Where’s My Cyber Fairy Godmother?

“Oh wow, we don’t see a lot of African-American students majoring in Computer Science,” I remember an undergraduate guidance counselor telling me, as I told her my scholastic intentions. “It’s a hard major. Are you sure you want this as your major?”

Yes, I did. And I had wanted it since I was 16-years old. That was when I learned about information security from a conversation in a Yahoo! Group. The group was discussing cryptography, and I was especially interested in the different encryption algorithms. They could transform words and sentences to gibberish upon inspection from the naked eye, and then convert them back into their original form. I learned that cryptography was part of a career in information security. But I didn’t have any immediate family or friends who could guide me with finding a mentor in this field.

I knew that if I wanted to seriously pursue information security, I would need to get the expertise. That conversation with my guidance counselor taught me one of my first, and most important lessons of pursuing a cybersecurity career: you need a tough skin to enter the field, and you need to be your own cheerleader when others say you aren’t good enough, or don’t have the skills to be successful. I pursued the Computer Science major, and was one of a small group of African-Americans (probably fewer than 10) that graduated in 2009 with that major and Mathematics minor.

After graduating, I moved to Charlotte, North Carolina to pursue my Masters in Computer Science along with a Graduate Certificate in Information Security and Privacy. Once again, I was one of a small group of African-Americans (fewer than 10) graduating with that major. Even with my education, I’ve found it challenging to rise through the information security field, especially as a African-American professional woman. Sometimes, I find myself wishing that back when I was 16, I’d had a fairy godmother who could tell me the struggles I would encounter along the way.

Even with my education, I’ve found it challenging to rise through the information security field, especially as a African-American professional woman. Sometimes, I find myself wishing that back when I was 16, I’d had a fairy godmother who could tell me the struggles I would encounter along the way.

With this article, I’d like to be your fairy godmother – to tell you what kind of challenges may lay ahead so you can prepare for them, and surmount them.

Challenge #1: Opportunities may not come your way immediately. Create them for yourself. Though my first job out of school in 2011 was working as a developer, my 16-year-old self still wanted to pursue an information security career. But when I asked my then-manager about finding assignments or projects where I could gain that experience, she only came up with excuses. “Jasmine, at this location we only do development, testing, or project management,” my manager said. “ We don’t do security here. If you want to do it you will need to move to our other location in the northeast.”

Frustrated and angry, after the meeting I took matters into my own hands. I created my blog (www.passionforpentesting.com) where I wrote about my experiences as an application developer and how I used those skills to transfer to information security. As my blog grew, I began solving Capture the Flags (CTFs) and providing write-ups of my solutions. Now, the blog outlines strategies to enter the Information Security field without hurting your wallet. I know in the beginning of my Information Security journey, most of the courses I found cost thousands of dollars that I did not have. My goal: promote awareness to other Information Security hopefuls so they won’t feel as discouraged as I did when I tried to gain entry into the Information Security field. Starting a blog isn’t the only way to promote or obtain cybersecurity skills -- you can also do an internship, volunteer or even start a YouTube channel. The key takeaway is when people say no, you tell yourself yes, and become the change you want to see.

Challenge #2: In cybersecurity, like in many fields, “your network determines your net worth.” So build a crew of supporters. It’s no secret that your network determines how far your advance in the information security field. There are many ways to go about growing yours – join MeetUps, OWASP (Open Web Application Security Program), ISSA (Information Systems Security Association), OWASPWIA (Women in Application Security), be involved on Twitter (check out the #BlackTechTwitter and #InfoSec hashtags) and attend conferences in your city. I have found that most professionals at conferences are warm and inviting to new professionals in the field. I would also read Keirsten Brager’s (@KeirstenBrager) book, “Secure the InfoSec Bag: Six Figure Career Guide for Women in Information Security” which describes how to navigate in the workplace, how to dress for success, defining goals, and using education at your current company to gain better employment.

Challenge #3: If you’re part of an underrepresented group, people may have preconceived notions about you and treat you prejudicially. Expose and eradicate biased behaviors for the professionals coming after you.

There’s a saying in the black community that “you have to work twice as hard to get half as much.” In my experience this has applied to the Information Security field, too. For instance, I had an experience with an older co-worker (White woman) where she became hostile to me after I gained more educational credentials than she had. In this particular instance, I was the first woman in my group to obtain security certificates (GSEC, and GSSP-JAVA), even though my co-workers’ job as a security architect required a CISSP. When I entered the group, she didn’t have her CISSP even though she had been a security architect for four years. I remember calling this coworker for guidance (per my manager’s request), and she was warm and inviting. After I received the certifications, she became cold and distant.

I experienced bias once again when another White co-worker who started as a scheduler advanced through the company to become an Information Security Engineer in less than a year. Even though I had been at the company longer than her, and had expressed interest in the same certification she received, I was denied access. I found out because she told me in front of her manager. I remember having a conversation with my manager eight months prior to this revelation about taking the certification. After my coworker’s revelation, I brought this disparity to my manager and I had him contact my coworker’s manager. During the meeting, I demanded to know why I was told that I needed the prerequisite certifications when this policy wasn’t enforced throughout the department. My coworker’s manager stated that an employee could be exempt from completing the prerequisite certifications with manager’s approval. I remember after the meeting feeling upset, as I realized I was being set up for failure on multiple levels. First, I could have studied and completed the certification in the time I was being re-routed to prerequisite certifications that weren’t needed. Second, I would not have known about the certificate exemption without my coworker telling me she was completing the certificate. After this experience, I made it a point to tell other professionals that if something doesn’t feel right, speak up and demand answers. One cannot be silent when presented with biased behaviors and attitudes or else they will not change.

Challenge #4: There will be times where you feel you’re going crazy and nothing in your life is going right. This is the time where you double down on learning a new technology or improving yourself. Your next opportunity is around the corner.

I always wanted to attend AppSec USA to network with other security professionals and stay abreast with the latest trends in the field, and I had the opportunity to attend last year. The downside was I had to pay for most of my expenses. I was able to get reimbursement through my OWASP chapter for my car and hotel. I asked my then-manager three months before the event, if the company could pay for my flight and rental car; he told me there was no budget for it. Later on, I found out the same co-worker who advanced so quickly through the company and other team members who started after me were allowed to attend DEFCON on the company’s dime. When I asked my then-manager why other co-workers who started after me were allowed to have their travel expenses paid for by the company, I was told travel expenses were handled at “manager’s discretion.”

But there was a major silver lining here. In the midst of my networking, I met a young woman in my “Introduction to Penetration Testing” course whose company (cobalt.io) was looking for penetration testers. After the conference, myself and the young woman kept in touch and I applied for the position. I am now proud to say I am a security researcher with cobalt.io. This opportunity would not have happened if I did not attend the conference - and hadn’t focused on improving myself in the face of adversity.