Podcast Transcript

Introduction:
You're listening to the RSA Conference Podcast, where the world talks security.

Kacy Zurkus:
Hello listeners, and welcome to this installment of our RSAC 365 podcast series. I'm excited to welcome today's guest, Mari Galloway, who's joining us to talk about how to take your cybersecurity career to the next level. Here at RSAC we have podcast twice a month, and I encourage you to subscribe on SoundCloud or your preferred podcast app, so you can be notified when new tracks are posted. And now I'd like to ask Mari to take a moment to introduce herself before we dive into today's topic. Mari?

Mari Galloway:
Hey, welcome. I'm very excited to be here. My name is Mari Galloway. I am the CEO and Founding Board Member for the Women’s Society of Cyberjutsu. We are a 501(c)3 national nonprofit providing hands-on cybersecurity, training and a community for women and girls looking to enter advance and excel in the industry. By day, I work as a customer success architect. My focus is on SOAR, so security orchestration, automation, and response products. Cool stuff, lots of great things. Been in the industry for a really long time. So I'm really excited to be here to talk about taking your career to the next level.

Kacy Zurkus:
And we are equally as excited to have you. I know that you've been involved with RSA Conference in the past, and we love being able to build these relationships. So thank you for joining us. I'd love it if we could start by maybe taking a look back at your own career. Can you share for our listeners, how you arrived where you at today?

Mari Galloway:
Man, so I got my first job in tech and IT in 2009. I worked for a company called Accenture as an org engineer. It was one of those jobs where I was just like, ah, I really just want to get hands on. I want to get in and pull cables and wreck routers and switches and all that. And I wasn't able to do that. So I almost left the industry. Then I got on this project to help with implementing out-of-band management. So before cloud was a big thing and before all these things were huge in the technology space, we were working on, how can I access my systems remotely and get console access to those devices? And so that's kind of where I got my start.

Mari Galloway:
I moved on through the government for about six or seven years. Different agencies, DOD, Homeland Security, NGA, various agencies on the East Coast, before finally saying, "You know what? I really want to do pen testing and vulnerability management and that type of thing." So let me find a job someplace else. And I ended up leaving the government after becoming a GS-13. I had been there for almost two years and I left to go to Las Vegas to work for, at the time, the Fan's Casino, so the Venetian and the Palazzo, doing their cybersecurity and their vulnerability management, building that program up. And that's kind of when I realized I liked to help organizations build up their security posture. Build up security resources if they don't have them already. So I did that for a little bit and then I transitioned into an architecture role at the casino. So I went from engineering, my whole career, to having to think more strategic and doing strategic planning and architecting different products and vendors into that space.

Mari Galloway:
And so that's kind of what led me to the customer success architect role I'm in now. It was great to work for one company, but then I wanted to work and help multiple companies and organizations. And so that's what I get to do now. I help organizations after they've made the purchase of our product, figure out how they're going to implement it and help them work through their internet response processes and various different processes that their SOC uses to do their day-to-day jobs. I get to help them, get that light bulb like, oh, that's a good idea. Or, oh, let's see how we can save more money for our team and our bottom line.

Kacy Zurkus:
I love it. I absolutely love hearing everyone's story of how they ended up where they are today. It's so fascinating that, these unexpected trajectories and turns that your career takes makes you grow. Today, I wrote my weekly news roundup and I noted a few grant opportunities that are available. I'm sure you saw from [SESAC 00:04:33]. And another one from WiCyS for Women in Cybersecurity. These are grants and scholarships to help grow the cybersecurity workforce. And they're great resources that will likely provide useful tools to people who are looking to take advantage of the offering. So what would you say have been some of the most important tools or resources that you've had access to that has helped you to grow professionally?

Mari Galloway:
One of the biggest things is obviously being a part of Cyberjutsu. So we go by multiple names. But being a part of that community, having that network, having that support system to bounce ideas off of and to say, "Hey, can you help me with my interview? And/or can you help me with my resume? Or can you help me figure out what my roadmap looks like?" I think that's one of the most important resources that I've had over the last seven or eight years to get me to where I'm at now.

