What it’s like to work in cybersecurity (part I)

Eight years ago, when we started building the DefCamp community, one of the things we really cared about was to help people share their personal experiences. No matter their role, backgrounds, or levels of expertise, we focused on creating a context where people felt comfortable discussing the good and the bad in their professional and even personal lives.

The goal was to help them learn from one another and understand what it was like to go through those stages in real life.
Do you remember the 1st edition, the one held at Bran?
We’re very fond of those early memories.  

This essential element of our mission holds true to this day and it’s one of those things that are unlikely to change in the next decade.

To build on this, we’re starting a series of articles that tell the true stories of people who work in information security. We hope you’ll enjoy reading these personal and genuine accounts that cover a wide range of roles, both technical and non-technical.

A big thank you to our wonderful speakers who’ll join us at Ladies in Cybersecurity on March 21st, as they’re the first ones to share what it was like for them to go into infosec and what they’ve learned so far.

Featured specialists:

What helped me build a professional path in infosec

Laura Tamas highlights one of the most important things in… life:

One thing I would recommend to anyone who tries to build a new career is to engage with experts in the field to acquire knowledge and experience from them.

The internet is an important source of information and access to learning materials, yet real-life examples and hands-on experience are beyond compare. The learning curve is also faster this way.

Our own experience strengthens our belief that it’s all about the people, no matter how far you get in this industry or any other for that matter.
Naturally, having a supportive team is a fantastic asset, especially if you’re new to the field:

I started raising more interest in infosec when meeting the TypingDNA team. Not only are they good professionals, but also very passionate about security and authentication. Make sure you add passion to your expertise because it’s like adding salt to your hashes!

Valentina Galea also talks about the importance of interpersonal relationships. She mentions that empathy is the one thing that accelerated her learning curve and made it easier to internalize infosec knowledge and practices.

The skill to see and feel things from others’ perspective. It’s the perfect ingredient if you wish to follow a career in infosec.

Jelena Milosevic talks about personal motivation and its role in figuring your way into cybersecurity. She told us that a key catalyst was:

Believing in what I am doing and going for the cause.

Nurturing this personal proclivity towards infosec entails another important discipline:

Being open to learning, to listening and hearing, investing time to search for answers yourself.

With an open mind to learn, listen and hear what infosecurity professionals have to say, I searched for myself for every word whose meaning I didn’t understand. In no time I was juggling with multiple windows open, getting desperate that I know nothing!

So if you’ve ever felt like Jelena, please know this is part of the journey and that you will reach a point where you have strong knowledge and understanding of key concepts. When you get there, the frustration of not knowing enough can be replaced with the excitement of always having something new to learn.
Corina Nebela’s experience echoes Jelena’s advice on determination and a desire to overcome personal barriers:

I took an indirect path in infosec, mixing and matching various job profiles and skills. My personal advice for anyone would be to cross their personal boundaries and to be on a constant quest for knowledge.

Alexandra Stefanescu also brings an interesting perspective to the table. She says the one thing that helped her break into infosec was:

Being able to shadow people and watch them work through complex issues.

It gets really interesting when Alexandra starts talking about the importance of challenging our assumptions and testing them in real-life scenarios.

We often think that professionals know what a problem is the moment they hear about a bug.

We think they know precisely what parameters to type into the command line to get beautifully filtered results from a scan. We think they look at a cryptic error message and, to them, it’s obvious what caused it. This is false.

Being able to sit next to someone and troubleshoot with them, or code with them shows you exactly what the work looks like even after 20 years of experience.

You still google “what was that parameter that showed the time elapsed in hours?”.

You still refer to the RFC, or the manual, or to that one Stack Overflow post you discovered three years ago and bookmarked.

You still slice a list incorrectly when moving from one language to another.

And you still overlook simple settings or skip steps when you’re under pressure.

Watching people push through difficult issues was invaluable for me.

I learned how they think about the most likely cause of a problem. I saw them sketch topologies out on a paper because trying to work through a packet loss problem in their heads would have made them overlook obvious things. I saw them use checklists. I stole the checklists. It was great.

What I noticed about diversity in cybersecurity teams

We talked about diversity in a recent article because it’s a central theme at Ladies in Cybersecurity and a hot topic in the industry across regions and continents. We couldn’t miss the opportunity to see how our speakers relate to this issue and what their experience around it is.

Corina Nebela highlights how important it is to pay attention to diversity in light of the great results it can have for both workplace culture and results:

Such a volatile industry benefits greatly from gender diversity, not only because it ensures the best talent pool as an employer, but also because it leads to diversity of thought which ultimately broadens the innovation spectrum.

Alexandra Stefanescu also speaks about the subtle but impactful risks of monocultures, where people hire others like themselves, breeding uniformity:

When all you have is a hammer, every problem is a nail.
When your team is composed of individuals with the same education, experience, and perspective, you have a laser-like view of a problem, instead of a broad view. You miss things. You make assumptions. You sneak bias into the architecture. In short, you end up with a weaker solution.

