What was the path that led you into the cybersecurity industry?
I was in school trying to become an eye doctor and realized very quickly that it was not the right path for me. And so I started taking different electives, really trying to explore and figure out what I wanted to do with my life and career.
I came across a cybersecurity class, and I'll never forget the exact assignment when I knew. We had this task to decrypt a string of encrypted text. Things like that can be a pretty tedious process. I was up until probably two or three o'clock in the morning trying to figure this thing out. And I'll never forget the adrenaline rush that I felt when I finally cracked it and got it right. It was almost like I had won a game or like I had solved a puzzle. I couldn't help but think to myself, “Oh my gosh, this is what some people do for work. This is an actual job.”
My story goes back almost 23 years. I came straight into it with no experience of technology. (My background actually is in art and design.) Whilst I had worked in sales, I actually went straight into starting a tech company with a partner who understood technology. Because I didn't know anything about technology, I looked at what was available in tech. The only two things that interested me were AI and security. AI was too new at that time. Security sounded really exciting and dynamic. I thought it sounded a little bit like James Bond. (I’m a big Bond fan.) That's how I got into this industry, and that’s what led me here. One thing that I love about cybersecurity is the people. The people are interesting. The people are challenging. The people are frustrating, and the people are incredibly diverse. I love hanging out with people in cybersecurity. The way that I see it is we really are securing the world’s operations. We are really securing the world’s freedom, which is a really important thing to do. And certainly as a woman, because we see risk in a different way than men, I feel that the industry really needs us as women to come in and add to it.
After school, when I was about 16, I progressed to college to complete a BTEC Level 3 Extended Diploma in Software Development. Over two years, I learned to build and program everything you could think of: websites, games, mobile applications, scripts and more. On this diploma course, we had a networking module that focused on security. It was at this point when I definitely had my “calling.” After nearly two years of building things, I discovered that breaking them was much more fun! Following this “Eureka” moment, I applied to study a BSc (Hons) in Cyber Security Management. Four years later, including a year’s placement in industry and a huge amount of community involvement, I completed my degree with First Class Honors. I’m now about to commence my first role in the industry as a Junior Security Consultant of penetration testing.
In my spare time while getting my engineering degree, I researched and “hacked” the boot sequence of a PlayStation with a “ModChip” I programmed, and I was able to play video games from different regions around the world. (Back in those days, games were on CDs and had country regional restrictions on them. Some of the best games never came to my region!)
I was one of the first with these ModChips at that time, so my friend and I started to help others on the side. This freelance job was quite thrilling and exciting! This was my first experience with hacking and reverse engineering. It taught me how to use root cause analysis to really dig deeper in order to understand the underlying technology and reasons for why things worked (and didn’t work). This is a fundamental skill which I have found useful in my cybersecurity career.
Well, there wasn't a defining moment for me because cybersecurity as an industry wasn't really called an industry yet. I became a hacker at an early age, but back then, we were just focusing on computer security, which was an offshoot of computer science.
I think a lot of people who have been in cybersecurity for as long as I have—over 20 years professionally—have a very meandering path that led them down this career rabbit hole. For myself, I was a molecular biologist, and I was working on the human genome project at MIT. I decided molecular biology wasn't for me, but I wasn't quite sure what I wanted to do. So I took a detour, which I thought was temporary, into the systems administrators group at the genome center at MIT. I helped them build those systems out, and then, I took another systems administration job at MIT in the Department of Aeronautics and Astronautics. There, I took care of the network that helped launch some Mars rovers. This was the late 90s we're talking about here.
From there, defending the systems that I was in charge of led me back into the nascent security fold. But this was all before there was an actual cybersecurity profession. So for me, my security origin story is murky because it's coupled with the origin story of cybersecurity itself.
I was working as the Webmaster and Linux Administrator for a company whose endpoint security product blocked USB flash drives from connecting to systems. At that time, my only exposure to security was on the defensive side. I was curious about how the USB malware we were trying to block worked and how it got into forums where some of these tools were being traded. I went down a lot of rabbit holes in my research, and I even built a website called USBHacks.com that provided samples of the USB malware to help educate network admins. (This was also the first time the FBI reached out to me.)
Around this time, one of my co-workers had his car broken into and his laptop bag stolen. We joked about what would have happened if a thief had stolen my bag and plugged in one of my weaponized flash drives into a computer. After the conversation, I started building tools based on my USB malware that were designed to protect devices and data if they were stolen.
There was no “calling” moment. It just kind of happened that I realized I was part of the information security community.
When I started working as a nurse at a lot of different healthcare institutions, I didn’t have my own login codes. My colleagues were helpful insofar as they let me use theirs. I quickly realized how dangerous this shared access was; I could work under my colleagues’ names and use that access to change information in the stored medical records. I also found out that medical devices were connected to the same PC, allowing me to control some of those products from that computer. It was around that time that I became curious. Could someone from the outside establish a connection with the PC? If so, what could they do?
