Click here or press enter for the accessibility optimised version

Diversity in
Cybersecurity:
A Mosaic of Career
Possibilities
Click here or press enter for the accessibility optimised version

Cybersecurity
Careers: Off the
beaten path
In this eBook you can read the stories
of professionals from around the world
and hear how they got their starts in
cybersecurity. No two answers are the
same.

Our contributors also talk about advice

they would give their younger selves at
the start of their cybersecurity careers,
and whether they would do anything
differently.

We hope this eBook proves that we are

a stronger security community when
we embrace diverse backgrounds and
skills.
Click here or press enter for the accessibility optimised version

Question 1
What was the path that led you into the cybersecurity
industry?
Christine Izuakor
CEO of Cyber Pop-up | @Stineology | LinkedIn

I was in school trying to become an eye doctor and realized very quickly
that it was not the right path for me. And so I started taking different electives,
really trying to explore and figure out what I wanted to do with my life and
career.

I came across a cybersecurity class, and I'll never forget the exact assignment
when I knew. We had this task to decrypt a string of encrypted texts. Things
like that can be a pretty tedious process. I was up until probably two or three
o'clock in the morning trying to figure this thing out. And I'll never forget the I'll never forget the adrenaline rush that I felt when I
adrenaline rush that I felt when I finally cracked it and got it right. It was almost finally cracked it and got it right. It was almost like I had
like I had won a game or like I had solved a puzzle. I couldn't help but think to won a game or like I had solved a puzzle.
myself, “Oh my gosh, this is what some people do for work. This is an actual Christine Izuakor | CEO of Cyber Pop-up
job.”

Share
Share
on
Share
Ton LinkedIn
on Facebook
Jane Frankland
CEO, KnewStart | @JaneFrankland | LinkedIn

My story goes back almost 23 years. I came straight into it with no

experience of technology. (My background actually is in art and design.) Whilst
I had worked in sales, I actually went straight into starting a tech company with
a partner who understood technology.

Because I didn't know anything about technology, I looked at what was available
in tech. The only two things that interested me were AI and security. AI was too
new at that time. Security sounded really exciting and dynamic. I thought it
sounded a little bit like James Bond. (I’m a big Bond fan.) That's how I got into
this industry, and that’s what led me here. One thing that I love about cybersecurity is the people.
The people are interesting. The people are challenging.
One thing that I love about cybersecurity is the people. The people are The people are frustrating, and the people are incredibly
interesting. The people are challenging. The people are frustrating, and the diverse. I love hanging out with people in cybersecurity.
people are incredibly diverse. I love hanging out with people in cybersecurity. Jane Frankland

The way that I see it is we really are securing the world’s operations. We are
Share
Share
on
Share
Ton LinkedIn
on Facebook
really securing the world’s freedom, which is a really important thing to do. And
certainly as a woman, because we see risk in a different way than men, I feel
that the industry really needs us as women to come in and add to it.
Sophia McCall
Junior Security Consultant | @spookphia | LinkedIn

After school, when I was about 16, I progressed to college to complete a

BTEC Level 3 Extended Diploma in Software Development. Over two years, I
learned to build and program everything you could think of: websites, games,
mobile applications, scripts and more. On this diploma course, we had a
networking module that focused on security. It was at this point when I
definitely had my “calling.” After nearly two years of building things, I
discovered that breaking them was much more fun!

Following this “Eureka” moment, I applied to study a BSc (Hons) in Cyber After nearly two years of building things, I discovered that
Security Management. Four years later, including a year’s placement in industry breaking them was much more fun!
and a huge amount of community involvement, I completed my degree with Sophia McCall | Junior Security Consultant
First Class Honors. I’m now about to commence my first role in the industry as
a Junior Security Consultant of penetration testing.
Share
Share
on
Share
Ton LinkedIn
on Facebook
Jason Lau
Chief Information Security Officer, Crypto.com | @JasonCISO | LinkedIn

In my spare time while getting my engineering degree, I researched and

“hacked” the boot sequence of a PlayStation with a “ModChip” I programmed,
and I was able to play video games from different regions around the world.
(Back in those days, games were on CDs and had country regional restrictions
on them. Some of the best games never came to my region!)

I was one of the first with these ModChips at that time, so my friend and I
started to help others on the side. This freelance job was quite thrilling and
exciting! This was my first experience with hacking and reverse engineering. It
taught me how to use root cause analysis to really dig deeper in order to
understand the underlying technology and reasons for why things worked (and I used root cause analysis to really dig deeper in order to
didn’t work). This is a fundamental skill which I have found useful in my understand the underlying technology and reasons for
cybersecurity career. why things worked (and didn’t work).
Jason Lau

Share
Share
on
Share
Ton LinkedIn
on Facebook
Katie Moussouris
CEO of Luta Security | @k8em0 | LinkedIn

Well, there wasn't a defining moment for me because cybersecurity as an

industry wasn't really called an industry yet. I became a hacker at an early age,
but back then, we were just focusing on computer security, which was an
offshoot of computer science.

