The SEI Fellows Series: Nancy Mead
Featuring Nancy Mead as Interviewed by Suzanne Miller
----------------------------------------------------------------

Suzanne Miller: Welcome to the SEI Podcast Series, a production of the Carnegie Mellon University Software Engineering Institute. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. A transcript of today’s podcast is posted on the SEI website at sei.cmu.edu/podcasts.

My name is Suzanne Miller. I am a principal researcher here at the SEI. Today, I am very pleased to introduce you to Nancy Mead. This is the first podcast in a series where we talk to SEI Fellows, who have been so named because of their outstanding contributions to the work of the SEI, and from whom the SEI leadership may expect valuable advice for continued success in the institute’s mission. Today, we are talking with Dr. Nancy Mead who was named an SEI Fellow in 2013. We are going to talk to her about her career, her fellowship, and the future of software engineering and cybersecurity.

First, some background on Nancy, who has been on our show previously, to talk about her work in developing a curriculum for software assurance. Nancy R. Mead is an SEI Fellow and principal researcher at the Software Engineering Institute. She is also an adjunct professor of software engineering at Carnegie Mellon University. She is currently involved in the study of security requirements engineering and the development of software assurance curriculum. She also served as the director of education for the SEI from 1991 to 1994. Her research interests are in the areas of software security, software requirements engineering, and software architectures. Prior to joining the SEI, Dr. Mead was a senior technical staff member at IBM Federal Systems, where she spent most of her career in the development and management of large real-time systems.
Welcome, Nancy. I am so glad to talk to you about this.

Nancy Mead: Thanks, Suzie. I am delighted to be here.

Suzanne: This is all about you. Today is all about you. I want to hear about you and your experience. I have known you ever since I walked in the door in 1992. You have always been someone who knew something about everything. I have asked you so many questions about so many different things. How did you get to be that way? You are one of the first people that I knew that was a woman in software engineering. You were in the software field in the early ’60s, before there was a software engineering; back then it was mathematics. You dealt with some stuff that I didn’t have to deal with 20, 30 years later. What was it like coming up through the ranks, working at the big IBM at the time, and being one of the early females in software engineering as it became known to be?

Nancy: There were some really interesting aspects. When I was in high school, I used to do all the problems in my math books just for fun. When I tell my grandchildren that, they say, Oh, grandma, how could you do that? Math is so boring. But it wasn’t boring to me. To me it was really fun. Later, as a senior in high school, I won the math and science award that was given to the best senior in math and sciences and decided that I would be a math major in college. I went to New York University at their uptown campus the first year that they admitted women to that particular campus. There were about 100 women for maybe 3,000 students. In most of my math classes there would be maybe one or two of us. There were three math majors in my class that were women. I was a minority right from the beginning, as far as that was concerned. Once I graduated, I started trying to decide what I would do for a job because programming was not something that was studied at universities.
There were jobs in the field, but people would get trained to do those jobs after they got them.

Suzanne: Sure. It was on-the-job training.

Nancy: Exactly. So I talked to a few people and they said, Well you should really get into programming, so I started looking at the want ads in the New York Times. One of the interesting things that I discovered after looking through the ads for about a month was that the ads were classified as Help Wanted/Male and Help Wanted/Female. All the programmer jobs were in the Help Wanted/Male section. I had to read that part of the classified ads to find a job. Eventually I found a job, initially, at a bank. Then, after a year or so went to IBM, which was a very good move. Most of the time, there were just a few women that I was working with, and a lot of men, especially in management. At IBM, the managers were mostly out of the marketing organization, and most of the marketers were men. Even though there were no discriminatory rules about women in management, there just weren’t that many, because the career path then didn’t lead to it.

Suzanne: It wasn’t there. Even today there aren’t a lot of women in the software workforce. A recent study indicates that women are still only 16 percent of the software workforce, and 9 percent, even less, for hardware. What do you think we should do to get more women involved as software engineers? This is something I struggle with myself. You can tell people how much fun it is, but what are the things that you think are barriers to getting more women in software engineering?

Nancy: I think there are a few things. One is starting at a very young age, before high school, maybe in elementary school, to cultivate that interest rather than…

Suzanne: Yes, and I was very lucky. My father was one. He was an Air Force colonel. I remember in fifth grade when he was looking at the math problems that we were doing.
He is teaching me how to solve simultaneous equations to solve our math problems. And he says, You should know how to do this. I had no idea. My teacher is saying, Where did you learn to do this? But, I was encouraged. All along, I felt like I could own this. But I don’t know that we have as many girls, young girls, getting that kind of support. If your father isn’t an aerospace engineer, how are they even going to tell you what this could be? That is another aspect of it.

Nancy: I agree. There is a lot of hidden bias that maybe is not intentional. For example, when I first started working, they had rules that women could not be in the building by themselves at night.

Suzanne: For your safety.

Nancy: Exactly. If you wanted to work late and get that precious computer time, you had to have one of the guys there with you. Then there were the more obvious kinds of things like if you answered the telephone, somebody assumed you were the secretary. When you got into management, they said, Well maybe it is just a token. You had to demonstrate that you actually knew something before people would take you seriously. I think that perhaps since there are more choices now, that when women encounter that kind of thing, they might decide, Well this isn’t for me.

Suzanne: If they are not passionate about the topic, and they have other choices. You are right. There are a lot of other choices that are not perceived as being quite as difficult sometimes.

Nancy: They might say to themselves, I don’t need this aggravation. In my era it was very different. Neither of my parents finished high school. To them success was graduating from college. That was a big thing. I was the first one in the family to do that. Then to have a good job. Those were the…

Suzanne: …those were the stepping stones and the milestones for your family.

Nancy: Exactly. It was good that it was exciting to me.
That is why I stayed in the field, but it was also good that it was a good career path because those kinds of careers weren’t that available to women in that time.

Suzanne: Location is part of it. IBM at that timeframe was one of the largest employers on the cusp of discoveries relating to computing, so they needed all the talent they could get: male, female, it doesn’t matter. In that sense, that would have been a good place to work at.

Nancy: Oh, definitely. It was the largest employer, and it was considered the pinnacle. That was where you wanted to be in that time. Now, of course, over time things shifted and the market is now very different.

Suzanne: It is very diverse now.

Suzanne: Let’s move over to the SEI. After some time at IBM and an illustrious career there, you came to the SEI. Why did you come to the SEI? Why did you say that is the next thing that I need to do?

Nancy: Sometimes I say that my career has been one big series of accidents. Maybe that was one of them. At the time…

Suzanne: A happy accident for us.

Nancy: …I was thinking about coming to the SEI as a resident affiliate on assignment from IBM. I came out here and I talked to Mary Shaw, Maribeth Carpenter, who I knew from IBM, and probably Harvey Hallman who I also knew from IBM. We had worked out an arrangement whereby I was going to come here and work on software architecture and software engineering education. Well, that was all well and good. I had three levels of management that said Yes, that sounds good to me. Then the facility manager said, Oh no, you can’t go. We need you here. That was kind of a discouraging note.

Suzanne: Let me explain to our viewers that a resident affiliate is where a company actually allows one of their employees to come work at the SEI. You continue to get paid by the company that sent you, but you work on SEI projects. So, you are a resident at the SEI. You come move here.
I did the same thing. But, you are an affiliate, you are not an actual employee. So, he was objecting to you actually making that move.

Nancy: Right. Because I was working on a large project and I would be leaving the project for a year to come work here. At that point, I came back to the SEI and said, Well, how about a real job?

Suzanne: Good for you.

Nancy: They made me a job offer. My husband was with me. He got a job offer too. My husband’s background was also very relevant to the SEI. That was it. We came here. Truthfully, when I joined the SEI, I never expected that it would be a long second career. I thought that, Well, it will be a few years, and then we will see what happens, but I stayed.

Suzanne: Several of us have come here thinking that same thing, Oh, I will be here for a few years and move on. Here we all are 20 years later, so it works out. I know you were director of education; that is where I first met you. What are some of the other projects that you worked on in your career here at the SEI? Give us some of the highlights of what makes you the most proud out of the work that you have done.

Nancy: Well, the education work was really important. We did the master of software engineering curriculum.

Suzanne: I need to tell you that I was at Lockheed Missiles and Space at the time that you were doing those videos, the software engineering videos, Harvey, and you, and all those. I actually saw those videos. We used those videos at Lockheed before I came to the SEI. I actually had seen some of you in that role, in my role as a software engineer at Lockheed, before I ever got to the SEI. That was kind of a nice connection when I got here. It was like, I know those people.

Nancy: Well, and that was a big thing. Evidently, from talking with some faculty members, some of those videos are still out there.

Suzanne: Yes, I have heard that too. There is some stuff—good ideas are good ideas—some of them hold.
The world changes and our ideas need to change too, but some stuff doesn’t change as much as you would think.

Nancy: Right. Exactly. The fundamentals of software engineering are still the same. That was a good piece of work.

Then I got involved in software assurance after the education program was dissolved here at the SEI, working with, at the time, Tom Longstaff, as part of a small research team. We did some of the first analysis work on secure software architectures. That was very interesting. One of the things that I noticed when I started working with CERT, was that when I went to conferences, there were security conferences, and there were software engineering conferences. There was no overlap and you never saw the same people.

Suzanne: You had the operations folks and the development folks.

Nancy: We saw that there was a huge amount of work that could be done because everything that we had done in software engineering had not been done in the security area. That was a big thing. Then my work in security requirements, the SQUARE [Security Quality Requirements Engineering] Method.

