Diversity in Cybersecurity
A Mosaic of Career Possibilities
Cybersecurity Careers: Off the beaten path
In this eBook you can read the stories of professionals from around the world and hear how they got their starts in cybersecurity. No two answers are the same.
Our contributors also talk about advice they would give their younger selves at the start of their cybersecurity careers, and whether they would do anything differently.
We hope this eBook proves that we are a stronger security community when we embrace diverse backgrounds and skills.
Question 1
What was the path that led you into the cybersecurity industry?
I was in school trying to become an eye doctor and realized very quickly that it was not the right path for me. And so I started taking different electives, really trying to explore and figure out what I wanted to do with my life and career.
I came across a cybersecurity class, and I'll never forget the exact assignment when I knew. We had this task to decrypt a string of encrypted texts. Things like that can be a pretty tedious process. I was up until probably two or three o'clock in the morning trying to figure this thing out. And I'll never forget the adrenaline rush that I felt when I finally cracked it and got it right. It was almost like I had won a game or like I had solved a puzzle. I couldn't help but think to myself, “Oh my gosh, this is what some people do for work. This is an actual job.”
“I'll never forget the adrenaline rush that I felt when I finally cracked it and got it right. It was almost like I had won a game or like I had solved a puzzle.”
Christine Izuakor | CEO of Cyber Pop-up
My story goes back almost 23 years. I came straight into it with no experience of technology. (My background actually is in art and design.) Whilst I had worked in sales, I actually went straight into starting a tech company with a partner who understood technology.
Because I didn't know anything about technology, I looked at what was available in tech. The only two things that interested me were AI and security. AI was too new at that time. Security sounded really exciting and dynamic. I thought it sounded a little bit like James Bond. (I’m a big Bond fan.) That's how I got into this industry, and that’s what led me here.
One thing that I love about cybersecurity is the people. The people are interesting. The people are challenging. The people are frustrating, and the people are incredibly diverse. I love hanging out with people in cybersecurity.
The way that I see it is we really are securing the world’s operations. We are really securing the world’s freedom, which is a really important thing to do. And certainly as a woman, because we see risk in a different way than men, I feel that the industry really needs us as women to come in and add to it.
One thing that I love about cybersecurity is the people. The people are interesting. The people are challenging. The people are frustrating, and the people are incredibly diverse. I love hanging out with people in cybersecurity.
Jane Frankland
After school, when I was about 16, I progressed to college to complete a BTEC Level 3 Extended Diploma in Software Development. Over two years, I learned to build and program everything you could think of: websites, games, mobile applications, scripts and more. On this diploma course, we had a networking module that focused on security. It was at this point when I definitely had my “calling.” After nearly two years of building things, I discovered that breaking them was much more fun!
Following this “Eureka” moment, I applied to study a BSc (Hons) in Cyber Security Management. Four years later, including a year’s placement in industry and a huge amount of community involvement, I completed my degree with First Class Honors. I’m now about to commence my first role in the industry as a Junior Security Consultant of penetration testing.
After nearly two years of building things, I discovered that breaking them was much more fun!
Sophia McCall | Junior Security Consultant
In my spare time while getting my engineering degree, I researched and “hacked” the boot sequence of a PlayStation with a “ModChip” I programmed, and I was able to play video games from different regions around the world. (Back in those days, games were on CDs and had country regional restrictions on them. Some of the best games never came to my region!)
I was one of the first with these ModChips at that time, so my friend and I started to help others on the side. This freelance job was quite thrilling and exciting! This was my first experience with hacking and reverse engineering. It taught me how to use root cause analysis to really dig deeper in order to understand the underlying technology and reasons for why things worked (and didn’t work). This is a fundamental skill which I have found useful in my cybersecurity career.
I used root cause analysis to really dig deeper in order to understand the underlying technology and reasons for why things worked (and didn’t work).
Jason Lau
Well, there wasn't a defining moment for me because cybersecurity as an industry wasn't really called an industry yet. I became a hacker at an early age, but back then, we were just focusing on computer security, which was an offshoot of computer science.
I think a lot of people who have been in cybersecurity for as long as I have—over 20 years professionally—have a very meandering path that led them down this career rabbit hole. For myself, I was a molecular biologist, and I was working on the human genome project at MIT. I decided molecular biology wasn't for me, but I wasn't quite sure what I wanted to do. So I took a detour, which I thought was temporary, into the systems administrators group at the genome center at MIT. I helped them build those systems out, and then, I took another systems administration job at MIT in the Department of Aeronautics and Astronautics. There, I took care of the network that helped launch some Mars rovers. This was the late 90s we're talking about here.
From there, defending the systems that I was in charge of led me back into the nascent security fold. But this was all before there was an actual cybersecurity profession. So for me, my security origin story is murky because it's coupled with the origin story of cybersecurity itself.
This was all before there was an actual cybersecurity profession. So for me, my security origin story is murky because it's coupled with the origin story of cybersecurity itself.
Katie Moussouris | CEO of Luta Security
I was working as the Webmaster and Linux Administrator for a company whose endpoint security product blocked USB flash drives from connecting to systems. At that time, my only exposure to security was on the defensive side. I was curious about how the USB malware we were trying to block worked and how it got into forums where some of these tools were being traded.
I went down a lot of rabbit holes in my research, and I even built a website called USBHacks.com that provided samples of the USB malware to help educate network admins. (This was also the first time the FBI reached out to me.)
Around this time, one of my co-workers had his car broken into and his laptop bag stolen. We joked about what would have happened if a thief had stolen my bag and plugged in one of my weaponized flash drives into a computer. After the conversation, I started building tools based on my USB malware that were designed to protect devices and data if they were stolen.
We joked about what would have happened if a thief had stolen my bag and plugged in one of my weaponized flash drives into a computer.
Ken Westin | Head of Competitive Intelligence, Elastic
There was no “calling” moment. It just kind of happened that I realized I was part of the information security community.
When I started working as a nurse at a lot of different healthcare institutions, I didn’t have my own login codes. My colleagues were helpful insofar as they let me use theirs. I quickly realized how dangerous this shared access was; I could work under my colleagues’ names and use that access to change information in the stored medical records. I also found out that medical devices were connected to the same PC, allowing me to control some of those products from that computer. It was around that time that I became curious. Could someone from the outside establish a connection with the PC? If so, what could they do?
I decided to contact the security team. At first, they were surprised (and suspicious) that a nurse showed interest in security. But they quickly saw that I really wanted to deepen my understanding and learn.
In no time, I received a lot of information and made contacts with many infosec professionals from all over the world who were ready and open to help me. They explained a lot to me, sometimes in too much detail. They also showed me the tools that I could use to learn by myself.
I discovered Mozilla Observatory, Nmap, Wireshark, Shodan and much more. I often lost myself in trying to find the meaning of every word I couldn’t understand with regards to using these and other tools. It was a lot. Many times, I got depressed thinking that I’d never be able to learn a subject, that I’d never be able to learn enough. But I didn’t give up. There was a lot of different stuff to learn. I wanted to find out where my place was in all of it.
By already knowing the medical side of things and by building my understanding of security, I was able to develop a deep and global picture of the security situation in healthcare. I’ve used that understanding to try to connect medical security and privacy and to help individuals from both sides hear and understand each other so that we can all work together. I strongly believe that medical security and privacy departments can make the healthcare system not just more safe and secure, but also better for everyone by working as a team.
I got depressed thinking that I’d never be able to learn a subject, that I’d never be able to learn enough. But I didn’t give up.
Jelena Milosevic | Registered Nurse
Richard Archdeacon
Advisory Chief Information Security Officer, Duo Security, Cisco | LinkedIn
Like most people, I fell into cybersecurity through exposure to some really big security events.
Code Red, Nimda, and the “I Love You” virus all swept us up by surprise at the time (security was still low on the radar unless you worked at a bank or financial organization). In one of the virus attacks, I saw a whole corporation lose its email system.
It struck me that this meant nobody knew how to prevent or respond to these attacks and that security was going to be vital going forward. All our digital transformations would come to naught if a simple attack could cripple us. So we had to develop security in the same way that we were changing IT.
I think the final confirmation for me came when we read reports from SOCA and other organizations that showed the link between hackers and organized crime. It struck me then that we were not dealing with script kiddies but bad people who were committed to doing bad things to innocent victims. This was more than just a job; it was a calling.
I think the final confirmation for me came when we read reports from SOCA and other organizations that showed the link between hackers and organized crime.
Richard Archdeacon | Advisory Chief Information Security Officer, Duo Security, Cisco
Ambler T. Jackson
Senior Privacy Subject Matter Expert | LinkedIn
I knew that the cybersecurity industry was the right industry for me when I began working on assignments that required not only an understanding of the law and general business processes, but also the ability to understand an organization’s data governance practices and speak “security.” My confidence with respect to my career path increased once I understood how my skill set obtained throughout my law career, coupled with my technical aptitude, transferred to the cybersecurity space and specifically to the data privacy and protection area of cybersecurity.
