I like to say that I didn’t really choose a career in cybersecurity – it chose me. The field naturally suits my personality, which has always been safety conscious. My cybersecurity journey began at Georgia Tech Research Institute, where my work exposed me to the challenges of using electronic systems to secure physical spaces. Intrigued, I wanted to build on that insight, so after graduation I looked for a job in the embedded systems space that would keep me on my toes. It didn’t occur to me that the expansive field of cybersecurity largely intersects with embedded systems.
When I first joined Cisco, my experience was making secure embedded systems, not breaking them. I had to drastically change my point of view to become an effective vulnerability researcher of Cisco products. I started by learning secure coding best practices and anything unique to Cisco product code. Coming from a developer’s mindset, I also wanted to know how Cisco products worked—the intended product functionality and the underlying implementation. Next, I immersed myself in the latest research to further understand the current state of network security and common issues with networking products. A lesson that transferred from my time in academia to my time in industry is that research is often built from prior work. As I studied up on the continually changing threat landscape, I realized cybersecurity had the challenges I was looking for.
Now in my eighth year at Cisco, I am a senior security researcher in the Security & Trust Organization. Utilizing my embedded systems background, I study the hardware and firmware of Cisco’s products for security vulnerabilities. I use this knowledge to make recommendations on improving product security, taking into account the delicate balance of usability and security. My work has a direct effect on keeping our products, and thereby our customers, more secure.
Along my professional journey, my reporting chain has supported my growth. With my manager’s guidance, I have further developed my career by attending trainings and conferences. The Women in Cybersecurity initiative (WiCyS) founded by Dr. Ambareen Siraj hosts my favorite conference each year. Each WiCyS conference provides both technical and personal development with an incredibly positive and supportive atmosphere.
At my first WiCyS conference in 2015, I was inspired by Dr. Lorrie Cranor’s password research; but this conference was also where I first learned about “imposter syndrome” that frequently affects women working in STEM fields. The wise Dr. Tracy Camp offered us some great tips on coping with this self-doubt phenomenon. I kept following authentication-related research and gave my first conference presentation on password managers later that year at the Grace Hopper Celebration of Women in Computing!
Cyber threats move fast, and things have changed dramatically since I entered the InfoSec workforce. High-profile hacks have popularized—and glamorized—the profession, so entry-level jobs are now more competitive. Today there are also many degrees in information security, more robust and thorough than the elective track available when I was in college. Because these new degrees concentrate on tools and processes, knowing how the underlying technology works is more important than ever.
Still, it will take a lot to solve the cyber talent shortage. In my opinion, businesses can truly help by being more open to different worker backgrounds and training those looking to make a switch into information security. Infosec degrees and certifications are very recent, so the credentialed talent pool is rather small. Creativity and problem-solving skills are the most essential to have; everything else can be taught.
My advice to anyone, but especially women, who are considering a career in cybersecurity? There are many cybersecurity conferences and networking events available. Find one that welcomes you and actively participate. Keep an open mind and take a lot of notes. Ask questions. Network meaningfully. When it comes to conferences, you get out as much as you put in. And when you’ve paved your own path to the cybersecurity field, help others find their way.