Deviancy Dropout: What Stefani Learned by Dropping Out of School - Securing Sexuality Podcast Episode 19
Securing Sexuality is the podcast and conference promoting sex positive, science based, and secure interpersonal relationships. We give people tips for safer sex in a digital age. We help sextech innovators and toy designers produce safer products. And we educate mental health and medical professionals on these topics so they can better advise their clients. Securing Sexuality provides sex therapists with continuing education (CEs) for AASECT, SSTAR, and SASH around cyber sexuality and social media, and more.
Links from this week’s episode:
Emphasizing the Importance of Regulation and Accountability in Cyber Criminology; Social Workers, Hacking and Cybersecurity, Regulation and Accountability, Certification from Professional Groups, and Gatekeeping in the Context of Sexuality and Technology
As our world becomes increasingly interconnected and reliant on technology, cybercriminology has emerged as a rapidly growing field of study. In this blog post, we'll outline the importance of regulation and accountability in cyber criminology.
First and foremost, regulation is a critical component of cyber criminology. It ensures that cyber criminals are held accountable for their actions. Without proper regulations in place, prosecuting or even identifying those who commit cybercrimes can be extremely difficult. Moreover, regulations protect victims by providing clear guidelines on how to react when a crime has occurred.
Accountability is another essential aspect of cyber criminology. Without appropriate accountability measures, it becomes challenging for law enforcement agencies and other organizations involved in preventing or responding to cybercrimes to carry out their duties effectively. Furthermore, without suitable accountability mechanisms, there is no way to assess whether an organization or individual has taken all necessary steps to prevent or respond effectively to a crime.
Both regulation and accountability are integral to any successful effort aimed at combating cybercrime. Without these two elements working hand-in-hand, attempts to prevent or respond effectively to cybercrimes would be significantly hindered. This is because there would be no way to ensure that everyone involved is doing their part correctly and efficiently.
In conclusion, we want to emphasize the critical nature of both regulation and accountability in addressing cybercrime effectively. Without these two components working harmoniously within an organization or system dedicated to combating such crimes, any efforts made will likely be ineffective due to a lack of oversight or enforcement mechanisms in place. It is, therefore, essential for those involved in preventing or responding to cybercrimes to take these two concepts into consideration if they wish for their efforts to be successful and sustainable over time.
Hello and welcome to Securing Sexuality, the podcast where we discuss the intersection of intimacy and information security.
I am Wolf Goerlich.
He's a hacker and I'm Stefani Goerlich.
She's a sex therapist and together we're going to discuss what safe sex looks like in the digital age.
And today, today, ladies and gentlemen, we're talking about Stefani's experience as a cyber criminology student. And I finally get to hear those three little words every husband longs for. “You were right.” I don't know what makes it sweeter hearing that or having it on this recording. Because you know that other people are going to hear this recording.
So not only do you get to hear it, you get it documented for posterity with witnesses. I was wrong and you were right. So for about a year now, I've been telling people you were a terrorist, a deviant, and a criminal.
Why is that?
So last year, almost actually a year ago, I submitted my application on New Year's Day. So my New Year's resolutions every year are always to learn something new. Every year I pick something I want to learn more about. And that is my New Year's resolution. I have made rag quilts. I have taken aerial silks classes.
I took a chef's knife skills course so that I could be, you know, a badass circus performer who could cut you. Every year I want to learn something new. And in 2022, on New Year's Day, I decided that I wanted to learn more about cybercriminology. I have always, always been one of those nerdy true crimes people.
When I was in high school, I wrote a letter to John Douglas asking him how I could become a future FBI profiler. John Douglas crushed my 16 year old dreams in ways that are both cruel and irrelevant to our topic today. But I've always been somebody that was really fascinated by the intersection of my work and criminology, especially as a sex therapist who does so much with BDSM and kink.
