SAN FRANCISCO — With diversity in infosec looming as an increasingly pivotal topic, a panel of female cybersecurity professionals took the stage at RSA Conference to discuss their experiences.
The panel members talked about the best advice and encouragement they received when starting out in cybersecurity, as well as how to be good mentors and find the right mentees. But first, Caroline Wong, vice president of security strategy at Cobalt.io and the panel moderator, discussed how hiring could be done better to encourage diversity and women in cybersecurity.
Wong said there’s a tendency by recruiters in IT to “look for certain tags” that lead to a certain pool of candidates.
“The hiring managers I know who have diverse teams are simply looking for the best individual to find a job, but they’re personally involved, they spend a lot of time and they look in all sorts of places,” Wong said. “There’s this myth that you can find someone to do X and has been doing X for five years. In many cases, A) that doesn’t exist or B) you’re in a situation where you’re stealing from another company.”
Wong said a better way that she’s seen is for hiring managers to search through specific communities and online demographic groups, like women who code, to find raw talent.
“As a hiring manager, there’s this way in which you can choose to think about the role that you’re hiring for differently and you don’t necessarily need to think to yourself, ‘I want someone who has been doing five years of threat intelligence.’ You can think to yourself, ‘What are the components of this job that a person is going to be able to do and how can I describe that in a way that’s more transferable between different kinds of experiences and different types of skill sets?'”
Best advice for women in cybersecurity
Suzan Nascimento, senior vice president of application security at Union Bank, said she received two great pieces of advice, which were not specific to women in cybersecurity. The first was that success is all about relationships and that it is best to encourage co-workers to feel like co-authors and joint contributors of strategies, even if that means intentionally leaving pieces out of presentations.
Nascimento said the best advice she had received specific to infosec was to “build your strategy or your thought process around something that has credibility or an industry-standard methodology.”
“Whether you’re doing your metrics or I’m in application security, so I build programs around VSAM methodology or Open SAM and then I just tweak it a little bit to make it my own,” Nascimento said. “That way you’re not saying [you build it], you’re referring to industry-approved expert advice and then tweaking it with your own little flare.”
Patricia Titus, CISO and chief privacy officer at Markel Corporation, said a key to translating policy into real-world action was to make sure people understood why it was important to take that action. But, more importantly, women in cybersecurity should “lift as you rise.”
“It’s been a motto that we’ve all kept over the years that when you rise in your position, in your career, to turn around and lift those behind you with you,” Titus said. “We also have another saying that we don’t want to be ‘chick piranhas.’ So, the idea is to bring people along with you, not to turn around and eat your peer.”
Robin Stuart, principal threat researcher at Salesforce, said it was OK to make mistakes “as long as you don’t make the same one twice, and make sure those mistakes don’t get bigger every time because then you know you’re pushing the envelope.”
Stuart also said women in cybersecurity should know that it is OK to change their minds. It’s OK to be curious, to follow your passion and to decide to go back to a previous path.
Being a mentor or a mentee
During the RSAC panel, Nascimento said she preferred to have two mentees — one male and one female — because “men and women think differently.” She said men tend to be more short-term thinkers and more apt to take risks, while women are more risk-averse.
Stuart noted that a key to finding the right mentee — which she learned from one of her own mentors — was identifying someone willing to do the work. She said many people have come to her for help, but say, “I only have an hour.”
“You think you’re going to learn everything in an hour? I’ll pass on that one,” Stuart said. “But when somebody came to me and they were serious about it and demonstrated that they were serious by showing me what they learned when I gave them a reading assignment. When I get people who are willing to do that, I’m more than willing to work with them.”
Based Blockchain Network