I decided to contact the security team. At first, they were surprised (and suspicious) that a nurse showed interest in security. But they quickly saw that I really wanted to deepen my understanding and learn.
In no time, I received a lot of information and made contacts with many infosec professionals from all over the world who were ready and open to help me. They explained a lot to me, sometimes in too much detail. They also showed me the tools that I could use to learn by myself.
I discovered Mozilla Observatory, NMAP, Wireshark, Shodan and much more. I often lost myself in trying to find the meaning of every word I couldn’t understand with regards to using these and other tools. It was a lot. Many times, I got depressed thinking that I’d never be able to learn a subject, that I’d never be able to learn enough. But I didn’t give up. There was a lot of different stuff to learn. I wanted to find out where my place was in all of it. By already knowing the medical side of things and by building my understanding of security, I was able to develop a deep and global picture of the security situation in healthcare. I’ve used that understanding to try to connect medical security and privacy and to help individuals from both sides hear and understand each other so that we can all work together. I strongly believe that medical security and privacy departments can make the healthcare system not just more safe and secure, but also better for everyone by working as a team.
Like most people, I fell into cybersecurity through exposure to some really big security events. Code Red, Nimda, and the “I Love You” virus all swept us up by surprise at the time (security was still low on the radar unless you worked at a bank or financial organization). In one of the virus attacks, I saw a whole corporation lose its email system. It struck me that this meant nobody knew how to prevent or respond to these attacks and that security was going to be vital going forward. All our digital transformations would come to naught if a simple attack could cripple us. So we had to develop security in the same way that we were changing IT. I think the final confirmation for me came when we read reports from SOCA and other organizations that showed the link between hackers and organized crime. It struck me then that we were not dealing with script kiddies but bad people who were committed to doing bad things to innocent victims. This was more than just a job; it was a calling.
I knew that the cybersecurity industry was the right industry for me when I began working on assignments that required not only an understanding of the law and general business processes, but also the ability to understand an organization’s data governance practices and speak “security.” My confidence with respect to my career path increased once I understood how my skill set obtained throughout my law career, coupled with my technical aptitude, transferred to the cybersecurity space and specifically to the data privacy and protection area of cybersecurity.
It started when I left college and joined the United States Marines. I was in the U.S. Marine Corps, and my military occupational specialty was in electronics and secure communications. From there, I shifted into networking and specifically network security. That’s when I knew that cybersecurity was for me. After I left the Marine Corps, I joined Cisco in 2000, and I was part of the technical assistance center. I was supporting firewalls, IPS devices, VPNs and a lot of encryption. At the end, I was actually doing penetration testing and ethical hacking against many large Cisco customers. I shifted gears again, and now I'm part of the product security incident response team where we specialize in vulnerability management. I also concentrate on helping industry-wide efforts.
The defining moment for me was when I got involved in a forensic investigation after my manager at the time asked if I wanted to shadow him and learn a few things. I was working in desktop support, and I found it fascinating. It was the catalyst for me. From there, I made a lot of mistakes, learned a lot, and adapted. I’ve been fortunate enough to work with some really good people along the way, and I still find the work interesting.
In the second grade, I was placed in college math and English, but a few years later, I was taken out of public school to be homeschooled. During this time in the late 80s and early 90s, homeschool was not as evolved as it is today. In my boredom, I happened to discover BBSs (bulletin board systems) and, subsequently, the Internet. I quickly adapted to manipulating software and hardware to do things they were just not made to do. Eventually, I tested for my General Equivalency Diploma (GED) and started working in carpentry. I wanted to create things. This career was over quickly, however, as I was injured about a year into my apprenticeship. The only skill I had to fall back on was my knowledge of and curiosity about tech. So that is what I did. Fast forward a few decades, and I continue to make my way into an area where it just feels like a natural fit for me.
I got onto the information security, privacy and compliance path at the beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare corporation. I didn’t even realize change control was a critical information security control at the time until I started seeing the ways in which human interactions and noncompliance with procedures caused some major problems, such as downtime (loss of availability) for the entire corporation. After I went to the IT Audit area, I performed an enterprise-wide information security audit. As a result of that audit, I recommended that an information security department be created. There, I created all the corporation’s information security and privacy policies along with their supporting procedures, and created the training program, established requirements for the firewalls and web servers, performed risk assessments, established the requirements for one of the very first online banks at a time before there were any regulatory requirements for them, and generally oversaw the program. I’ve loved working in information security and privacy, simultaneously, ever since.
The moment that I realized the security/privacy industry was right for me was when I made my own path in it. I quit my job at a consulting gig and then developed Cyber Collective. I was able to make the safe space that I was looking for in the security industry that I didn’t necessarily have for myself and for my peers outside of the security industry. I think that dialogue needs to reach everybody. When I realized that I could turn security into something creative that benefits people, that reaches the empaths and into people’s ethos and pathos, that’s really when I realized that security was my calling, that this was something that I could do.
