My interviews with women and non-males in cybersecurity
here on The State of Security
have been very popular. Last month, when I looked for subjects for the third "Women in Information Security" series, I got an overwhelming response!
The first person I interviewed for this next wave of interviews was security engineer Keirsten Brager
. We had an excellent chat.
What do you do in cybersecurity?
I appreciate you extending this opportunity. I am a security engineer at a major power utility company. As a member of the security technology team, my primary focuses are delivering technical solutions to reduce enterprise risk and outfitting the business with automated capabilities contained within their toolsets. My role is cross-functional and requires interaction with many levels in the company, so I am constantly looking for ways to provide value to business groups. Security continues to be a service that must be sold. That part of the job is much easier to do when you add value to business groups who then advocate for you.
Excellent! So, how did you get into the cybersecurity industry?
I did the work no one else would do. Technical people tend to like tools, but they do not always like creating/maintaining documentation, interacting with auditors, and working in cross-functional capacities that involve dealing with people of who are not technical and/or in unrelated business groups. I happen to be technical and a people person, so I took on projects that required both.
During difficult audits, I also learned the importance of building trust and finding allies. When you do the difficult work that moves the company forward, people notice. Stepping out of my comfort zone and doing work that others avoided allowed me to create my own opportunities. I cried a lot while I was going through it, but I’m a better security professional because of all the stretch assignments I took on that ultimately led to the awesome team I’m on today.
Is maintaining documentation as tedious as everyone tells me it is?
It depends on the size of the company, security program maturity level and business drivers (SOX, PCI, NERC-CIP, etc). Those factors will determine the tools deployed, processes, frequency, and level of documentation required. The issue is also not always related to it being tedious. Rather, developing/maintaining documentation involves engaging different areas of the business to ensure it satisfies business requirements. Security professionals don’t just document how apps are developed, tools are deployed, or systems are protected and monitored. Documentation often has to be scoped to specific audit requirements and other stakeholders who may have different objectives – this is the people aspect of it that a lot of technical people struggle with. I wrote a Tripwire article
about the importance of communication and how it can take careers further than tech skills alone.
What misconceptions do other cybersecurity professionals have about the security engineer role, especially as it pertains to large organizations?
Two misconceptions that I frequently see: engineers work alone and only computer science grads are suitable for these roles. Both couldn’t be further from the truth. Although pop culture makes it appear that security professionals work alone in dark rooms, that is not the reality for anyone that I know in the industry. Being a people person is an asset, not a liability.
Regarding formal education, my Bachelor's is in business management, and I just finished my Master's in cybersecurity a few weeks ago. I want other women to know that lack of a Comp Sci degree did not prevent me from having a great career and that it does not have to stop them, either. Large orgs will hire you if you have the right skills (not to be confused with education), passion, and the ability to articulate how security enables the business to function. An often-overlooked path into large orgs is via security product companies such as Tripwire, Splunk, Cisco and others. Do not limit yourself to applying to just large orgs because they do hire from tech companies if the need exists.
Congratulations on your Master's degree! Pardon my ignorance, but are there purely cybersecurity post-graduate paths now? I'm only aware of general computer science programs with cybersecurity electives.
Thank you! Yes, there are now undergraduate- and Master's-level cybersecurity programs. Academia has been slow to catch up, but I'm starting to see more schools offering cyber degrees, even here in Houston.
Some schools are even offering specialized tracks. For example, I just completed UMUC's M.S. in Cybersecurity legacy program. The program changed last year, and they now offer Cybersecurity Technology, Management/Policy and Digital Forensics tracks. As you know, the discipline has many domains and subdomains. I expect to see more educational institutions offering specialized tracks as the industry matures and demands it.
Either in industry roles, in academia, or both, has being a female cybersecurity professional ever been a challenge?
It has been a challenge in both environments. The industry is male-dominated, so needless to say, the academic programs are male-dominated, as well. Often left out of the conversation is that the James Damores (Google Manifesto author) and Richard Spencers (Alt-right leader) of the world are in academia, on hiring panels, CFP committees, and everywhere in between. Those people have a bigger influence on the lack of diversity than this being merely a vague “pipeline issue” or “women just are not interested” in this type of work.
In my graduate program, it did not matter that I already had three security certifications and was gainfully employed in the industry. People bring their biases everywhere they go, try to impose their inferiority complexes on you, and treat you like an “other” even if you have receipts showing you’re just as capable. Despite the challenges, I remained dedicated to the discipline and landed on a team that is both supportive and inclusive. That made it all worth it.
"I want other women to know that yes, you will encounter people along your academic and professional journey who will make you want to quit. Those situations are temporary. Whatever you do, just keep going."
So, what advice would you have for a young girl who's fascinated by hackers and might be discouraged to pursue a cybersecurity career?
The first thing I’d tell her is that security is not all about hacking and that she should conduct research to learn about all the cybersecurity career options available to those willing to put in the work. I have the utmost respect for pen testers, but pop culture and even some people I admire tend to romanticize and glorify hackers. I believe this can lead some young people to believe that hacking is the entire discipline. It is not. There will always be a higher demand for people who defend organizations than those who hunt for/exploit vulnerabilities.
If you look at all the mind maps and other visual representations of security programs, it is clear how many different career paths exist that are not related to hacking. I’m not trying to discourage anyone from pursuing a pen testing career path, but I think it’s important that we encourage young people to open their minds to the myriad of career possibilities that exist in cybersecurity. If they do that, then they’ll see women who look like them thriving as engineers, architects, specialists, analysts, administrators, consultants, and many other variations of these titles depending on the org. Some of these roles can also prepare you to be a better hacker if that is the end goal.
Finally, do not be discouraged by the stereotypes because some of us are actively working to create new ones.
How do you think the cybersecurity field can encourage greater diversity? Not just with gender, but perhaps race and disability, as well?
The best way to encourage diversity is for people of various backgrounds to make themselves more visible in the places it matters most: schools and online. Young people consume the bulk of their images from the media and are encouraged or discouraged by what they see. Unfortunately, they continue to see the mostly stereotypical images of white men dominating movies, TV shows, photos, and talks from infosec conferences.
Therefore, it is important for us to volunteer our time in schools and have publicly available content to refer them to, so they can see themselves through our stories. This is the best way to plant those “Hey, if she can do it, then I can do it, too” seeds.
I also believe it is important for conferences to do a better job of ensuring that speaker lineups and panels reflect an inclusive culture. That part will be harder to change, though.
That's good advice. Is there anything else you'd like to say before we go?
Yes, relationships are critical in this industry. Develop relationships in your LOCAL security community, including local chapters of OWASP, ISSA, (ISC)2, ISACA, etc. Many security product companies have user group meetups, as well. Give back as often as you can before you need a job. Stay humble.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.