Women are vital to the information security field, but there are relatively few of us. Speaking to women in our industry yields insights into how we've ended up in this male-dominated field and perhaps how to attract more of us. I first interviewed Tiberius Hefflin, a Scottish security analyst who's working in the United States. Then I spoke to Tracy Maleeff, otherwise known as @InfoSecSherpa on Twitter. After years of working in different fields, including as a legal librarian, she found infosec and her own business. Then I spoke to Isly, who's a penetration tester for a defense contractor. For my fourth interview, I spoke to Kat Sweet. She's an example of how learning to code may sometimes open doors.

Kim Crawley: Hello, Kat! How would you describe your job and title?

Kat Sweet: I'm a full-time network security student, and I also recently started a job as an information security analyst.

KC: That's impressive! How did you get the analyst job?

KS: At the entry-level, it seems like what matters most is showing dedication and a desire to learn. I had also just finished up interning in a SOC, so I'm sure having that technical experience helped.

KC: Did you show technical aptitude as a little girl?

KS: I'm a latecomer to tech. As a kid, I had qualities that were transferrable to tech. I like to create things, and I was curious about the world around me. But tech wasn't a huge part of my life. We didn't have a computer in the house until the late 90s.

KC: How did you get into computing?

KS: A few years back, in the midst of trying to figure out a new career, a few friends suggested that I try learning to code. I struggled with it quite a bit, but it opened up a whole new realm of things for me to learn about. I knew a few people who worked in security, and the more conversations that I had with them, the more I got intrigued by what they were working on.
Of course, I still had it in my head that it was too late for me to work in security because I hadn't started hacking as a child. It wasn't until about two years ago that I realized I could make a career of it.

KC: Do you think you would've gotten into it earlier if you were male?

KS: Maybe the option would have been presented to me somewhere along the way. The influence wouldn't have come from my parents, though. They were never tech-forward people, and I don't think it ever occurred to them that tech was something they could push me or my brother toward.

KC: Did you face any sexism while pursuing code and IT?

KS: While I've been fortunate to have a great group of friends, men and women, who've supported me throughout my career change into security, I've encountered my fair share of sexist behavior. One of the first things that happened to me at my first security convention was getting hit on. When I was still new to the community, various people would mistake me as just someone's non-technical “plus one.” (Which is not true, by the way. Non-technical does not mean "not worth talking to" or "not worthy of respect.")

KC: What sort of development did you get into when you started to learn how to code?

KS: The first language I started learning was Ruby. In hindsight, it's not a very friendly first language to learn. Later I started learning some front-end web development. I took a class and went through some tutorials on HTML, CSS and JavaScript. I found myself wanting something broader than just code... I wanted to learn more about all of the systems that my code was controlling. I wanted to see how it fit into the larger picture of computing.

KC: Was it pretty much all web development? Frontend and backend?

KS: Mainly, though I was having trouble figuring out how to bridge the gap between doing introductory-level tutorials and being able to think like a programmer.
It's only recently that I've been able to start taking a problem-solving mindset and apply it to scripting.

KC: What helped you with that epiphany?

KS: I had an instructor last semester for System Administration Security (basically Bash and PowerShell scripting) who was very good at imparting that problem-solving process. Taking a large, overwhelming problem and breaking it down into granular steps. But on a larger scale, another part of that epiphany came with not being so scared to fail at technical tasks anymore. When I first started getting into tech, I felt so much pressure to be a beacon of perfection, like my whole gender was on trial.

KC: So, that was one way that sexism in tech may have affected you.

KS: Absolutely. We need to be given license to fail in order to learn and grow. When we feel like we can't do that, it helps no one.

KC: I think impostor syndrome is very common in us. Do you think there are advantages to being a woman in infosec?

KS: It is to infosec's advantage to have more women involved. Studies have shown repeatedly that everyone problem-solves better in more diverse groups, and having a wider range of life experiences gives people a more complete picture of the security landscape.

KC: How did web dev (eventually) lead you into infosec?

KS: I should clarify that I never worked as a dev; this was always just self-teaching on the side while working in a non-tech job and trying to figure out the next move.

KC: But you were learning it.

KS: Yup! As I mentioned, I kept wanting the larger picture, and security is great for that. It touches every field of technology. I knew a few people who worked in security and started going to cons. My fascination with it really took off when I started playing around with CTF practice sites like Hack This Site and Over the Wire. I loved the puzzle aspect of it, and I loved that every challenge prompted me to go learn something I didn't know.
I could spend hours getting sucked into solving challenges, and I still do!

KC: That's awesome. Did you need any credentials for your current analyst position?

KS: I don't know whether it helped that I already had a bachelor's degree (not in a tech field; it was gender and women's studies), but I think the degree and certs probably fell into the category of "nice to have, but not required."

KC: Now, you're in Wisconsin. Is that really a tech hot spot?

KS: Madison has a growing tech presence. It's the state capital and the home of a large research university, so those are two big tech employers. Epic, the medical software company, is just outside of Madison. In recent years, more dev shops, startups and game development companies have started to pop up here. Google even has a small office in Madison.

KC: You learn something new every day! If a young girl was reading this who was curious about an infosec career, what would you say to her?

KS: "Get in, loser. We're going hacking."

KC: Nice. What do you think is the biggest problem in infosec these days?

KS: Empathy, both within infosec and in interactions with the non-infosec world. We spend so much time trying to understand how technology works and forget to understand how the humans behind the technology work.

KC: Yeah. Social engineering's a huge problem. Laypeople assume that "hacking" is a guy in a hoodie typing 100 words per minute. I find social engineering's the biggest vulnerability by far. Trojans are exploding. Do you have any last words about women in infosec?

KS: Oh man, I have so many words! But I will say, if you're a woman of any age who's interested in infosec, we want you to succeed, and we want to give you the tools to help make that happen. There may be roadblocks along the way, but to quote one of my favorite drag queens Latrice Royale: "It's okay to make mistakes; it's okay to fall down. Get up. Look sickening. And make them eat it."

Conclusion
Tune in next time for my next interview with Jess Dodson, another woman in information security.

About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.