Being a woman in infosec isn’t easy, but if you play it right and earn the respect of this dude gang, it is absolutely the most fun. Here, in the last bastion of a nearly HR-free zone, where many cubicles still have stashes of silly string, where sarcasm is the norm, where outwit and outlast is the name of the game, I am home.
This love of playing with the boys started many years ago. When I was 15, my dad and I rebuilt a 1965 Chevy Malibu SS. This had been his first car many years prior and I loved working with him. We upgraded the 283 to a 327. We replaced the automatic transmission with a Muncie 4-speed.
Beyond the mechanics though, he taught me how to listen to the engine to trace sounds to issues, issues to solutions. I learned to love the smell a new motor has when it fires up for the first time, and I learned that brake fluid is a great nail polish remover.
When I was 16, my neighbor was racing superstocks at the nearby Cajon Speedway. I heard his team working one day in their garage, and wandered over. All the seasoned dudes were leaned in over the engine. It was a Chevy 350, so I knew what I was looking at. I listened as they brainstormed the tuning. I could hear the carb was choking on too much gas (who couldn’t smell that rich, unburned racing fuel?!) and frankly I think the timing was a bit off too.
But I hesitated. Waited. I offered to hold the flashlight while they discussed. I guess I didn’t bug them too much because they said I could come back another day. I morphed that opportunity into hours spent handing off flatheads and wrenches to the “real mechanics.”
Then one day, the brake guy didn’t show. I offered to bleed the brakes. It was my first real assignment. I fiercely and proudly never asked for help to break a lug nut that was too tight or lift that heavy racing tire. I was going to prove I could belong. With time, I did. And I earned their respect.
After college, I decided with very little forethought to join the Army. I was done with desks, and I was ready for adventure. I loved the shocked look on people’s faces when I told them I wore combat boots and was a sharpshooter (I had never held a real rifle until bootcamp—only shooting I had done prior was Duck Hunt).
The heavily male-dominated Army culture suited me. I met many great women like me, besties to this day. I never had glass ceiling or gender issues because I simply found a way to maneuver around them. I proved myself with consistent high scores in physical training and exemplary attitude that led to Battalion Soldier of the Year. I left after one tour speaking fluent Mandarin.
I came into Information Security in quite a sideways manner. As a management consultant for the military, I built requirements specification docs for shipboard systems, built network diagrams and drug cable for compartmentalized labs, built racks and crimped more RJ45 connectors than I care to remember. OJT with great folks, but no official training.
No assignment was beyond me because I could Google, and rely on guidance from SMEs who didn’t want to do what I was assigned anyway. Motivated, I took a CISSP bootcamp and passed the exam. But it turns out since I hadn’t grown up a SysAdmin, since I didn’t maintain my own Linux-based home network, I was not legit in the eyes of my peers. That hurt. I wanted a way to show I could be a dude in the IS world.
Turns out, that took passing the OSCP, the Offensive Security Certificate. Truth was, I had never worked at the command line before, never installed a VM before, never heard of BackTrack, or Metasploit or Milw0rm before. I took this course with three coworkers, an awesome software engineer, an awesome network engineer, and an awesome hardware engineer.
And me. I never wanted anything so bad as, nor worked so hard to earn, that certification. I read, I documented, I tried and tried again. I cried, I cursed, I drank, I only occasionally slept for the better part of two months to get through the material and videos. I was on Freenode IM nearly 24/7 lurking for clues and learning to Try Harder.
This culminated in a grueling 24-hour exam, during which I executed a beautiful, 16-step buffer overflow, and (eventually) gained root on the required MS and Unix boxes. After this success, when I came into the lab at work, my coworkers would do that cool head nod thing that guys do, and sometimes they’d say, “Dude.” I was never more proud.
Being a woman in infosec requires you re-demonstrate your chops with every new IS dude gang. It gets exhausting but I find it is just part of the culture. If you don’t like it, you better build a thick skin or go elsewhere. Some days I wish it were easier. But I just can’t not be with the dudes. They have the coolest toys, play hard, not always fair, but it is just where I have to be.
About the Author: Marsha Wilson has a B.A. in English from CalState Northridge, and an MBA from Embry Riddle Aeronautical University. Her crazy long string of certifications beyond OSCP can be found at linkedin.com/in/marshajwilson/, or follow @decisivemarsha. Her career has focused on the chasm between IS and Business, regardless of business sector. She is a contract consultant, mom and wife, and an avid Stone IPA and jogging enthusiast.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.