I started my information security career more than a decade ago, leading security teams at eBay and Zynga. Since then I’ve run a global product management team at Symantec and been a management consultant at Cigital. I’m currently the Vice President of Security Strategy for a Pen Testing as a Service company called Cobalt.io.
In 2010, I was named by the Executive Women’s Forum as a Woman of Influence in the “One to Watch” category. In 2011, I published a best-selling textbook with McGraw-Hill on security metrics. Last year, CloudNOW named me as one of their Top 10 Women in Cloud. This year, I joined the North American Advisory Council for ISC2 and SC Magazine included me in their Women to Watch 2018.
I never intended to work in information security. When I graduated from college, I planned to work in IT project management. I reached out to the hiring manager, who told me that there was a hiring freeze in the IT department. He recommended that I apply for a job on the information security team, something I literally knew nothing about. The night before my interview, I memorized the Wikipedia page on information security. I got the job.
A couple of years later, I got another big break. I was chatting with eBay’s new CISO, Dave Cullinane. He asked me what I wanted to do when I grew up, and I told him that I wanted to be the CEO of a small to medium-sized company. He offered me a role as the Chief of Staff to the Global Information Security Team.
I’ll never forget what I said - “Dave, you do know that I’m 23 years old and only have a couple years of InfoSec work experience, right?”
“Don’t worry,” he replied. “I know that you know how to get things done, and that’s what this team needs.”
A few months after that initial conversation, I found myself preparing a slide deck asking eBay’s executives for the largest information security budget in the company’s history. Soon I was managing an eight-figure budget.
Dave is one of many generous people who have mentored me throughout my career. Even when I doubted myself, he was able to see my potential and advise me beyond my own experience. This is what we need to do to attract new candidates to the information security industry.
It hasn’t always been sunshine and rainbows. I’ve had negative experiences too. I’ve felt intimidated and been bullied. There have been cringeworthy moments where I considered changing my career entirely.
So why do I stay? Because for every interaction I have with one person that sucks, I connect with and surround myself with ten that are awesome.
What else can we do to attract new candidates to the industry?
- Be authentic. Information security is multi-faceted and complex. To new and junior members of the industry, the work can seem very daunting. Leaders and experts can seem intimidating. The reality is, every information security professional is a human being and many of us share common experiences. In the podcast series Humans of Infosec (@humansofinfosec), I chose to share my story and encourage others to share theirs in the hope that a newcomer to the industry or someone learning about it for the first time might hear something that resonates and take an interest. It does not benefit any of us when someone who might otherwise consider joining the workforce decides not to for lack of being able to relate or see themselves in this type of position.
- Give people a chance to try new things. For many hiring managers in the field, the challenge of filling an open position can sometimes seem like a battle to win over a candidate that is already working for another organization. I believe that when organizations approach recruiting for information security roles with thoughtfulness and creativity, it’s possible to identify transferable skills and experiences from other fields. It’s also possible to determine what can be learned on the job. The best-fit candidate for any given position is not necessarily the person who has been doing that same exact job for the past 5 years. It might be someone who brings something different to the table.
- Be generous with our knowledge. There are so many problems to solve in this field. I’m grateful to many professionals who speak openly about their experiences - both successes and failures - in trying to address some of these issues at their organizations. When experts choose to share what they know with others, it’s to everyone’s advantage.
This is the first of a three-part blog series from Caroline Wong exclusively on the RSA Conference blog. Stay tuned for the second installment in August, which focuses on retaining infosec professionals.