Cybersecurity is a very broad discipline, and the field is enriched by many different skills, capabilities, expertise, personalities and backgrounds.
Ambler T. Jackson | Senior Privacy Subject Matter Expert
Omar Santos
Principal Engineer - Product Security Incident Response Team (PSIRT), Cisco | @santosomar | LinkedIn
It started when I left college and joined the United States Marines. I was in the U.S. Marine Corps, and my military occupational specialty was in electronics and secure communications. From there, I shifted into networking and specifically network security. That’s when I knew that cybersecurity was for me.
After I left the Marine Corps, I joined Cisco in 2000, and I was part of the technical assistance center. I was supporting firewalls, IPS devices, VPNs and a lot of encryption.
At the end, I was actually doing penetration testing and ethical hacking against many large Cisco customers. I shifted gears again, and now I'm part of the product security incident response team where we specialize in vulnerability management. I also concentrate on helping industry-wide efforts.
I was actually doing penetration testing and ethical hacking against many large Cisco customers.
Omar Santos | Principal Engineer - Product Security Incident Response Team (PSIRT), Cisco
The defining moment for me was when I got involved in a forensic investigation after my manager at the time asked if I wanted to shadow him and learn a few things. I was working in desktop support, and I found it fascinating. It was the catalyst for me. From there, I made a lot of mistakes, learned a lot, and adapted. I’ve been fortunate enough to work with some really good people along the way, and I still find the work interesting.
I made a lot of mistakes, learned a lot, and adapted.
Mo Amin | Independent Cyber Security Culture Consultant
In the second grade, I was placed in college math and English, but a few years later, I was taken out of public school to be homeschooled. During this time in the late 80s and early 90s, homeschool was not as evolved as it is today. In my boredom, I happened to discover BBSs (bulletin board systems) and, subsequently, the Internet. I quickly adapted to manipulating software and hardware to do things they were just not made to do.
Eventually, I tested for my General Equivalency Diploma (GED) and started working in carpentry. I wanted to create things. This career was over quickly, however, as I was injured about a year into my apprenticeship. The only skill I had to fall back on was my knowledge and curiosity for tech. So that is what I did.
Fast forward a few decades, and I continue to make my way into an area where it just feels like a natural fit for me.
The only skill I had to fall back on was my knowledge and curiosity for tech. So that is what I did.
Amanda Honea-Frias | Head of Product Security at Duo, Cisco
I got onto the information security, privacy and compliance path at the beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare corporation. I didn’t even realize change control was a critical information security control at the time until I started seeing the ways in which human interactions and noncompliance with procedures caused some major problems, such as down-time (loss of availability) for the entire corporation.
After I went to the IT Audit area, I performed an enterprise-wide information security audit. As a result of that audit, I recommended that an information security department be created. There, I created all the corporation’s information security and privacy policies along with their supporting procedures, and created the training program, established requirements for the firewalls and web servers, performed risk assessments, established the requirements for one of the very first online banks at a time before there were any regulatory requirements for them, and generally oversaw the program. I’ve loved working in information security and privacy, simultaneously, ever since.
... I started seeing the ways in which human interactions and noncompliance with procedures caused some major problems, such as down-time (loss of availability) for the entire corporation.
Rebecca Herold
The moment that I realized the security/privacy industry was right for me was when I made my own path in it. I quit my job at a consulting gig and then developed Cyber Collective. I was able to make the safe space that I was looking for in the security industry that I didn’t necessarily have for myself and for my peers outside of the security industry. I think that dialogue needs to reach everybody. When I realized that I could turn security into something creative that benefits people, that reaches the empaths and into people’s ethos and pathos, that’s really when I realized that security was my calling, that this was something that I could do.
I was able to make the safe space that I was looking for in the security industry.
Tazin Khan Norelius | Founder of Cyber Collective
Ben Nahorney
Threat Intelligence Analyst at Cisco Security | @benn333 | LinkedIn
I studied journalism at university with a focus on magazines. I had my sights set on a career in investigative journalism, and I wrote stories around personal privacy, individual rights and security issues for campus publications while finishing my degree. While I had touched on cybersecurity in my writing, my first brush with it as a career came when I graduated during a recession. I took an entry-level tech support job at a cybersecurity company, all the while expecting it would be temporary while I looked for a writing gig.
In demonstrating that I could write, I was moved into a role writing knowledge-based documents. Eventually, I took on a position within the company’s threat research group where I wrote virus write-ups based on notes from cybersecurity engineers.
