Job Title: Information Security Transformation Manager
Company: Covea Insurance
Tell us an interesting or fun fact about you.
I have attended over 300 weddings!
What drew you towards a career in cyber security?
When I decided I wanted to retrain for a career in tech at age 30, I was instantly drawn to cyber security. It appealed to me because in my opinion, although the tech side was really cool and interesting, I was fascinated by the psychology of it all. Both from the end user (what makes them undertake risky behaviour or fall for scams?) and the psychology of the cyber criminal – why they do the things they do. I wanted to see if I could use the social engineering tools that cyber criminals were using on us to get us to act unsafely, to nudge towards safe cyber practices.
What do you enjoy most about what you do in the industry?
Every day brings a new challenge: a new technology to protect, a new vulnerability to fix.
What things are the most challenging in your role?
Changing people’s opinions about cyber security. We need a major rebrand to move away from our rigid authoritarian demeanor aka, ‘security says ‘no’’. It isn’t serving us, it is holding us back from collaborating and getting our message across.
Have you come up against any challenges or roadblocks and if so, what were they and how did you overcome them?
I became a software developer but I couldn’t see a way into cyber security from my background. Although this skill has been extremely useful in my cyber security job, I think as an industry we could do more to encourage people from non-traditional backgrounds. To help tackle this I do a lot of public speaking about my journey into tech and I am currently writing a series of talks about why the cyber security industry needs to hire more anthropologists. I hope by sharing my journey, I raise awareness not just for people wanting to get into the industry, but also employers. I am always very quick to remind people hiring for cyber jobs, that they should consider non-traditional routes into the industry.
What have been your career defining moments?
Winning and being nominated for 10 industry awards in my first ‘proper’ year in tech was quite an achievement. Setting up an adult code club at NHS Digital to teach non-technical staff how to code is something I am very proud of. It was such a buzz to see people who had never written a line of code in their lives, create websites from scratch in a matter of hours. I set these up to show people 1. anyone can learn a technical skill, and 2. so that they had the confidence to talk ‘tech’ and collaborate with their technical peers more. I am also really proud of the health-tech company I set up during lockdown, Liria Digital Health, aimed at creating technological solutions for the menopause.
What changes have you seen in the cyber security industry in the time that you have been in it?
I think it is definitely on more executive and board’s priorities at the moment. I think this is down to the fact that we can’t go a day without a major hack or breach. I don’t think that has quite trickled down into budgets (hiring more people, more tools etc), at least we as professionals are being listened to more.
What trends or changes do you think we will see in cyber security in the next 10 years?
I’m hoping for some interesting changes around passwords. I’d really like to see some viable alternatives to the logging in process.
How much job demand have you seen for cyber security professionals, and what things do you think will shape this demand in the coming years?
The job market is still difficult in my opinion. I think it is down to the fact that because there are so few of us working in this industry, it tends to mean we get paid well (or sometimes more) than other digital jobs, which is great for the individual but it makes smaller organisations struggle to actually bring a robust security team on board. I am really interested in digital innovation so I’ll often speak to start ups and ask them about their security and although they all recognise it is really important, I have yet to come across anyone who is at a position to hire a specific security person. In tech, people would much rather hire more developers than security people and it is a trend I don’t see changing anytime soon. I think our job as security professionals is to sell the value we bring, which is hard because how do you show value when hopefully, if you are doing your job, nothing has happened?
Has the coronavirus pandemic impacted on your career, and if so in what ways?
My work has quadrupled in the pandemic and I think burnout is a very big risk to this profession. The cyber criminals are loving the fact that we are all at home, stressed and bored and are leveraging it to great success.
What soft skills do you think are important for women in cyber security to have?
Don’t listen to that voice in your head – interject more in meetings.
Why do you think more women should consider a career in cyber security?
More than half of people online are women – insight into their lives and experiences with the way they engage with digital products and services will help us make our security posture stronger. It’s not that we just need more women in cyber security for this, we need more diversity and diversity of experience in general to tackle these threats.
How does someone from another industry make the move into cyber security?
Passion got me here, passion and perseverance. I didn’t take no for an answer when I went to the heads of the cyber department and asked them to take me on. I asked them every other day for about 8 months if I could join their team before they finally let me in. I demonstrated I love the subject through paying to go to cyber conferences out of my own money, spending evenings on Hack The Box, and reading everything I could on the subject. Learning Python can’t hurt either!
What advice would you give to a woman looking to make the move into cyber security?
It’s lonely being a woman in cyber security so find your tech tribe and when things get tough or you’ve had a bad day, lean on them for support.
In your perspective – what are the biggest cyber security threats to companies presently?
The cyber security team’s own hubris. We think we know best but often forget that the business we work in, isn’t actually a security business. We are a function of a larger business, of which security is a small (but important) part, but it isn’t the be all and end all. As soon as we start thinking in terms of our commercial contribution, for example, providing solutions not blockers to the development pipeline, then we will really see great movement in our field. People will WANT to engage with us, not avoid us.
Do you think it is important to close the gender gap in cyber security and if so, how do you think this could be done?
My first proper cyber job was doing tier one activities in a SOC. After a week I was absolutely furious. I had been desperate to get into this role only to find out that at that level, it is a glorified admin job. I think it is one of the biggest secrets in the industry! I often think that an ex-administrator would be so much better at cyber security than a lot of the people I have known who have done the traditional computer science/cyber security degree route. You need impeccable attention to detail, the ability to improve processes to improve productivity and good communication skills. Everything an admin person finds easy. So I often tell people who are looking to hire junior roles, look to the admin pool. As administration tends to be mostly women in this role, can you imagine how great it would be to gain those amazing expertise and also bring more women into the industry?
While the situation in the cyber security industry has marginally improved in recent years, it is still a very male dominated world. What are your thoughts on this, and have you seen an improvement yourself?
I’m lucky that my current team has good diversity and is led by a CISO who is a staunch advocate for diversity and inclusion. As a woman in this industry I am seeing more and more awareness of the need for diversity which is great but it can also be a bit cringey. In my previous job I remember I came into work dressed differently because I was doing an important presentation and I wanted to make a good impression. A male colleague noticed and said I looked nice (nothing leary, just that I looked nice). My old boss who was sitting nearby jumped on this poor guy and told him not to objectify me and apologise for what he said. I calmly replied that I was happy for the compliment and didn’t feel objectified and, if I did, I could fight my own battles, thank you very much. I do worry that, although their hearts are in a good place and they want to do right by women, I think there is a danger of women being ‘over protected’. The Guardian did a great article on benevolent sexism that really resonates with a lot of the experiences I have had in tech. We need support from our allies, not saving. https://www.theguardian.com/books/2020/aug/13/benevolent-sexism-a-feminist-comic-explains-how-it-holds-women-back.
Finally, is there anything else you would like to share with our readers?
My favourite quote: “Diversity is being invited to the party. Inclusion is being asked to dance” – Verna Myers, Diversity and Inclusion Expert.
“The Rise of the Cyber Women: Volume 2” is available now via the links below: