The Inside Story of How The Girl Scouts Created Their Cybersecurity Merit Badges

In June 2017, I was in Vancouver, British Columbia, attending Palo Alto Networks’ annual cybersecurity conference, Ignite. Typically, the focus is on in-depth technical challenges and on how customers are solving those problems using Palo Alto’s technology, but something different happened in 2017. During the opening keynote, Mark McLaughlin, who was the CEO of Palo Alto Networks at the time, stepped aside and welcomed the Girl Scouts CEO, Sylvia Acevedo. Acevedo came on stage and announced that her organization had partnered with Palo Alto Networks to create a series of cybersecurity-focused merit badges for girls. We all can learn from how the girl scouts created their cybersecurity merit badge program

Acevedo had been on the board of the Girl Scouts for eight years when she was asked to become the interim CEO in June 2016. At the time, the Girl Scouts were in the planning stages of completely revamping their merit badges to incorporate science, technology, engineering, and math (STEM) and other important concepts. Through surveys across the country, they asked girls what they were interested in, and girls of all ages answered that they wanted to learn about one topic: cybersecurity.

In 2016 TechCrunch reported that the average girl gets a smartphone at age ten. By that age, many children already have email addresses necessitated by their school or other activities. The Girl Scouts realized that girls didn’t have a trusted source for information on how to protect themselves in a digital world. They realized they had a calling to fill that gap. But what would be the best method to teach these girls about cybersecurity?

The real challenge for Acevedo was figuring out how to teach girls about something as complicated as cybersecurity. The answer, as it turns out, doesn’t just apply to Brownies or Daisies. The answer applies equally well to dentists or CEOs. To teach someone, you need to figure out what interests them and what is relevant, and then you need to find a way to make that knowledge practical.

Acevedo began her career as a rocket scientist at NASA’s Jet Propulsion Laboratory, where she worked on NASA’s Voyager 2 mission. She has held executive and engineering roles at leading technology companies, such as Apple, Dell, Autodesk Inc., and IBM. Acevedo’s background in technology led her to ask the following questions: What if we adopt agile development methods and apply them to the merit badge process? How can we short-circuit the development process and get girls the skills they need when they need them?

In technology, the concept of agile development began to gain momentum in the early 2000s. Modern software can include billions of lines of code. So, it’s important to make sure that the code, as written, actually does what the users, customers, and businesses need it to do. Old development methods were like those used to build a building: An architect came up with the plans and the builder delivered on those plans. Unlike with a building, if the software wasn’t right at the end of the project, it would usually get thrown away, and the process would start over. Agile development is different in that it gives the users, customers, and executives a chance to provide feedback while the building is being built. This process requires developers to break projects down into small, individual pieces. They use “sprints” to deliver these pieces quickly, usually within two to three weeks instead of the years or decades it normally takes to build software. This is why companies like Google now deliver their software with “beta” on them; being in beta means that the software is still being tested and new features will continue to roll out much more rapidly than they otherwise would.

In applying this agile method of development, the Girl Scouts looked to partners like Palo Alto Networks for subject matter experts in different areas. Finding the core subjects in a field helped define what needed to be taught. The Girl Scouts then applied their understanding of how girls learn to come up with the programs and activities for how to teach these subjects in each age group. They continue to test these teaching methods to find out what works best and to make sure the activities are fun and relevant, ensuring the girls want to keep learning. The security strategy that fits your needs might be different depending on who you are: A recent college graduate looking for a job needs different strategies to stay secure than a vice president who is looking to become a CEO. A one-size-fits-all approach won’t meet either person’s needs, so it’s best to experiment rapidly to see what doesn’t work and what leads to success.

In the Girl Scouts, girls are grouped by age. Grouping the girls this way is important to learning because each age defines a new stage of development, and education is tailored to each stage. To teach coding to Daisies (grades K-1), you need to show how computers talk to one another in binary language. Computers transmit code in bits that are labeled as a zero or a one. Computers string millions of these ones and zeros together every second as they talk to one another. But you’ll lose the Daisies if you talk about ones and zeros. Instead, the Girl Scouts put blue and yellow beads on the table. Then, they have the alphabet expressed not as zeros and ones but as yellow and blue. The Daisies are asked to write their initials on a bracelet using the code. What happens after this is amazing. The girls come back wanting a longer piece of string. They want to write not just their initials but their whole name. Then they come back and ask for an even longer piece of string because they want to write all their names together. “You’ve taught them an unbelievably complex idea in a way that they can wrap their heads around,” said Sapreet Saluja, chief strategic partnerships and new ventures officer for the Girl Scouts. “And then they build on it and build on that. And then by the time they’re ready to learn the next skill, they get it practically, and they know how to build from there. Not only do we, per our mission, want them to use those skills to impact the world, but it’s also what they want. It’s one of the most important things to them. It ends up being the delta between interest and disinterest if there is something practical they can do with their knowledge.”

To teach Brownies (grades 2-3) about important concepts in cybersecurity like networking and malware, where would you begin? You can’t start by describing how TCP/IP protocols encapsulate data into headers. You can’t teach them the OSI seven-layer model of networking. Instead, the Girl Scouts teach the importance of a physical network in transmitting computer viruses to someone the girls have never connected with. The Brownies sit in a circle and pass a ball of yarn to one another; in a short amount of time, a physical network appears. Then they can show how Alice talked to Jane and then Sara talked to Jane. They can see in the network how the malware was transmitted from Alice to Sara. This is relevant to the girls not just because they start to see a pattern emerge but because while they’re doing it, they’re constantly reinforcing the things most important to the girls: community and connection. But how do we apply this agile development model of learning to help others learn about cybersecurity?

Unfortunately, learning can be scary. One group suggests that up to 38 percent of the population has moderate to severe test anxiety. I met the founder of, Jeff Taylor, at a conference early in my career. I vividly remember one of the pieces of advice that he gave. He said, “If you’re nervous, you’re in danger of learning something.” Taylor observed that most people do the same thing every day; new experiences can, consequently, make them nervous. Instead of being afraid of these experiences, we should seek them out like explorers.

The challenges girls face with cybersecurity are the same ones we all face. We’re isolated from one another, afraid or embarrassed to talk about our security failures. We’ve been conditioned to believe that loose lips sink ships. In the past, cybersecurity leaders and vendors grabbed short-term attention or increases in budget by using fear, uncertainty, and doubt (FUD). The Girl Scouts offer an alternative to everyone: fearless learning. They hear from the girls that they are having fun while doing these activities and making connections with other girls—that is meaningful. Learning requires a safe environment and a patient mentor willing to allow individuals to go through the process of self-discovery and learn from their own mistakes along the way. When learning is fun, you want to keep doing it. “We don’t lead through fear,” Girl Scouts’ Acevedo said. “We are raising girls to be courageous, confident people. We’re giving them the skills to be fearless.”


The Origami Man

The following is an excerpt from George Finney’s No More Magic Wands: Transformative Change for Everyone. The book follows the story of Harmony Evergreen, the

Read More »

Mister Groundhog

The following is an excerpt from George Finney’s No More Magic Wands: Transformative Change for Everyone. The book follows the story of Harmony Evergreen, the

Read More »
Click to access the login or register cheese