I don’t think I looked back after that. Researching threats had a very similar vibe to the investigative journalism work I wanted to do.
Researching threats had a very similar vibe to the investigative journalism work I wanted to do.
Ben Nahorney | Threat Intelligence Analyst at Cisco Security
Mary Aiken
Professor, Forensic Cyberpsychology, University of East London | @maryCyPsy | LinkedIn
I first encountered AI when I was working in the Marketing and Advertising Services sector in the United States in the 90s. A colleague had been working on an AI project and was about to launch his 'Chatbot' (www.jabberwacky.com) on the Internet. I was captivated by this AI software that could simulate conversations with humans. Immediately, I began to think of applications for the elderly, the lonely, people suffering from mental health conditions or social isolation and children with specific challenges or learning difficulties.
That being said, I was concerned. What if this form of sophisticated social AI was deployed as an attack vector? The prospect of a dystopian future in which sophisticated AI could engage with or even deliberately target some of the most vulnerable people on the planet was an extremely disturbing prospect. I decided to engage and requalify as a Cyberpsychologist, which was an emerging discipline in the early 2000s. Some years later, I embarked on a completely new career in the cybersecurity and cyber safety sector. All of this was inspired by a brief but illuminating encounter with a Chatbot.
The prospect of a dystopian future in which sophisticated AI could engage with or even deliberately target some of the most vulnerable people on the planet was an extremely disturbing prospect.
Mary Aiken | Professor, Forensic Cyberpsychology, University of East London
While in the Air Force, I was doing military intelligence. I pivoted from that to specifically cybersecurity. Prior to that, I had no clue about cybersecurity or what it meant and what it entailed.
The turning point came when I had my first work role in a counterterrorism office for the NSA. It was so life changing for me because that was when I actually applied theory with on-the-job training. That counterterrorism office was high pace. Just nerves on edge all the time. There was a lot going on, but it was so amazing. I used everything I had learned. I learned how to think on my feet, to be creative. It really allowed me to dig deeper into pen testing. Had I not done that job, I wouldn't have learned that I enjoy pen testing as much as I do. It was also very rewarding because you saw the actual result of an action you took.
I used everything I had learned. I learned how to think on my feet, to be creative.
Jihana Barrett | Founder, CyberSuite LLC
My corporate job introduced me to the world of security awareness and the human aspect of security that I didn’t know existed. In that instant, my entire world changed, and my career in cybersecurity was solidified.
Instead of security being reduced to lines of code or sitting at a desk for eight hours, it became about the human brain, teaching and authentically connecting with people.
And once I started my own business and brand, I fell deeply in love with creating a movement and tribe around security awareness and education.
Now, it’s no longer about the “right career” but about the “right calling.” I’m in an industry where I can create massive transformation and impact.
Instead of security being reduced to lines of code or sitting at a desk for eight hours, it became about the human brain, teaching and authentically connecting with people.
Fareedah Shaheed | CEO and Founder, Sekuva
During my very first security conference back in 2007, I saw a talk on the Julie Amero case: a teacher who faced a long prison sentence because malware on her laptop had displayed adult content to a class of minors. It taught me how security can have an impact on people’s lives and also how different people can have very different threat models.
The latter lesson I think is relevant well beyond IT security. It could help us understand society better as a whole.
It taught me how security can have an impact on people’s lives and also how different people can have very different threat models.
Martijn Grooten | Researcher, Writer and Security Professional
Curiosity led me to a cybersecurity career. I was that one student who always had questions to ask. Upon obtaining my Bachelor’s Degree in Information Technology, I landed a Systems Admin role. Those late-night shifts at the datacenter were the core foundation of my career, as I learned a lot.
While in this role, I attended a lunch-and-learn session that was hosted by the Infosec team. They shared information on the latest malware trends, tactics, techniques and procedures used by the threat actors. I was so fascinated by the knowledge shared, and I asked so many questions to the point where they offered me the opportunity to shadow the team in order to learn more. It was this opportunity that deepened my interest in security. Later on, I was offered an opportunity to join the MIT Cybersecurity program. From the knowledge I had already attained, I knew that cybersecurity would be the future, and I wanted to be part of it.
I knew that cybersecurity would be the future, and I wanted to be part of it.
Noureen Njoroge | Cybersecurity Consulting Engineer, Cisco
Phillimon Zongo
Chief Executive Officer at Cyber Leadership Institute | @PhilZongo | LinkedIn
I would say my eureka moment came around the end of 2015 when I went back to the drawing board and took a deep look at my career path. I felt like my career had stagnated.
