Ah, the holidays. As we roll up to the end of the year, one thing’s certain as the office party and failed New Year’s resolutions – cybersecurity 2022 trend articles.    And like festive holiday merch in stores, trends pieces seem to appear earlier and earlier each year.    Well this year, we’re taking a stand against ‘trends for 2022’ articles. Why? Here’s just a flavor of what real InfoSec leaders like you said when we talked trends.

And on Twitter, the feeling is similar… My prediction? The majority of 2022 cybersecurity predictions will again be “More of the same, packaged a bit differently” because that is how evolution works. It is only from an appreciable vantage point that one sees the scale of incremental change. 1/x — Rik Fërgüson (@rik_ferguson) November 1, 2021 My 2022 Cybersecurity Predictions: pic.twitter.com/7r4AC328q2 — c🎃e (@caseyjohnellis) November 2, 2021

So while someone, somewhere might fall for a high profile deepfake attack or AI generated breach, the main issues faced by the vast majority of InfoSec for next year will be… the same as last year, and similar to the years before that.    We like to call these The Infinity Trends, so pass the eggnog, throw another yule log on the fire, and let’s explore the five gems that’ll be taking up 91.4% of your time in the next 365 days.   Infinity Trend One: People are (still ) gonna fall for the same ol’ sh*t Year in, year out, there’s always a risk that someone is going to click on a malicious link. And when bad actors are using sweet, juicy bait like early access to Series 2 of Squid Games, you can see why. You're only as strong as your weakest link. Human error wins every time. Awareness training is key. #InfoSec pic.twitter.com/tPD9yBEse3 — Khalil (@sehnaoui) June 21, 2017 You can’t stop people clicking links any more than you can prevent them from sending or receiving them in the first place; for many people, that’s their job. Their inbox is a revolving door of links to documents, webpages, forms, and databases.   Infinity Trend Two: You’ll (still ) have to explain why cybersecurity matters to the CEO An important "soft skill" as you move up in leadership roles is brevity, the ability to not only be succinct but also flexible when presenting; knowing how to adjust your content on the fly. This is crucial when presenting to higher level business leaders. Practice this! — Alyssa Miller 👑 Duchess of Hackington (@AlyssaM_InfoSec) October 28, 2021 Looking back to the ‘before times’ circa 2012, a predicted trend was cybersecurity moving from being solely an IT department issue, to a C-suite issue. (Here’s Phil Gardner, founder of IANS, talking about exactly this back in the day.) Yet here we are, 10 years later, and despite the 2021 PwC Annual Global CEO Survey, revealing chief executives see cyber threats as the number one risk, the same report goes on to note that the majority of CISOs overall — 63% of organizations — don’t get the kind of support they need from their CEO. If you’ve got a CEO who gets security in all its forms, you’re one of the lucky ones. For everyone else, here’s the only three metrics they care about.  

Infinity Trend Three: Attacks will (still ) come after lunch or at the end of the day (on a Tuesday) Bad actors have a preferred time to strike. We know this because we analyzed four billion emails in a 12-month period and found that 2 million of them were malicious, and slipped past secure email gateways (SEGs). Further examination found that mid-afternoon, or just before the end of the day, is when most attacks occur. Why? Because our research shows that 45% of employees say they’ve clicked on a phishing email because they were distracted.

Interestingly, Tuesday – not Friday – was the time employees sent and received the most emails, and that’s also the preferred time for spear phishing. One particular Friday does rank the very highest however, Black Friday. So if you’re reading this….  incoming! It’s not all bad news, though. Our research also showed that, like everyone else, even the bad guys take a break over New Year, perhaps to make their own New Year’s resolutions? Infinity Trend Four: Your biggest risks will (still ) come from ‘inside the house’ The spear phishing of staff was an exotic emerging threat trend in 2012, and it’ll still be your number one threat a decade later. Then there’s the risk from misdirected emails, sending the wrong attachments, and deliberate exfiltration. You can see why Forrester’s recent report of over a 1,000 security professionals found that 61% think an employee will cause their next data breach.

  Infinity Trend Five: Hiring a diverse team will (still ) be one of your biggest priorities… and challenges Back in 2016, 72% of Black Hat attendees were saying that “they do not have enough staff to meet current threats”, and those trends have only gotten worse with 2021’s Great Resignation.    Add to this the fact that the average CISO is in post for a little over 26 months (plus a doesn’t-get-it-CEO), and you can see why it can be hard to foster a solid security culture.    InfoSec has a high turnover rate, too; keeping your people together, focused, and motivated was a challenge in 2012, and it’s still a challenge now.    So despite a decade passing, the problems most InfoSec, SOC teams, CISOs, and CTOs face daily haven’t really changed. What has changed is that everything has gotten bigger and more complicated – from the frequency and sophistication of attacks, to your attack surface and perimeter, to the sums of money and number of people involved.    So our number one cybersecurity trend’ for 2022?    Same as it ever was: cybersecurity is still primarily a people problem. This time of year we all make resolutions: get fit, quit that bad habit, be better at what we do. If you’re thinking about one more, why not make 2022 the year you secure your Human Layer?   Until then, Happy Holidays!

We asked leading CISOs who trust Tessian to protect their business, what was the one metric their CEOs always asked about. Here’s what they told us, so that you can help your CEO (and the rest of the C-suite) see the value in cybersecurity, in ways they’ll understand Cybersecurity attacks can be highly damaging not only for businesses, but also CEOs themselves, often (very sadly) resulting in their resignation. Examples include Target CEO, Gregg Steinhafel, Equifax’s CEO Richard Smith, LandMark White’s Keith Perrett, and Chris Hylen of Imperva.   A decade ago, a breach might have been seen as an IT issue, and often it was the CIO or other technology-focussed C-suite executive who would take the blame. More recently, though, with the fallout from an attack having financial, operational, reputation and increasingly regulatory ramifications, the buck now stops at the CEO. Indeed by 2024, CEOs will be held personally accountable for breaches according to Gartner. Have we piqued your interest?   Do CEOs understand cybersecurity? According to the 2021 PwC Annual Global CEO Survey, chief executives cited cyber threats as the number-two risk to business prospects — topped only by pandemics and other health crises. In North America and Western Europe, cyber was number one.   Yet the same report goes on to note that while the top 10% that are “most advanced” in cyber practices or “most improved” on cyber outcomes are in a good position… the majority overall — 63% of organizations — don’t get the kind of support they need from their CEO. The fact is, both the CEO and CISO need to work together to benefit the company.   Here are some more startling facts: 64% of CISOs fear their companies are at risk of a major cybersecurity attack in the upcoming year 66% feel their organization is unprepared to handle it Just 7% of security leaders report directly to the CEO, according to a recent study from Ponemon Institute.   So if your CEO doesn’t get it (or even if they do), here’s our advice on how to update them and the wider C-suite, with answers to metrics that are meaningful, productive, and easily understood.   Metric 1: The Threat Question   One of the first metrics a CEO might want to know can broadly be defined as ‘the threat question’.   Here they’ll ask questions like ‘how big is our attack surface?’ or ‘how well do we understand the threat?’ or ‘where is our biggest source of threats?”. You’ll need up-to-the-minute data on this, but also deeper context of the potential harm these threats could have done to the business.

