Category: FAQ

  • Are there non-Berkeley skills tools available to me?

    There are many options available for technical training. Here are a few suggestions.

    • TryHackMe has excellent labs to build skills.
    • JetBrains offers free access to its coding and other teaching modules to those who have a university email account.
    • The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training to U.S. government employees, Federal contractors, and veterans. There are free courses available to the public here as well.
    • Many boutique services now focus on hands-on challenges: Hack The Box for penetration testing, and the Cryptopals Crypto Challenges for applied cryptography (implementing and then breaking real-world constructions). There is also a vibrant “capture the flag” community tracked here.
    • Services such as Immersive Labs offer simulations to show off your skills, and often give access to a demo test.
  • Is there a place for me in the cybersecurity field?

    We hear this question regularly and we are certain that many other students don’t even ask because they do not see cybersecurity as a field with a place for them. The answer is yes! There is a place for you. At the same time, a number of barriers can make the cybersecurity field unwelcoming to some.  We are devoted to identifying these barriers, understanding them, and helping erode them. 

    Surveys of the field show that women occupy somewhere between 11–24% of cybersecurity positions. Women are paid less than men in similar positions. Minorities are also underrepresented in cybersecurity, and tend to occupy non-managerial positions, leading to lower pay.

    Barriers are also imposed by historical concepts of “security,” and how they have translated into the practice of security. Security is not evenly distributed. As a society, we have prioritized and invested in some individuals’ and groups’ security over others. At worst, security can be a mechanism to enforce class, racial, or gender-based divisions. Racial profiling is an example of policy that unfairly distributes security, where the privacy and security expectations of one group of people leads to police attention being focused on other groups. This shields one group from police attention, in effect granting it a kind of privacy; it also focuses that attention against the less powerful group, leaving it insecure against unjustified suspicion.

    Ultimately, we end up with worse security because of the field’s lack of diversity. Racial profiling again is an illustrative example. While it results in over-policing of targeted groups, it does not necessarily improve security by reducing crime. But both the over-policing and the ineffectiveness are less likely to be predicted by a non-diverse group developing goals and practices than by a diverse group. And these problems are less likely to be observed in practice if oversight is handled by a non-diverse group lacking relevant experience or perspective. Developing effective security goals and practices requires the input of all affected people. 

    To address this problem, we need to understand why the field can be unfriendly to women and minorities. There are a number of structural causes underlying barriers to women and minorities. One, elucidated by Berkeley alum Ashwin Mathew, relates to how knowledge spreads in cybersecurity. Cybersecurity experts tend to network in small, in-person networks, and these are difficult for women and minorities to enter.

    More generally, STEM fields and the military itself, both prime contributors to the cybersecurity field, are male-dominated. Silicon Valley’s decades-long history of discounting diversity efforts set the stage for today’s lack of women and minorities in technology. For instance, for decades Lockheed was Silicon Valley’s largest employer, yet it did little affirmatively to address diversity. Even after the passage of equal employment laws, Lockheed was 85% male and had only 10% Latino, Asian, and Black workers, according to Margaret O’Mara.

    Thankfully, efforts to erode these barriers are ongoing and growing. We have pointed to resources in this FAQ that provide opportunities for women and underrepresented minorities in cybersecurity. Some of these include Women in Cybersecurity, the International Consortium of Minority Cybersecurity Professionals (offering mentoring, scholarship, and career support), SANS Institute Diversity Cyber Academy (offers training and certifications to minorities and women at no cost), and The Diana Initiative. Sourcelist now provides its women+ database with a list of experts in cybersecurity and other technical fields.

    There are also steps you can take to erode these barriers. For instance, consider offering your services and expertise to a group that needs security help. Many organizations have relatively low levels of security expertise. Thus, for instance, if you know how to implement 2FA, many small businesses and nonprofits could use your skills. CLTC has explored this avenue in Improving Cybersecurity Awareness in Underserved Populations.

    Focusing your research on underrepresented groups is another approach. University of Toronto’s Citizen Lab stands out as a model for thoughtful, inclusive research. Data & Society, a group started by Berkeley alum danah boyd, has made digital fairness a key focus. At the law school, Professor Khiara Bridges wrote a book detailing the class dynamics of privacy.

  • How can I network in cybersecurity in the Bay Area?

    WISP: Women in Security & Privacy has many Berkeley alumnae and provides meaningful mentoring opportunities and interesting programming.

    The Mozilla Foundation has a major commitment to privacy and security of its users, and sponsors a mailing list of privacy events.

    The Bay Area chapter of the Open Web Application Security Project (OWASP) organizes meetups.

    SF Legal Hackers is a global movement of lawyers, policymakers, technologists, and academics who explore and develop creative solutions to some of the most pressing issues at the intersection of law and technology.

  • What Bay Area events are relevant to cybersecurity?

    San Francisco is home to one of the biggest industry conferences on cybersecurity: RSA. This is a massive event that is great for networking, and it has a student event known as College Day. We regularly receive free RSA passes for enrolled students, so check in with us about it. CLTC also maintains an RSA presence and has passes for the event. Note: Many professional groups (e.g. WISP) offer scholarships for students to attend some of the conferences listed below.

    Security BSides is typically scheduled around RSA, and offers a more intimate look at academic/commercial work in cybersecurity. Discounted student passes are also available. 

    The Women in Tech Symposium is an annual conference focusing on the experiences of women in a particular technology field; the 2019 event was focused on cybersecurity and the proceedings are online here.

    Day of Shecurity is a one-day event advocating the inclusion of women & diversification of cybersecurity.

    The IEEE Computer Society’s Technical Committee on Security and Privacy hosts the annual Symposium on Security and Privacy (IEEE S&P, long held in Oakland and now in San Francisco), which is among the leading academic events in security. Its peer venues are ACM CCS (http://www.acm.org/sigsac/ccs.html) and NDSS (https://www.ndss-symposium.org/).

    PEPR (USENIX Conference on Privacy Engineering Practice and Respect) is held annually in Santa Clara.

    Be sure to sign up for the Berkeley Center for Law & Technology’s lunch talks and other events, as well as the Center for Long Term Cybersecurity’s events.

    Other Conferences outside of the Bay Area: 

  • I want to develop or improve my technical skills. What should I focus on?

    Work in privacy and cybersecurity can result in many different responsibilities–from leadership to compliance, to a focus on particular hardware or software. One cannot predict these responsibilities and so we recommend that you focus on basic skills that have utility in almost any environment. It’s important to know that colleges and universities don’t typically teach computer skills in an explicit way. Here we identify six priorities and below list a few campus resources to pursue them on your own:

    1. Learn how to use the command line. Under the hood of all computers is a powerful tool that most computer users never use–the command line (a Unix shell such as Bash on Linux and macOS, or PowerShell on Windows)! Anyone can learn how to write basic shell scripts and you’ll find that these can accomplish your goals quickly. Once you learn shell, you’ll wonder how you got along without it.
    2. Learn Python. As a high-level language, Python has taken over many development environments, and so learning it will be transferable to different careers. 
    3. Learn graduate-school-level statistics. Statistics forms the core of cutting edge security and privacy analyses. As a cybersecurity expert, you will use statistics for many functions, from assessing risk, to deciding what threats to make a priority, to deciding whether datasets of personal information are identifiable.
    4. Learn about networking. Employers report that the greatest skills gap surrounds knowledge of basic networking principles: how TCP/IP works, how the different layers of the internet interact, and how to use networking tools such as Wireshark.
    5. Take a course on penetration testing. Learning penetration testing helps one think like an attacker. Experts in cybersecurity need not only keep complex systems running; these systems have to run in the presence of wily attackers who try to make them fail. Learning “pentesting” is a good way to develop the skills and instincts that adversaries have. Pen testing also teaches that offensive and defensive skills overlap and are sometimes identical. Thus intent, and issues such as whether one has obtained adequate authorization (written consent and a defined scope) and documented the work, really matter.
    6. Demonstrate your skills. Increasingly, employers require applicants to perform some kind of simulation as part of the screening process.
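    Items 2 and 4 above (Python and networking) come together in the kind of exercise a beginner can actually run. The following is an added example, not part of the original FAQ: it decodes a single Ethernet/IPv4/TCP frame by hand, which shows concretely how the layers nest (Ethernet wraps IP, IP wraps TCP) and why a parser must check header lengths from the packet before trusting them. The frame bytes are constructed inline for the example, not captured from a network, and all function names are ours.

```python
"""Hand-decode an Ethernet II / IPv4 / TCP frame to see how the layers nest.

Added example for this FAQ; the sample frame below is constructed, not captured.
"""
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words.
    Over a header that already contains a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed sample: a TCP SYN from 10.0.0.5:40000 to 10.0.0.9:443."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    # TCP: sport, dport, seq, ack, data-offset/flags, window, checksum, urgent ptr
    data_offset = 5 << 12                   # 20-byte header, no options
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, data_offset | 0x02, 65535, 0, 0)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto(6=TCP), csum, src, dst
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                             64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    return eth + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Peel the layers off one at a time, validating each length field before
    using it to slice; a parser that trusts IHL or total length blindly is a
    classic source of out-of-bounds reads."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % ethertype)

    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, saddr, daddr) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")

    result = {
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": ".".join(str(b) for b in saddr),
        "dst_ip": ".".join(str(b) for b in daddr),
        "ttl": ttl, "proto": proto,
    }
    if proto == 6:                          # TCP rides inside the IP payload
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            raise ValueError("short TCP header")
        sport, dport, seq, ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
        tcp_hlen = (off_flags >> 12) * 4
        if tcp_hlen < 20 or tcp_hlen > len(tcp):
            raise ValueError("bad TCP data offset")
        result["tcp"] = {
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
            "payload_len": len(tcp) - tcp_hlen,
        }
    return result


if __name__ == "__main__":
    print(parse_frame(build_sample_frame()))
```

    Run it, then open the same frame in Wireshark (File > Import from Hex Dump) and compare the dissector’s view with the dictionary above; corrupting one byte of the IP header in the sample (for example the TTL) makes the checksum check reject it, which is exactly the kind of invariant a real parser relies on.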
  • What opportunities are there to learn about machine learning and cybersecurity?

    Machine learning, sometimes called “AI,” is at the cutting edge of cybersecurity research. The fundamentals of machine learning are in statistics, and knowledge of Python is generally necessary to use machine learning. Thus, focus on Python and statistics first.

    There are exciting research opportunities on campus exploring machine learning from several lenses. One is in the security of machine learning itself, known as adversarial machine learning, a field explored by Professor Dawn Song and the late Doug Tygar. For instance, how might attackers fool computer vision to cause, let’s say, a traffic accident? Another explored by Professor Raluca Ada Popa in the  RISELab is secure collaborative learning, an approach that enables ML and knowledge discovery on data without transferring it to others.

    The other approach, AI for security, is the subject of much hype and even companies deploying “Pseudo-AI”–companies that use AI as a marketing term but that rarely actually employ the technology. One notable exception is in anti-virus software, which has enough data to routinely use machine learning to spot variants of existing malware.

  • How should I make sense of all these security certifications?

    Security and privacy certifications do have value, but one has to be smart about them. Certifications have two primary sources of value: first, they signal your interest and commitment to a field. That signal can move your resume into the right pile. Second, some certifications also signal expertise in specific skillsets, but these are variable in quality and may be inapt for the career you want.

    One must choose carefully and this is difficult because there are many security certifications. This visualization plots over 300 certifications.

    Here’s a process for considering certifications:

    • Find people on LinkedIn who have the kind of career you want to pursue. Check whether they (or their direct reports) have certifications in privacy or security.
    • In your job search, how many job announcements explicitly list the certification you are considering?
    • From a straightforward economic perspective, one could simply compare the number of certificate holders with the number of jobs that seek that certificate. NIST’s Cyberseek presents this ratio with respect to CompTIA, GIAC, IAPP, and other popular certifications. 

    Economics matter too. Certifications typically require an upfront enrollment fee and some kind of maintenance cost. Furthermore, you might have to take certification-specific training, because academic courses tend to focus on theory rather than praxis. Keep in mind that IAPP’s very popular certifications (CIPP/US, CIPP/E, CIPM or CIPT) are available at a substantial discount through the Privacy Pathways program. Berkeley is a member of the program. In 2020, the fee for Berkeley community members is  $140.

  • What research and grant funding is available?

    As a member of the Berkeley community, you can access ProQuest Pivot, which we have found to be the most comprehensive, one-stop-shop for finding funding. 

    Closer to home, remember that the CLTC (Cal Cybersecurity Research Fellowship, Annual RFP), CTSP (CTSP Research Fellows) and UC Berkeley Big Ideas Contest are regular supporters of research here.

  • How can I become familiar with the academic literature in cybersecurity?

    The academic literature in cybersecurity is vast because it can be found in so many disciplines, from law to computer science to international relations and economics. Here are some starting points:

    First, searching for “cybersecurity” might be too narrow. You may need to use terms such as “privacy.”

    For searching the legal field, the SSRN Information Privacy Law eJournal is a great place to start. It archives thousands of articles in the field. Also check out the Cybersecurity, Data Privacy & eDiscovery eJournal. Note that articles on SSRN are often drafts (think ArXiv), and tend to be on the recent end. Historical articles are available in legal databases.

    For computer science, the most relevant places to start are the ACM Digital Library (cybersecurity literature can appear in many venues–ACM SIGCHI, SOUPS, S&P, USENIX, CSCW, UbiComp, ACM Transactions on Privacy and Security, TOCHI, WEIS, PETS, WWW, USEC, ACM DIS) and IEEE Xplore. We’re fans of IEEE’s Security & Privacy Magazine.

    In other scholarly domains, cybersecurity-relevant literature can appear in so many different journals that we think the best places to start are Google Scholar and JSTOR.

    Some of the most interesting cybersecurity researchers post substantive information on Twitter.