I wanted to specialize in cybersecurity because by that time it was one of the fastest growing fields within the technology risk space. It was clearly the center of attention for the board of directors, regulators, customers and even investors. Instead of spreading myself thin across every aspect of technology risk, I wanted to go deep in cybersecurity.
I realized that there was a major problem in cybersecurity: a lot of the material that I was reading was very technical in nature, but it was almost impossible for me to link cybersecurity tools to strategic business goals. I realized that the subject of cybersecurity was confined within the corridors of IT. It was supposed to be a responsibility of everyone from the front office staff to the board of directors and cybersecurity professionals themselves. That’s when I realized there was a major gap. After months of researching and talking to other people, I realized that I needed to develop skills that would help me translate the complex side of cybersecurity into a language that was understandable by senior business leaders.
I realized that I needed to develop skills that would help me translate the complex side of cybersecurity into a language that was understandable by senior business leaders.
Phillimon Zongo | Chief Executive Officer at Cyber Leadership Institute
Question 2
If given the chance, what advice would you give yourself when you first joined the industry?
If I could go back and tell myself anything, it would have been to pace myself. I would have reassured myself that I was on the right track, that things would turn out the way they're supposed to. And I would encourage myself to learn as much as I could but to be patient with my learning. A lot of times, newbies want to be experts, and they don't give themselves the chance to take the steps to get to that point. Having been in the industry for about 11 years now, I totally see that even if you have all the books behind it, you still don’t have the experience when starting out. That experience is what helps me execute my tasks and examine a problem the way that I do.
So I would have just told myself to be patient. You’re on the right track. You’re doing all the right things. You’re learning. You’re getting the foundations and fundamentals. And every aspect of that industry is going to involve learning. The learning never stops. Basically, I would have taken the pressure off of myself to know everything in the beginning so that I could add value to a space and just know that it was going to come with time.
I would have just told myself to be patient. You’re on the right track. You’re doing all the right things. You’re learning.
Jihana Barrett | Founder, CyberSuite LLC
The advice that I would give myself when I first joined the industry would be to trust the process. I don’t necessarily know if I would give my past self any new advice because I’m thankful for the journey that led me to where I am. But trusting the process has been something that I tell everyone and myself often. You can only do what you can do. The rest is up to the process of contributions and reaping the benefit of the work that you put in. So if you trust the process and stay disciplined, great things can happen for you.
If you trust the process and stay disciplined, great things can happen for you.
Tazin Khan Norelius | Founder of Cyber Collective
Ben Nahorney
Threat Intelligence Analyst at Cisco Security | @benn333 | LinkedIn
I would remind my younger self not to internalize criticism. If you’re a writer, your work is going to be critiqued. Nine out of ten times it’ll be stronger for it.
In cybersecurity, personal feelings sometimes take a backseat to quickly responding to an issue. It has definitely changed for the better over time, but there is an above-average number of plain-spoken and direct people in this industry.
When coming from a non-computer related field, not everyone will immediately see the value of what you bring, and you’ll have to spend extra time proving your worth. Stand your ground when necessary, but pin your ears back for other ideas and perspectives. You’ll pick up some very valuable information.
So ultimately, my advice to myself would be to learn to take things in stride. That, and don’t get too attached to that hairline.
Stand your ground when necessary, but pin your ears back for other ideas and perspectives.
Ben Nahorney | Threat Intelligence Analyst at Cisco Security
Looking back, I would advise myself as follows:
- BE PATIENT with yourself, as it takes time to grasp the vast domains of cybersecurity.
- EMBRACE CHANGE, as this industry is constantly evolving, and you have to constantly learn to adapt.
- GET A MENTOR ASAP to help answer your discrete career questions and provide you with tailored career advice.
- Do not rush into certifications, as they can be costly. Instead, gain some experience, and then consider which specific domain certificate you’d like to pursue, if necessary.
- Network with others in the industry by attending local meetups, chapters and social media platform group gatherings.
- Lastly, don’t be too hard on yourself. Cybersecurity is indeed a journey, not a destination.
Cybersecurity is indeed a journey, not a destination.
Noureen Njoroge | Cybersecurity Consulting Engineer, Cisco
Security likes “rock stars,” that is, people who have very good technical skills or who are loud, very present and can tell a good story. When you’re new in the industry, as I once was, it’s tempting to look up to them and try hard to be liked by them. This might give you a short-term career or confidence boost, but in the long run, I have learned it is much more important to look out for people who are kind and who have a good moral compass.