Metric 2: The Money Question   All CEOs (and CFOs) want to know exactly where the money goes.    Risk calculators can quickly ballpark the cost of a breach depending on your company’s size, sector, and location. This can help give you a Return on Investment (ROI) for your tech stack.. Using Hiscox Group’s Risk Calculator for example, gives $4.7m as the estimated cost of breach for a US healthcare company with revenue of up to $5m, with most of that cost in fines for loss of PII. 

The ‘money question’ actually comes in several parts, there’s the immediate loss of revenue while systems are down; fixing this also consumes the company’s time and resources, which also have a cost. But these are relatively small compared to the later costs of regulatory fines and legal action, as well as long-term reputation damage.

Metric 3: The Time Question   Finally, there’s the ‘time’ question. If you’re in InfoSec, you’re realistic enough to know that, at some point, an attack is going to come.   When it does, your ‘identify, deal with, and recover’ times are the metrics you need to communicate to the team, because ‘how quickly can we recover from an attack?’ is the sort of time question your CEO will ask you.   For South African businesses like the Rand Merchant Bank, the Protection of Personal Information Act (POPI Act) came into effect on July 1, 2020, giving organizations one year to be fully compliant. With that time now elapsed, any breach has to be reported to the regulator which is a huge time sink (and can incur several fines).   Get everyone focused on the same metrics   Cybersecurity is a mirror in which the wider C-suite team only sees what matters to each of them, depending on their role:-   The CFO is concerned about potential financial impact.   The CRO focuses on risk insurance.   The General Council is worried about the compliance and regulatory fallout. As a CISO, you’re probably thinking about the technology and potential vulnerabilities.   The CEO meanwhile, has to pick and mix from this salad bar of metrics and try and formulate a response. A breach will impact everyone in these areas, and so in a sense, they’re everyone’s problem. As the CISO, you need to work with your CEO to iron these out into specific, trackable metrics based on threat, money and time.     What’s the wrong metric to measure for cybersecurity?   We asked cybersecurity professionals via Twitter which was the one metric CEOs always asked about. In previous jobs, there was never just one… but the most common one across all stakeholders was "how much are we spending on security compared to our peers". I would then spend time helping them understand why this was the wrong metric to look at. — Helen Patton (@CisoHelen) October 13, 2021   The thinking here being that bad actors might choose a softer, less secure target. So as long as we’re better protected than that guy over there, we’re ok. Sadly it doesn’t always work like that. There are a few issues with this type of question. Firstly, that sort of data isn’t easy to come by, and secondly (and more importantly) security spend is a product of risk appetite, which varies from peer to peer. So you have to ask yourself, “do you feel lucky, punk?”.   As a CISO, putting the detail on the bones of risk, money and time, is what your CEO will want to hear. Tessian can help you with that, from numbers of threats stopped, to amount of time saved.

We’re excited to announce that Tessian has been recognized as one of the top three medium-sized companies in the UK’s Best Workplaces™ for Women for 2021.  Our Human First value, its commitment to Diversity, Equity and Inclusion (DEI), and its Employee Resource Group (ERG) for women – Tes-She-An – are just some of the reasons why people love working at the company. This recognition confirms that:  Tessian is a great workplace for all employees, including women. Tessian recognizes that women represent a valuable talent pool in increasingly talent–constrained industries such as cybersecurity and technology.  Tessian lives up to its company values of ‘Human First’ and ‘We Do the Right Thing’, as its leaders make meaningful changes to improve their ability to recruit, retain and nurture top female employees.

Education and training have been foundational first steps in Tessian’s DEI strategy. We partnered with Jeff Turner, former International Learning and Development Director for Facebook, to deliver company-wide training around diversity, unconscious bias and inclusion. We’ve also taken the time to establish our long-term DEI roadmap – which includes a diversity recruitment strategy across all hiring levels, expanding the entry-level talent pool by creating junior jobs for people entering the tech industry, and prioritizing the development of future leaders through well-defined growth frameworks across the company. 

In addition, Tessian’s ERG group – Tes-She-An – provides a space to support all employees who identify as women, celebrate their achievements, and help each other “shine even brighter” by focusing on career progression. The group runs monthly workshops for women, and invites inspiring external guests who are leading the charge in creating equal opportunities in the tech industry, to speak to employees. Importantly, these events do not operate in a closed network. They’re open to the entire company – not just women.  As a result of these initiatives and programs, 99% of Tessian employees surveyed by Great Place to Work® agreed that people at the company are treated fairly regardless of their gender.  Paige Rinke, Head of People at Tessian, says: “We are so proud to be recognized as a Best Workplace for Women and hear first-hand from our employees that our initiatives to create an inclusive workplace are resonating. One of our core values is Human First, and we’re committed to ensuring every employee feels supported and valued, and to improving gender and ethnicity representation across all levels of seniority at Tessian through our DEI efforts. “Why? Because empowering our people to thrive in an inclusive environment and challenging the status quo to create more equal opportunities in the tech industry is, ultimately, the right thing to do.”  Benedict Gautrey, Managing Director of Great Place to Work® UK, explains: “We’re delighted to recognize so many great organizations in this fourth year of the UK’s Best Workplaces™ for Women list. The issues affecting women in the workplace, particularly what we’ve witnessed in the face of the pandemic including parity of pay and advancement opportunities, continue to be important topics. “What our 2021 UK’s Best Workplaces™ for Women clearly show is the positive impact their practices have on business. As a result, they are better able to attract and retain women of talent, encouraging them to develop professionally and personally, and in turn, contribute exponentially to the success of the organizations they work for.” Want to work at Tessian? See if we have a role that interests you today.