You know, those are heavily stigmatized communities. And one of the more common tropes, right, is the idea of the kinky person as the criminal, the kinky person as the deviant. Anybody who's ever watched an episode of Criminal Minds or who has seen Basic Instinct, they're familiar with this trope, this idea that kinky people are somehow more inclined towards criminal behavior.
And I decided in 2022 that I wanted to combine those two areas of passion for me and learn more about criminology. And because I'm married to you and because we move through the world that we move in, I decided I wanted to refine that to cybercriminology because so many of my clients are meeting their partners online. They are fostering relationships online. They're exchanging content online.
There are so many ways in which the online world influences the world of sexual health. And I decided 2022 was going to be my year to become an expert in cybercriminology and deviancy.
And now, now it is a year later, it is 2023, and you don't get to brag that your wife is a criminal terrorist deviant anymore because I am in fact a deviancy dropout.
Yes, you are. So you're not already those other things. Now you're a dropout. I'm very pro learning right now. As a matter of fact, I'm taking a course on intrusion detection. So things tend to be very specific to my field. I always love the fact that you wander.
Maybe that's not the right word for it, but would you say you wander?
It feels like you're very expansive in what you learn. So I think that there's always a common thread in what I learn.
I mean, maybe not circus arts, knife skills, rag quilting, but academically, professionally, I like to find new ways to expand my knowledge of and for the populations that I work with. So it might seem a little nonlinear. It might seem maybe expansive, I think is a good word. But everything is connected to my core purpose, my core populations.
I want to be really well rounded and have a very holistic interdisciplinary view of the worlds that I work with. So it might not always feel like a linear path, but I think maybe a labyrinth or a spiderweb is a good metaphor for my learning journey. Everything I do is interconnected. Everything I do makes logical sense to me.
But sometimes to people looking at my learning from the outside, they go, huh, that's different. And then once I explain to them the logic behind the choices, so like, okay, yeah, that makes perfect sense. I totally see it now.
Now, one of the things that you and I have debated about for a long time is I think it's important people learn. I think it's important people enrich themselves. I think it's very important people master their crafts. I have a lot of suspicion for people in my field who call themselves doctor. I have a lot of suspicion for people in my field who list all their certs after their name.
I have a lot of suspicion for cybersecurity programs that tout you're going to make your first six figures within six months and lure students in and then don't necessarily give them the proper skills. I have a lot of resistance towards this idea that you need to be six figures in debt in order to get into our field.
And it's been my experience that people who do get six figures in debt do just go into this because their college said that cybersecurity is a great way to make money, do list every certification under the sun after the signature. Those people tend to not be the best professionals. That's a broad stereotype. If you're listening to this and you're like, no, I'm awesome.
I have a PhD and six figures of student debt and all my certs after my name, hats off to you. But I tend to look at that a little bit scant, I would say. And that has been, I wouldn't say a point of conflict. You and I don't really fight.
However, we do furiously cite our sources at each other at times. And one of the things that you and I have often failed to have a meeting of minds on is the idea of the importance of academic paperwork, I'll say, or a documented learning path.
Because in the mental health world, we have a lot of institutional power, right?
As a social worker, as a qualified mental health provider, I have the authority to petition the court to have somebody involuntarily hospitalized. Now the court has to make that decision, but that is something that I can do. And my request for that carries additional weight because of my role in my profession.
People in my world, if your job, if you work in CPS, one of the big, big stereotypes about social workers is that we're baby snatchers, right?
And we're not. Family reunification and family preservation is the goal always. But that myth exists because people know that in certain jobs, social workers have the legal authority to remove your children from you. If you work in geriatrics, social workers and mental health providers have the ability to have a guardian appointed for you or to request that the court appoint a guardian. We have a lot of institutional power.
And because of that, I'm really comfortable with my world being very heavily regulated. I do think that my peers should have to have a master's degree. I do think that my peers should have to pass the licensing exam, which is its own shocking statement right now.
There's a whole controversy happening around board exams and whether or not those are gatekeeping, traditionally underrepresented people or whether they are a way to ensure that people are qualified to move into this profession. And I think that there are arguments to be made on both sides.
I definitely think the exams should be revised, but I don't think they should be thrown out because the people that work in my world can do a lot of good and we can do a lot of harm. And I think it's important that there be systems in place to make sure that only the most qualified people are working in my world.
And that has always carried over to my perception of your world. You and I have had many, many vociferous, heated citations flying back and forth, non-arguments around whether or not cybersecurity people and privacy people should have some sort of structure more similar to my world. And I have always said that your people, your peers are the ones that are trusted with so much personal information and so much protected data.
And it has always felt very similar to me that your industry can do so much good and it can also in the wrong hands do a lot of harm. And so because of that, I have always felt that your people maybe needed a little bit more paper or a little bit more letters after their names or some form of, no, we can vet the suitability of this person for this role.
And that has been one of, I would say, our biggest relationship disagreements. And now a year after my own sort of abortive journey into this world, I have to say, I think you were right. I don't know that the cybersecurity, the privacy, the information security community benefits in the same way that my world does from a structured academic discipline.
Here's the thing, I don't want to suggest that a person in cybersecurity or a person in privacy shouldn't have a degree of training and be held to a degree of standard.
The challenge has been what is that degree of training and what is that standard?
And the bodies who have attempted to put it in place historically, I'm thinking about the certification bodies, have had all the challenges that your certification community is wrestling with right now, as well as have often been out of date, have often been behind the times and have often really not had the teeth to do much.
And at the same time, our field, our discipline, I have oftentimes likened hacking to being a tradesman or craftsman, as opposed to being someone who is in physics.
And why is that?
It's because most of what you need to know is something that you master hands on, is something that is done in the community, is something that is provided ideally through an apprenticeship model. I'm a big fan of apprenticeships and mentorships, having run one for a while, as well as participated in varying degrees and many similar programs. What you need to know is something that is passed on from person to person.
It's not something that you read in a book that was written 10 years ago, because the technology is changing a lot faster than that old school model would support. And that skilled trades approach, that apprenticeship model is exactly what I walked away from finally, I think, understanding and agreeing with in my time in my program.
I'm specifically not mentioning my program, because there are a lot of really great programs out there, and this isn't about a particular learning experience. I think it's more a global conversation around a learning pedagogy or a way that learning should be accomplished.
Because what I found as somebody that chose a program for non-technical people, as somebody that was coming in with zero, zero computer science or frankly, criminal studies, criminology background, the only computer courses I took in my studies were an undergrad class in Word, Excel, PowerPoint, and Access that was required by my bachelor's institution.
So coming in as the blank slate for this program, I was recognizing a lot of names in the textbook. I was screen capping pages in our textbook and sending them to our friends, people you and I know in real life and going, look, you're in my textbook.
And it very quickly became apparent to me that everything I know about your world, about cybersecurity, and frankly, even about the criminology piece was not content that I was learning in this course. It was content that I had learned simply by being immersed in the world that you brought me into when I met you and we formed a relationship.
And that pre-knowledge was occasionally enhancing my reading of the text or my understanding of the lectures. But generally speaking, the academic environment wasn't what was giving me information. I had brought that in with me. And that really opened up my eyes to the value of an apprenticeship. I think when you and I were first talking about this, I even said like the old school guild sort of model.
The okay, we have voted to bring you into the community and we are going to support you and train you. And we as a community of experts are going to give you what you need to know.
And I don't think until I had had that ability to sort of firsthand compare and contrast an academic environment like I had had in my own grad school experience in your world with the sort of, oh, look, they're so cute. They've been hanging out since they were 10 and now they're here. And they're looking for their first like sort of help desk job.
And we know her mom and we can't wait to like teach her all the cool stuff that we learned.
And that sort of just we're bringing you in, making you one of our own and we're going to get you their model that has always felt a little too unstructured for me as somebody who's very aware of the institutional power of my world until I actually saw what it looks like when we take your community and try to put it into a book.