I have learned it is much more important to look out for people who are kind and who have a good moral compass.
Martijn Grooten | Researcher, Writer and Security Professional
Looking back, I would have told myself much earlier on to focus on the human element of cybersecurity.
There was already so much focus on technology, systems and software in the early days of cybersecurity and not enough on the “people” side of things, which is the initial cause of many incidents. Focusing on this topic could have made a much bigger impact on the early days of the security awareness training industry.
Cybersecurity is a shared responsibility, so the more sharing we do, the safer we will all become as a whole.
There was already so much focus on technology, systems and software in the early days of cybersecurity and not enough on the “people” side of things...
Jason Lau | Chief Information Security Officer, Crypto.com
Phillimon Zongo
Chief Executive Officer at Cyber Leadership Institute | @PhilZongo | LinkedIn
There are certainly things that I could have done better. Now that I have spent a lot of time mentoring people, I would say it would have been better if I had looked for a highly experienced mentor from day one. That would have accelerated my career trajectory in those five years that I've been pushing myself.
However, if I were to go back, there’s not much that I would change. Before I start doing something, I ask myself, “Am I scared?” If I'm not scared, then I don’t do it because it is through doing things that we are afraid of that we grow the most.
If there is one critical piece of advice that I’d give to aspiring cybersecurity professionals, it would be to place yourself as someone who can communicate persuasively and with impact, who can simplify that critical message and push it to the wider business community. You'll be able to differentiate yourself. Every time I mentor people, I see people doing the same old thing. They get certification after certification but forget that maybe 10 million people look like you. How are you different? What is something different that you bring to the table?
I would say it would have been better if I had looked for a highly experienced mentor from day one.
Phillimon Zongo | Chief Executive Officer at Cyber Leadership Institute
When I first joined the industry, I wasn’t aware of all the options and diversity of paths, so I got sucked into the “you MUST be technical to be worthy of anything” world.
If I were to go back, I would tell myself to not worry about how technical I was or wasn’t. I would put more focus on knowing my strengths, interests and hobbies. I would then spend time figuring out how I could combine them all to make a difference in someone’s life.
Not everyone gets to do that, but if you can find that combination, it can be life-changing. I eventually found it, but I would definitely tell myself to stop stressing over grades, certifications, job titles, compensation and technical abilities because it doesn’t matter. It didn’t for my journey, at least.
I would tell myself that the impact I was called on to make in this world was bigger than any of that, and that I didn’t have to squeeze myself into a box of degrees, certs, job titles and career paths.
I would tell myself to not worry about how technical I was or wasn’t. I would put more focus on knowing my strengths, interests and hobbies.
Fareedah Shaheed | CEO and Founder, Sekuva
Omar Santos
Principal Engineer - Product Security Incident Response Team (PSIRT), Cisco | @santosomar | LinkedIn
I would basically say to pace yourself and to understand that you're not going to be able to learn everything overnight. Cybersecurity is very broad. You have things from ethical hacking, pen testing, digital forensics and incident response, exploit development, etc.
So yes, become familiar with all the different domains and the ones that you want to specialize in and that attract you the most. Then dive deeply into it while always recognizing that you will never be an expert in every single area in cybersecurity. Pick your niche and concentrate on it.
Pick your niche and concentrate on it.
Omar Santos | Principal Engineer - Product Security Incident Response Team (PSIRT), Cisco
By attending a huge amount of conferences and events over the years, I have been able to build a network of professional connections and friends who have helped to support me along my security journey.
If I could turn back time, I definitely would have told myself to not be afraid and to start networking earlier! At first, I was scared to attend events and I didn’t start doing so until nearly the end of my first year at university.
In my opinion, it’s never too early to start networking. The earlier you start, the sooner you can grow your network and utilize it as a stepping stone to help you kickstart your career.
In my opinion, it’s never too early to start networking. The earlier you start, the sooner you can grow your network and utilize it as a stepping stone to help you kickstart your career.
Sophia McCall | Junior Security Consultant
I am not one to wish for a time machine in general. I believe each success and failure has made me who I am today. I do not want to sound like I have had a perfect journey and that I have achieved all that I have intended to accomplish. Quite the contrary. My life is a continuous journey, and my occupation is just a part of that journey.
I believe each success and failure has made me who I am today.
Amanda Honea-Frias | Head of Product Security at Duo, Cisco
If I could go back to the point when I was just joining information security, I would tell myself to not shy away from being visible. I would urge myself to use my voice and network. Visibility is the most important thing that a woman needs to do in order to advance her career.
When I talk about visibility, I mean it in a sense of using your voice so that people know about you. You need to get yourself out there. They need to be able to see and understand the work that you are doing. So it's really important that women build their visibility.
Use your voice, demonstrate your value, really focus on building your network and use all of the tools around you.
Finally, don’t worry about your age. Don’t worry about how young you look, and don’t worry about not being considered technical. For me, I had a great big hang-up about being really young. I wasn’t actually bothered about being a woman. I didn’t see that as being a disadvantage at all, but I was really concerned that I looked so young and that I wasn’t technical. So I would go back and tell myself to not worry about looking young and to not worry about not being technical. I was able to do my job and to do it really well even though I wasn’t technical in those days.
Don’t worry about your age. Don’t worry about how young you look, and don’t worry about not being considered technical.
Jane Frankland | CEO, KnewStart
If I were to go back and give my younger self advice, I would probably aim myself towards early ventures that accumulated a lot of capital, a lot of cash. And the reason for that is not that everything comes down to money, but money makes a lot of things easier, such as making your ideas come to fruition.
When you're a minority woman in any industry, I think it's a challenge for us to be taken seriously early in our careers, mid-career and even later on in our careers. I think that having access to capital, and the means to make some of our ideas come true, is important. I think that would have been the advice that I would have given myself back then. And now, we'll see what I do with some capital, since I've earned enough to bring a few new ideas to reality.
If you can, try and find a mentor. There are more avenues and channels now than when I was starting out. When you find someone, make sure that you play your part in the relationship. You need to put the effort in, too. Also, remember to be patient with yourself. You can’t know everything at once. Pick an area that interests you and try to become the best that you can be in it.
You can’t know everything at once. Pick an area that interests you and try to become the best that you can be in it.
Mo Amin | Independent Cyber Security Culture Consultant
At one point I realized I needed to do more to understand executive and other management views of information security and privacy. I could then take those perspectives, and use them in effective ways to raise awareness of all levels in the organization chart about the need for strong security. That was the only way to obtain executive buy-in.
Another piece of advice to myself would be to not wait until I feel I am confident I know and can do everything related to information security and privacy before offering ideas or being proactive with actions. Early in my career, I did not speak up with my ideas that likely would have propelled me much further and more quickly in my career if I had. No one will ever know, though.
We need to have confidence and faith in our own capabilities as well as to always approach issues logically. We also need to be aware that others who may be less knowledgeable and/or experienced than you will advance more quickly because they didn’t wait to be 100% knowledgeable or fit 100% of an advertised position within which they ultimately excelled.
We need to have confidence and faith in our own capabilities as well as to always approach issues logically.
Rebecca Herold | CEO and Founder, The Privacy Professor Consultancy
Mary Aiken
Professor, Forensic Cyberpsychology, University of East London | @maryCyPsy | LinkedIn
I believe that regret simply serves to undermine decision making, not just in the past, but importantly going forward, as well.
Bottom line: don’t second-guess your own judgement, that is, the ability to make considered decisions and come to a sensible conclusion. My only advice to those who seek a career in cybersecurity is to do what I did and don’t view opportunity through the myopic lens of a singular discipline. Try to adopt a transdisciplinary approach, and don’t underestimate the incredible value of the arts. In terms of decision making, Robert Frost’s “The Road Not Taken” sums it up:
Two roads diverged in a wood, and I—
I took the one less traveled by,
And that has made all the difference.
Bottom line: don’t second-guess your own judgement
Mary Aiken | Professor, Forensic Cyberpsychology, University of East London
Ambler T. Jackson
Senior Privacy Subject Matter Expert | LinkedIn
If I had an opportunity to go back to the beginning of my career, I would have dedicated some additional time to learning about the technical considerations of data governance first. While I later studied data governance, what you learn from databases, data models and data management helps to provide the big “forest-from-the-trees” picture for understanding why and how organizations capture data and how data elements move throughout the data lifecycle. I wish that I had obtained the formal education at the outset, as it would have helped to set the stage for fully understanding the lifecycle of a data element early on.
I wish that I had obtained the formal education at the outset, as it would have helped to set the stage for fully understanding the lifecycle of a data element early on.
Ambler T. Jackson | Senior Privacy Subject Matter Expert
When I was a kid, I was diagnosed with Dysgraphia, a learning disorder related to Dyslexia. This didn’t happen until rather late in my childhood. Up until that point, I believed I was "stupid and lazy," as that is what many teachers told me.
When I received my diagnosis, it made a huge difference. My parents bought a computer. I took typing classes. I started playing guitar (to help with motor skills). I ended up being the first in my family to graduate from college, and since then, I have built things that many people didn’t think were possible.
The impact on my self-esteem is something I carry even today. If I could go back and tell myself about my disorder, tell myself I wasn’t stupid and to get into computers sooner, I think it would help my confidence throughout all of my life.
If I could go back and tell myself about my disorder, tell myself I wasn’t stupid and to get into computers sooner, I think it would help my confidence throughout all of my life.
Ken Westin | Head of Competitive Intelligence, Elastic
The one thing that stands out for me is asking questions and being brave about asking questions. I still remember early in my career how I often found myself being the only woman in the room, the only person of color in the room and/or the youngest person in the room. And on top of that, I already had a very shy and timid personality. Bundled together with asking questions, it was a nightmare for me sometimes.
What I would do is I would take out a notepad every time I heard something I didn’t know or every time there was a concept that I couldn’t quite grasp. I’d go home and do a ton of Googling and researching to figure it out. That worked for me.
I think being able to ask questions and really get that information and soak that in, as well as to build relationships with the people around you is an added plus. Don’t be afraid to ask questions. No matter how “beginner level” those questions might sound in your head or how stupid you think some people might think they are, all of that doesn’t matter at the end of the day. When you get answers to those questions, that is helping you to evolve and grow into the best version of you and the best professional that you can be. That is what matters.
Don’t be afraid to ask questions. No matter how “beginner level” those questions might sound in your head or how stupid you think some people might think they are, all of that doesn’t matter at the end of the day.
Christine Izuakor | CEO of Cyber Pop-up
Over time, I realized that I can’t know everything in this field. Nor do I need to. This helped me learn to take a breath, to take a look around and have more patience with learning step by step instead of all at once.
There are many sources of information and free courses/training packages that we can find on the Internet for learning more about security. There are also many companies that will give you a chance to start working even if you don’t have your diploma. Reach out to them to show your initiative! The information security community is awesome.
Thanks to some people and their trust in me, I was able to find my place. I now find what I want and do what I can to produce change for the better. So here I am, a nurse in the information security world.
So here I am, a nurse in the information security world.
Jelena Milosevic | Registered Nurse
Richard Archdeacon
Advisory Chief Information Security Officer, Duo Security, Cisco | LinkedIn
It’s about people. We have to understand the technology. But the most important skill is communication. No matter how strong our technology controls are, we will get nowhere unless we can explain the “what” and the “why.” Otherwise, we will become an obstruction and not a help.
Our colleagues do not come to work to do security. They come in to carry out their tasks in their own departments in order to fulfill their role.
Our colleagues do not come to work to do security. They come in to carry out their tasks in their own departments in order to fulfill their roles.
Richard Archdeacon | Advisory Chief Information Security Officer, Duo Security, Cisco
Further Thoughts
Job Descriptions, Conclusion, and Resources
We couldn’t end this eBook without confronting the topic of job descriptions.
If the cybersecurity industry is to attract and support more people, those people need to be able to visualize themselves in the roles. But do current job descriptions enable that, or does the amount of experience and certifications requested up front lead to a certain amount of soul crushing?
Certifications and accreditations certainly have their importance, but the majority of people in this industry are here because they have a passion for helping others. The passion of the contributors in this eBook alone clearly leaps off the page.
People in cybersecurity want to make the world a better place, and they want to ensure the safety of as many people as possible online. Are the majority of job descriptions appealing to that nature? We would cautiously suggest that many of them don’t.
Don’t just build a website asking for applications and assume they will come. Go out into the marketplace, and go to disadvantaged schools. Talk to them about the industry. Creating a job spec on your website and sending it out on social media isn’t good enough.
Theresa Payton, the first female CIO of the White House
There is no singular footpath into cybersecurity. And that’s not a bad thing. Our adversaries are diverse and strategic, so we must ensure our defenders are also diverse, and are made up of people who also approach solutions from different angles.
Giving people opportunities, even if they don’t tick every box of a job description’s “Essential Skills” list, is one of the best things you can do to help. This will ensure the future of cybersecurity is in the hands of those who are passionate learners.
Also, when finding our path in cybersecurity, having a mentor, or an ally, can help light the way forwards. Allies can open doors that previously seemed closed.
In short, we must ask ourselves what we want the future of cybersecurity to be, and support people to be with us on that journey.
A discussion on non-traditional paths into cybersecurity
A monthlong roster of events, activities and educational content
Put your talent to work
Empowering all people with career possibilities