While the title “Chief Information Security Officer” (CISO) is highly sought after, the job is tough.    On top of preventing threats and avoiding breaches, CISOs are also tasked with communicating risk, aligning with key stakeholders across the business, and – of course – managing a team of IT professionals.   So, how do you keep your head above water and excel in your role?    We can’t offer a prescriptive answer to that question (sorry!), but we can tell you that staying connected with your peers – regardless of industry or company size – can help. After all, they’re right there in the trenches with you.   Here’s a list of 12 CISOs you should connect with on both LinkedIn and Twitter for tips, advice, anecdotes, industry news, open tech roles, and even the occasional joke. “The more you know”, right?    P.S. If you’re looking for tips on how to build better relationships and influence change within your organization, check out this article: Relationship 15: A Framework For Security Leaders.    Name: Bob Lord    Bio: CSO The Democrats, former CISO Yahoo, Rapid7 CISO in Residence, Twitter alum.   Handle: LinkedIn | @BobLord   Follow him for: Bob Lord is the Chief Security Officer at the Democratic Nationalist Committee and has held senior executive infosec positions at Twitter and Yahoo (he was actually Twitter’s first-ever security hire). He’s particularly active on Twitter and shares personal security hacks, debunks cybersecurity myths for his followers, and shares great advice for security leaders.     Name: Window Snyder   Bio: A security industry veteran and former Chief Security Officer at Square, Fastly, and Mozilla.   Handle: LinkedIn | @window   Follow her for: Window Snyder has more than 20 years of experience in cybersecurity and has held positions at some of the world’s biggest brands. She worked with Apple leading security and privacy features for OS X and iOS. Follow Window for posts about her experiences as a CISO (and a parent!) and details of her favorite cybersecurity events.     Name: Michael Coates    Bio: Co-founder & CEO @Altitude Past: CISO @Twitter, Head of Security @Mozilla, @OWASP Chairman, Top 30 Security Startup.   Handle: LinkedIn | @_mwc   Follow him for: Michael Coates is the former CISO of Twitter and is the co-founder and CEO of a cloud data protection company. He’s made TV appearances and has been a speaker at the RSA Conference to share his experiences of being a leading CISO. Follow Michael for tips for CISOs and advice on how to work with security vendors.      Name: Azeem Bashir    Bio: Award-winning Global CISO | CDO |Cyber Security & Cyber Risk Leader | NED | Advisor | Speaker   Handle: LinkedIn    Follow him for: Azeem Bashi held a number of CISO and CIO positions at confidential companies. Although his previous companies are a mystery, he must be pretty good given the endless awards he’s won and certifications he’s achieved. He’s also a board advisor, CISO mentor, speaker, and government advisor. Follow Azeem for the latest cybersecurity news about data breaches, attacks and, industry research.      Name: Kevin Fielder    Bio: Dad, CISO, Health and resilience coach, Podcaster. Lover of life and learning.  Passionate about helping people and building high-performing (security) teams.   Handle: LinkedIn | @kevin_fielder   Follow him for: Kevin has a huge range of CISO experience at companies ranging from Just Eat to WorldPay and FNZ Group. He’s also an active cybersecurity speaker, podcaster and is particularly active in the LinkedIn cybersecurity community. Follow Kevin for honest posts about life as a CISO (as well as honest posts about life as a Dad) and for his perspective on security attacks or breaches.      Name: Troels Ortering    Bio: Chairman, NED, award-winning CSO, passionate cybersecurity leader with a long track record in cybersecurity and privacy.   Handle: LinkedIn    Follow him for: Troels has over 20 years of cybersecurity experience, including intelligence roles within the Danish Police, Group Chief Security Officer at Barclays, cybersecurity lecturing roles and, multiple board positions. Follow Troels for his perspective on the latest cybersecurity attacks and threat actors – as well as his views on best practices and how to stay protected.      Name: Lynwen Connick   Bio: Chief Information Security Officer at Australia and New Zealand banking group(ANZ) Loves Travelling, Skiing, Mountain Biking & Orienteering.   Handle: LinkedIn | @LynwenConnick    Follow her for: With 25 years of cybersecurity experience ranging from working in Australia’s Department of the Prime Minister and Cabinet to the CISO of one of the biggest banks in Australia – Lynwen is a great addition to your social timelines. Lynwen is highly active in the women in cybersecurity community, and shares cybersecurity events and groups that other women can get involved in. Follow Lynwen to hear about the work she’s done with the Australian Government, and for cybersecurity advice for the financial services and banking industry. Name: Dinis Cruz    Bio: CTO and CISO of @GlasswallCDR, Transformation agent, project leader of OWASP SBot and O2 Platform projects.   Handle: LinkedIn | @DinisCruz    Follow him for: Dinis Cruz has over 20 years of experience in cybersecurity and software development, he’s also been nominated for CISO of the year and is currently writing a book. On social media, Dinis is all about knowledge sharing and contributing to the cybersecurity community. Follow Dinis for cybersecurity and general tech hacks, advice on how to apply for security roles, and details of cybersecurity events (plus you might even come across his TikTok account).      Name: Moty Jacob   Bio: Moty is a long-time CISSP, holds Security Clearance, and has several Industry certifications including checkpoint’s CCSE, PCI-DSS AUDITOR, CCNA, Certified Ethical Hacker, and many others.   Handle: LinkedIn   Follow him for: Moty Jacob has a huge list of experiences in security from start-ups to Fortune 500 companies and national governments. As well as being a top leader in cybersecurity, Moty is also a leader in Diversity and Inclusion, with almost half of his security team being made up of women. Follow Moty for his hilarious and relatable cybersecurity memes and for honest posts about his experiences as the CISO at Dunnhumby.      Name: Christopher Porter    Bio: CISO, student of infosec, manager of risk, Dad, exerciser, and @UVA alum. Former @vzdbir author, @verisframework creator.    Handle: LinkedIn | @cdporter00   Follow him for: Christopher Porter is the CISO at Fannie Mae, he previously worked with Verizon to author Verizon’s Data Breach Investigations Report series and co-created the VERIS framework (Vocabulary for Event Recording and Incident Sharing). On social media, Christopher is committed to sharing cybersecurity research and posts about how to help close the diversity gap in the industry. Follow Christopher for the latest phishing intel, information about how the pandemic is affecting cybersecurity, and the occasional cybersecurity joke!      Name: Becky Pinkard   Bio: Cyber security exec, published author & professional speaker. I do security because I love it.    Handle: LinkedIn | @BeckyPinkard   Follow her for: Becky Pinkard has worked in the cybersecurity industry at some of the world’s leading brands since 1996 – from Blackberry and Vodafone to Aldemore and Barclays. She’s also a published author, a regular commentator on infosec events, and won CISO of the Year at the 2020 SC Awards, Europe. Becky is an active advocate for diversity and inclusion in cybersecurity on social media. Follow Becky for posts about open cybersecurity roles, her honest advice to other security leaders, and her incredible sense of humor.      Name: Bobby Ford   Bio: Senior Vice President/Chief Security Officer at Hewlett Packard Enterprise   Handle: LinkedIn   Follow him for: Bobby Ford has held the position of CISO at world-leading organizations from Unilever and Abbott Labs to his current company – Hewlett Packard Enterprise. Bobby has also been an information security analyst for the Pentagon’s incident response team and spent much of his career in the Aerospace and Defence industry. Bobby is an active member of the cybersecurity community on social media – follow him for posts about improving diversity in cybersecurity, open tech roles, and the occasional throwback picture of his days in the army.      And, if you want to be the first to get your hands on blogs like this and others written just for security leaders like you, subscribe to our newsletter below.