And when we try to turn it into a college class. And I very quickly realized and I'm glad that we're recording this because you're never going to get me to say this twice in 20 minutes. You really were right that a college degree is not necessarily the path forward for somebody that I can trust with my data and privacy. I got it out of her twice. This is fantastic.
No, but I also want to recognize that you've made some really good points over the years, right?
But before I do that, I'm going to recognize some of your points in just a moment. But before I do that, one of the things that has frustrated me about cybersecurity learning is a lot of the material is things that people can get their hands on is things that should be made available. Right. And I look at some of the work that well, again, our friends are doing.
We've got we know like three different people who do pay as you can or pay as you go models up to and including offering free training to the people who are just starting out. And that's just part of the DNA of their companies, part of the DNA of the way they go through the world. And I wish that there were lower barriers to entry for people getting that material.
So one of the questions I wanted to ask for you and just to delve deeper into it was what do you feel was lacking in this education?
What do you feel that was lacking that caused you to eventually drop this program?
So the first answer is difficult to give without sounding critical of the program itself. And that is quite simply instruction. Yeah. This program was entirely online. And I'm okay with that. A lot of my undergrad courses were entirely online. It was only in grad school that every class I took was on campus. So I'm really comfortable with online learning and I've experienced really good online learning.
But in this particular case, the program was really set up in a read these book chapters, watch this YouTube video, download these five journal articles, answer one discussion question in two or three weeks. And then in three months, we'll have an exam on this.
And I think that one of the things that has fascinated me about learning more about your world is how similar your world is to the world of mental health in that the answer to almost every question is it depends. Everything is so situational. You really can't read something in a book and say this is how that would apply to every situation that this chapter covers.
Because it's going to depend on the people involved, the place that it happened, the mindset of those involved, how much of it was deliberate versus accidental, how much of it was consented to or not. The same questions that I'm asking when I'm doing a case consult with a colleague, you are asking me about the case studies being presented in my reading.
And because we didn't have that interaction one on one, those dialogues, those back and forths, those live conversations with the instructors, I didn't have the answers to your questions. And what that really showed me was I wasn't being given what I needed to really understand the case scenarios being presented.
Because it's not formulaic in the same way that I can't give somebody a checklist that will lead them to an accurate diagnosis of paraphilia. You can't give me a checklist that will show me how to respond to somebody's email being hacked and their nude photos being stolen.
And the nuance that comes from being able to say it depends, you only really learn from when you are able to sit and have conversations with, you know, in the guild model, the master practitioners, the journeymen who have refined their trades. And that wasn't a part of this program.
I recognize that I was, I think the only person in my cohort that was not already working in either law enforcement or something adjacent to cybersecurity. But I don't know that being in law enforcement would have given them the same opportunities that I've had to just sit in a room and learn from your people. And that I think was one of the biggest missing pieces in this program.
And that was really one of the big takeaways for me in terms of understanding that it's less about the piece of paper and more about the who have they known and how long have they been able to learn from that person. Completely agree. And now we're having some conversations, we had some great conversations.
I got, you know, I would gladly pay part of your tuition just to keep having those conversations.
However, it was a pretty high tuition and you know, the conversations were between us, not between you and the instructor. Now one thing I think is intriguing though, and one thing I will give you credit for in our ongoing debate, as our cybersecurity profession has developed, one of the things that we're lacking is a mechanism for community enforcement.
How do you do a licensure complaint against a hacker?
How do you do, you know, how do you attest to what you're talking about?
Like who have you worked with?
What have you done?
And people can just make up things and make up things again and again and again and no one checks them.
In your world, if a social worker does something wrong or egregious, what happens?
So it varies from state to state, but typically every state has a mechanism by which somebody can make a complaint to our licensing board. A lot of times people think it's our professional organization. So you know, my degree is in social work. People will say, I'm going to call and report them to NASW, to the National Association of Social Workers. That's a professional organization.