Suzanne: SQUARE is the method that you developed with others here as well.

Nancy: Right. That was supported by both the SEI, and CyLab was a big supporter of that effort. Yes, CMU CyLab. That was a really interesting piece of work. Then the software assurance curriculum work that we have talked about at length in our other podcast. More recently, I am working on a new research project, well, actually two new projects. One is doing a comparative study of threat modeling, a very popular technique in the security field. The other is examining how malware analysis can be used to identify security requirements that otherwise would be missing.
So, using attack information to try to identify requirements for future systems to make them…

Suzanne: You are inferring from current malware what the direction might be that systems need to account for in their requirements.

Nancy: Exactly.

Suzanne: That sounds fun.

Nancy: Those are two exciting projects that I am working on right now. Then there is always some very interesting customer work going on.

Suzanne: We do get to see some interesting things at the SEI for sure.

Nancy: Yes.

Suzanne: You have done research. You have done teaching. You have done development. The teaching has always been a part of what you show to the world. You have been involved at IBM Federal Systems. You were involved in that as well as here, and you have never really let go of that. Tell us why. What is it about being a teacher that is something that is very important to you?

Nancy: I don’t think that I am one of the world’s greatest public speakers, so giving lectures isn’t necessarily the most rewarding thing. What is rewarding is every once in a while you have a student that gets it, and they have that Ah-ha moment.

Suzanne: And you know you have changed them.

Nancy: Sometimes they stay in touch for years afterwards. There is one student that was in one of our master’s degree courses, and he was a standout at the time. He went on to get a Ph.D. He worked for some consulting firms, had some government appointments, and has done really well. We had a young staff member who was getting a master’s degree, and I mentored him a little bit. He eventually went on to become the CTO at his company. We have had a few really nice experiences like that. To me, when those things happen, when people say I get this, and this is really important, that makes it all worthwhile.

Suzanne: I am another one who loves teaching, and I love being in the classroom and seeing that… Trying to get that Ah-ha to happen is hard.
It is not just about lecture. It is about enabling learning. It doesn’t always work, but you do your best. It is one of the things that I have been happy about working at the SEI as well, is having the opportunity to train professionals as well as… I don’t do as much with undergrad students as you do, but all along the way we need people that have better educations. The topics that you are working in, I think, we talked in the software assurance curriculum podcast about how that is really a gap in the engineering education. It is not going to get better; it is going to get worse as we get internet of things and all the things. The more, greater complexity of our systems, the threat is not going to go away. I hope you continue teaching and seeing that in your students.

Talking a little bit about being an SEI Fellow. You are the seventh fellow in the SEI’s history. Let’s just set that in context. There are currently about 600 employees at the SEI. I would say since the early 1990s, if I were to guess I would say since the early 1990s, we have had probably about 2,000 [employees]. This is purely a guess, but at least that many have come through...

Nancy: Come and gone.

Suzanne: Come and gone. So, 7 out of 2,000. That is pretty special. One of the things that you get with that, which I think is also very special, is you get a grant to be able to work on whatever you feel like. No holds barred. This is your chance to do stuff that you would not normally get funded for, that wouldn’t normally be part of what you would be able to do. What did you do with your grant money?

Nancy: It was really exciting. It is a two-year grant. I am finishing up the second year of the grant right now, actually. Some of the things that I did with it, I mentioned the research project on malware analysis and requirements. That was a project that I started with the grant.
We have a group of CMU students working on a tool to support the work, and they will be delivering that tool within the next couple of months. I am writing a book with Carol Woody as co-author to be published in the Addison-Wesley series, and it is going to be a book on cybersecurity engineering. Our earlier book on software security engineering was published in 2008, so there is a lot of new stuff.

Suzanne: That is a lifetime ago in this world, isn’t it?

Nancy: A lot of things have happened. We wanted to get another book out there. That is another big item. The other thing that we did was some of the software assurance education transition work was done with the support of the fellow.

Suzanne: Things that you normally wouldn’t have funding to do.

Nancy: Exactly. I guess the last one: I co-chaired for two years in a row a workshop on security requirements engineering.

Suzanne: Those are a lot of work, and they take the kind of money that that grant is perfect for.

Nancy: Exactly.

Suzanne: You have gotten a lot of different things out of your grant money. That is good.

Nancy: I have also been able to leverage other funding that I had. For example, one of the research projects that I was on, we had a client that used the research work, and so we were able to leverage some of that. We don’t always get a chance to do that, but in this case we did.

Suzanne: Sometimes it works.

Suzanne: Let’s look to the future. We have been talking a lot about your past, and I appreciate you sharing some of your experiences because many of us did not grow up in that timeframe. I think especially a lot of women in the industry don’t realize how the pioneers like yourselves have made it easier for us to not even have to notice that there are men and women in the workforce and, So what.
Five years from now, what do you think will be the significant challenges confronting software, and in particular cybersecurity. That is an expertise area, and what should we be doing now to address some of those challenges?