The role of the CISO and other security professionals has changed. Instead of focusing purely on IT and infrastructure, security leaders are now responsible for communicating risk, enabling individuals and teams, and influencing change at all levels of the organization. But, that’s easier said than done…especially when research shows less than 50% of employees (including executives) can identify their CISO.  The key? Building relationships with the right people. We have a framework that can help you not just build the right relationships, but also support your overall communication strategy. Introducing Relationship 15. What is the Relationship 15 Framework? The Relationship 15 Framework is a personal development tool that helps you map the core strategic relationships you need to forge and foster to be successful. 

Download the Relationship 15 Framework template now.

How can this framework help security leaders?  As we’ve said, the role of the CISO has evolved. But, in many organizations, they still don’t have a seat at the table.  The question is: who can help get you there? Who can help boost your credibility, bolster your influence, and support your key initiatives? To name a few…CEOs, GCs, CFOs, and the board. The list goes on. But credibility, influence, and support have to be earned, and you have to leverage people outside of your cybersecurity bubble.   Patricia Patton – the former Global Head of Professional Development at Barclays and Executive Coach at LinkedIn – has decades of experience helping business leaders and politicians forge better relationships.  To her, it’s easy to see why CISOs and other leaders in the industry would leverage a framework like Relationship 15.  “This framework gives you the opportunity to be intentional about the relationships you want to build and be proactive in making connections versus repairing broken relationships. This helps build trust, which is essential for security leaders who absolutely must build trust with the rest of the business,” she said.  3 steps to map out your Relationship 15 Look inwards. Think about your role, your strengths and weaknesses, and the businesses’ objectives. Before you move on to step two, pause and embrace the notion that relationships really matter. The goal of this exercise isn’t to build perfect relationships overnight, but to help you align, influence, and succeed in partnership with others. Identify 15 people who you need to cultivate relationships with to succeed.  Remember, though, that “success” is multi-faceted. There are people who will help you succeed, people who will help your team succeed, and people who will help the business succeed. We recommend choosing five people for each of these three categories (hence the name Relationship 15!).  Note: these people shouldn’t be limited to your department, your sphere of influence, or even your organization. And, don’t forget to include your peers and mentors. Create a plan to build these relationships. Scheduling regular catch-ups and creating seamless feedback loops will both help, but you have to be intentional. These relationships aren’t purely transactional and it’s not all about you. Both parties need to show up, demonstrate their value, share their expertise, listen to understand, and respond empathetically.  Top tip: Consider your own communication style and take the time to understand everyone else’s. This free assessment is a good place to start.  Looking for more advice? We share 16 tips from security and compliance leaders about getting buy-in in this article: How to Prove the Value of Cybersecurity.  Who’s in your Relationship 15? At Tessian Human Layer Security Summit on March 3, an incredible panel of women discussed Relationship 15 in depth. We asked who they’d include in their security taskforce to help influence change, reduce their organization’s risk, and drive business objectives. Here’s what they had to say. Gaynor Rich, Global Director of Cybersecurity Strategy and Transformation at Unilever  Data Privacy Officer(s) Chief Compliance Officer(s) Audit and Risk Manager(s) The Board Executives and key stakeholders within Unilever’s supply chain Other men and women in similar roles Annick O’Brien, Data Protection Officer and Cyber Risk Officer Chief Information Security Officer Heads of Departments across the organization  HR Director(s) Internal communications team(s) Now, It’s you (and your teams!) turn…  Who within and outside of your organization can you build a relationship with to ensure: You succeed Your team succeeds The business succeeds Carve out some time to fill out the Relationship 15 Framework template and start sketching out a roadmap to strengthen your connective tissue with each person.  Think about the impact. If your team of 5 each identifies 15 people, you’ll have a network of 75 people to learn from and lean on. Have you found this useful? If so, share your Relationship 15 with us on LinkedIn and make sure to pass on the template to your peers. 

According to new research into the future of hybrid working, 85% of IT leaders believe their security teams will be under higher pressure, feel more stretched, and need extra resources in 2021.  Could automation shoulder some of the burden?  In case you missed it, Tessian hosted Karl Knowles, Head of Cyber at HFW, and Timor Ahmad, Head of Data Governance & Privacy at Lloyd’s, for a session that took a deep dive into how organizations can utilize automation to reduce risk on email. You can watch the full video on-demand, but we’ve summarized the highlights from the session along with some actionable advice you can use to give your security posture a boost.  1. Use this shift to remote working to create a more positive security culture  Can employees work remotely? Can they maintain the same quality of work?  These are both questions security and business leaders have asked for years but have been too hesitant to actually test. But now – as we’ve all been forced to make the transition from office to home – we’ve seen how people have adapted and we now have new ways of working. These changes naturally affect your organization’s culture.

