female, a new recruit or a commander – if you had information he could use, he would use it. He was a good role model.

BE: In addition to these role models, did you have anyone that was a mentor, that provided a dialogue of support?

LD: When I was at the Naval Academy, there was Captain Lindsey Moran, who had initially been brought in to start a specific IT program. She was told, “Bring this online, and bring it online quickly.” She had a doctorate in computer science, but it didn’t matter to her how young you were or how inexperienced you were, she was more than willing to try something new, because we were all trying something new. She was also willing to admit that she didn’t know the answer and ask around.

BE: To me, that has been a key characteristic to success in this field – a willingness to admit you don’t know.

LD: It’s not realistic for you to know everything. The term “cyber” encompasses so much that there is no way you can actually be an expert in cyber. It isn’t humanly possible. But you have to understand the realm of the possible. You don’t have to understand the details, but you have to understand it is possible for something to happen. If you stay on one side, you can get deeper and deeper.

"It didn’t matter to her how young you were or how inexperienced you were, she was more than willing to try something new .... She was also willing to admit that she didn’t know the answer and ask around."

BE: It is impossible to keep up with it all, so what areas in particular draw your interest and how do you keep up with those areas?

LD: I have given up on being involved in the offensive side of cyber security in any way. My career in the Navy, and everything since then, has all been defensive. Even though I like the idea of being able to do penetration testing and hacking into other people’s machines as part of an exercise, I don’t have the skillsets and I don’t have the time to develop those. I’m going to stay on the defensive side.

But I do try to understand the realm of the possible. If I’m on the defensive side, I need to know what is possible on the offensive side. I may not know the tools and techniques, but I know someone could do it, and that’s all I need to know.

BE: Looking at defensive techniques, are there certain resources that you draw from to keep up to date with what’s going on?

LD: As an example, we teach a class on intrusion detection systems, and it focuses on one tool, but there are other tools out there. How do I stay current with all these? I read a lot and I play a lot. I bought this little Intel NUC machine and a dual monitor set-up, and I have created this little environment where I play with defense and attack. I don’t know how to do the attack stuff, so most of that is me watching YouTube videos to see how to do stuff, and then testing how I can defend against this technique and doing little experiments.

BE: When you reflect back on your career, what did you most enjoy and what personal characteristics and aptitudes do you think equipped you for it?

LD: There were two jobs that I absolutely loved. The first was at Naval Space Command under Admiral Brown. We were tasked with doing things for research and development, and we had to get something out into the field in 18 months. At that point, we had no budget and it was super-secret. We were doing amazing things, because there was no one telling us we couldn’t. The attitude was “If it works – great! If it doesn’t – we’ll try something else.” But we had this mandate that in 18 months, we had to solve this problem, and that was fun because it was like solving a puzzle and it was always a challenge.

Teaching is another one. I started out at the Naval Academy, and I absolutely loved being in the classroom. But I did not like writing papers or grading tests or having to actually tell a student, “I’m sorry, but you earned a D.” I didn’t like that part of it, because it felt like it reflected on me. But I like teaching and trying to get someone passionate about computer security or databases or whatever the topic is.

"Teaching actually folds nicely into that love of problem solving .... You have to find a better way to get through to people. The puzzle pieces are a little different, but you’re still solving a problem."

BE: What you enjoyed was instilling your passion in others. Your point about puzzle-solving is something I have heard over and over again. People that excel in cyber security or computers in general tend to be people who are persistent problem solvers. They like puzzles. They’re the person who stays up late at night finding the last piece rather than the person who leaves it on the table and walks away because they’re frustrated.

LD: And teaching actually folds nicely into that love of problem solving. In some cases, you have to find a better way to get through to people. And the technology is constantly changing. We may not see a particular thing anymore, and we have to update materials and make changes. The puzzle pieces are a little different, but you’re still solving a problem.

BE: So now you’re outside of the government and the military and are looking more at the commercial realm as a cyber security instructor. What things do you see in the industry?

LD: This may not be a popular opinion, but if you look at history, you see these waves. Back in the ‘80s, you automated your processes and that was a differentiator. You had computers, so you could do things faster and better. But then eventually, everyone had computers. It became a normal way of processing things. And now we’re getting that way with cyber security.

There is a wave of people who differentiate themselves by being more secure or having a better focus on cyber security. Eventually it’s just going to be something that is incorporated into normal IT. Whether it’s done through technology or training, somehow security is going to be built in. It might be that kindergarteners are going to be trained from the beginning about how to be good users, but somewhere down the line, cyber security will stop being a special field and just a part of how we do business.

BE: You came to cyber security over a long career, but now it’s a choice even in high school or middle school. My son was given cyber security as a high school specialization option. What would you say to young people considering a job in the field?

LD: It’s funny you mentioned your son. I have a close friend who has a 15-year-old son who went through the same thing. The reason he was interested in computing was because he plays video games. He was super excited because he thought there was a way to hack the games he was playing, and he wanted to learn how to do that.

I think you’re going to get a lot of people in cyber security because they come from a background where they feel comfortable with computers because they’ve used them since they were little.

BE: For my son, it started with creating a chat server for all of his friends to talk among themselves while they played the game. But both of these examples are teenage boys who game. What about young women?

LD: There’s a program out there called Girls Who Code. Their idea is obviously girls can do this, but they’re doing it for different reasons. Instead of gaming, they’ll teach girls to do things like build pieces of code that generate 3D beads. It’s the same stuff but focused more on what girls are interested in at that age and equipping them with skills that they can bring into the workplace.

BE: We talked to LaTonya, who you know, and she was doing a coding camp for kids in D.C. and was giving them relatable problems. They asked them to identify a problem in their environment like what the cafeteria served for lunch. I think this is an area where women in computing need to step up. We need to identify interesting problems that young women can relate to that draw their interest. There is a very human element to computing; you’re solving problems for people.

LD: And I think women are better at getting what those problems are. She was asking them, “What is a problem that you need to solve?” I think women are better at identifying those problems and solutions. Women want to dig into the details and see how things are connected. They want to go deeper and broader.

BE: What advice would you give to that next generation as they enter the workforce and consider cyber security as a career?

LD: I think it probably comes down to what we’ve been talking about: people. Technology is easy, and it’s always been easier than the people part. The part that women especially are going to bring in is being an analyst, rather than a programmer. Find out what the problem is and look at all the solutions that might work. Women are better at doing that. They’re better at exercising their soft skills.

Some people might not agree with this, but it is actually a better skill to have than technical skills. I can teach a 12-year-old how to program, but I can’t teach a 12-year-old how to bring people together to discuss requirements and to put things together in a meaningful way.

So, don’t think computers are going to solve all your problems. Don’t make everything programmatic. You do need people. People have to make the decisions. In the military, we often find this out the hard way. We try to automate everything, and then something goes haywire. There are missiles that get fired because something was in the airspace, and there was an automated rule that says if something is in the airspace, you must fire at it. You can do the same thing in the cyber world. Make sure people are actually making those decisions.

"Don’t think computers are going to solve all your problems. Don’t make everything programmatic. You do need people."

BE: Thank you so much for sitting down with us today! Are there any parting thoughts you want to share?

LD: Just that I hope there will be more women in the field in the next few years.