Nancy: You already touched on some of this. Software is now everywhere and is becoming more and more pervasive. As that happens, the volume of software is growing. The number of people developing software is growing. As a consequence, we have more software that might have bugs in it. More software that might have vulnerabilities…

Suzanne: We don’t know how trustworthy it is.

Nancy: Exactly. I think that some big sea changes are going to be needed to deal with that. Personally, I think we need to find a way for software development to become more automated, so that we don’t need this army.

Suzanne: It isn’t handcrafted the way it is today.

Nancy: Exactly. I think there are probably some breakthrough technologies that we don’t yet know about that will contribute to this.

Suzanne: At the SEI we are working on things like the Architecture Analysis & Design Language [AADL] that we have spoken about in another podcast. I just found out about a new language called DMPL. I love the way we make pronounceable things. That is a domain based language for basically taking care of some of that automation and trying to make the generation of code more automated but in a way that is trusted. There are things that are coming in this arena, but it is still… Model based engineering is something that I remember hearing about in the 80s, you know, when I was at Lockheed. And yet it’s still not really as well adopted today. Why is it that some of these technologies that, from a technical viewpoint, seem so obvious? They just don’t seem to take on. Do you have any ideas?

Nancy: In some cases it is because they don’t scale up. In other cases it’s because people haven’t learned them.
Suzanne: We haven’t transitioned the education.

Nancy Mead: Exactly.

Suzanne: One of the things that our viewers may not be that aware of is that [making] curricula isn’t just about defining a syllabus and giving people assets. There is a whole—I hesitate to use a bureaucracy—but there is this accreditation board system. Many universities don’t change curriculum unless the accreditation board actually incentivizes that. Because there’s—how do you choose what you’re going to have students learn? There’s so many things that could be learned, and so they use these boards as a way to adjudicate what goes in. Some things are going to be below the cutline on that. But those decisions aren’t always made based on what’s coming five years from now. A lot of times, those decisions are made on what’s popular, what people will spend money on education for, and you know, I think that is one of the things that makes it slower for some of these things to actually get into the curricula at the universities.

Nancy: I think that is part of it. I think it is also the case that you need people to teach it.

Suzanne: Yes, you have to have the skills and competencies in the academic workforce, and they have to get trained in all that new stuff.

Nancy: They have to be interested in learning about something new and think that it is relevant.

Suzanne: If I’m a professor in algorithms and that is what I love, don’t ask me to teach cybersecurity unless I want to teach algorithms.

Nancy: Within cybersecurity, right. Or, if they have research grants in a particular area, well, that’s where they want to focus.

Suzanne: So the message here is, I think, that the SEI is one of the places you can look to see where some of those things that may not have made it all the way out there are trying to address some of these challenges.
I mean, we annually look at software challenges from the DoD and Department of Homeland Security as well, to try to help them to understand what things are out there so they can actually help in the transition of some of these things.

Nancy: One of the exciting activities that goes along with being a fellow is being a part of the SEI’s technical council. We do get involved in strategic planning and also in selection of some of the research projects. That is vital and very interesting too.

Suzanne: That is one of the places you get to look at what are some of the trends in the outside world, and in different aspects of the world. Not just our sponsors. You get to look at the industry. I was interested when we talked about software assurance. That one of the places that’s adopted your curriculum is the Madrid Polytechnic University. And so, you know, going outside the U.S. to influence other parts of the world to be safer as well and more secure is important too.

Nancy: In some areas the leadership is actually in other regions. For example, the focus of requirements engineering is more in Europe than it is in North America. And so it’s…

Suzanne: And model-based architecture is another one that has been very, very active in Europe and is…

Nancy: A lot of formal methods kinds of things are more valued in Europe than they are here.

Suzanne: Somebody made the case to me that because Europe has so many different spoken languages and written languages, that they gravitate more towards, like, formal methods, mathematically based things because that’s actually more commonality for them. And where, in the U.S., everyone speaks American English, so we don’t have quite the same drive for looking for something new. So that could be… I don’t know.

Nancy: I don’t know.

Suzanne: So lots of things for you to think about.
Lots of things for us to thank you for in terms of your service to the SEI and to the community at large in many, many different areas. I do want to thank you for joining us today. And I look forward to your new book. And I look forward to the other projects that you sponsor and that you work on in the time that you spend with us at the SEI. Thank you, Nancy.

Nancy Mead: Thanks, Suzie. It’s been great to be here with you.

Suzanne: This podcast is available on the SEI website at sei.cmu.edu/podcasts and on Carnegie Mellon University’s iTunes U site. As always, if you have any questions, please don’t hesitate to email us at info@sei.cmu.edu. Thanks for listening. Thanks for watching.