So what does this mean for security leaders? It means you have the ability to mold and shape a more positive security culture. Take time to understand how your employees are working, what their new behaviors are, and how you can support them in a safe and compliant way.  Now is the time to integrate security awareness into the foundation of your organization and prioritize privacy for employees, clients, and customers wherever and however they work.  2. Be human-first in your approach to security  Working remotely, people may feel isolated, unmotivated, and unsupported. That’s why you have to prioritize employee wellbeing and help everyone adapt.  So, to help make security more human (and yes, fun) Karl and Timor suggested using cartoons, magazines, or digital games to help get employees involved and bring them along on your journey to security maturity.  But it’s not all about fun. It’s also about meaningful connections.  Security is a team sport and employees need to feel comfortable asking questions about security, sharing feedback about new solutions or policies, and reporting incidents and near-misses. You have to foster that environment. How?  Drop into team meetings on occasion, encourage people to open up to you, and always ask questions and provide ways for employees to give feedback.  Building this connective tissue with employees across the organization will help people feel more supported in their new way of working.  3. Share your security wins  According to Karl and Timor, it can be a challenge to help employees feel like they’re actually contributing to the success of the security program. But, they had a tip. Use data.  They explained how they use Tessian’s dashboard to display key charts and statistics around the organization’s security posture both at the board and employee level. The numbers include: How many phishing attacks are reaching employees How many of those were flagged to their security team  What the outcome would have been if the attack was successful.  Everyone contributes to a safe working environment, and these dashboards can help security leaders communicate that message with both technical and non-technical audiences.

4. Make your solutions work for you  Are you spending a lot of time configuring solutions and updating rules? Most security leaders are.  That’s because rules are static, meaning they don’t change over time. But – as we all know – over the last year, organizations have undergone a lot of change. People are working on different devices, in different locations, and are using different methods to share information. Hackers have changed their attack methods accordingly.   It’s unrealistic to expect security teams to be able to update rules at pace with all of the above. At Tessian, we think solutions should work for you.  How? Automation. Across three solutions, Tessian uses machine learning to understand employee behavior and communication patterns. And, it gets smarter over time. That means it can detect and prevent threats in real-time – without any manual investigation or rules – and keeps pace with the evolving threat landscape. 

5. Understand why your employees circumvent policies  According to Tessian research, over half of employees say they’ll find a workaround for security software or policies that make their job difficult or impossible to do. It’s essential, then, that security leaders understand why. The key is visibility into employee behavior.  Both customers explained how they use Tessian to get a more granular look at how employees handle data.   In one example, Karl looked at the data provided by Tessian Enforcer to understand why employees send emails to personal devices. In this case, Karl realized a key tool used by HFW was slowing employees down and making it hard to do their jobs on their work devices. That’s why people were sending work documents to their personal accounts  — so that they could work faster on their personal devices. With this understanding, HFW was able to create new policies that empowered people to work safely without security getting in the way.  6. Leverage in-the-moment warnings to reinforce existing policies  Whether it’s data exfiltration, misdirected emails, or spear phishing attacks, humans make mistakes. But, as Karl and Timor detailed, contextual, in-the-moment notifications can help raise awareness and train employees in real-time. According to Karl, data exfiltration has always been a problem in the Legal Industry. But HFW has revolutionized the way they tackle it by implementing real-time alerts that remind employees that sending data externally is a major security risk. Tessian Enforcer warnings look something like this:

Over time, these warnings have nudged employees towards safer behavior to help HFW downtrend risk and reduce the number of emails being sent externally.  Karl explained this in more detail by showing his Tessian dashboard. “In the graph, you can see exactly where we implemented the warning and our employees’ response to that new system. So we can see data exfiltration has decreased massively,” he said. 

Now that they’ve tackled this problem, their next focus is around bad leavers and how to reduce the risk of data exfiltration after someone exits the company. Here’s their plan: Once someone has handed in their notice, HR and compliance teams will monitor the employee’s behavior and see if it deviates from the norm. Are they sending more emails to personal accounts than usual? Do those emails contain sensitive information? Are they emailing new contacts? Tessian will instantly flag any anomalous behavior to help HFW stop the exfiltration attempts.  Want to learn more about how Tessian has helped HFW and Lloyds level-up their security without burdening security teams? Watch the full interview now.

There are currently over 4 million unfilled positions in cybersecurity. The question is: Why? To find out, Tessian released the Opportunity in Cybersecurity Report 2020. Based on interviews with over a dozen practitioners from some of the world’s biggest and most innovative organizations (including Google, KPMG, and IBM), survey results from hundreds of female cybersecurity professionals, and quantitative research from the Centre for Economics and Business Research, we revealed that: There’d be a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK if the number of women working in cybersecurity rose to equal that of men A lack of awareness/knowledge about the industry is the biggest challenge female cybersecurity professionals face at the start of their career The industry has a major image problem. Women working in cybersecurity believe a more accurate perception of the industry in the media would be the biggest driver of new entrants  A different perspective of the same problem While we examined the growing skills gap in cybersecurity through the lens of the disproportionately low percentage of women currently working in the field, we were recently introduced to a different perspective. Hackers’.  HackerOne released The 2020 Hacker Report earlier this year and, on April 21, Tessian welcomed Ben Sadeghipour, the platform’s Head of Hacker Education, to present the key findings from the report during one of our Human Layer Security Virtual Roundtables. The message was simple: Hackers can (and do) help bridge the cybersecurity skills gap.  Now, by combining highlights from The 2020 Hacker Report with our own Opportunity in Cybersecurity Report 2020, we’ve identified 3 key reasons why hackers have the potential to make a positive impact on the industry. 

1. Hackers have the skills the cybersecurity industry needs When asked why there’s a skills gap in the industry, 47% of those women surveyed said it’s because there’s a lack of qualified talent. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Likewise, 33% of women currently working in cybersecurity say that a lack of requisite skills was the biggest challenge they faced at the start of their career. This came behind a lack of clear career development paths (43%) and a lack of awareness/knowledge of the industry (43%). !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); While a greater emphasis on STEM subjects in primary/high school, more apprenticeship programs, and cybersecurity-specific curriculums at universities would certainly help, we need to look beyond formal education. According to HackerOne’s report, “Most [43%] hackers consider themselves self-taught… since formalized cybersecurity engineering educations have yet to become common, bug bounty programs and public VDPs give promising hackers the ability to quickly learn, grow, and contribute to everyone’s increased security.” What’s more, hackers are putting these self-taught skills to use, with 78% of hackers saying they’ve used or plan to use their hacking experience to help them land a job. On top of that, the majority of hackers (59%) say they hack as a hobby or in their free time and 27% describe themselves as students.  That means a large percentage of hackers could, in theory, transition into cybersecurity. It’s important to note, too, that different cybersecurity roles attract different types of talent. We asked our survey respondents to identify the skills needed to thrive in different roles, and the results demonstrate how diverse the opportunities are. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");  

2. All hackers aren’t “bad” While a lack of requisite skills is perpetuating the skills gap, 51% of the women surveyed in Tessian’s Opportunity in Cybersecurity Report 2020 said that a more accurate perception of the industry in the media would encourage more women into cybersecurity roles. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Hillary Benson, Director, Product at StackRox and one of the contributors to our report summed it up nicely when she said, “People hear ‘cybersecurity’ and think of hackers in hoodies. That’s a bit of a caricature, maybe with some legitimacy to it—and that was even part of my own experience—but that’s not all there is.” Unfortunately, this “caricature” of hackers tends to be negative as pop culture and headlines about nation-state hacking groups have conditioned us to associate hackers with criminal or solitary activity. HackerOne even commissioned a survey of over 2,000 US adults to gauge their perception of hackers.  The survey found that 82% of Americans believe hackers can help expose system weaknesses to improve security in future versions. However, a nearly identical share said they believe hacking to be an illegal activity.  But, hackers feel confident this perception is changing for the better, with:  55% saying they see a more positive perception from friends and family 47% saying they see a more positive perception from the general public 38% saying they see a more positive perception from businesses 35% saying they see a more positive perception from the media

3. Hackers already have a strong community 23% of Tessian’s respondents said that a lack of role models was a challenge they faced at the start of their career, and a further 26% said that more diverse role models would encourage more women to enter cybersecurity roles. The impact of role models is even more important for the younger generations. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js"); Hackers already have a strong community. Katie (@Insider_PHD) was quoted in HackerOne’s report saying “The community is super encouraging. The community is super willing to help out. It’s, as far as I’m concerned, my home.”  Likewise, Corben (@CDL) was quoted as saying “Being part of the hacker community means the world to me. I’ve met a ton of people. I’ve made a ton of friends through it. It’s really become a big part of my identity. Everyone who is a part of the community is bringing something important.” Beyond that, 15% of those surveyed got interested in ethical hacking because of online forums or chatrooms.  The bottom line is: Mentorship is important. Role models are important. Community is important. Unlike cybersecurity professionals – specifically female cybersecurity professionals – hackers have these things in abundance. Cybersecurity is more important now than ever Data has become valuable currency and ransomware attacks, phishing scams, and network breaches are costing businesses and governments billions every year. And now, with new security challenges around remote-working and a marked spike in COVID-19-related phishing attacks, cybersecurity is more business-critical than ever before. While we should continue encouraging gender diversity in cybersecurity, we should also encourage other types of diversity as well. The field is wide open for a range of educational and professional backgrounds…including hackers.  Challenge perceptions, make an impact.  Learn how cybersecurity professionals kick-started their career   So, what is cybersecurity actually like? It depends on your role within the field. And contrary to popular belief, the opportunities available are incredibly diverse.  To learn more about how the 12 women we interviewed broke into the industry, read their profiles. #TheFutureIsCyber

In case you missed it, Tessian released the Opportunity in Cybersecurity Report 2020 earlier this month. In it, we examine the growing skills gap in cybersecurity through the lens of the disproportionately low percentage of women currently working in the field.  While the report was released in time for Women’s History Month and addresses the issue of gender bias in the industry, we found that it’s actually inaccurate perceptions of cybersecurity that are preventing people from considering the opportunities available. So, how can organizations tailor recruitment efforts to help candidates overcome this barrier to entry? To find out, we invited three of the contributors to the report to join Kelli Hogan, Tessian’s Head of Marketing Communications, for a webinar: “Cybersecurity skills gap: talent shortage or image problem?” You can view the full webinar here, and we’ve compiled the key takeaways for you in this blog. Cybersecurity is an incredibly diverse field Cybersecurity isn’t limited to hackers, developers, and engineers.

This is perhaps best demonstrated by the women themselves.  Carolann Shields, the former CISO at KPMG, is something of an industry veteran, having driven more than fifteen large-scale company-wide cybersecurity initiatives throughout her career. But, she didn’t study anything related to computer science. Instead, she earned her degree in Business Studies before starting down her path to cybersecurity. On the other hand, Hayley Bly, a Cybersecurity Architect at Nielsen, earned her Bachelor’s Degree in Computer Science almost four years ago and is currently working towards her Master’s of Science in Cybersecurity. Finally, Tess Frieswick, who earned her Bachelor’s Degree in World Politics with a minor in Islamic World Studies, became interested in cybersecurity after learning about Russian bot interference in the 2016 US presidential election. She recently started a new job as a Client Success Manager at Kivu Consulting after spending a year working at Uber as a security analyst. Learn more about their backgrounds by reading their profiles on our blog.  Organizations should enable internal recruitment as well as external recruitment  While most of us think of recruitment outside of our organization when we consider growing our security teams, Carolann has, throughout her career, made a point to look internally first.

Importantly, internal recruitment was only possible because of the environment KPMG created through job shadow programs and other initiatives that encouraged cross-functional movement and communication between teams.  Internal recruitment can do more than just fill vacancies, though. It also gives other individuals and even full departments a chance to better understand the function of cybersecurity teams which, in turn, helps build a stronger, more positive security culture.  Collaborative and open environments attract new talent We know from our research that creativity and collaboration rank in the top five skills needed to thrive in a cybersecurity role, but it’s clear that these are also attractive traits in an organization to applicants. That means if you want new, diverse talent, you have to communicate the scope of the opportunity, the open-mindedness of senior executives, and the organization’s overall propensity to engage with new ideas.  COVID-19 means more for cybersecurity than just a transition from office-to-home Given the current climate, it’s no surprise that the conversation turned to COVID-19.  When asked by an audience member during the live Q&A what the outbreak meant for the future of cybersecurity, all three of the women were steadfast that the impact goes far beyond just the transition from office-to-home, especially as attackers are taking advantage of the situation with opportunistic phishing attacks. 

But, this doesn’t just impact professionals in client services. Organizations are relying more heavily on cybersecurity teams to lock down internal systems and networks. The question is: Are teams going to have to do more with the same resource? Or will teams expand as necessary? Increased remote-working could mean more opportunities in cybersecurity  According to Carolann, it’s inevitable that this sudden transition necessitates a larger security team. 

Now more than ever, organizations have to recruit new and diverse talent in order to not just fill the 4 million vacancies that already exist, but to accommodate the increased reliance on cybersecurity teams to help us all safely transition to remote-working. For more insight on how to improve your recruitment efforts, listen to the webinar. #TheFutureIsCyber

Despite higher-than-average salaries, the opportunity to solve real-world problems, and unlimited growth potential, there’s a skills shortage in cybersecurity. In fact, the cybersecurity workforce needs to grow by 145% to meet the current global demand.  That’s over four million unfilled jobs. But, there isn’t just a skills gap. There’s also a gender gap, with women making up less than a quarter of the workforce. The question is: Why? To find out, Tessian: Worked with the Centre for Economics and Business Research to analyze the economic impact if the number of women working in the industry equaled the number of men Surveyed hundreds of female cybersecurity professionals in the US and the UK with Opinion Matters Interviewed over a dozen practitioners from some of the world’s biggest and most innovative organizations – including Google, KPMG, and IBM –  about their own experiences. To download the full report, click here.

