If given the chance, what advice would you give yourself when you first joined the industry?
If I could go back and tell myself anything, it would have been to pace myself. I would have reassured myself that I was on the right track, that things would turn out the way they're supposed to. And I would encourage myself to learn as much as I could but to be patient with my learning. A lot of times, newbies want to be experts, and they don't give themselves the chance to take the steps to get to that point. Having been in the industry for about 11 years now, I totally see that even if you have all the books behind it, you still don’t have the experience when starting out. That experience is what helps me execute my tasks and examine a problem the way that I do. So I would have just told myself to be patient. You’re on the right track. You’re doing all the right things. You’re learning. You’re getting the foundations and fundamentals. And every aspect of that industry is going to involve learning. The learning never stops. Basically, I would have taken the pressure off of myself to know everything in the beginning so that I could add value to a space and just know that it was going to come with time.
The advice that I would give myself when I first joined the industry would be to trust the process. I don’t necessarily know if I would give my past self any new advice because I’m thankful for the journey that led me to where I am. But trusting the process has been something that I tell everyone and myself often. You can only do what you can do. The rest is up to the process of contributions and reaping the benefit of the work that you put in. So if you trust the process and stay disciplined, great things can happen for you.
I would remind my younger self not to internalize criticism. If you’re a writer your work is going to be critiqued. Nine out of ten times it’ll be stronger for it.
In cybersecurity, personal feelings sometimes take a backseat to quickly responding to an issue. It has definitely changed for the better over time, but there is an above-average number of plain-spoken and direct people in this industry.
When coming from a non-computer related field, not everyone will immediately see the value of what you bring, and you’ll have to spend extra time proving your worth. Stand your ground when necessary, but pin your ears back for other ideas and perspectives. You’ll pick up some very valuable information.
So ultimately, my advice to myself would be to learn to take things in stride. That, and don’t get too attached to that hairline.
Looking back, I would advise myself as follows:
Security likes “rock stars,” that is, people who have very good technical skills or who are loud, very present and can tell a good story. When you’re new in the industry, as I once was, it’s tempting to look up to them and try hard to be liked by them. This might give you a short-term career or confidence boost, but in the long run, I have learned it is much more important to look out for people who are kind and who have a good moral compass.
Looking back, I would have told myself much earlier on to focus on the human element of cybersecurity. There was already so much focus on technology, systems and software in the early days of cybersecurity and not enough on the “people” side of things, which is the initial cause of many incidents. Focusing on this topic could have made a much bigger impact on the early days of the security awareness training industry. Cybersecurity is a shared responsibility, so the more sharing we do, the safer we will all become as a whole.
There’s certainly things that I could have done better. Now that I have spent a lot of time mentoring people, I would say it would have been better if I had looked for a highly experienced mentor from day one. That would have accelerated my career trajectory in those five years that I've been pushing myself. However, if I were to go back, there’s not much that I would change. Before I start doing something, I ask myself, “Am I scared?” If I'm not scared, then I don’t do it because it is through doing things that we are afraid of that we grow the most. If there is one critical piece of advice that I’d give to aspiring cybersecurity professionals, it would be to place yourself as someone who can communicate persuasively and with impact, who can simplify that critical message and push it to the wider business community, you'll be able to differentiate yourself. Every time I mentor people, I see people doing the same old thing. They get certification after certification but forget that maybe 10 million people look like you. How are you different? What is something different that you bring to the table?
When I first joined the industry, I wasn’t aware of all the options and diversity of paths, so I got sucked into the “you MUST be technical to be worthy of anything” world.
If I were to go back, I would tell myself to not worry about how technical I was or wasn’t. I would put more focus on knowing my strengths, interests and hobbies. I would then spend time figuring out how I could combine them all to make a difference in someone’s life. Not everyone gets to do that, but if you can find that combination, it can be life-changing. I eventually found it, but I would definitely tell myself to stop stressing over grades, certifications, job titles, compensation and technical abilities because it doesn’t matter. It didn’t for my journey, at least.
I would tell myself that the impact I was called on to make in this world was bigger than any of that, and that I didn’t have to squeeze myself into a box of degrees, certs, job titles and career paths.
I would basically say to pace yourself and to understand that you're not going to be able to learn everything overnight. Cybersecurity is very broad. You have things from ethical hacking, pen testing, digital forensics and incident response, exploit development, etc. So yes, become familiar with all the different domains and the ones that you want to specialize in and that attract you the most. Then dive deeply into it while always recognizing that you will never be an expert in every single area in cybersecurity. Pick your niche and concentrate on it.
By attending a huge amount of conferences and events over the years, I have been able to build a network of professional connections and friends who have helped to support me along my security journey.
If I could turn back time, I definitely would have told myself to not be afraid and to start networking earlier! At first, I was scared to attend events and I didn’t start doing so until nearly the end of my first year at university.
In my opinion, it’s never too early to start networking. The earlier you start, the sooner you can grow your network and utilize it as a stepping stone to help you kickstart your career.
I am not one to wish for a time machine in general. I believe each success and failure has made me who I am today. I do not want to sound like I have had a perfect journey and that I have achieved all that I have intended to accomplish. Quite the contrary. My life is a continuous journey, and my occupation is just a part of that journey.
If I could go back to the point when I was just joining information security, I would tell myself to not shy away from being visible. I would urge myself to use my voice and network. Visibility is the most important thing that a woman needs to do in order to advance her career.