I think a lot of people who have been in cybersecurity for as long as I have—over
20 years professionally—have a very meandering path that led them down this
career rabbit hole. For myself, I was a molecular biologist, and I was working on
the human genome project at MIT. I decided molecular biology wasn't for me,
but I wasn't quite sure what I wanted to do. So I took a detour, which I thought
was temporary, into the systems administrators group at the genome center at This was all before there was an actual cybersecurity
MIT. I helped them build those systems out, and then, I took another systems profession. So for me, my security origin story is murky
administration job at MIT in the Department of Aeronautics and Astronautics. because it's coupled with the origin story of
There, I took care of the network that helped launch some Mars rovers. This cybersecurity itself.
was the late 90s we're talking about here. Katie Moussouris | CEO of Luta Security

From there, defending the systems that I was in charge of led me back into the
Share
Share
on
Share
Ton LinkedIn
on Facebook
nascent security fold. But this was all before there was an actual cybersecurity
profession. So for me, my security origin story is murky because it's coupled
with the origin story of cybersecurity itself.
Ken Westin
Head of Competitive Intelligence, Elastic | @kwestin | LinkedIn

I was working as the Webmaster and Linux Administrator for a company

whose endpoint security product blocked USB flash drives from connecting to
systems. At that time, my only exposure to security was on the defensive side. I
was curious about how the USB malware we were trying to block worked and
how it got into forums where some of these tools were being traded.

I went down a lot of rabbit holes in my research, and I even built a website
called USBHacks.com that provided samples of the USB malware to help
educate network admins. (This was also the first time the FBI reached out to We joked about what would have happened if a thief had
me.) stolen my bag and plugged in one of my weaponized flash
drives into a computer.
Around this time, one of my co-workers had his car broken into and his laptop Ken Westin | Head of Competitive Intelligence, Elastic
bag stolen. We joked about what would have happened if a thief had stolen my
bag and plugged in one of my weaponized flash drives into a computer. After
Share
Share
on
Share
Ton LinkedIn
on Facebook
the conversation, I started building tools based on my USB malware that were
designed to protect devices and data if they were stolen.
Jelena Milosevic
Registered Nurse | @_j3lena_ | LinkedIn

There was no “calling” moment. It just kind of happened that I realized I was
part of the information security community.

When I started working as a nurse at a lot of different healthcare institutions, I

didn’t have my own login codes. My colleagues were helpful insofar as they let
me use theirs. I quickly realized how dangerous this shared access was; I could
work under my colleagues’ names and use that access to change information
in the stored medical records. I also found out that medical devices were
connected to the same PC, allowing me to control some of those products I decided to contact the security team. At first, they were
from that computer. It was around that time that I became curious. Could surprised (and suspicious) that a nurse showed interest in
someone from the outside establish a connection with the PC? If so, what security.
could they do? Jelena Milosevic | Registered Nurse

I decided to contact the security team. At first, they were surprised (and
Share
Share
on
Share
Ton LinkedIn
on Facebook
suspicious) that a nurse showed interest in security. But they quickly saw that I
really wanted to deepen my understanding and learn.
Jelena Milosevic (Continued)

In no time, I received a lot of information and made contacts with many infosec I got depressed thinking that I’d never be able to learn a
professionals from all over the world who were ready and open to help me. subject, that I’d never be able to learn enough. But I didn’t
They explained a lot to me, sometimes in too many details. They also showed give up.
me the tools that I could use to learn by myself. Jelena Milosevic | Registered Nurse

I discovered Mozilla Observatory, NMAP, Wireshark, Shodan and much more. I

Share
Share
on
Share
Ton LinkedIn
on Facebook
often lost myself in trying to find the meaning of every word I couldn’t
understand with regards to using these and other tools. It was a lot. Many
times, I got depressed thinking that I’d never be able to learn a subject, that I’d
never be able to learn enough. But I didn’t give up. There was a lot of different
stuff to learn. I wanted to find out where my place was in all of it.

By already knowing the medical side of things and by building my

understanding of security, I was able to develop a deep and global picture of
the security situation in healthcare. I’ve used that understanding to try to
connect medical security and privacy and to help individuals from both sides
hear and understand each other so that we can all work together. I strongly
believe that medical security and privacy departments can make the healthcare
system not just more safe and secure, but also better for everyone by working
as a team.
Richard Archdeacon
Advisory Chief Information Security Officer, Duo Security, Cisco | LinkedIn

Like most people, I fell into cybersecurity through exposure to some really
big security events.

Code Red, Nimda, and the “I Love You” virus all swept us up by surprise at the
time (security was still low on the radar unless you worked at a bank or financial
organization). In one of the virus attacks, I saw a whole corporation lose its
email system.

It struck me that this meant nobody knew how to prevent or respond to these
attacks and that security was going to be vital going forward. All our digital
transformations would come to naught if a simple attack could cripple us. So I think the final confirmation for me came when we read
we had to develop security in the same way that we were changing IT. reports from SOCA and other organizations that showed
the link between hackers and organized crime.
I think the final confirmation for me came when we read reports from SOCA Richard Archdeacon | Advisory Chief Information Security Officer, Duo Security, Cisco
and other organizations that showed the link between hackers and organized
crime. It struck me then that we were not dealing with script kiddies but bad
Share
Share
on
Share
Ton LinkedIn
on Facebook
people who were committed to doing bad things to innocent victims. This was
more than just a job; it was a calling.
Ambler T. Jackson
Senior Privacy Subject Matter Expert | LinkedIn

I knew that the cybersecurity industry was the right industry for me when
I began working on assignments that required not only an understanding of the
law and general business processes, but also the ability to understand an
organization’s data governance practices and speak “security.” My confidence
with respect to my career path increased once I understood how my skill set
obtained throughout my law career, coupled with my technical aptitude,
transferred to the cybersecurity space and specifically to the data privacy and
protection area of cybersecurity.
Cybersecurity is a very broad discipline, and the field is
enriched by many different skills, capabilities, expertise,
personalities and backgrounds.
Ambler T. Jackson | Senior Privacy Subject Matter Expert

Share
Share
on
Share
Ton LinkedIn
on Facebook
Omar Santos
Principal Engineer - Product Security Incident Response Team (PSIRT), Cisco | @santosomar | LinkedIn

It started when I left college and joined the United States Marines. I was
in the U.S. Marine Corps, and my military occupational specialty was in
electronics and secure communications. From there, I shifted into networking
and specifically network security. That’s when I knew that cybersecurity was
for me.