An economic boost worth billions Today, the cybersecurity industry contributes $107.7 billion in the US and £28.7 billion in the UK, and that’s in spite of four million job vacancies. So, what would happen if we minimized both the skills gap and the gender gap, and the number of women working in cybersecurity rose to equal that of men? Our research reveals that we’d see an economic boost of $30.4 billion in the US and of £12.6 billion the UK, bringing the total contribution of the cybersecurity industry up to $150.8 billion and £45.7 billion in each respective country.   But, without a clear understanding of the challenges women currently working in the industry faced at the start of their career, organizations and governments will continue to struggle with recruitment.  And the challenges aren’t necessarily what you’d expect… Cybersecurity has an image problem While it’s easy to cite the gender gap as a barrier to entry – especially with 66% of women in cybersecurity agreeing there is a gender bias problem in the industry – it actually isn’t one of the biggest challenges women currently working in the industry have faced.

Instead, women cite a lack of awareness or knowledge of the industry and a lack of clear career development paths as the biggest challenges, meaning a general demystification of the industry is required to encourage new entrants. What’s more, 51% of women believe more accurate perceptions of the industry in the media would encourage more women to explore cybersecurity roles. This came first, beating out a more gender-balanced workforce, equal pay, and cybersecurity-specific school curriculums. So, what is the industry actually like? Read the full report to find out the top 5 skills needed for a range of cybersecurity roles, including CISO, network engineer, data scientist, and risk & compliance. You can also read the profiles of each of our contributors which prove there is no “stereotypical” cybersecurity professional.  The industry is future-proof Demystifying the industry truly is essential, especially because the industry is one of the most important today, with over half of those surveyed saying that they joined for exactly that reason. But, it’s not just the opinion of cybersecurity professionals.  In fact, the global cybersecurity market is booming, having grown 30x in the last 13 years. That’s because cybersecurity professionals are solving real-world problems and are making a positive impact doing so. After all, data has become valuable currency and ransomware attacks, phishing scams, and network breaches are costing businesses and governments billions every year.

Perhaps that’s why the vast majority of women surveyed feel so stable in their jobs; 93% saying they feel secure or very secure working in this industry. Unfortunately, though, without encouraging more people to join the industry, professionals will struggle to keep pace with the ever-evolving threat landscape.  The cybersecurity industry – like all other industries – requires diversity to thrive. And we don’t just mean gender diversity. The field is wide open for a range of educational and professional backgrounds, from psychology majors to business analysts and just about everything in between. Read the full report to learn more, including: How opinions of the industry differ based on age, company size, and region The economic impact the industry would have if the number of women working in cybersecurity equaled the number of men and the wage gap was eliminated The five most important developments in the cybersecurity industry today Resources – including cybersecurity groups, female empowerment groups, and industry-specific certifications to help you make a start in the field Challenge perceptions, make an impact.  #TheFutureIsCyber

Shamla Naidoo – who has 37 years of industry experience in technology and security – is currently leading C-Suite strategy and integrating security with digital transformation at IBM, where she previously served as the Global Chief Information Officer. Having held Senior Officer roles at Starwood Hotels and Resorts, WellPoint, and Northern Trust, she’s a true veteran in the industry and has used her professional and personal experiences to help mentor and motivate teams and individuals across departments within all the organizations she’s served.  Earlier in her technology career, she earned degrees in Information Systems and Economics (her fail-safe!) and, afterwards, went on to receive her Juris Doctor degree.

Q. Describe your role as a CISO in 300 characters or less. A CISO’s job is to protect an organization’s brand and reputation by managing cybersecurity threats. Protecting a corporation’s digital footprint supports business growth enables the acceleration of innovation. Q. How did you get started in cybersecurity? This is my 38th year working in technology and initially, security wasn’t a separate function, role or organization; it was completely integrated. As a developer, my job was to write code that worked and that included working in a secure way.  As a network engineer, I built networks, in a secure way. I never envisioned security would become a free-standing profession. But, after almost 20 years of integrating security into my technology roles, I realized Security was becoming important and that I was actually knowledgeable on the subject. Not because I had a security title at that stage, but simply because I had done it before. Q. What does this integration of tech and security roles mean for the cybersecurity industry? There’s now an entire ecosystem for security and because of that, you can participate without having technical skills or a hardcore technical background. You can now become a security expert without ever having written a line of code in your life; you can become a security expert without ever having built any kind of technology solution. It’s really expanded the opportunities for career paths in security. Q. Do you think people are aware that technical skills aren’t necessarily required to succeed in cybersecurity? There’s still a lot of mystery surrounding what exactly a profession in cybersecurity entails. The information isn’t that forthcoming. It’s not clear or simple to understand. This requires us to demystify the opportunities and talk about them not just in business terms, but in relatable terms.  Perhaps we’re just missing the mark on how to market jobs in this industry… Q. Do you think that the industry has an image problem? To many people, cybersecurity equates to – and is limited to – someone in a hoodie bent over a keyboard in a dark room. That’s not the case at all. If we don’t expand beyond that, we’ll lose out on even more people in the industry. Q. How did your role as a CISO enable you to champion the industry and the people in it? I believe leaders take ordinary people and enable them to do extraordinary things. I have been able to do that; I’ve been able to mentor and coach people to be better versions of themselves, better professionals, better employees, more productive, more engaged, better community leaders…  My goal is to help people connect hard work and aspiration.  Sure, you could go out and read a book on cybersecurity, but if you don’t understand the vocabulary or the required outcomes, and you don’t understand what impact these types of roles can have, you miss the plot. If you can contextualize it, it becomes real quickly.  When I coach people, I ask them to pick a person who they aspire to be. I ask them to tell me their name. You learn best by observation! If you can pick a person and you can visualize the role you want, it’s more attainable. If it’s a role that you want to have rather than a person you want to be like, then find the role you want, seek out the person doing that role, and try to understand what led them to that position. What do they know? How did they prepare? What do they deliver?  How are they recognized for it? That research will help you to create a roadmap of how to get there. This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Nielsen, Funding Circle and more. #TheFutureIsCyber

Hayley Bly is a Cybersecurity Architect at Nielsen, where she’s worked since graduating from the University of Miami with a Bachelor’s Degree in Computer Science almost four years ago. Since starting her career, she’s championed the industry by going back to her alma mater for recruiting events to raise awareness about cybersecurity and has participated in events in collaboration with Women in Technology International (WITI). She’s also found time to further her education and is currently working towards her Master’s of Science in Cybersecurity.

