Original Interview in November 2022
This interview was conducted by Abby Sonnier, Policy Analyst at Consortium Networks.
Dr. Melissa K. Griffith is a Lecturer in Technology and National Security at Johns Hopkins University School of Advanced International Studies’ (SAIS) Alperovitch Institute for Cybersecurity Studies as well as a Non-Resident Research Fellow at the University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC). She works at the intersection between technology and national security with a specialization in cybersecurity, semiconductors, and 5G networks with a focus on national risk and resilience models.
Griffith’s book project investigates how relatively small countries, with limited resources, have become significant providers of national cyber-defense for their populations. Her work sheds important light on the components and dynamics of cyber power and cyber conflict, as well as the vital role that public-private cooperation and both security and economic policy play in cyber-defense. Concurrent research projects examine (1) the security implications of 5G; (2) collective defense and resilience in cyberspace; (3) emerging technologies and great power competition; and (4) power and smaller states in international politics.
Griffith holds a Ph.D. in Political Science from the University of California, Berkeley (2020); an M.A. in Political Science from the University of California, Berkeley (2014); and a B.A. in International Relations from Agnes Scott College (2011). She was an English Teaching Assistant with the Fulbright Program from 2012-2013..
What brought you to cybersecurity?
For me, it was twofold. There were two things I was really interested in. I was completing a PhD in Berkeley, at the University of California- Berkeley, in the heart of Silicon Valley, and came in with a national security focus and saw this disjuncture between traditional ways of approaching national security and what cybersecurity would require from countries. This moment led to a lot of conversation within the tech sector and throughout society about how to work with industry on these issues. There was also a question of how this changes when states compete and how existing structures and academic theory fit into the space.
So this is the first factor that led me to cybersecurity– there was an academically interesting topic. The second was being very interested in policy and seeing this incredible window of opportunity for the United States and countries like the United States to get the policy problem right.
I was seeing these conversations being held in real time and thinking that we could get better clarity on some of these problems and do more research into some of the causes and policy processes that can address the issues in order to get the policy decisions right.
It was this disjuncture in what I saw in scholarship and the window of opportunity for policy that made it a lively spot to intersect at that moment that led me here.
Do you think it’s a different experience being on the policy-oriented side rather than the technical side?
Yes. I think there are a couple things that set them apart. When I was starting my PhD in political science, there wasn’t a lot of interest of support for people in the social sciences or policy fields to study cybersecurity and work on these topics because it was seen as a technical problem. If that was what you wanted to do, you worked in industry or were studying computer science or, maybe, business school– you weren’t a social scientist in these areas.
This has changed quite a bit over time in terms of recognizing that the vast majority of problems are not just technical but also require tactical, strategic, and operational decisions. They’re about states and how they position themselves and how they work with their industry and the ways in which they give power to agencies. It’s about these states’ preferences and risk tolerance as they engage with other countries. It’s about how countries cooperate and how they manage their markets. All of these things are political science and national security questions as much as they are technical questions.
When I first started out, the aperture was if you want to do this, go into a different field. Now, these questions are increasingly paramount to the conversations we’re having and they require a different skill set. They require the ability to explain and understand situations from a 10,000 feet, 30,000 feet, and 60,000 feet view. It is necessary to understand a situation from the technical, operational, and strategic point of view in order to best inform strategy and policy.
Do you think we have a communication gap? Is there a better way to communicate this need for non-technical people in the space?
I think that while there is a bit of a communication gap, the bigger issue is knowing the diversity of what is available in the space. When I get questions from people wanting to pivot to a career in cybersecurity, they often ask what their options are. My first question is always “what are you interested in?” because the answer is different based on if someone is coming from a national defense perspective or someone interested in governance or in business risk or underrepresented communities like small-to-medium businesses or a hands-on-keyboard view. These are all going to lead to very different career spaces from very technical to much more social science backgrounds.
In this, it’s less of a communication gap in the sense that we aren’t articulating the opportunities available and more of an issue that when people hear cybersecurity they immediately think of the hands-on-keyboard roles. With the ubiquity of technology, everything you work on has a cybersecurity component to it, whether you recognize it or not. You could be working in insurance or law or acquisitions and cybersecurity will be relevant to you. If you are thinking about how countries think about risk or how businesses make resourcing decisions, cybersecurity is relevant to you. Cybersecurity is truly horizontal and is in all spaces.
Is there a person or problem that inspires you most in the space?
I would have to say people a bit more broadly. When I first started, particularly as a social scientist, there was a real feeling that you were very alone trying to enter into this field and what has been most heartening and inspiring to me is how radically that has changed over the last ten years. When you look at the field, far more positions are opening up and far more people are doing really interesting social science academic work from junior to senior levels. There is also an increasingly welcoming public sector towards the academic world which has led to much more collaboration and community building.
Two examples of this are two conferences this year that were very inspirational to me: CyberWarCon and LabsCon. In both of these conferences, the diversity and caliber of speakers, the enthusiasm of the community, the range of junior to senior attendants, and the combination of government, industry, and academic all in the same room was very inspirational and gives me a lot of hope about where the field is going.
In contrast, when I first started out, it felt like a search of finding my people. Now, they’re here and are deeply collaborative. These communities that are being built are so cross-sectional and I’m really excited about what we’re doing and what we will continue to do.
What is the most challenging part of your job?
Because the field is so new, there is a wide array of questions that exist which means you have both the wonderful opportunity to study almost anything and an incredible pressure because almost everything is understudied. There are a lot of unknowns that haven’t been rigorously studied whereas other spaces are a bit more constrained because they are more established. These traditional spaces have theoretical constructs that help you navigate research. In this field, there are a lot of first-order questions– rather than asking why something happened, we are still having to ask what happened and how.
Another challenge in this space is the scope of what you need to know to do your job well. The scope here is far wider than other national security topics that I worked in previously to my pivot towards cybersecurity and emerging technology. For example, to do good nuclear policy work you obviously need to know a certain amount about the technology at play, national defense structures, and strategy, but it is much more bounded. One of the core challenges of our field is that you have to be proficient in the technology and add in private sector threat intelligence.
Do you ever feel like as a woman in the space that you have to be more proficient in your understanding of these technologies so that people take you seriously?
It depends on the room that you are in. There’s always a bit of a proficiency test when you’re in conversation with someone where you can see them decide that you are worth their time. They look to see if you’re asking enough good questions, if you know enough about the space, and that you are interesting for them to chat with. It’s hard to identify how much of that is being a woman, how much is being younger, and how much of it is being a social scientist.
More broadly, there is a question of if you know what you’re talking about. I have faced this primarily simply by knowing what I am talking about. I am very careful not to put myself forward as an expert about topics that I don’t feel like I can answer a second, third, or fourth order question about. I think it’s important to display a lot of competency in these spaces. The second piece is finding community. I have been incredibly lucky in terms of finding good mentors who are keen on sharing ideas rather than gatekeeping.
The bigger challenge around being a woman is often being the only woman in the room which creates a certain dynamic because there are certain implicit assumptions that go along with that. The absence of the many talented women across the space is to the detriment of the field at large.
Lastly, there is a failure of imagination at play. I can count the number of women who are experts on specific topics on one hand. That’s a bummer to people who are up-and-coming trying to see themselves in those fields. My experience at a women’s college in undergrad prepared me to know how to seize my space even if I am the only woman in the room. It’s really important to me to be the woman in the room and leave the ladder down behind me.
Do you see a difference between cybersecurity and other traditional security industry spaces in the treatment of women?
I think in cybersecurity it is definitely better in terms of being young because there are so many young people in tech, so that part is incredible.
One of the challenges of the industry I chose is that it is at an intersection of national security, intelligence, and technology which are all three heavily male-dominated. When you combine them, they become even more male-dominated.
I will say that owning your expertise has been incredibly helpful for me and knowing that if I am in the room and they don’t want to listen to me, that’s on them, not me. It’s about owning your knowledge and not treading into areas that you don’t know enough about as that will damage your credibility.
What are some major lessons you’ve learned about advocating for yourself in the workplace, finding mentors, and otherwise handling the difficulties of being a woman in this space?
I am incredibly thankful to have gone to a women’s college. There are a number of things that are different about going to a women’s college that have impacted the way I see this. For one, you didn’t have to imagine people in positions that were women because everyone around you were women in positions of authority. The whole alumni base was full of women doing incredible things. There wasn’t a question of can I do this and go into national security because these alumni were visibly doing that already.
More broadly, I have been lucky to find senior women who were incredibly generous with their time both personally and professionally. I also find it important to address these conversations around the struggles women in this space face to both women and men. It is important to include men so that they can recognize some of the things they do, perhaps even subconsciously, in order to do better.
For me, it is important to look at spaces that I am interested in and developing expertise in, and instead of asking if I am welcome or should I be there, just opening the door and walking in to take a seat at the table.
One of the best pieces of advice I received at my college was to know what hills you are willing to die on before you are on the hill and to know what you want your responses to be. Sometimes I will be on a panel full of men where everyone is introduced as Doctor so-and-so and I am simply introduced as Mellissa. In that moment, I could say that I am also a doctor and make a big moment of it or I could try to subtly slip in the doctor part later or just focus on the ideas I am there to present. This is also an example of an opportunity for men on the panel to correct the situation by addressing me as Dr. Griffith in their own response.
It’s these kinds of moments where you need to know if you’re going to die on those hills and know how you will respond and the tradeoffs you’re willing to make so you can go about it in the most effective way possible.
On the topic of mentors, it is important not to limit yourself and your network to women. Some of the most impactful mentors in my life have been both men and women. We sometimes think we can only talk to women about the difficulties of being a woman in this field and how to navigate it but what we really need is someone who is incredibly supportive of your career. It isn’t necessary to limit that pool to just women.
If you could give one piece of advice to young women looking to enter this space, what would that advice be?
Pick something you are passionate about. Independent of being a woman, work is hard. This field is hard and fast moving and you will hit institutional, bureaucratic, personal, research, and policy challenges over the course of your career.
Once you pick the thing you love, develop expertise in it to the best of your ability and rest on your laurels. When you’ve picked something that you’re always going to be passionate about and are willing to put in the time to navigate the challenges of that space and learn as much as you can about it, people will recognize that.
For me, the most telling thing in this space was that if you do good work, it will get recognized over time. It is much easier to address the challenges of being a woman in this field when you have good work to fall back on.
Final thoughts?
Sometimes we are our biggest gatekeepers. That isn’t to say that there aren’t institutional sexism and other real challenges to face, but it is important to get out of our own ways and just do it.
My hope is that every cybersecurity conference I go to, the women’s bathroom line gets longer and longer.
Years ago at a conference a mentor of mine came up to me to say that no women had asked any questions in the last few sessions and noted that when one woman asks a question others follow. He asked me to ask a question in the next session so he could call on me. I did, and the next number of questions asked were by women as well. An intervention by a man can be an important part of us getting out of our own way.
The willingness and the community is here. The community wants diversity and is deeply welcoming of it. People want to put in the work and we need to meet them there. They want to hold the door open for us to take our seats at the table.