When I talk about visibility, I mean it in a sense of using your voice so that people know about you. You need to get yourself out there. They need to be able to see and understand the work that you are doing. So it's really important that women build their visibility.
Use your voice, demonstrate your value, really focus on building your network and use all of the tools around you.
Finally, don’t worry about your age. Don’t worry about how young you look, and don’t worry about not being considered technical. For me, I had a great big hang-up about being really young. I wasn’t actually bothered about being a woman. I didn’t see that as being a disadvantage at all, but I was really concerned that I looked so young and that I wasn’t technical. So I would go back and tell myself to not worry about looking young and to not worry about not being technical. I was able to do my job and to do it really well even though I wasn’t technical in those days.
If I were to go back and give myself my younger self advice, I would probably aim myself towards early ventures that accumulated a lot of capital, a lot of cash. And the reason for that is not that everything comes down to money, but money makes a lot of things easier, such as making your ideas come to fruition.
When you're a minority woman in any industry, I think it's a challenge for us to be taken seriously early in our careers, mid-career and even later on in our careers. I think that having access to capital, and the means to make some of our ideas come true, is important. I think that would have been the advice that I would have given myself back then. And now, we'll see what I do with some capital, since I've earned enough to bring a few new ideas to reality.
If you can, try and find a mentor. There are more avenues and channels now than when I was starting out. When you find someone, make sure that you play your part in the relationship. You need to put the effort in, too. Also, remember to be patient with yourself. You can’t know everything at once. Pick an area that interests you and try to become the best that you can be in it.
At one point I realized I needed to do more to understand executive and other management views of information security and privacy. I could then take those perspectives, and use them in effective ways to raise awareness of all levels in the organization chart about the need for strong security. That was the only way to obtain executive buy-in. Another piece of advice to myself would be to not wait until I feel I am confident I know and can do everything related to information security and privacy before offering ideas or being proactive with actions. Early in my career, I did not speak up with my ideas that likely would have propelled me much further and more quickly in my career if I had. No one will ever know, though. We need to have confidence and faith in our own capabilities as well as to always approach issues logically. We also need to be aware that others who may be less knowledgeable and/or experienced than you will advance more quickly because they didn’t wait to be 100% knowledgeable or fit 100% of an advertised position within which they ultimately excelled.
I believe that regret simply serves to undermine decision making, not just in the past, but importantly going forward, as well.
Bottom line: don’t second guess your own judgement, that is, the ability to make considered decisions and come to a sensible conclusion. My only advice to those who seek a career in cybersecurity is to do what I did and don’t view opportunity through the myopic lens of a singular discipline. Try to adopt a transdisciplinary approach, and don’t underestimate the incredible value of the arts. In terms of decision making, Robert Frost’s “The Road Not Taken” sums it up:
Two roads diverged in a wood, and I— I took the one less traveled by, And that has made all the difference.
If I had an opportunity to go back to the beginning of my career, I would have dedicated some additional time to learning about the technical considerations of data governance first. While I later studied data governance, what you learn from databases, data models and data management helps to provide the big “forest-from-the-trees” picture for understanding why and how organizations capture data and how data elements move throughout the data lifecycle. I wish that I had obtained the formal education at the outset, as it would have helped to set the stage for fully understanding the lifecycle of a data element early on.
When I was a kid, I was diagnosed with Dysgraphia, a learning disorder related to Dyslexia. This didn’t happen until rather late in my childhood. Up until that point, I believed I was "stupid and lazy," as that is what many teachers told me.
When I received my diagnosis, it made a huge difference. My parents bought a computer. I took typing classes. I started playing guitar (to help with motor skills). I ended up being the first in my family to graduate from college, and since then, I have built things that many people didn’t think were possible. The impact on my self-esteem is something I carry even today. If I could go back and tell myself about my disorder, tell myself I wasn’t stupid and to get into computers sooner, I think it would help my confidence throughout all of my life.
The one thing that stands out for me is asking questions and being brave about asking questions. I still remember early in my career how I often found myself being the only woman in the room, the only person of color in the room and/or the youngest person in the room. And on top of that, I already had a very shy and timid personality. Bundled together with asking questions, it was a nightmare for me sometimes.
What I would do is I would take out a notepad every time I heard something I didn’t know or every time there was a concept that I couldn’t quite grasp. I’d go home and do a ton of Googling and researching to figure it out. That worked for me. I think being able to ask questions and really get that information and soak that in, as well as to build relationships with the people around you is an added plus. Don’t be afraid to ask questions. No matter how “beginner level” those questions might sound in your head or how stupid you think some people might think they are, all of that doesn’t matter at the end of the day. When you get answers to those questions, that is helping you to evolve and grow into the best version of you and the best professional that you can be. That is what matters.
Over time, I realized that I can’t know everything in this field. Nor do I need to. This helped me learn to take a breath, to take a look around and have more patience with learning step by step instead of all at once. There are many sources of information and free courses/training packages that we can find on the Internet for learning more about security. There are also many companies that will give you a chance to start working even if you don’t have your diploma. Reach out to them to show your initiative! The information security community is awesome. Thanks to some people and their trust in me, I was able to find my place. I now find what I want and do what I can to produce change for the better. So here I am, a nurse in the information security world.
It’s about people. We have to understand the technology. But the most important skill is communication. No matter how strong our technology controls are, we will get nowhere unless we can explain the “what” and the “why.” Otherwise, we will become an obstruction and not a help. Our colleagues do not come to work to do security. They come in to carry out their tasks in their own departments in order to fulfill their role.