Q. Describe your role as a Cybersecurity Architect in 300 characters or less I build tools that our incident response team uses. This could be implementing a vendor tool or building something from scratch. We do both, and this includes designing how the tools are made, implemented and deployed throughout the larger company.   Q. Since your educational background seems so focused, have you always been motivated to pursue a career in cybersecurity? My parents both worked in banking software so I’ve always been around it. They both really pushed me to explore a career in the field but – you know how it is – I fought it. I never wanted to pursue it just because they told me to do so; I wanted to decide my own path. That’s why I actually applied to college as Pre-med. But, my senior year of high school, there were no other electives to pick so I chose the computer programming class and, of course, fell in love with it. Once I was accepted into the Pre-med program at the University of Miami, I threw them for a loop and asked if I could change my focus to Computer Science and never looked back.  Q. How did you transition from more general Computer Science to cybersecurity specifically? I thought I was going to be a software developer up until I started at Nielsen straight out of college. Since then, I’ve really found my home in cybersecurity.  The team I work with and my managers are absolutely incredible. They have had something to do with every single career decision I’ve made thus far, because the work others do really inspires me. Especially when I first started, their work opened my eyes to how much I didn’t know and what really goes on behind the scenes in a company.   When you’re working in cybersecurity, you’re not just writing code all day. You’re actually dealing with real-world problems and it’s up to you to prevent, detect, and respond to incidents by finding or creating solutions. Q. What do you think would inspire more young women to enter into the field? I think just bringing more awareness to the fact that you can really create your own success. I was let in the door without any real cybersecurity skills or experience and was given the opportunity to prove myself, and I have. It’s a jump-in-and-figure-it-out-as-you-go type of field and people shouldn’t be afraid to do that. Cybersecurity isn’t about who you are or what degree you have. It’s about what you can do, what problems you can solve, and how well you can work with other people to get the job done. You don’t have to play politics because your work speaks for itself. I love that. Q. Do you have any recommendations for resources or groups that might be a good first-step for anyone interested? Meetup.com is a great way to connect with local people who are interested in the same things you are and, speaking specifically about cybersecurity events, people can pique their interest and learn, but in no-pressure situations. And that’s really important. I think sometimes when you’re first starting out at something it’s easy to feel self-conscious or nervous about really getting involved, and these events can give newcomers a chance to try something they haven’t before without any fear of being wrong or feeling out of place.  This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber

Hillary Benson is the Director, Product at StackRox and has an incredible background in government and military intelligence. She holds two degrees, including a Bachelor’s Degree in Management Science with a focus in Finance from Massachusetts Institute of Technology and a Master’s Degree in Security Studies with a focus in Terrorism and Substate Violence from the Georgetown University Walsh School of Foreign Service. Additionally, she is a Master’s candidate in Computer Science at The Johns Hopkins University. But, her experience isn’t limited to her education. She started her cybersecurity career at the National Security Agency, where she spent almost six years as an intelligence analyst, technical collector, and product leader. She moved into the private sector as a red team operator and has shifted gears in the last three years to focus on building product at a leading container security company called StackRox.

Q. Describe your role as a Director, Product in 300 characters or less My job is to distill business opportunity into a technical vision and development roadmap for our flagship security product, the StackRox Kubernetes Security Platform. We’re building a product that enables security practitioners to rethink their approach to security by leveraging container technology. Q. Your background – both educational and professional – seems very focused. Have you always aspired to have a career in this industry? From a very young age I had an interest in technology, security, the military and intelligence. I can certainly tie all the threads from those interests to where I’ve ended up, but I wouldn’t have been able to predict that my path would look the way it does.  I generally attribute that to the fact that the most interesting opportunities are usually the most difficult to predict, and I am constantly searching for the next interesting problem to solve. My approach to life can lead me down very unexpected rabbit holes. Q. What professional experiences have guided your career path the most? Certainly NSA had a huge impact on my career direction. I landed there by luck, really, after shotgunning online job applications. I applied on the right day, they picked up my resume, and before I had even graduated I was in the clearance process.  I joined as an Intelligence Analyst and participated in a program that allowed me to rotate through a number of offices within NSA to get experience in different disciplines. I gravitated toward technical analysis and collection. That track led me to Tailored Access Operations and stoked my interest in offensive security. The rest is history. Looking back on my career up to this point, many of the contributions I’m most proud of took place during my time with NSA. At certain times, I had an extreme sort of impact that you can’t replicate in the commercial world. From a business perspective, though, I’ve learned more in the last two years than I ever hoped for and am extremely proud of the product that my team has built at StackRox. Q. Since you’ve sampled a lot of different disciplines within cybersecurity, do you think people tend to have a narrow view of the industry and the jobs available in it? People hear “cybersecurity” and think of hackers in hoodies. That’s a bit of a caricature, maybe with some legitimacy to it—and that was even part of my own experience—but that’s not all there is.  A lot of what you do as a security professional involves bridging gaps between security teams and the development and operations teams. So much of the job is convincing people that the security risks you find are worth fixing. You can’t do that if you only have technical skills; you have to be able to talk to people and to influence them. Q. Do you need certifications or a degree to get those skills? Actually, of all the things to get into without formal education or training, there seem to be a lot of people who either cross-train from other fields or enter security without any formal education. Which is pretty awesome, I think. It’s not uncommon to hear someone say something like “Oh, I studied psychology, then took a year off and painted, and now I’m a penetration tester”.  There are many people in security who gained the knowledge and landed a job without a formal degree. A lot of the folks I’ve worked with were independent and curious problem-solvers—I think not in small part because a lot of them fought their way into their role by proving their competence in the field. You don’t necessarily have to take the traditional route and get a four-year degree. If that works for you, great. But if you’re looking to switch careers or you’re confident in your specific passion for the security industry, there are other ways to get the requisite technical skills.  The OSCP is a great training ground for aspiring penetration testers who want to nail down the basics. Joining a bug bounty platform like HackerOne or Bugcrowd is an excellent way to get hands-on experience with finding bugs in the real world. And almost nothing beats learning to code—what better way to understand how security issues materialize when building software but to try to build it for yourself? This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber