What's this #HeForShe thing?

Technically speaking, #HeForShe is a hashtag, a social media tool defined as: "a word or phrase preceded by a hash or pound sign (#) and used to identify messages on a specific topic (Wikipedia).

The #HeForShe hashtag originated with, and is the name of, the UN Women’s solidarity movement for gender equality.

The idea behind HeForShe is to invite men and boys "to build on the work of the women’s movement as equal partners, crafting and implementing a shared vision of gender equality that will benefit all of humanity."

Tagging things #HeForShe is a way for me to share the fact that I have accepted that invitation and I have been using the hashtag for a while now. Why? Because I truly believe that gender equality does benefit all of humanity. I also believe that gender equality will not be achieved unless more men - most men, all men - commit to it, and make it a priority, in practical terms and not just as a vague aspiration.

Getting schooled on #HeForShe

I came to know about #HeForShe because I was studying at the University of Leicester when, back in May of 2015, it joined the UN Women’s HeForShe solidarity movement as an "IMPACT 10x10x10 champion," one of 10 universities around the world participating in the program with the goal of taking "bold, game-changing action to achieve gender equality within and beyond their institutions." Here's how the program was introduced:
"Announced at the World Economic Forum in Davos, Switzerland, in January of 2015, HeForShe’s IMPACT 10x10x10 programme engages 30 key leaders across three sectors—the public sector, private sector and academia. All 30 IMPACT champions have made common commitments and have also developed tailored commitments, formally reviewed by an expert team at UN Women and approved personally by the Executive Director of UN Women, Phumzile Mlambo-Ngcuka."
But the fact that my school had embraced HeForShe was not why I chose to embrace it myself. Gender equality is something I have always believed in, from well before my first stint at university (University of Leeds, 1971-74). I can't say that I was born a feminist - the scientific jury is out on whether that is even possible - but I knew that I was a feminist-sympathizer as soon as I heard the word used in a sentence. That would have been around 1965, shortly after I became a teenager and read my mum's copy of The Feminine Mystique.

That book, and several other "radical" texts, showed up in our house in the mid-sixties when my mum enrolled in a teaching college under a government program to reduce the shortage of teachers created by the baby boom. Her decision - which my dad supported practically, emotionally, and philosophically - resulted in a real world experience of gender equality in action. Among other things it demonstrated that:
  1. Women can have a productive career outside the home.
  2. This is not a threat to men.
  3. Men and boys can do housework quite well if they try.
On top of that, mum's time as a mature student created a steady flow of interesting books into our house, notably the afore-mentioned 1964 classic, The Feminine Mystique, by Betty Friedan. This has since been "widely credited with sparking the beginning of second-wave feminism." As I read - entirely of my own volition - Friedan's analysis of women frustrated with society's narrow and deeply limiting definition of what a woman should be - wife, mother, cook, cleaner - it rang true with my own observations.

That's right, I had - for whatever reason - been observing women from an early age (maybe I was born to be social scientist). As a child I was surrounded by women, at home, at church, and at the shops. I listened to them talking. I read women's letters to the advice columns in ladies' magazines (which were definitely not feminist back then).

Rather fortuitously, my childhood in Coventry, England, was enriched by frequent visits from numerous aunts and great aunts, all of whom had all survived World War Two. My mum's mother had actually lived through aerial attacks in both World War One and World War Two. All of these women had lived through large-scale bombing campaigns, including the one in 1940 that killed over 500 people in Coventry in one night and destroyed two-thirds of the city's buildings (Wikipedia). My grandma and several of her sisters worked in munitions factories which were targeted in these bombing campaigns.

Often when I was small these women, most of them housewives with grown children, would sit and talk about those times gone by, and I would quietly listen at their feet. That is how I came by precious historical vignettes like this: my Great Aunt Tot standing in the middle of the street shaking her fist and swearing at a German Messerschmitt 109 as it made a daylight strafing run on the factory at the end of her road.

So maybe it is not surprising that I grew up thinking of women as strong, independent individuals; all the while becoming increasingly angry that society would not treat them equally. Yes, there has been some progress, but nowhere near enough. Hopefully #HeForShe can help us move things forward.

