Build a career in cybersecurity: tips, tricks… and traps

Build a career in cybersecurity: tips, tricks and traps

On 19 Feb 2021, I spoke about how to build a career in cybersecurity at the Women4Cyber Masterclass with a Role Model. Happening every month, the Masterclass aims to highlight the achievements and expertise of women who shape cybersecurity in the EU today. Women4Cyber is a non-profit European private foundation with the objective to promote, encourage and support the participation of women in the field of cybersecurity. The strategic objectives and actions of the Foundation are supported by the Women4Cyber Council, an ad hoc advisory body, of which I am a proud member.

Yes, girls outperform boys at school. Yes, women managers outperform their men counterparts at work. Watt zillion initiatives exist to encourage more entry-level diversity. But how many initiatives exist to tackle the leaky pipeline?

So, is there a perfect profile to build a career in cybersecurity? Or is it more of a perfect combination of skills? How, as a woman, do we tackle ambition? Let’s talk about navigating those avenues because helping other women move forward with their career is good business.

The effort is there, but why doesn’t it transform into fast change? Cultural change for gender equality requires system change. It is not just about women “leaning in”. It is also about men reaching out and stepping aside. You can invite a diverse crowd to a party; but then, you also need to invite them to dance.

You can watch the recording with the Q&A session by clicking the “Play” button.

A summary of the discussion and the recording are also available over at the Women4Cyber Foundation website. Below are the full notes of what I discussed along with additional notes we didn’t address. Hope that helps!

🎧 Listen to this post!

Thanks to everyone at the Women4Cyber Foundation who make the Masterclass series happen, it is a great opportunity for each and everyone to grow. And thanks, of course, to everyone who attended the live sessions and reads this post. I am humbled to know that achieving diversity in cybersecurity is growing in importance to all of us.

The task of this Masterclass is particularly challenging for me: I don’t like talking about myself. And yet, as time goes by, I find myself a trusted advisor to people in the field who are wondering about how things are in their professional lives. Inevitably comes the question: what should I do next?

I realised that what I perceived as talking about myself is in fact sharing experience and thoughts with people who needed them. And incidentally, they also get to realise that being an outspoken professional comes at a price 🙂

How do you grow in your career?

So, for today, I would love to have us discussing growth. How do you grow in your career? Cybersecurity is a dynamic field that also has come to a certain maturity. We have a better idea of what is right and is wrong there. That is to say that we have a much clearer path forward navigating opportunities and constraints.

Which brings me to the main question: how do I build a career in cybersecurity? Truth be said, I have no simple answer to that. But I have seen quite a few people around me grow and I know that my professional path is far from ordinary. I have come to the realisation that what helps moving forward is your brand and your ability to make decisions.

Don’t get me wrong: I am not here to give you a crash course on personal branding. Instead, let’s think of what this word means. When we think in terms of brands, a leitmotiv comes to mind. Take “Just Do It”: saying this most probably brings the image of a Nike sneaker and people running and getting medals for it. The underlying message is quite clear: Nike makes stuff that helps people do great things. In other words, Nike’s statement is quality and excellence; it is said clearly and simply in a way that people remember.

This brings me to what a brand is: it is a statement for the values that shape you and the unique impact you are able to make. If I say I am the VP for Public Affairs at YesWeHack, this doesn’t mean much. How about if I said that I build bridges between ethical hackers and policy-makers to make the Internet a safer space? Much better, right. Will you remember the VP for Public Affairs or instead that I shine creating a safer Internet? I bet ya 10 euros on the latter 🙂

What makes me unique

What have you concluded from this? That there are unique things about me and my work, and those are my values. Transforming them into what people call a value proposition is creating a brand. Mine is about owning who I am and being honest about it with myself and others. It is about equity and justice, too. A significant part of my work today is to contribute to legal clarity for well-intentioned hackers who wish to disclose vulnerabilities. Doing so helps companies fix those vulnerabilities, thus reducing digital risk and making our connected lives safer. But since we don’t have a clear legal framework for those actions, ethical hackers hesitate to report vulnerabilities. Do you see how my values for justice and equity translate into the work I do?

Let me get to the second point I mentioned earlier: making decisions. It’s perhaps the most terrible thing for me 🙂 Making a decision most often means making a choice, and how I hate choosing…! But to move forward, you have to make choices, and therefore you have to decide.

Making decisions along the career path

When thinking of your next career move, how do you decide? I always think of my values. I list them, on a piece of paper for example. Let’s take the following: gaining knowledge; having fun; getting power; creating human connections; helping people; making money. Those may seem too few but everything boils down to them when you think of it.

So, what matters the most to me? Is it money? Or power? Or having fun? Gaining knowledge has always mattered to me. So is creating meaningful human connections. But for years, the most important was looking for having fun, for adventure, for living through stuff I had never experienced before. So as an international consultant, I’d take up on plenty of missions in places in the world even National Geographic has yet to explore. There was an adventure, for sure, when you do crisis management in conflict zones there are experiences you have never lived before, I can tell you that.

Then, I grew older, not necessarily wiser, but older 🙂 And I went through some soul-searching. I had grown tired of living off on a plane, though. So, the question was: how do I transform my ability to learn and to do good to people into a career? A different value came on top: talent, which is transforming my knowledge into something useful and usable. Exercising talent is when you challenge your knowledge and what makes you grow.

So, this is how I started taking decisions. Matching opportunities to the values that matter to me. Thinking not about getting or keeping a job, but about making a career out of it. And this is where all that discussion about diversity kicks in. The challenges we as women professionals for example have faced shape us in a way that is unique to us.

Diversity and career-building

And this is where all that discussion about diversity kicks in. The challenges we as women professionals for example have faced shape us in a way that is unique to us.

We as an industry have a problem with getting more women in cybersecurity. Only 7 per cent of European cybersecurity professionals are women. The pay gap is real, averaging anywhere between 14.7 and 21 per cent. Women are even less well-represented in the upper echelons of leadership: only 1 per cent of women cybersecurity professionals are in senior management positions.

Those figures leave us with two options. Either there is massive, institutionalised misogyny in cybersecurity, or there are structural trends that produce a terrible work environment.

How do we enter the cybersecurity field?

  1. As a junior professional after an IT/cyber curriculum;
  2. As a midlevel professional through promotion or shifting industry.

Each of these two entry points has its obstacles. Juniors are often disqualified because they lack experience… On the contrary, when a midlevel woman professional aims to pursue a career in cyber, they face a lower wage offer or a “you-don’t-have-technical-knowledge” tune.

Following through is the challenge

We can discuss ways to hone a resume, get certifications, etc. Those are all relevant discussions yet insufficient.

My main concern is fixing a leaky pipeline. In other words, women enter the field but they struggle to make it to the top, be it in a managerial career or in a technical one. The industry is still young, so we do not have tons of longitudinal data to rely on.

However, well-known mishaps and structural issues are already at work. Technical knowledge is important. But it cannot be the sole evaluation of aptitude, especially when it boils down to climbing the managerial ladder. Knowledge to configure a firewall does not magically make me fit to lead a team or assume directorship responsibilities.

That is why we as an industry need to acknowledge that mentorship and career development matter and need to be provided alongside technical training. If we do not help newcomers, men and women alike, grow; if we let talent to waste because they do not know how to better outline their skills; then we are bad leaders. The onus is on us, decision-makers, to understand what keeps diversity away while we are whining about a three-million talent shortage.

Ambition helps level up

A person who comes to mind as an inspiration is Ashley Graham, the so-called “super-size” model. She has been seen as fat and clumsy for years by the entire apparel industry. I distinctly remember an editorial in the British Vogue back in 2016 where the editor accompanied the Graham cover by saying that different brands have refused to send clothes to her. Graham’s reaction was to shrug it off, and see it as a building block: if you are not told “no”, then how do you get challenged?

That’s where I got to think of how I see things. Exercising talents is how your know­ledge gets challenged and how you build. But how do you move on as opposed to being discou­raged? And hello Ashley Graham again: she started her own lingerie collection making sure she’ll always have comfortable and sexy underwear. As oppo­sed to trying and shoehorning herself in the shapes others have for us.

I am not saying every woman has to become an entrepreneur to find a satisfactory role in cybersecurity. I am saying that every woman can be the architect of a satisfactory career should she be willing to have one.