I studied journalism at university with a focus on magazines. I had my sights set on a career in investigative journalism, and I wrote stories around personal privacy, individual rights and security issues for campus publications while finishing my degree. While I had touched on cybersecurity in my writing, my first brush with it as a career came when I graduated during a recession. I took an entry-level tech support job at a cybersecurity company, all the while expecting it would be temporary while I looked for a writing gig.
In demonstrating that I could write, I was moved into a role writing knowledge-based documents. Eventually, I took on a position within the company’s threat research group where I wrote virus write-ups based on notes from cybersecurity engineers.
I don’t think I looked back after that. Researching threats had a very similar vibe to the investigative journalism work I wanted to do.
Ben’s Threat of the Month series can be found at cisco.com/go/threatofthemonth
I first encountered AI when I was working in the Marketing and Advertising Services sector in the United States in the 90s. A colleague had been working on an AI project and was about to launch his “Chatbot” (www.jabberwacky.com) on the Internet. I was captivated by this AI software that could simulate conversations with humans. Immediately, I began to think of applications for the elderly, the lonely, people suffering from mental health conditions or social isolation, and children with specific challenges or learning difficulties.
That being said, I was concerned. What if this form of sophisticated social AI was deployed as an attack vector? The prospect of a dystopian future in which sophisticated AI could engage with or even deliberately target some of the most vulnerable people on the planet was an extremely disturbing prospect. I decided to engage and requalify as a Cyberpsychologist, which was an emerging discipline in the early 2000s. Some years later, I embarked on a completely new career in the cybersecurity and cyber safety sector. All of this was inspired by a brief but illuminating encounter with a Chatbot.
While in the Air Force, I was doing military intelligence. I pivoted from that to specifically cybersecurity. Prior to that, I had no clue about cybersecurity or what it meant and what it entailed. The turning point came when I had my first work role in a counterterrorism office for the NSA. It was so life changing for me because that was when I actually applied theory with on-the-job training. That counterterrorism office was high-paced. Just nerves on edge all the time. There was a lot going on, but it was so amazing. I used everything I had learned. I learned how to think on my feet, to be creative. It really allowed me to dig deeper into pen testing. Had I not done that job, I wouldn't have learned that I enjoy pen testing as much as I do. It was also very rewarding because you saw the actual result of an action you took.
My corporate job introduced me to the world of security awareness and the human aspect of security that I didn’t know existed. In that instant, my entire world changed, and my career in cybersecurity was solidified. Instead of security being reduced to lines of code or sitting at a desk for eight hours, it became about the human brain, teaching and authentically connecting with people. And once I started my own business and brand, I fell deeply in love with creating a movement and tribe around security awareness and education. Now, it’s no longer about the “right career” but about the “right calling.” I’m in an industry where I can create massive transformation and impact.
During my very first security conference back in 2007, I saw a talk on the Julie Amero case: a teacher who faced a long prison sentence because malware on her laptop had displayed adult content to a class of minors. It taught me how security can have an impact on people’s lives and also how different people can have very different threat models.
The latter lesson I think is relevant well beyond IT security. It could help us understand society better as a whole.
Curiosity led me to a cybersecurity career. I was that one student who always had questions to ask. Upon obtaining my Bachelor’s Degree in Information Technology, I landed a Systems Admin role. Those late-night shifts at the datacenter were the core foundation of my career, as I learned a lot.
While in this role, I attended a lunch-and-learn session that was hosted by the Infosec team. They shared information on the latest malware trends, tactics, techniques and procedures used by the threat actors. I was so fascinated by the knowledge shared, and I asked so many questions to the point where they offered me the opportunity to shadow the team in order to learn more. It was this opportunity that deepened my interest in security. Later on, I was offered an opportunity to join the MIT Cybersecurity program. From the knowledge I had already attained, I knew that cybersecurity would be the future, and I wanted to be part of it.
I would say my eureka moment came around the end of 2015 when I went back to the drawing board and took a deep look at my career path. I felt like my career had stagnated. I wanted to specialize in cybersecurity because by that time it was one of the fastest-growing fields within the technology risk space. It was clearly the center of attention for the board of directors, regulators, customers and even investors. Instead of spreading myself thin across every aspect of technology risk, I wanted to go deep in cybersecurity.
I realized that there was a major problem in cybersecurity: a lot of the material that I was reading was very technical in nature, but it was almost impossible for me to link cybersecurity tools to strategic business goals. I realized that the subject of cybersecurity was confined within the corridors of IT. It was supposed to be a responsibility of everyone from the front office staff to the board of directors and cybersecurity professionals themselves. That’s when I realized there was a major gap. After months of researching and talking to other people, I realized that I needed to develop skills that would help me translate the complex side of cybersecurity into a language that was understandable by senior business leaders.