I’ve sat in rooms with low-level developers, UI developers, QAs, project managers and the marketing people. Both genders were at the table. We differed across nationalities and across technical backgrounds. The discussion was amazing! You could watch the puzzle being assembled under your eyes.

A project manager would cite a customer complaint, the QA would immediately hop in and describe how they reproduced it and cited the most relevant log messages. The C developer would suggest a possible fix and the marketing person would cut in and cite the RFC – “we are forbidden from doing this”. The UI developer would chime in and say: “hey, maybe the customer assumes this is possible because the UI makes it appear so.”

Having diverse people at a single table saves hours of back-and-forth emailing, it saves countless iterations and, most importantly, it brings in much-needed perspective on what humans assume when they see a control scheme.

The roles in this anecdote aren’t enough to ensure diversity. You can have a data scientist and a networking engineer whose perspectives align perfectly. Between the two of them, they will never look at a problem from a new angle.

Sure, a man and a woman can be in the same situation. This goes to show that there isn’t a single criterion that ensures diversity.
Diversity is the opposite of homogeneity. When everyone at the table has walked the exact same path to get where they are, their experiences align.

In order to achieve diversity, one must make a conscious effort to hire and promote the people who can act as missing puzzle pieces.
The most uncomfortable thing is that people with perspectives that differ from our own are people who differ from us. Diversity thrives on empathy.

Laura Tamas’s experience speaks to the same essential topics:

Diversity within a workplace clearly yields creativity and allows teams to problem-solve from various perspectives.
From my experience, working in teams with low diversity can lead to the rise of subcultures which involves the risk of decreased efficiency.
Diversity motivates people to embrace exchanging opinions and to leave their comfort zone.

Valentina Galea shares her own story about being the only woman on a team of cybersecurity specialists and how that influences the social dynamic and the work itself:

So far I had only a short time a female co-worker (3 months) so I must say that in this field the ladies’ presence is very poor.

As from my personal experience, being the lead for almost a year to an ethical hacking testing team – all men – I can tell you it wasn’t easy but surely it brought great benefits.

I always say that it is the person who matters, not the gender or age, but sometimes the gender can influence approach towards an idea or perspective over a topic.

I strongly believe that teams work well and have amazing results if they cultivate open and honest communication in order to achieve goals.

Jelena Milosevic firmly believes that infosec is an open industry precisely because most people working in it are self-taught:

Infosecurity is, I believe, the only place where you can get the job based on your knowledge and know-how and not only based on a diploma. Because of rapid developments in infosecurity and open source, everyone can find available courses and learn for themselves. So, everyone can do that if they want to.

Still, I could find many people that do understand the need for keeping privacy and security on a high level, even if they didn’t come from tech or security.

One awesome side of the infosec community is that they understand what it’s like to be different and can accept others with their own ways of being different.

We feel incredibly inspired by all these stories and we’re only halfway through! Keep reading for more on-the-ground stories that make cybersecurity exciting and even life-changing to work in.

This needs to change to make infosec more appealing for a wider range of specialists

As far as Alexandra Stefanescu is concerned:

There is no silver bullet for this. A few things need to happen so that their combined effect generates a more diverse workforce.
First, hiring needs to stray from the model of “bringing in more apples in a team of apples”. Cybersecurity is especially welcoming to different technical backgrounds.

Second, people still completing their education need to be exposed to role models they relate to. I think the people in the industry should step forward, if it’s within their possibilities, and become visible to those still in training.

You can’t become something you’ve never seen.
Third, kids need to see how fun and rewarding it is to take things apart and put them back together. There is no child who is bored with a sense of achievement. No girl or boy will say “I built this awesome gadget and it blinks and it whirrs and it moves around – how tedious.”
As adults, we know how happy building something ourselves makes us – that’s why Ikea is thriving. We should not deprive any of our children of this experience.

If you feel like skipping off to doing something you love right now, we completely understand. Genuine and honest stories like these tend to have this effect on people.
When you come back, there’s more where that came from, like this perspective on contributing from Laura Tamas:

In my opinion, cybersecurity is an appealing field of work, but perhaps the reason it doesn’t seem to be welcoming to new entrants is the way it has been marketed.

However, it is our responsibility to contribute to making it more attractive to the workforce regardless of age, gender or ethnic background.

Events such as “Ladies in Cybersecurity” represent great opportunities to bring women in infosec together and therefore build a stronger community.

We definitely should encourage more people to go ahead and promote cybersecurity in their circles.

Speaking of a mindset change, Valentina Galea has something important to say about that:

In Romania, I believe that the most important thing that needs to change is the mindset and education.

