Cyber Security is yet another technical industry where stereotypes abound – hackers in basements wearing dark hoodies, protecting systems and businesses from other hackers in other basements. But that couldn’t be further from the truth! Cyber Security is all about solving problems, collaborating and thinking critically.
We spoke to 18 women breaking the mould and making their mark on the industry (two of them couldn’t even tell us their names because their work is top secret!). To find out why you should consider a career in Cyber Security and how to make a career shift into the industry, read from our experts below!
Why should women consider a career in Cyber Security?
Helen Rabe, Global Director of IT Security at AbcamUK: Progressive security leaders put people at the heart of their strategy. There are various roles within security, so don’t exclude yourself because you believe that a career in security is only for those with skills in cryptography and architecture design. Security is going to be with us for as long as we use technology, so it is a safe bet for a long-term career and a transferable skill set. Dr Jessica Barker is a prime example of a successful woman in cyber security and her career is based on human psychology and behavior in the security domain.
Emma Leith, Chief Information Security Officer at Santander UK: As a woman who has 15 years’ experience in the Cyber Security industry, I can attest that it is such a rewarding and diverse career where you have the opportunity to work across many different industry sectors. Cyber Security is a Board level concern and can be disastrous for an organization if not managed effectively. The need for everyone in every type of organization to understand cyber security fully and to adopt secure behaviors is imperative. This results in cyber security professionals engaging with everyone from marketing, facilities, and business operations to the executive committee. This provides the opportunity for an extremely varied and rewarding career. There is also the sense that you are trail blazing and making a difference.
Catherine Burke, Lead Compliance & Security Analyst at TfGM (Transport for Greater Manchester) UK:
Cyber Security is a fantastic opportunity for many young girls/women. Cyber Security is now vital for everyone as computers/devices are now the center of our lives, even more so due to COVID-19 outbreak. Knowing how to stay safe on-line at home and in the workplace is now more important than ever before. Cyber is not an individual problem, it is worldwide. Cyber Security specialists are continuously working to keep their business, assets and people safe & secure.
Martha McKeen, Executive Manager Cyber Outreach at Commonwealth Bank: Despite some of the persistent stereotypes out there, the security industry is all about collaboration, solving problems and critical thinking. Forget the dark basements and black hoodies. Working in security is about being surrounded by brilliant people, from different backgrounds and with different experiences and perspectives, to work on a common purpose to protect people online. Regardless of industry, what unites a security professional is a desire to have a positive impact on people and the communities in which we all live. Attracting more women to the security sector is critical to combating an ever growing wave of cyber-crime. Cyber criminals have a variety of backgrounds making it imperative that our cyber workforce match this diversity, ensuring we can defend our organizations and ourselves from their attacks. Women should view a career in cyber as a means to positively impact not only their own organization but also the broader community.
Bronwyn Mercer, Cybersecurity Consultant at [Microsoft]https://us.work180.co/employer/microsoft): Cybersecurity is an extremely impactful and interesting career which combines diverse skillsets to protect individuals, organizations, and critical infrastructure against cyber threats. Despite what popular culture portrays, not everyone who works in cybersecurity is a hacker or a coder. Some of the most talented people I have worked with have studied Arts or Business backgrounds and use these skills to better understand the psychological and business drivers for security.
Stacey, Cyberspace Warfare Officer at Australian Defence Force Australian Defence Force cyber teams work diligently to protect Defence networks and intelligence from digital threats: Like a vast majority of IT roles, cyber security is still viewed by a large proportion of the population as a male dominated role and stereotyped to a specific type of person (introvert, hacker, typically male). However, there is no physical requirement to employ a specific type of person and no reason why women cannot enjoy a successful career in cyber security. If you have an interest in problem solving, are willing to learn and have the desire to work in a challenging and rewarding field, you should consider a career in cyber security.
Corporal “K”, Electronic Warfare Operator, 138 Signal Squadron, Australian Army (Reserve), working remotely in Canada. And, Lieutenant “N”, Cyberspace Specialist Support Team Member, 138 Signal Squadron, Australian Army (Reserve) Due to the nature of their roles, their names are protected. Australian Defence Force cyber teams work diligently to protect Defence networks and intelligence from digital threats: Like many IT fields, cyber security contains many jobs that are very suitable for flexible working hours and conditions. There are many roles in the industry where you don’t need to be in an office, or be working office hours. After all, the internet never sleeps, and cyber criminals don’t stick to office hours. In addition, we have had some great opportunities with the Army Reserve allowing us to develop skills we can’t always practice in our civilian jobs.
Emma Lovell, Senior Manager – Cyber Security Governance at Woolworths Group: Cyber security is at the nexus of a number of compelling themes in the IT industry right now – digitization of business, the rise of accessible AI, data as an asset and ubiquitous connectivity. It is a rapidly evolving space that needs talented people with multidisciplinary skillsets to help navigate. Cyber security has moved way beyond scenes from the hit 1992 Robert Redford film ‘Sneakers’ – modern cyber security teams are front of house and embedded in business. We need a synergistic balance of smart, savvy technologists, white hats, communicators, process thinkers and leaders with commercial experience.
Nicola Hermansson, Partner – Consulting at EY: It’s awesome! It’s exciting and fast-paced. No two days are the same. The threats are constantly changing, which means we need to always be at the top of our game. Always learning and always trying to be a step ahead. Cybersecurity is fundamentally about protecting people and organizations from harm – I want to protect and keep people and organizations safe. It feels awesome to bring a diverse team to my clients, made up of outstanding men AND women who love what they do, operate effectively as a supportive and collaborative team; and not only enjoy working together but really care about each other.
Shiva Mierczak, Security Engineer at J.P. Morgan, Australia and New Zealand: The field of security has almost endless career options. You can focus on a sub-field, or take a broader approach across multiple different fields. Finding solutions to an ever evolving set of problems is what draws me in. Technology continues to advance and become more complex, and the dynamic nature of the field provides constant learning opportunities.
Jane Hogan, Manager Information Security at QSuper: Cybersecurity is essentially a specialized form of risk management. There is no single way to manage a risk, which is why diversity of thought and skill is so essential in our space. I understand that some people may be deterred from considering cybersecurity as a career, as it is often portrayed as being all about coding and hacking – there is certainly some of that going on, and to be honest I don’t understand much about those things! There is so much more than that. I’ve also noticed that there really is not much ego in our industry – generally everyone is very friendly, welcoming and respectful of new and different ideas. We are a very curious bunch in cyber, we love learning and evolving.
Jasmin Brain, Cyber Assurance Lead at Woodside Energy: With the importance of our global digital connectivity, especially with current working from home arrangements, cyber security is only growing in importance for all sectors and is now being recognized as a huge risk to business. Most CEOs and Boards are now requesting specific cyber risk and mitigation strategies so the visibility of cyber is only increasing. If you are in cyber security, you have the ability to shape the security posture and play an integral part in mitigating the digital risk of the company.
How to make the shift to Cyber Security
Helen Rabe at AbcamUK: Take the time to build out your skill set. Use free resources like Cybrary to educate yourself so you are familiar with the concepts and nomenclature of the security domain. If you can afford to, become a member of organizations like ISACA or ISC2 and get yourself accredited with a marketable qualification like the CISSP or CISM/CRISK. The market is competitive, and these certifications help you get your foot in the door if your experience in security is limited. Engage with your internal security teams to see if they are open to offering you support and, in some cases, secondment roles, take the initiative.
Emma Leith at Santander UK: The main difference to a technical role is the mindset shift. It will no longer be “how can I get this working or enhance the service?” but “how would someone break it?”. That in itself can be very creative where all cyber threat scenarios are modelled, and attack vectors explored. With that in mind if you have the enthusiasm to explore this different side to technology then it can be easy to make the switch over to cyber security with existing tech experience. Making a lateral move within an organization where you have trusted referees and already know how the organization works can make it easier to get your first break. Or just apply. I often find women will not apply for a role unless they have 100% of the accountabilities. However very few, if any, candidates meet the job description fully and often the intention is for the individual to grow in the role. Don’t underestimate your skills and what you can bring to a role and an organization.
Catherine Burke at TfGM (Transport for Greater Manchester) UK: I would personally look at all the various roles and see if you have a passion in any of the subjects, engage with people and networks, complete a roadmap of where you are and where you want to be.
Emma Lovell at Woolworths Group: Prior to considering a role in cyber security, I had only experienced it from an employee perspective – reminders to lock my workstation and report suspicious emails. Fast-forward, and a little over a year ago I made the move into cyber security. I had built up many years of experience in problem solving, process design and improvement, governance, communication and coaching. Today I use those same skills to solve new problems – in a new field and industry. I learn new things every day and love what I do!
Corporal “K” And, Lieutenant “N” at Australian Army (Reserve): If you are looking for a new job in a new organization, you could benefit from formal training. Talk to people in the industry, reach out through social media, your IT department and conduct online research. There are a lot of training providers and universities that offer online and/or face to face courses ranging from penetration testing, forensics investigation, intrusion analysis, and so on. However, if you already work in a technical role, your current organization may already have cyber security related jobs. After all, if your organization uses computers, then it should care about cyber security!
Martha McKeen at Commonwealth Bank: There are number of great technical meet-ups for those with tech experience looking to learn more about roles in cyber. SECTalks is by far the most recognized and popular. SECtalks is an Australian grassroots meet-up that takes place in seven Australian major cities. SECtalks is a great place to connect with security professionals and hear about the newest security trends and listen to technical talks. There are also plenty of free online resources to help introduce technical professionals to security skills and concepts. VulnHub and Hack the Box are great examples of free resources that can help educate techies (and non techies) looking to gain exposure to the security. There is a fantastic national network of women in cyber called the Australian Women in Security Network (AWSN). When I entered the security sector in 2015, I joined AWSN and met so many incredible role models working in a variety of roles. This helped me find my way and learn more about the sector. Finally, CommBank supports a free technical cyber security training conference for women called 0xCC. The conference welcomes anyone who identifies as female and covers everything from malware reverse analysis to striking the best work-life balance in the modern world. The bottom line I suppose is be brave, stay creative and reach out to those working in cyber, we’re a lovely bunch!
Gyle dela Cruz, Cyber Threat Analyst at Cyber Research NZ: For those with existing tech experience and are looking to change into the cyber security field, think of your interests and your transferable skills. For example, if you have programming or development experience, this is useful for pen testing. If you had tech support experience, your attention to details and good documentation skills will be useful for a SOC analyst role. If you like writing, there are security-auditing roles that require good technical writing after the audit has been completed.
Akshaya Kalyan, leading the IAM Managed Services team in Cyber Intelligence Centre at Deloitte: Cyber Security is a vast space giving a security perspective to every sort of business whether in IT or OT. For someone to switch to a career in Cyber Security, it is down to pondering over the security angle. Courses like Cyber Security bootcamps are helpful in shifting that perspective. There are many streams like network security, application security, end point security, data security, identity management, cloud security, mobile security which might be interesting. Reading about those and exploring which one suits you is a good starting point.
Nicola Hermansson at EY: There is some great cyber training available, however in my view the best training is on the job. Be bold. Ask for the opportunity. I would rather have a person on my team that is smart, a team player and cares about keeping their people/company cyber safe, than a security expert who is none of the above. The technical parts can be taught, the human elements can’t – and that is often where women excel.
Tanya Mears, Director – Cyber Security at EY: Obtaining an understanding of all the various services within cyber security is a great start, as each has different levels of technicality and business process involvement. This would assist in determining which area or type of role is most suitable. Reviewing common security frameworks and reference models such as the Essential 8 or ISO27001 can help to provide an overview of the security landscape and structure.
Shiva Mierczak at J.P. Morgan, Australia and New Zealand: I can tell from personal experience that you don’t have to have a security background to get into security. I studied IT and my first job was a desktop support analyst. I knew I wanted to get into cyber security, so during my first week in my previous company, I looked up who the head of security was and I sent an email expressing my interest. I still to this day remember how excited I was when I received a reply saying let’s catch up for a coffee. I was given six thousand page security books to take home – I read them all. As I had done the leg work, as soon as I saw that a role in cyber security came up, I applied and got the job! My advice for anyone is network – connect, join communities, industry bodies – and keep up with developments.
Sarah Young, Azure Security Architect at Microsoft: Most tech roles touch on cyber security in some way anyway. See if you can build on that. Can you shadow your security team or help with a security initiative in your current role? If not, what can you do outside of work in the community? Go to meetups, community conferences, network as much as you can and maybe even prepare a presentation look at open source projects online that you could contribute to – you can build your skills in a meaningful way without spending thousands on certifications.
Bronwyn Mercer at Microsoft: A great way to learn about security is to attend cybersecurity meetups and conferences. We have some excellent community-led events in Australia, including SecTalks, BSides, OzSecCon and Crikeycon (just to name a few). Attending events will help you to meet cybersecurity professionals, grow your knowledge and maybe even lead to job opportunities in the future! In the COVID-19 era, a lot of security events are livestreamed, so I have been enjoying being able to watch some major international conferences without the cost of attending in person. Lastly, if your company has a security team, try to get to know them! Have a chat with your manager to explore the opportunity of doing a secondment or shadowing someone in the security team for a couple of days each week. Not a guarantee, but always worth asking!
Adeline Martin, Cyber Security Operation Analyst at Origin Energy: My advice to anyone starting out in a new career is to get out there, show their passion, their interests and connect with people that are willing to help in the journey. Do not underestimate the power of networking. Good connection is the key.
Jane Hogan at QSuper: For those considering making the switch, I’d recommend seeking out various industry forums such as the Australian Information Security Association (AISA), where you can listen to and meet a wide range of security professionals to expand your network. Seek out your security team at your current workplace, become an advocate, and remember – cybersecurity is not just a technology issue – you can build upon just about any skill to become a desirable security candidate.
Meidi Zhou van der Lee, Full time student – master degree in cyber security at Edith Cowan University: It’s easy for people with tech experience to make the shift as long as they have the flexible mind to see things from different angle. My advice for them is to join social group that specializes in cyber security, thus by talking about the security terms often, they will quickly speak the language too.
Jasmin Brain at Woodside Energy: My advice to anyone thinking of a career in cyber is to go for it – even if you aren’t technically minded (I definitely don’t come from an IT or digital background)! If you want to get into cyber you could look at into some of the different areas that interest you – vulnerability assessment, risk & governance, privacy & awareness, networking & infrastructure – and reach out to some of the industry groups (WiTWA, AISA, AWSN). They should be more than happy to connect you with a member for a chat or give you some information about an industry information event that you can attend to test it out. But don’t pigeonhole yourself into just one area! Most cyber roles need a can-do attitude, a little lateral thinking and problem solving and a whole lot of sensible, clear communication – you can easily learn the tools, it’s the attitude that matters.
The views expressed in this article are the views of the author, not Ernst & Young. This article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.