Industry Observations

Women in AppSec: Post-Webinar Thoughts and Q&A

We had an amazing turnout and response to our webinar Growing the Ranks of Women in AppSec. I played host and moderator, and really want to thank my colleagues for their enthusiastic participation and input. And I have even bigger thanks to all of the people who dialed in, sent us questions, and offered to share links and other experiences.

Security is a field which inspires a lot of passion. The summary that I hope everyone took as a lesson learned or something to think about: You can’t fake passion, and you can’t train for it. You can, however, train a person to learn a new shell script, or how to use and troubleshoot a technology.

Years ago, when I was the trainer for a Network Operations Center, my favorite VP came to me and said he had a special request: He knew a woman going through some tough times. He wanted to give her a job. Did I think I could make her into a NOC operator?

“Sure,” I said. “What’s her background?”

She was his babysitter. She was a 50+ year-old woman with no prior technology skills whatsoever.

“Okay. But I’m going to need an extra two weeks to train her.”

And I did – because I needed to go back and diagram for her how information and bytes flowed from an application through the session layer and on down the OSI stack into the wires to find their way around the world. I had to explain how firewalls worked, what kinds of things network monitoring tools looked at, and what a database’s error conditions were, so that she’d know what a red light meant on her console. There was a lot of whiteboard drawing, and simplification of concepts.

But she learned it. And in a month, she could be trusted on her own for short shifts, monitoring our whole co-lo datacenter. In three months, she could explain it to others. She never made a mistake, because I trained her from the ground up, and provided a manual (I wrote) to look things up if she couldn’t remember.

Sparking that passion in candidates will take everyone farther than any specific technology expertise, which, frankly, can be trained. Maybe that passion starts as desperation for a job, a place, a company to call home. Maybe it comes from a love of storytelling, or of creating order out of chaos. I think once I introduce the ideas of Security, of securing digital business and making the Internet safer for kids and untrained people, it sells itself as a career.

Here’s a copy of the slides we used for the webinar presentation.

We didn’t get to a couple of the chat comments during the preso, so here are the questions and answers from the presenters, and comments that some of our audience wanted to share.

Questions we didn’t get to answer specifically:

Q: How much coding is expected from a fresher in the information security field?

A: Only Katie was a coder – and as she stated, she doesn’t use it. Jeannie learned shell scripting, which she found terribly useful. You can get most of that from something like The Absolute Beginner’s Guide to Unix, or other very fine books out there. There’s a lot of security technology built on grep.

Q: Can anyone speak to the growing shift away from being heavily cert-centric in infosec?

A: Having a certification doesn’t mean you can do the job you were hired for – it only means you’re capable of absorbing concepts and repeating them back in a test-like environment. Nevertheless, the basic Security+ certification is a great place to start, and will get you a long way toward a CISSP. Frankly, I know having mine has gotten me a couple of jobs over other candidates.

Q: What is the most appropriate way to make the case for a 50% increase in pay with the same employer (vs. having to change employers to get market pay)?

A: That’s a tricky question. It’s easier to change companies if you want the increase, because often your manager has your headcount pigeon-holed at a certain level. But if you want to stay, I’d advise you to start right now with a sit-down with your manager, and your manager’s manager, and talk about your career aspirations and ambition. Keep in mind that acquiring the requisite knowledge and experience is going to be a 1.5-3 year process for that bump – so set up a plan to get yourself there with key performance indicators, milestones, and education/certification goals.

Q: Can you recommend a role/roles for a Lead Usability Analyst/Business Analyst interested in security?

A: Depends on what you like best about your job. There’s opportunity in Project Management, Junior Program Manager, keeping to the process, procedure, compliance side of the force. If you want to jump into slightly technical (while still avoiding learning how to code) try security operations work. (I started there after network operations, so there’s some bias on my part.) ANYONE who can analyze a process flow, break down a business functionality, and describe use cases is going to find someone who loves them in security.

Q: Any advice for an experienced professional woman who has an IT background, light in Security, but strong in IT Audit/Risk that would like a stronger transition into a Security management role?

A: See previous answer. You’re going to need more understanding of what security technologies actually do, what they monitor, and how they work together. You would be surprised at how much free vendor training is out there! I’d recommend starting with learning about IDS/IPS, A/V and signature technology, understand the OWASP ideas of AppSec. I found this link the other day for lots of free training. But if you know audit and risk, you’re a prime candidate to look at Incident Response and Handling. They often don’t need skills in specific technology so much as they want to find people good at troubleshooting, communication, and following process.

Comments from the audience:

  • I think if you have less than 5 years of experience, you can still become an ‘Associate of (ISC)2’ until you have the years of experience if you take the test. (True! Thanks, Melanie!)
  • In the Seattle area, please have attendees check out the Seattle Women in Cyber Security and Information Security (SWiCSIS) group on Meetup and LinkedIn. (Yes! Agreed, Melodye!)
  • It would be great to have some of us develop some sessions at Defcon to share with other women; they have a lot of great talks, maybe there is a big meetup there I just haven’t seen it yet. (We agree again! Frankly, we started a Women in WhiteHat chat group at our work, and I recommend it for yours if you have the capability.)
  • LinkedIn has so many great females now sharing ideas, resources, etc. for infosec.
  • Most managers don’t seem to want to hire without experience. Chicken and Egg. (TRUTH. However, look carefully at the job description. Find the elements in your own work history which are similar in idea and emphasize them. Write an Objective that is SPECIFIC about your new passion to get into Security. Emphasize that you are quick to learn, and good at documentation as you go. That’ll get their attention.)
Tags: Education, security, whitehat security