I want to share with you the things I heard from my colleagues once I decided to go towards an infosec career: “Are you crazy?”, “haha, you will be a penetration tester? How will you handle penetration as a girl?” These questions made me sad at first because they are very judgmental.
Being an infosec professional is, first of all, a professional which means that you need to own your craft.

I started as a graphic designer, I tried also being a VJ in clubs, then a tester at a gaming company, but when I discovered what cybersecurity is and looked over a couple of tutorials, I realized that this is what I want to do for the rest of my life.

So what I am trying to say is the fact that in order to increase the diversity in cybersecurity workforce, each and every one of us who will be on stage on March 21 has the responsibility to share their knowledge in order to let the audience understand better what you need to have in order to become an ethical hacker.

The last thing I want to mention is the fact that nowadays people are a little lazy, they stay in the same job they know without looking further and discovering maybe other fields of activity.

It is clear that not everyone can work in infosec but I am sure that there are still artists who might develop a hacker mindset or even among the bankers. In the end, the only limits we have are the ones we set so get out of your comfort zone and let’s secure this world!

It may look like our speakers at Ladies in Cybersecurity coordinated their answers but we can assure you they didn’t get that chance. Here’s Corina Nebela highlighting the importance of how we see things and the benefits of broadening our view:

I believe that our mentality is the first thing that has to change.
Unfortunately, many women feel intimidated by this career.
It is important to make women aware that if they take chances, act with confidence and embrace learning, everything is possible.

Even if you’re not a woman, this applies to you too. “We’re only afraid of the things we haven’t done enough”, as Paul Jarvis wisely put it.
Jelena Milosevic wraps this section up with a reminder on the importance of teamwork and collaboration, which is really close to our hearts:

We put everything online and connect everything, even when we don’t need it. Sadly, most of the time without even thinking about making it safe and secure.

All of us, infosecurity and non-infosecurity professionals, need to understand that we need teamwork and that infosecurity is part of everything that is digital or online, everything that has software or hardware and that’s connected.

We need to find a way to talk, walk and work together and understand each other’s needs, working for the same goal – safety and security.

An open mind and an open heart certainly help accomplish a lot, don’t they?

Hear more stories live on March 21st

We can’t wait to publish the second “episode” of the What it’s like to work in cybersecurity series but until then, you can join us on March 21st to hear more stories like these and ask questions to our speakers in person at Ladies in Cybersecurity.

Here’s a bit of what you can expect to learn, straight from our experienced speakers:
Laura Tamas will talk about “Securing sensitive accounts with MFA and Behavioral Biometrics”:

Compromised data as a field of interest requires our undivided attention.
There are too many examples of data breaches and cyber-attacks which resulted not only in enormous financial losses but also in public exposure of sensitive information.

In the course of my presentation, I will present a case study to show how TypingDNA ensures a definite improvement in security and the quality of authentication.

The topics of discussion will include behavioral biometrics as a two-factor authentication method as well as other types of factors which our clients can adopt as additional layers of security.

Jelena Milosevic will tell us all about “Why I didn’t run away from the infosec community”:

By talking about my journey as a nurse and as a woman in infosecurity, I’ll try to explain the situation, to point out the things that helped me keep going and not give up.

At the same time, I’ll talk about the position of women in the world, in the infosecurity community and how we can get the place we deserve to have.
I want to show that if you really want to do something, especially in and with the infosecurity community, you can do it and that you’ll be welcomed, heard and supported.

Corina Nebela will share her experience on what it takes to “Leverage Big Data in Cybersecurity”:

My presentation will encapsulate a non-conventional approach to cybersecurity by leveraging big data and machine learning capabilities.

And Alexandra Stefanescu already has us curious to hear her talk about “WiFi, a cautionary tale. Leakage, pwnage and just plain silliness”:

My talk centers on the current state of WiFi.
The protocol has been around for quite a while and the bar of entry for playing around with it has lowered considerably. Since every smartphone is now WiFi-capable, any smartphone user can be either an attacker or a victim.

It’s all too easy to connect to malicious WiFi networks, and, sometimes, we’re too busy to properly read through pop-ups asking us to accept a certificate.

My talk aims to educate and showcase how these attacks happen and what our best line of defense is.

Moreover, I’m also really enthusiastic about testing things, so I will also go into detail about how one can get started with a few WiFi related projects. The hardware is cheap and GitHub abounds in software and command line utilities. I’ll do a bit of show and tell if the demo Gods smile kindly upon me.

The most important thing is this: turn your WiFi off during my presentation. Don’t say I didn’t warn you.

If you enjoyed reading these stories, we’re fairly certain that you’ll love the cozy atmosphere at Ladies in Cybersecurity, happening just a few days from now.

Get your ticket and meet us at Impact Hub Bucharest to connect with the rest of the community at the first DefCamp event of the year!
See you soon!