They have our code of ethics and they advocate for our profession, but it's our state really that oversees our licensure process. And I actually just had to do this back in August, there was somebody who was advertising themselves as a trauma therapist saying they were providing cognitive behavioral therapy and they were an RN. They were registered nurse with a two year associates in nursing.
They had no qualifications within our state to be practicing as a therapist. And I had to make a report to our state board saying, hey, there's somebody who is telling clients they are trained and skilled in something that they are quite obviously not qualified to be doing. And the state stepped in and sanctioned them.
And now whenever anybody is researching whether or not they want to work with this person, anybody can go to your state website and do a license search on any licensed healthcare provider including counselors, psychologists, marriage family therapists, and social workers. And this person, if anybody looks up her license, will show that she had been sanctioned for practicing without a license.
So there are mechanisms by which our governing agencies from state to state can either say you did something egregiously wrong and you need to do X number of hours of continuing education to learn about this area that you messed up in.
There are instances here in Michigan where clinicians, including medical providers, doctors, and nurses who are reported because they have a substance use issue, they'll actually be given the opportunity to do continuing supervision around both their clinical practice and their substance use issues in order to protect their license and not have that revoked.
There are lots of different possible outcomes including just having a note on your license saying hey somebody complained and we told them to knock it off. But there is a mechanism by which the community and our clients can police ourselves and can warn one another about dangerous or at least unskilled providers. And we have nothing like that in cybersecurity.
You have the knowns, right?
Like there are certain people that if you talk to others like you don't want to work with that person or you really don't want them at your conference. I don't want to go into details but here's what they did in this event. Or I don't, you know, it's not my story to tell but you may want to talk to these other people before you consider hiring this person.
So we have that type of structure but we don't necessarily have a licensing board. We don't necessarily have the ability to have a public record. And I do think that allows people who are charlatans and I do think that allows people who are abusers or abusive to get away with more than they should in our community right now.
So bringing this back to securing sexuality, what should we do for this space?
If you had like the ability to paint the perfect picture about how toy makers and therapists and hackers would work together and how you would hold people accountable and yet still allow them to get in, how you would lower the gatekeeping but yet have enough gatekeeping to hopefully filter out people who are ineffective or downright predatory.
What would that look like?
This is something that I think about all the time in my space on a day-to-day basis. And I don't know that we have a good answer here yet but I'd love to hear your answer.
In my world, one of the biggest messages that we try to get out is the idea that you want a licensed provider, right?
There are so many people calling themselves life coaches, sex coaches, kink coaches, relationship coaches. Anytime you see coach in somebody's job title, please know they are operating outside of a professional scope of ethics. Which is not to say that they don't have their own personal ethics.
Whether they are a mental health provider and they know that what they want to do in this area runs afoul of their professional code of ethics so they're choosing not to identify as a mental health provider and they're saying I'm doing this as a coach and not as a therapist or they are not a qualified mental health provider at all and they have simply decided that they are now a life coach or a sex coach because there is no regulation of the coaching term.
And so one of the big things on my side is just making sure people know that they want to be working with licensed providers and that no matter what state you live in, it is possible to verify somebody's license and to make sure that they don't have any sanctions or complaints against them before you work with them.
And I do think that's an important thing to, an important step to take and an important piece of knowledge to have. I have a lot of clients who come to me because they said well my sex coach told us to try X, Y, and Z and it didn't work and now my partner wants a divorce.
Sexuality, relationships, intimacy, frankly your mental health and your brain, these are all fragile things that deserve to be protected and deserve to be treated with the care and dignity that they warrant. And I think knowing whether or not your provider is a qualified provider and what their level of expertise and whether or not there have been any complaints about them is a really, really important step to take.
So that's a piece of my world. I know in your world, you're right, a lot of it is kind of behind the scenes conversations. You wouldn't believe what they did at the last conference I was at with them. Maybe you want to reconsider bringing them in for an interview.
But I don't really know what you could do in your world to make that a little bit more transparent the way it is in mental health.
What do you think?
Yeah, it's very difficult because you brought up NSAW and the professional groups. I think all the professional groups out there would love to say we'll just have them maintain the certification. Have it be through us, we'll be that body. And for various reasons, I don't know that we should trust in those professional groups. And likewise, I tend to be very concerned about it being regulated.
Another thing that we've taken steps forward each year, it feels like, since I've been in this field, is more and more regulation around cybersecurity and more and more government intervention into my field. I'm not entirely sure that that belongs either. But I do think, and just like you, you're now on record. You are now on record. I say that I'm right.
I do think I want to be on record in saying that as my field matures, we should learn from yours and others like you in terms of having a greater degree of transparency and accountability. I'm all about reducing gatekeeping. But the one thing that I've learned over the past years is there are some gates that perhaps need to be kept.
How we determine what those gates are has to be done in a very ethical and aboveboard way. Now when it comes to securing sexuality, it's interesting because the lack of protections that you describe and the lack of protections I describe exist in a lot of these toys and technologies. There's even less in the space of let's build a toy or let's put up a website than we talked about.
So it will be interesting as we continue having these conversations to keep thinking about that. And this is one of the things that I'm going to keep revisiting in my head.
How do we have an appropriate degree of assurance as people, as users, as consumers, as partners and friends in the technologies that we're subscribing to?
And I don't think we have a good answer.
And that I think is a huge part of what you and I are trying to do here, right?
Because it's easy for me to talk about how my field is regulated and for you to talk about whether or not and how your field should be regulated.
But as we talked about in our last episode, you know, with AVN and a lot of the cool things that we saw there, a lot of times the technology and the tools and the toys that you and I talk about are coming from outside of both of these worlds.
They are everyday people with a cool idea and some seed funding and making sure that in the same way that I can tell a client how to vet a possible therapist, that you and I are able to tell a listener how to vet a possible app or a toy is a huge part of what you and I are trying to figure out together in this whole endeavor. Absolutely.
Which reminds me, you know, just to plug, if you didn't catch our last episode, the Rowena Fielding, jump back, listen to that episode 18, because I like that she put down a good list. I think there's a good starting point for evaluating some of the toys that we need to select. But I've got a question for you. And if you don't want me to put this in the podcast, I won't.
I'm willing to hit an edit button. It's now 2023.
Have you decided what your New Year's resolution is for 2023?
What are you learning this year?
I really want to stay in the vein of 2022. I want to try and find another way, another avenue to connect my work with kink-affirming mental health care and destigmatization around BDSM and kink communities with the legal law enforcement victim advocacy sort of community.
I think that a logical extension of my work, both historically as a victim advocate and as a survivor advocate, and now as a clinician, is to really stay in that wheelhouse of criminology and deviancy.
And what do we mean when we use that term?
And how is that term misused outside of mental health and criminology?
But what that's actually going to look like academically, I don't know yet. So listeners, if you have ideas for me, let me know. And then just from the purely non-academic self-enrichment, I think this is the year I'm going to take a stained glass class. I wanted to do stained glass in 2020, and COVID shut that idea right down.
So maybe this will be the year I learn how to make pretty window art in addition to continuing my professional development. We can combine and we can do stained glass of the logos of the major vulnerabilities like Heartfleet and everything. This could be great. I'm down.
Well, if anyone has any ideas of good programs, definitely reach out to us. Thank you so much for tuning in to Securing Sexuality, your source of information you need to protect yourself and your relationship. Securing Sexuality is brought to you by the Bound Together Foundation, a 501c3 nonprofit. From the bedroom to the cloud, we're here to help you navigate safe sex in a digital age.
Be sure to check out our website, Securing Sexuality, for links to information about the topics we discussed here today, although they'll probably be late for this particular episode, as well as looking at our 2023 conference in Detroit. And join us again for more fascinating conversations, not always complaining about Stefani's schoolwork, about the intersection of sexuality and technology. Have a great week.