After I left the Marine Corps, I joined Cisco in 2000, and I was part of the
technical assistance center. I was supporting firewalls, IPS devices, VPNs and
a lot of encryption.

At the end, I was actually doing penetration testing and ethical hacking against I was actually doing penetration testing and ethical
many large Cisco customers. I shifted gears again, and now I'm part of the hacking against many large Cisco customers.
product security incident response team where we specialize in vulnerability Omar Santos | Principal Engineer - Product Security Incident Response Team (PSIRT),
management. I also concentrate on helping industry-wide efforts. Cisco

Share
Share
on
Share
Ton LinkedIn
on Facebook
Mo Amin
Independent Cyber Security Culture Consultant | @infosecmo | LinkedIn

The defining moment for me was when I got involved in a forensic

investigation after my manager at the time asked if I wanted to shadow him
and learn a few things. I was working in desktop support, and I found it
fascinating. It was the catalyst for me. From there, I made a lot of mistakes,
learned a lot, and adapted. I’ve been fortunate enough to work with some really
good people along the way, and I still find the work interesting.

I made a lot of mistakes, learned a lot, and adapted.

Mo Amin | Independent Cyber Security Culture Consultant

Share
Share
on
Share
Ton LinkedIn
on Facebook
Amanda Honea-Frias
Head of Product Security at Duo, Cisco | @pandaporkchop | LinkedIn

In the second grade, I was placed in college math and English, but a few
years later, I was taken out of public school to be homeschooled. During this
time in the late 80s and early 90s, homeschool was not as evolved as it is
today. In my boredom, I happened to discover BBSs (bulletin board systems)
and, subsequently, the Internet. I quickly adapted to manipulating software and
hardware to do things they were just not made to do.

Eventually, I tested for my General Equivalency Diploma (GED) and started

working in carpentry. I wanted to create things. This career was over quickly,
however, as I was injured about a year into my apprenticeship. The only skill I
had to fall back on was my knowledge and curiosity for tech. So that is what I
did. The only skill I had to fall back on was my knowledge and
curiosity for tech. So that is what I did.
Fast forward a few decades, and I continue to make my way into an area where Amanda Honea-Frias | Head of Product Security at Duo, Cisco
it just feels like a natural fit for me.

Share
Share
on
Share
Ton LinkedIn
on Facebook
Rebecca Herold
CEO and Founder, The Privacy Professor Consultancy | @PrivacyProf | LinkedIn

I got onto the information security, privacy and compliance path at the
beginning of my career as a result of creating and maintaining the change
control system at a large multinational financial/healthcare corporation. I didn’t
even realize change control was a critical information security control at the
time until I started seeing the ways in which human interactions and
noncompliance with procedures caused some major problems, such as down-
time (loss of availability) for the entire corporation.

After I went to the IT Audit area, I performed an enterprise-wide information

security audit. As a result of that audit, I recommended that an information ... I started seeing the ways in which human interactions
security department be created. There, I created all the corporation’s and noncompliance with procedures caused some major
information security and privacy policies along with their supporting procedures, problems, such as down-time (loss of availability) for the
and created the training program, established requirements for the firewalls and entire corporation.
web servers, performed risk assessments, established the requirements for Rebecca Herold
one of the very first online banks at a time before there were any regulatory
requirements for them, and generally oversaw the program. I’ve loved working
Share
Share
on
Share
Ton LinkedIn
on Facebook
in information security and privacy, simultaneously, ever since.
Tazin Khan Norelius
Founder of Cyber Collective | @techwithtaz | LinkedIn

The moment that I realized the security/privacy industry was right for me
was when I made my own path in it. I quit my job at a consulting gig and then
developed Cyber Collective. I was able to make the safe space that I was
looking for in the security industry that I didn’t necessarily have for myself and
for my peers outside of the security industry. I think that dialogue needs to
reach everybody. When I realized that I could turn security into something
creative that benefits people, that reaches the empaths and into people’s ethos
and pathos, that’s really when I realized that security was my calling, that this
was something that I could do.

I was able to make the safe space that I was looking for in
the security industry.
Tazin Khan Norelius | Founder of Cyber Collective

Share
Share
on
Share
Ton LinkedIn
on Facebook
Ben Nahorney
Threat Intelligence Analyst at Cisco Security | @benn333 | LinkedIn

I studied journalism at university with a focus on magazines. I had my

sights set on a career in investigative journalism, and I wrote stories around
personal privacy, individual rights and security issues for campus publications
while finishing my degree. While I had touched on cybersecurity in my writing,
my first brush with it as a career came when I graduated during a recession. I
took an entry-level tech support job at a cybersecurity company, all the while
expecting it would be temporary while I looked for a writing gig.

In demonstrating that I could write, I was moved into a role writing knowledge-
based documents. Eventually, I took on a position within the company’s threat
research group where I wrote virus write-ups based on notes from
cybersecurity engineers.

I don’t think I looked back after that. Researching threats had a very similar vibe Researching threats had a very similar vibe to the
to the investigative journalism work I wanted to do. investigative journalism work I wanted to do.
Ben Nahorney | Threat Intelligence Analyst at Cisco Security

Ben’s Threat of the Month series can be found at cisco.com/

go/threatofthemonth Share
Share
on
Share
Ton LinkedIn
on Facebook
Mary Aiken
Professor, Forensic Cyberpsychology, University of East London | @maryCyPsy | LinkedIn

I first encountered AI when I was working in the Marketing and Advertising

Services sector in the United States in the 90s. A colleague had been working
on an AI project and was about to launch his 'Chatbot' (www.jabberwacky.com)
on the Internet. I was captivated by this AI software that could simulate
conversations with humans. Immediately, I began to think of applications for the
elderly, the lonely, people suffering from mental health conditions or social
isolation and children with specific challenges or learning difficulties.

That being said, I was concerned. What if this form of sophisticated social AI The prospect of a dystopian future in which sophisticated
was deployed as an attack vector? The prospect of a dystopian future in which AI could engage with or even deliberately target some of
sophisticated AI could engage with or even deliberately target some of the the most vulnerable people on the planet was an
most vulnerable people on the planet was an extremely disturbing prospect. I extremely disturbing prospect.
decided to engage and requalify as a Cyberpsychologist, which was an Mary Aiken | Professor, Forensic Cyberpsychology, University of East London
emerging discipline in the early 2000s. Some years later, I embarked on a
completely new career in the cybersecurity and cyber safety sector. All of this
Share
Share
on
Share
Ton LinkedIn
on Facebook
was inspired by a brief but illuminating encounter with a Chatbot.
Jihana Barrett
Founder, CyberSuite LLC | @iamjihana | LinkedIn

While in the Air Force, I was doing military intelligence. I pivoted from that to
specifically cybersecurity. Prior to that, I had no clue about cybersecurity or
what it meant and what it entailed.

The turning point came when I had my first work role in a counter terrorism
office for the NSA. It was so life changing for me because that was when I
actually applied theory with on-the-job training. That counterterrorism office
was high pace. Just nerves on edge all the time. There was a lot going on, but
it was so amazing. I used everything I had learned. I learned how to think on my I used everything I had learned. I learned how to think on
feet, to be creative. It really allowed me to dig deeper into pen testing. Had I my feet, to be creative.
not done that job, I wouldn't have learned that I enjoy pen testing as much as I Jihana Barrett | Founder, CyberSuite LLC
do. It was also very rewarding because you saw the actual result of an action
you took.
Share
Share
on
Share
Ton LinkedIn
on Facebook
Fareedah Shaheed
CEO and Founder, Sekuva | @CyberFareedah | LinkedIn

My corporate job introduced me to the world of security awareness and

the human aspect of security that I didn’t know existed. In that instant, my
entire world changed, and my career in cybersecurity was solidified.

Instead of security being reduced to lines of code or sitting at a desk for eight
hours, it became about the human brain, teaching and authentically connecting
with people.

And once I started my own business and brand, I fell deeply in love with
creating a movement and tribe around security awareness and education.
Now, it’s no longer about the “right career” but about the “right calling.” I’m in
an industry where I can create massive transformation and impact.
Instead of security being reduced to lines of code or
sitting at a desk for eight hours, it became about the
human brain, teaching and authentically connecting with
people.
Fareedah Shaheed | CEO and Founder, Sekuva

Share
Share
on
Share
Ton LinkedIn
on Facebook
Martijn Grooten
Researcher, Writer and Security Professional | @martijn_grooten | LinkedIn

During my very first security conference back in 2007, I saw a talk on the
Julie Amero case: a teacher who faced a long prison sentence because
malware on her laptop had displayed adult content to a class of minors. It
taught me how security can have an impact on people’s lives and also how
different people can have very different threat models.

The latter lesson I think is relevant well beyond IT security. It could help us
understand society better as a whole.

It taught me how security can have an impact on people’s

lives and also how different people can have very
different threat models.
Martijn Grooten | Researcher, Writer and Security Professional

Share
Share
on
Share
Ton LinkedIn
on Facebook
Noureen Njoroge
Cybersecurity Consulting Engineer, Cisco | @EngineerNoureen | LinkedIn

Curiosity led me to a cybersecurity career. I was that one student who

always had questions to ask. Upon obtaining my Bachelor’s Degree in
Information Technology, I landed a Systems Admin role. Those late-night shifts
at the datacenter were the core foundation of my career, as I learned a lot.

While at this role, I attended a lunch-and-learn session that was hosted by the
Infosec team. They shared information on the latest malware trends, tactics,
techniques and procedures used by the threat actors. I was so fascinated by
the knowledge shared, and I asked so many questions to the point where they
offered me the opportunity to shadow the team in order to learn more. It was
this opportunity that deepened my interest in security. Later on, I was offered
an opportunity to join the MIT Cybersecurity program. From the knowledge I I knew that cybersecurity would be the future, and I
had already attained, I knew that cybersecurity would be the future, and I wanted to be part of it.
wanted to be part of it. Noureen Njoroge | Cybersecurity Consulting Engineer, Cisco

Share
Share
on
Share
Ton LinkedIn
on Facebook
Phillimon Zongo
Chief Executive Officer at Cyber Leadership Institute | @PhilZongo | LinkedIn

I would say my eureka moment came around the end of 2015 when I went
back to the drawing board and took a deep look at my career path. I felt like my
career had stagnated.

I wanted to specialize in cybersecurity because by that time it was one of the

fastest growing fields within the technology risk space. It was clearly the center
of attention for the board of directors, regulators, customers and even
investors. Instead of spreading myself thin across every aspect of technology
risk, I wanted to go deep in cybersecurity.

I realized that there was a major problem in cybersecurity: a lot of the material
that I was reading was very technical in nature, but it was almost impossible for
me to link cybersecurity tools to strategic business goals. I realized that the
subject of cybersecurity was confined within the corridors of IT. It was I realized that I needed to develop skills that would help
supposed to be a responsibility of everyone from the front office staff to the me translate the complex side of cybersecurity into a
board of directors and cybersecurity professionals themselves. That’s when I language that was understandable by senior business
realized there was a major gap. After months of researching and talking to leaders.
other people, I realized that I needed to develop skills that would help me Phillimon Zongo | Chief Executive Officer at Cyber Leadership Institute
translate the complex side of cybersecurity into a language that was
understandable by senior business leaders.
Share
Share
on
Share
Ton LinkedIn
on Facebook
Click here or press enter for the accessibility optimised version

Question 2
If given the chance, what advice would you give
yourself when you first joined the industry?
Jihana Barrett
Founder, CyberSuite LLC | @iamjihana | LinkedIn

If I could go back and tell myself anything, it would have been to pace
myself. I would have reassured myself that I was on the right track, that things
would turn out the way they're supposed to. And I would encourage myself to
learn as much as I could but to be patient with my learning. A lot of times,
newbies want to be experts, and they don't give themselves the chance to take
the steps to get to that point. Having been in the industry for about 11 years
now, I totally see that even if you have all the books behind it, you still don’t
have the experience when starting out. That experience is what helps me
execute my tasks and examine a problem the way that I do. I would have just told myself to be patient. You’re on the
right track. You’re doing all the right things. You’re
So I would have just told myself to be patient. You’re on the right track. You’re learning.
doing all the right things. You’re learning. You’re getting the foundations and Jihana Barrett | Founder, CyberSuite LLC
fundamentals. And every aspect of that industry is going to involve learning.
The learning never stops. Basically, I would have taken the pressure off of
Share
Share
on
Share
Ton LinkedIn
on Facebook
myself to know everything in the beginning so that I could add value to a space
and just know that it was going to come with time.
Tazin Khan Norelius
Founder of Cyber Collective | @techwithtaz | LinkedIn

The advice that I would give myself when I first joined the industry would be
to trust the process. I don’t necessarily know if I would give my past self any
new advice because I’m thankful for the journey that led me to where I am. But
trusting the process has been something that I tell everyone and myself often.
You can only do what you can do. The rest is up to the process of contributions
and reaping the benefit of the work that you put in. So if you trust the process
and stay disciplined, great things can happen for you.

If you trust the process and stay disciplined, great things

can happen for you.
Tazin Khan Norelius | Founder of Cyber Collective

Share
Share
on
Share
Ton LinkedIn
on Facebook
Ben Nahorney
Threat Intelligence Analyst at Cisco Security | @benn333 | LinkedIn

I would remind my younger self not to internalize criticism. If you’re a

writer your work is going to be critiqued. Nine out of ten times it’ll be stronger
for it.

In cybersecurity, personal feelings sometimes take a backseat to quickly

responding to an issue. It has definitely changed for the better over time, but
there is an above-average number of plain-spoken and direct people in this
industry.

When coming from a non-computer related field, not everyone will immediately
see the value of what you bring, and you’ll have to spend extra time proving
your worth. Stand your ground when necessary, but pin your ears back for Stand your ground when necessary, but pin your ears
other ideas and perspectives. You’ll pick up some very valuable information. back for other ideas and perspectives.
Ben Nahorney | Threat Intelligence Analyst at Cisco Security
So ultimately, my advice to myself would be to learn to take things in stride.
That, and don’t get too attached to that hairline.
Share
Share
on
Share
Ton LinkedIn
on Facebook
Noureen Njoroge
Cybersecurity Consulting Engineer, Cisco | @EngineerNoureen | LinkedIn

Looking back, I would advise myself as follows:

1. BE PATIENT with yourself, as it takes time to grasp the vast domains of

cybersecurity.
2. EMBRACE CHANGE, as this industry is constantly evolving, and you have to
constantly learn to adapt.
3. GET A MENTOR ASAP to help answer your discrete career questions and
provide you with tailored career advice.
4. Do not rush into certifications, as they can be costly. Instead, gain some
experience, and then consider which specific domain certificate you’d like
to pursue, if necessary.
5. Network with others in the industry by attending local meetups, chapters Cybersecurity is indeed a journey, not a destination.
and social media platform group gatherings. Noureen Njoroge | Cybersecurity Consulting Engineer, Cisco
6. Lastly, don’t be too hard on yourself. Cybersecurity is indeed a journey, not
a destination.
Share
Share
on
Share
Ton LinkedIn
on Facebook
Martijn Grooten
Researcher, Writer and Security Professional | @martijn_grooten | LinkedIn

Security likes “rock stars,” that is, people who have very good technical skills
or who are loud, very present and can tell a good story. When you’re new in the
industry, as I once was, it’s tempting to look up to them and try hard to be liked
by them. This might give you a short-term career or confidence boost, but in
the long run, I have learned it is much more important to look out for people
who are kind and who have a good moral compass.

I have learned it is much more important to look out for

people who are kind and who have a good moral
compass.
Martijn Grooten | Researcher, Writer and Security Professional

Share
Share
on
Share
Ton LinkedIn
on Facebook
Jason Lau
Chief Information Security Officer, Crypto.com | @JasonCISO | LinkedIn

Looking back, I would have told myself much earlier on to focus on the
human element of cybersecurity.

There was already so much focus on technology, systems and software in the
early days of cybersecurity and not enough on the “people” side of things,
which is the initial cause of many incidents. Focusing on this topic could have
made a much bigger impact on the early days of the security awareness
training industry.

Cybersecurity is a shared responsibility, so the more sharing we do, the safer

we will all become as a whole. There was already so much focus on technology, systems
and software in the early days of cybersecurity and not
enough on the “people” side of things...
Jason Lau | Chief Information Security Officer, Crypto.com

Share
Share
on
Share
Ton LinkedIn
on Facebook
Phillimon Zongo
Chief Executive Officer at Cyber Leadership Institute | @PhilZongo | LinkedIn

There’s certainly things that I could have done better. Now that I have
spent a lot of time mentoring people, I would say it would have been better if I
had looked for a highly experienced mentor from day one. That would have
accelerated my career trajectory in those five years that I've been pushing
myself.

However, if I were to go back, there’s not much that I would change. Before I
start doing something, I ask myself, “Am I scared?” If I'm not scared, then I
don’t do it because it is through doing things that we are afraid of that we grow
the most.

If there is one critical piece of advice that I’d give to aspiring cybersecurity
professionals, it would be to place yourself as someone who can communicate
persuasively and with impact, who can simplify that critical message and push it I would say it would have been better if I had looked for a
to the wider business community, you'll be able to differentiate yourself. Every highly experienced mentor from day one.
time I mentor people, I see people doing the same old thing. They get Phillimon Zongo | Chief Executive Officer at Cyber Leadership Institute
certification after certification but forget that maybe 10 million people look like
you. How are you different? What is something different that you bring to the
Share
Share
on
Share
Ton LinkedIn
on Facebook
table?
Fareedah Shaheed
CEO and Founder, Sekuva | @CyberFareedah | LinkedIn

When I first joined the industry, I wasn’t aware of all the options and diversity
of paths, so I got sucked into the “you MUST be technical to be worthy of
anything” world.

If I were to go back, I would tell myself to not worry about how technical I was
or wasn’t. I would put more focus on knowing my strengths, interests and
hobbies. I would then spend time figuring out how I could combine them all to
make a difference in someone’s life.
I would tell myself to not worry about how technical I was
Not everyone gets to do that, but if you can find that combination, it can be life- or wasn’t. I would put more focus on knowing my
changing. I eventually found it, but I would definitely tell myself to stop stressing strengths, interests and hobbies.
over grades, certifications, job titles, compensation and technical abilities Fareedah Shaheed | CEO and Founder, Sekuva
because it doesn’t matter. It didn’t for my journey, at least.

Share
Share
on
Share
Ton LinkedIn
on Facebook
I would tell myself that the impact I was called on to make in this world was
bigger than any of that, and that I didn’t have to squeeze myself into a box of
degrees, certs, job titles and career paths.
Omar Santos
Principal Engineer - Product Security Incident Response Team (PSIRT), Cisco | @santosomar | LinkedIn

I would basically say to pace yourself and to understand that you're not going
to be able to learn everything overnight. Cybersecurity is very broad. You have
things from ethical hacking, pen testing, digital forensics and incident response,
exploit development, etc.

So yes, become familiar with all the different domains and the ones that you
want to specialize in and that attract you the most. Then dive deeply into it
while always recognizing that you will never be an expert in every single area in
cybersecurity. Pick your niche and concentrate on it.

Pick your niche and concentrate on it.

Omar Santos | Principal Engineer - Product Security Incident Response Team (PSIRT),
Cisco

Share
Share
on
Share
Ton LinkedIn
on Facebook
Sophia McCall
Junior Security Consultant | @spookphia | LinkedIn

By attending a huge amount of conferences and events over the years, I

have been able to build a network of professional connections and friends who
have helped to support me along my security journey.

If I could turn back time, I definitely would have told myself to not be afraid and
to start networking earlier! At first, I was scared to attend events and I didn’t
start doing so until nearly the end of my first year at university.

In my opinion, it’s never too early to start networking. The earlier you start, the
sooner you can grow your network and utilize it as a stepping stone to help you
kickstart your career.
In my opinion, it’s never too early to start networking. The
earlier you start, the sooner you can grow your network
and utilize it as a stepping stone to help you kickstart
your career.
Sophia McCall | Junior Security Consultant

Share
Share
on
Share
Ton LinkedIn
on Facebook
Amanda Honea-Frias
Head of Product Security at Duo, Cisco | @pandaporkchop | LinkedIn

I am not one to wish for a time machine in general. I believe each success
and failure has made me who I am today. I do not want to sound like I have had
a perfect journey and that I have achieved all that I have intended to
accomplish. Quite the contrary. My life is a continuous journey, and my
occupation is just a part of that journey.

I believe each success and failure has made me who I am

today.
Amanda Honea-Frias | Head of Product Security at Duo, Cisco

Share
Share
on
Share
Ton LinkedIn
on Facebook
Jane Frankland
CEO, KnewStart | @JaneFrankland | LinkedIn
If I could go back to the point when I was just joining information security, I
would tell myself to not shy away from being visible. I would urge myself to use
my voice and network. Visibility is the most important thing that a woman needs
to do in order to advance her career.
When I talk about visibility, I mean it in a sense of using your voice so that
people know about you. You need to get yourself out there. They need to be
able to see and understand the work that you are doing. So it's really important
that women build their visibility.
Use your voice, demonstrate your value, really focus on building your network
and use all of the tools around you.
Finally, don’t worry about your age. Don’t worry about how young you look, and
don’t worry about not being considered technical. For me, I had a great big
hang-up about being really young. I wasn’t actually bothered about being a
woman. I didn’t see that as being a disadvantage at all, but I was really
concerned that I looked so young and that I wasn’t technical. So I would go
back and tell myself to not worry about looking young and to not worry about
not being technical. I was able to do my job and to do it really well even though
I wasn’t technical in those days.
Don’t worry about your age. Don’t worry about how young
you look, and don’t worry about not being considered
technical.
Jane Frankland | CEO, KnewStart
Share
Share
on
Share
Ton LinkedIn
on Facebook
Katie Moussouris
CEO of Luta Security | @k8em0 | LinkedIn

If I were to go back and give myself my younger self advice, I would

probably aim myself towards early ventures that accumulated a lot of capital, a
lot of cash. And the reason for that is not that everything comes down to
money, but money makes a lot of things easier, such as making your ideas
come to fruition.

When you're a minority woman in any industry, I think it's a challenge for us to
be taken seriously early in our careers, mid-career and even later on in our
careers. I think that having access to capital, and the means to make some of
our ideas come true, is important. I think that would have been the advice that I
would have given myself back then. And now, we'll see what I do with some
capital, since I've earned enough to bring a few new ideas to reality.
Mo Amin
Independent Cyber Security Culture Consultant | @infosecmo | LinkedIn

If you can, try and find a mentor. There are more avenues and channels now
than when I was starting out. When you find someone, make sure that you play
your part in the relationship. You need to put the effort in, too. Also, remember
to be patient with yourself. You can’t know everything at once. Pick an area that
interests you and try to become the best that you can be in it.

You can’t know everything at once. Pick an area that

interests you and try to become the best that you can be
in it.
Mo Amin | Independent Cyber Security Culture Consultant

Share
Share
on
Share
Ton LinkedIn
on Facebook
Rebecca Herold
CEO and Founder, The Privacy Professor Consultancy | @PrivacyProf | LinkedIn

At one point I realized I needed to do more to understand executive and

other management views of information security and privacy. I could then take
those perspectives, and use them in effective ways to raise awareness of all
levels in the organization chart about the need for strong security. That was the
only way to obtain executive buy-in.

Another piece of advice to myself would be to not wait until I feel I am confident
I know and can do everything related to information security and privacy before
offering ideas or being proactive with actions. Early in my career, I did not
speak up with my ideas that likely would have propelled me much further and
more quickly in my career if I had. No one will ever know, though. We need to have confidence and faith in our own
capabilities as well as to always approach issues
We need to have confidence and faith in our own capabilities as well as to logically.
always approach issues logically. We also need to be aware that others who Rebecca Herold | CEO and Founder, The Privacy Professor Consultancy
may be less knowledgeable and/or experienced than you will advance more
quickly because they didn’t wait to be 100% knowledgeable or fit 100% of an
Share
Share
on
Share
Ton LinkedIn
on Facebook
advertised position within which they ultimately excelled.
Mary Aiken
Professor, Forensic Cyberpsychology, University of East London | @maryCyPsy | LinkedIn

I believe that regret simply serves to undermine decision making, not just
in the past, but importantly going forward, as well.

Bottom line: don’t second guess your own judgement, that is, the ability to
make considered decisions and come to a sensible conclusion. My only advice
to those who seek a career in cybersecurity is to do what I did and don’t view
opportunity through the myopic lens of a singular discipline. Try to adopt a
transdisciplinary approach, and don’t underestimate the incredible value of the
arts. In terms of decision making, Robert Frost’s “The Road Not Taken” sums it
up:

Two roads diverged in a wood, and I— Bottom line: don’t second guess your own judgement
I took the one less traveled by, Mary Aiken | Professor, Forensic Cyberpsychology, University of East London
And that has made all the difference.

Share
Share
on
Share
Ton LinkedIn
on Facebook
Ambler T. Jackson
Senior Privacy Subject Matter Expert | LinkedIn

If I had an opportunity to go back to the beginning of my career, I would have

dedicated some additional time to learning about the technical considerations
of data governance first. While I later studied data governance, what you learn
from databases, data models and data management helps to provide the big
“forest-from-the-trees” picture for understanding why and how organizations
capture data and how data elements move throughout the data lifecycle. I wish
that I had obtained the formal education at the outset, as it would have helped
to set the stage for fully understanding the lifecycle of a data element early on.
I wish that I had obtained the formal education at the
outset, as it would have helped to set the stage for fully
understanding the lifecycle of a data element early on.
Ambler T. Jackson | Senior Privacy Subject Matter Expert

Share
Share
on
Share
Ton LinkedIn
on Facebook
Ken Westin
Head of Competitive Intelligence, Elastic | @kwestin | LinkedIn

When I was a kid, I was diagnosed with Dysgraphia, a learning disorder related
to Dyslexia. This didn’t happen until rather late in my childhood. Up until that
point, I believed I was "stupid and lazy," as that is what many teachers told me.

When I received my diagnosis, it made a huge difference. My parents bought a

computer. I took typing classes. I started playing guitar (to help with motor
skills). I ended up being the first in my family to graduate from college, and
since then, I have built things that many people didn’t think were possible.
The impact on my self-esteem is something I carry even today. If I could go
back and tell myself about my disorder, tell myself I wasn’t stupid and to get
into computers sooner, I think it would help my confidence throughout all of my
life.
If I could go back and tell myself about my disorder, tell
myself I wasn’t stupid and to get into computers sooner, I
think it would help my confidence throughout all of my
life.
Ken Westin | Head of Competitive Intelligence, Elastic

Share
Share
on
Share
Ton LinkedIn
on Facebook
Christine Izuakor
CEO of Cyber Pop-up | @Stineology | LinkedIn

The one thing that stands out for me is asking questions and being brave
about asking questions. I still remember early in my career how I often found
myself being the only woman in the room, the only person of color in the room
and/or the youngest person in the room. And on top of that, I already had a
very shy and timid personality. Bundled together with asking questions, it was a
nightmare for me sometimes.

What I would do is I would take out a notepad every time I heard something I
didn’t know or every time there was a concept that I couldn’t quite grasp. I’d go
home and do a ton of Googling and researching to figure it out. That worked for
me. Don’t be afraid to ask questions. No matter how
“beginner level” those questions might sound in your
I think being able to ask questions and really get that information and soak that head or how stupid you think some people might think
in, as well as to build relationships with the people around you is an added plus. they are, all of that doesn’t matter at the end of the day.
Don’t be afraid to ask questions. No matter how “beginner level” those Christine Izuakor | CEO of Cyber Pop-up
questions might sound in your head or how stupid you think some people might
think they are, all of that doesn’t matter at the end of the day. When you get
Share
Share
on
Share
Ton LinkedIn
on Facebook
answers to those questions, that is helping you to evolve and grow into the best
version of you and the best professional that you can be. That is what matters.
Jelena Milosevic
Registered Nurse | @_j3lena_ | LinkedIn

Over time, I realized that I can’t know everything in this field. Nor do I need to.
This helped me learn to take a breath, to take a look around and have more
patience with learning step by step instead of all at once.

There are many sources of information and free courses/training packages that
we can find on the Internet for learning more about security. There are also
many companies that will give you a chance to start working even if you don’t
have your diploma. Reach out to them to show your initiative! The information
security community is awesome. So here I am, a nurse in the information security world.
Jelena Milosevic | Registered Nurse
Thanks to some people and their trust in me, I was able to find my place. I now
find what I want and do what I can to produce change for the better. So here I
Share
Share
on
Share
Ton LinkedIn
on Facebook
am, a nurse in the information security world.
Richard Archdeacon
Advisory Chief Information Security Officer, Duo Security, Cisco | LinkedIn

It’s about people. We have to understand the technology. But the most
important skill is communication. No matter how strong our technology controls
are, we will get nowhere unless we can explain the “what” and the “why.”
Otherwise, we will become an obstruction and not a help.

Our colleagues do not come to work to do security. They come in to carry out
their tasks in their own departments in order to fulfill their role.

Our colleagues do not come to work to do security. They

come in to carry out their tasks in their own departments
in order to fulfill their roles.
Richard Archdeacon | Advisory Chief Information Security Officer, Duo Security, Cisco

Share
Share
on
Share
Ton LinkedIn
on Facebook
Click here or press enter for the accessibility optimised version

Further Thoughts
Job Descriptions, Conclusion, and Resources
Job Descriptions

We couldn’t end this eBook without confronting the topic of job descriptions.

In order to attract and support more people in the cybersecurity industry, they
need to visualize themselves in the roles. But do current job descriptions
enable that, or does the amount of experience and certifications requested up
front lead to a certain amount of soul crushing?
Don’t just build a website asking for applications and
Certifications and accreditations certainly have their importance, but for the assume they will come. Go out into the marketplace, and
majority of people in this industry, they are here because they have a passion go to disadvantaged schools. Talk to them about the
for helping others. The passion of the contributors in this eBook alone clearly industry. Creating a job spec on your website and sending
leaps off the page. it out on social media isn’t good enough.
Theresa Payton, the first female CIO of the White House
People in cybersecurity want to make the world a better place, and they want
to ensure the safety of as many people as possible online. Are the majority of
job descriptions appealing to that nature? We would cautiously suggest that
many of them don’t.
Conclusion

There is no singular footpath into cybersecurity. And that’s not a

bad thing. Our adversaries are diverse and strategic, so we must
ensure our defenders are also diverse, and are made up of
people who also approach solutions from different angles.

Giving people opportunities, even if they don’t tick every box of a

job description’s “Essential Skills” list is one of the best things
you can do to help. This will ensure the future of cybersecurity is
in the hands of those who are passionate learners.

Also, when finding our path in cybersecurity, having a mentor, or

an ally, can help light the way forwards. Allies can open doors
that previously seemed closed.

In short, we must ask ourselves what we want the future of

cybersecurity to be, and support people to be with us on that
journey.
Resources

Security Stories podcast

A discussion on non traditional paths into cybersecurity

Bridging the Cyber Skills Gap

A look back at the 2019 Women in Cybersecurity Conference

Women in Cybersecurity
Explore cybersecurity career paths at Cisco

National Cybersecurity Awareness Month

A monthlong roster of events, activities and educational content

Careers at Cisco
Put your talent to work

Cisco NetAcademy:
Empowering all people with career possibilities
Click here or press enter for the accessibility optimised version

Thank you for reading

Diversity in
Cybersecurity:
A Mosaic of Career
Possibilities

Cookies Terms Privacy