Of allies, male feminists, and good men

I hope to find time to write more about HeForShe but in the meantime I will try to use the hashtag wherever appropriate in order to raise awareness of gender inequality and the need for men to work to eliminate it.

What I will try to avoid is referring to myself as an ally of women, or a male feminist, or a good man. Those are designations to which I aspire, but it is not part to claim them.

Will "repeal and replace" hurt genomic medicine and victims of genetic conditions?

Let me give you the short version of my answer up front: Yes. If the current privacy protection for genetic medicine in the US, in which Obamacare/ACA has played a key role, is diminished by the "repeal and replace" efforts of the current US administration, then America's hopes for genomic medicine will also be diminished. Victims of some genetic conditions will be particularly hard hit, as will all forms of research that involve the human genome.

The even shorter version goes like this: Why would I give anyone my genetic information if that might lead to myself and my family being denied insurance or paying higher premiums, for medical, life, or longterm care policies?

brian0918, Public domain, via Wikimedia Commons
Fans of genomic medicine are apt to respond by saying there's no need to worry because there are laws to prevent that type of discrimination. To which I have heard many people say: I don't trust the insurance companies and/or the government to abide by those laws. And besides, laws can be repealed, and databases can be hacked.

In short, when it comes to enjoying the benefits of medical science, Americans face a bleaker future than the residents of other wealthy countries due to the absence of two rights: the right to health care and the right to privacy.


Who am I to present these arguments? For more than 25 years I've been studying information security, data privacy, and risk. I've been a Certified Information System Security Professional for more than two decades and I have a Master of Science degree in Security and Risk Management. I have also put in more than a decade as primary caregiver for someone with a genetic illness (variously known as hereditary hemochromatosis, genetic haemochromatosis, Celtic Curse, Bronze Diabetes, Iron Overload). In that role I have spent many years interacting with the families of hemochromatosis patients and the main support group for this condition, the Iron Disorders Institute.

What is the problem? The House recently passed legislation called the American Health Care Act of 2017 (H.R. 1628). There is a Senate version known as the Better Care Reconciliation Act of 2017. As far as I know, both of these pieces of legislation remove a gene-related provision of the current law, ACA (a.k.a. Obamacare). Here's the problem:
  1. The Genetic Information Nondiscrimination Act of 2008 a.k.a. GINA says employers and health insurers can't use your genetic data in hiring decisions and health insurance coverage; but, as Maryam Zaringhalam at Slate points out: life, disability, and long-term care insurance are not covered under GINA’s provisions, and those insurers "already use genetic testing results to deny coverage to otherwise healthy individuals".
  2. Furthermore, GINA only protects people who are genetically predisposed to a disease as long as they are asymptomatic. In other words: "once a person begins showing symptoms, GINA no longer matters" (Zaringhalam- see link in References below). For example, my wife was born with the HFE mutation that can produce a potentially fatal condition known as iron overload but she was asymptomatic for the first few decades of her life. Then, in her forties, due a phenomenon dubbed hemopause, she became increasingly symptomatic. She is now eminently "declinable" under pre-Obamacare rules.
  3. This GINA "loophole" as Zaringhalam calls it, was closed by Obamacare. That's because the ACA outlawed discrimination in health care insurance pricing or coverage based on preexisting conditions.
  4. Now the current administration looks set to return America to the days when preexisting conditions were considered grounds for charging higher insurance premiums.
  5. That would mean returning health insurance to the list of things you pay more for if your insurer has knowledge of your genes. Remember, that list already includes life, disability, and long-term care insurance.
I would be the first to admit that the above is a simplified account of the problem, but I stand by its accuracy and will go into more detail below. A complicating, and possibly offsetting factor in this story is the plethora of state laws on genetic data, medical privacy, and health insurance. Those might give you hope, but then you have to factor in the rampant hacking of supposedly private databases of personal and medical information that we have witnessed over the past few years. Bottom line? It is not hard to understand a response of "No way!" when you suggest to someone that they should get their genes tested, even when that test could potentially save their life, or those of their relatives.

There was no valedictorian and other observations on the way to my graduation

Last month I graduated from the Criminology Department of the University of Leicester with a Master of Science degree in Security and Risk Management (MSc SRM). I graduated in person, in England, with my own two-person cheering section (mum: Dorothy; partner: Chey).

The trip to get there was a long one, and I don't just mean the miles (6,000) or the years (two spent on the course, but many more getting ready for it). However, the journey was well worth making, and the graduation ceremony was well worth attending, even though it raised several questions that I feel obliged to answer here.

1. Why graduate in January?

The timing of my graduation ceremony was awkward to say the least, but it was due to the fact that the SRM program that I wanted to pursue has two cohorts per year, commencing in March and September, with two graduation ceremonies, July and January. I was in a September cohort for which the usual graduation is January.

That is not, in itself awkward, just unappealing, given how cold and grey January weather can be in England (for the photo of Chey and me on the right I had to crank up the Brightness).

But the exact timing was awkward, given that my employer, ESET, whose generous employee education program had funded my studies, decided to hold its annual North American Partner Conference (NAPC) that same week as my graduation.

The NAPC is a great event, hosted at the San Diego Hard Rock Hotel, and as head of the US Research Team I was expected to address the partners on the 2017 cybersecurity threatscape, the world into which they would be selling ESET's security solutions in the months ahead.

Fortunately, it was possible for me to do that, and go to the graduation, by speaking before lunch on the first day of the conference and then taking the direct BA flight from SAN to LHR later that afternoon. Unfortunately, that meant getting to our UK home base of Coventry late in the afternoon of the next day,  checking into a hotel, having dinner with Mum, and then rising next morning to head for Leicester. Not a lot of time to get over jet lag, but it was do-able.

2. Second or third masters degree?

At the end of my remarks to the NAPC I apologized for not being able to hang around for the whole two day event, making a joke about having to go and get my degree because the university refused to change the graduation date to accommodate ESET, even though it's one of the largest security software companies in the world.

That got a few laughs, but it's what I got over lunch that surprised me: questions about whether this was my second or third masters degree, or more generally: "How many degrees is that then Professor Cobb?"

I can honestly say my initial reaction was entirely factual: I said that this was my first masters, two degrees total. Some people obviously assumed I had spent a lot more time in academia than is the case. But I had to chuckle when I told my classmates about this at our department's pre-graduation buffet, because they all said they would have played along with the assumption: "Second or third masters degree? Hmm, let's see, hard to keep track."

Of course, my fellow graduands were all security people, many working in physical and operational security, and this accustomed to the odd piece of, shall we say, tactical social engineering. And for some of them this was their first degree, since it is possible to do a Masters degree in England without a Bachelors or, as in my case, without a relevant Bachelors. My first degree, back in the 1970s, was in English and Religious Studies (and the number computers involved was zero).

A big motivating factor in attending my second graduation is that I skipped my first one. Why? I was boycotting the royal family. Allow me to explain. I have always objected to monarchy and my first degree would have been handed to me by the Chancellor of the University of Leeds, a position held at the time by a member of the British royal family.

I did not think that was appropriate and I did not want her handing me my degree. At the time, this posed something of a dilemma for my mum, seen here on the right. As far as we knew, I was the first person in our family to get a degree, so it was definitely something to celebrate, but on the other hand, my mum and dad had raised me to stick by my principles, on top of which, they weren't fans of the royal family either.

In the end we compromised and I a posed for some suitably formal picture taking in my grandparents' garden, wearing the appropriate gown from a Leeds alum who was a friend of the family. (My grandfather might not have had a degree, but by the time he was 50 he was able to sell his share of an engineering firm in Coventry that he co-founded, and retire with a garden large enough for a bowling green and graduation pictures.)

3. Isn't that against the rules?

In America, the rules of academic hierarchy tend to be strict. For example, you will have a hard time getting a paid teaching gig at a US university if you don't have a masters degree. But rules can be bent at times, for example when a new discipline emerges. There was a time, not much more than a decade ago, when you couldn't hire someone with a computer security degree to teach computer security because such degrees did not exist.

This led to an interesting exchange when I was being interviewed for my job at ESET in 2011. The head of HR, who has since become a good friend, said to me: "Your resumé indicates that you taught master of science in information assurance classes at Norwich University, but how was that possible when you only have a bachelors degree?" To which I replied, "Well spotted! It was only possible because the Dean made an exception, based on my knowledge and experience."

In fact, the award-winning MSIA program at Norwich, created in 2002, was put together by someone with a PhD in applied statistics and invertebrate zoology, Dr. Mich Kabay. To create and deliver the program's online curriculum, Mich tapped myself and Chey and a small army of security industry experts, none of whom - to the best of my knowledge - had a degree in security at the time. His approach paid off in short order as Norwich was quickly named a Center of Academic Excellence in Information Assurance Education (referred to as COE for short) by the NSA's Deputy Director for Information Systems Security.

I was initially surprised that people assumed I had multiple degrees, and then I felt flattered. I decided it meant that they think I know what I'm talking about. And that is actually true most of the time: I do try to talk only about what I know, or at the very least, to provide a clear disclaimer when I'm asked, or tempted, to talk about something that I'm not sure about.

Over the years folks have occasionally referred to me as Doctor Cobb, and I have immediately pushed back. I do not have a doctorate, even now. But I am less concerned when folks call me Professor Cobb. I have taught at university, and may do so again at some point. However, and just to be clear, I currently only have two degrees.

4. What happened to the valedictorian?

Another funny thing that happened on my way to, and upon return from, my graduation, was the multiple requests from my manager for a copy of my valedictorian speech. According Wikipedia, Valedictorian is "an academic title of success used in the United States, Canada, Central America, and the Philippines for the student who delivers the closing or farewell statement at a graduation ceremony (called a valedictory)." Fair enough, but notice which country/region is not on that list? Graduation ceremonies in England, and certainly the one that I attended at Leicester, do not have a valedictory or valedictorian.

The intent of the good-humored ribbing was to suggest that I had graduated at the top of my class. But that's another thing my class did not have: individual ranking. When I got my Bachelors degree in 1974, the results for all the students were posted on the department notice board, a physical object in a specific geographic location. Going to the department and looking at the board was how I, and all my classmates, found out that I got a First (English universities used to rank degrees as First, Upper Second, Second, and something else). As it turned out I was the first person to get a Joint First in English and Religious Studies at the University of Leeds, and the only person to get one that year. But there was no list of results ranking my class. For my masters I got my grade via a website and that only showed one result: mine (which was Merit, one level below Distinction).

So it is quite possible that I was not the top student in my class. There were 33 of us graduating and none of asked about each other's grades - I think we were all just glad to have made it to the finish line, especially since most of us were holding down full time jobs, often in challenging places (like Kabul and Beirut to name two).

Indeed, whenever I was feeling like giving up I reminded myself that studying in San Diego was a lot easier than in a lot of the places my colleagues were coping with, so I should quit complaining, and besides, I was studying in my native language, which quite a few of my classmates were not (I confess that I'm awed by people who get a degree in a non-native language).

So in closing, but still speaking of languages, I promise my next post will be about the meaning and significance of the University of Leicester motto: Ut Vitam Habeant (here's a hint).

[Disclaimer: I have not yet written that blog post.]

Life after the University of Leicester, pronounced Lester, plus academic bang for bucks

(In which the author gets back to his blog after a virtual expedition to a place called Leicester...)

I was going to start this blog post with something like: "As regular readers may have noticed..." But frankly, I doubt there are many regular readers left out there, mainly because I've not been blogging on this site on a regular basis for several years. Why? Because of my preoccupation with two things: cybersecurity and going to school.

I didn't stop writing blog posts, but they've mostly been about cybersecurity, and most have appeared on WeLiveSecurity.com or on S. Cobb on Security and ESET.com.

As for going to school, most of the going has been virtual, that is: distance learning over the Internet. Most of my "spare" time for the past 24 months has been dedicated to working on a postgraduate degree at a university in England, specifically an MSc in Security and Risk Management, namely at the University of Leicester. And while the name Leicester looks like it might be pronounced "lie - cess - ter" the correct way to say it is "lester".

Copyright Leicester City F.C. Knowing this pronunciation is more useful today than it was when I started my studies there in September of 2014. Why? Because millions more people around the world have of heard of Leicester today than even six months ago, thanks in part to the amazing story of the Foxes, a.k.a. Leicester City Football Club (I will go into other reasons in another post).

To be clear, I'm not an expert on sport; indeed, I'm not even a huge fan of sport in general. The "sport" I follow most closely involves driving cars (Formula One car racing). So I will leave it to this BBC article to do the telling of this one: Explaining the Leicester City Story to Americans. The bottom line is that the team that owns the totally cool logo on the right, the Foxes, achieved what some sports fans say is the greatest underdog comeback in any sport, ever.

But let's return to a far more modest come-back, my return to blogging after spending two years studying for a Master's degree while holding down a full-time job (not only is the job full time, it requires a fair bit of travel - for example, in 2015 I took more than 50 commercial airline flights).

Was the studying worth it?

Yes! Let me make that clear. I plan to write a separate article about the details of my degree programme (it was in England, hence the English spelling of program); but even without going into detail I can say for sure that it was worth the time, effort, and money.

[caption id="attachment_2247" align="alignright" width="294"]ul-criminology No, it's not Hogwarts on a sunny day, it's the Department of Criminology at the University of Leicester (but like Hogwarts, it has hidden depths, in this case extensive cohorts of distance learning students).[/caption]

On the topic of money, I should be clear that my employer, ESET, one of the world's largest security software companies, has a very enlightened and generous tuition reimbursement program (I'm in their San Diego office, so it's a program, not a programme).

By using the annual reimbursement from ESET and the interest-free installment plan offered by the university I was able to stagger my payments across 2014, 2015, and 2016. I was fortunate enough to be able to front the payments without economic hardship. And, as luck would have it, the British pound declined in value relative to the US dollar during my studies (more on that later).

This fortuitous set of circumstances, plus some planning on my part, meant that I was able to recover most of my tuition through ESET reimbursements. However, even without such a wonderful company incentive, I think many US professionals could find that a UK postgraduate degree is an attractive option for knowledge and career enhancement. I base this on three factors that I will address in more detail: hoops, bucks, and bang.

Hoops: Most British universities eschew the "hoops" you have to jump through to get into many US schools. UK universities are more inclined to consider mature applicants for Masters degree programmes based on their potential for academic study, as demonstrated through career and life journey.

Consider my MSc in Security and Risk Management (the SRM programme). My fellow students included police and military personnel, both serving and retired, who had entered those services direct from high school. In other words, not all of them had a bachelors degree. This seems eminently fair to me.

Sure, I have a bachelors degree, but it dates from the 1970s and the subjects were English and Religious Studies (Comparative Religion in US terminology). Is that a better foundation for a masters degree in security and risk management than 20 years as a police officer, or peacekeeper in a post-conflict zone, or a CISSP? I don't think so.

What everyone on the course had in common was an understanding that we would be held to a high academic standard in our course work, and would not be able to proceed to a full degree if we fell short. Again, this seems fair to me. The university has enough confidence it its ability to identify good candidates that it is not reliant on an applicants checking boxes (called ticking boxes in England) and taking a bunch of tests. I should point that there are certain standards, and these can vary between institutions, but you may find that the general approach is refreshingly different from what you have encountered in the US.

pound-dollar-chartBucks: The tuition fee for the next intake of the SRM MSc in Leicester's highly regarded Criminology Department is £13,015 which is about $17,000 at the current retail exchange rate of around $1.30. The chart on the right shows that I paid my first installment when the pound was over $1.70, and I was sure it was worth it at that price. When I paid my last installment it was about $1.40 and boy was I chuffed (English expression for "pleased with oneself"). Then came Brexit and an even bigger drop. Of course, I have no crystal ball, so I can't guarantee the pound will stay this low, but it has a lot of climbing to do to get back to 2014 levels.

BTW, that $17,000 tuition fee is not per year, that is the fee for the entire course. It even includes several books per course, sent to you by DHL, wherever you happen to be studying (for my cohort that meant anywhere from Afghanistan to Zimbabwe).

Also included is excellent room and board if you attend Study School in Leicester. These are three day events and there are one or two per year. Attendance is not required but I found them very helpful, and enjoyable (I flew over for three of them between 2014 and 2016).

Of course, I had to buy the airline tickets, and I spent some of my own money on additional books, not to mention the care and feeding of a big color laser printer (I'm sorry, but I just can't read and annotate academic articles on a computer screen). All told, the degree was, in my opinion, something of a bargain. But that doesn't mean it lacks punch as a professional qualification.

[caption id="attachment_2255" align="alignright" width="300"]uk-uleicester Leicester is a couple hours' drive north of London, close to the center of England. I grew up 25 miles away, in Coventry, which is between the L and A in England on this map.[/caption]

Bang: In my experience, degrees from British universities in general tend to have a certain cache in America. I'm not going to argue whether or not this is justified, but I can put some stats around the place from which I obtained my "bargain" degree (borrowing heavily here from the university's own materials).

On the world stage, the University of Leicester has been ranked among the top 200 universities in the world for many years. It was 167th in 2016, ahead of Brandeis, George Washington University, Texas A&M, and the University of Miami.

In UK terms, Leicester won Times Higher Awards every year from 2007 to 2013, the only university to win awards in seven consecutive years. Leicester was awarded the prestigious title of University of the Year 2008/09 by the Times Higher Education magazine. The judges cited Leicester’s ability to “evidence commitment to high quality, a belief in the synergy of teaching and research and a conviction that higher education is a power for good”. In short, they said Leicester was "elite without being elitist". The UK has a number of national ranking tables for universities and Leicester is consistently in the top 20.

Of course, some universities are better for some subjects than others. The primary driver of my decision to go back to school was to gain a better understanding of crime and so I looked for schools that had a good reputation in Criminology. In 2013 the Guardian ranked the University of Leicester third in the UK for Criminology. This ranking is perhaps not surprising given that Leicester's Department of Criminology has a large number of widely published faculty, but it also reflects an exceptional score for student satisfaction with teaching.

Summing up

It's good to be done with my degree, which I will actually collect in person later this month (expect graduation photos on Twitter @The StephenCobb). And of course, it's good to be free of that constant feeling of "you really should be studying" instead of whatever else you happen to be doing. That said, I never felt that my studying conflicted with my work, largely because the subject of my studies was my work - after all, I am a security researcher by title and trade.

It helped that the work output for the course was essentially six essays and a 15,000 word dissertation. Six essays may not sound like a lot, until you factor in the scale of the essays, which range from 3,000 to 5,000 words, plus references. In other words, you are not attending classes, you are doing the reading and research for the module topic, then writing up your results in the form of an extended academic argument around the question you have chosen to answer. (One essay is actually a research proposal with literature review, and there are some tests on referencing and statistics.)

You have three questions to chose from in each of the six modules, but considerable scope to frame your essay on your own terms; for example, I managed to make all of my essays about, or relevant to, cybercrime and cybersecurity. That enabled me to use a lot of my essay research and writing for work, a good example being the data privacy white paper that I published last year on WeLiveSecurity.com. The paper is an essay re-worked as a guide to US data privacy law.

You will remember that I mentioned high academic standards. That privacy paper has garnered a fair amount of praise and is looked at by several hundred people a month; however, the grade that the essay earned me was barely above a pass (largely because there was too much descriptive accounting of privacy protections and not enough argument around the actual essay question). In other words, a lot of us were sweating our grades after each module.

Fortunately, I got better grades on the other five essays and the dissertation, all 80 pages and 15,000 words of it. I produced two papers on my way to the dissertation, available from my security site, and the dissertation itself should be published later this year. I am also using material from that research in my session at HIMSS next month (as in Health Information and Management Systems Society Annual Conference, a conference likely to be attended by more than 40,000 people).

With that, I will wrap up this "back from school" blog post and make a promise to provide more about the programme at Leicester and the pleasures and perils of adult education and distance learning in a future post. Thanks for reading!