Mari Galloway:
Education, so university of Maryland Global Campus and Strayer, those networks have always been super helpful with helping me navigate that space. And then people in general. So folks that I've worked with, that have mentored me informally, not even realizing it or realizing it and helping me see, okay, this is where I want to be. This is where I'm trying to go. Now, figure out what my roadmap looks like. And so those kinds of things have helped. As far as tools, certifications, I've got a bunch of them. Being able to learn the information and then being able to articulate that to somebody else has been really helpful as well.

Mari Galloway:
I teach at the University of Maryland as well. And it's funny, I actually got that job because somebody saw me on LinkedIn and they were like, "Hey, we want you to come teach for us." So just having that passion for education and going out and getting those certifications, and getting those degrees, and continuing to learn has been super helpful as well.

Kacy Zurkus:
So a couple of things there that I want to follow up on. You mentioned having a mentor, either informally or formally. So you've been a mentee before. Have you ever been a mentor or involved in a mentoring program? And can you talk about the influence that that has had on you personally and professionally?

Mari Galloway:
Yes. I am actually a mentor now. I love my mentee. She's awesome. She's like, "Hey, can you help me with blah, blah, blah." And we'll do interview questions for her interviews and things like that. So it's been beneficial from that perspective of being able to help somebody else one-on-one. People that I know will probably say, I'm their mentor, but I like to have the more organic. I don't really like forced mentorship. Because then it's like okay, what do we talk about? How do we do this? When those relationships build more organically, it's like you start talking to people and it's like, hey, let's have these conversations. Let's talk about what it is you're working on, what it is you're doing. I think it's a more meaningful relationship and you get more out of it.

Mari Galloway:
So we just launched at the WSC, we launched Small Tribes, which is small groups of women together with a similar or same goal. And that's been really helpful because we get to help each other. And we're our only accountability partners within that small group. We work on projects together. Everybody in the group gets to be a presenter each week we meet. And so it helps us to see how other people are doing and where they need assistance, and vice versa.

Kacy Zurkus:
That's great. Yeah. I'm head of the WiCyS Mentor Program. And it's definitely an established program that you are assigned to a group, but it is really cool the topics that we discuss each month and the materials that they share with us. And it's just fun to engage with other people that you may never meet otherwise, if you weren't part of this group. So I love being able to be part of the program.

Kacy Zurkus:
Another thing that I wanted to follow up on that you had mentioned was, that you're teaching because someone had seen you on LinkedIn. And you're very visible on LinkedIn and social media as an industry influencer. And there are definitely other people in the industry. Maybe it's just my network, but I see particularly women that are really strong social influencers that have managed to build this vast network and brands in and of themselves. I definitely think you're one of those women. And I'd love if you could talk a little bit to our listeners about the power of networking and that process of brand building, and how that's shaped you.

Mari Galloway:
So when LinkedIn first came out, I had an account and I was like, oh, this is going to be fun. Cool, whatever. Never really did anything with it. I'm more of a behind the scenes person. For me, being in the spotlight was awkward, was weird. And then I started to talk to people, and they're like, you got to get your LinkedIn up. If you want to get those jobs, if you want to meet new people in the space that can help you, or you can help them, you got to get your LinkedIn up. And so I started to reevaluate how I wanted my LinkedIn to look. And as soon as I did that, as soon as I changed my headline and all these different things on my ... took off the bullets of things that I was supposed to be doing in a job and put my accomplishments on there, it changed who interacts with my page and who interacts with me.

Mari Galloway:
So I thought that was kind of cool. And that was probably maybe five years ago that I actually started to be more engaged in the industry. But the thing is, you can have a LinkedIn page, but you have to use it. You can't just put your stuff up there and then just leave it and be like, oh, they're going to find me. You have to actually go and engage with other people. Engage with the folks that are in the industry with you and that aren't in the industry with you. That's where you get the most diverse trains of thought and those kinds of things.

Mari Galloway:
So it's more than just having that LinkedIn page. It's more than just having that brand. Because everybody goes to LinkedIn to see who you are and to see who you're interacting with, to see what you're doing. If you're vlogging, if you're writing blogs, if you're doing YouTube videos on how to configure a cloud instance or something, they'd want to see that. And that your LinkedIn profile is the perfect place to highlight that, to highlight the volunteer work that you're doing, to highlight the projects that you're working on. To show that you do other stuff outside of just going to work nine to five. And that I think that's the important thing with using your LinkedIn.

Kacy Zurkus:
Yeah, it's this platform to really create the full picture of you and who you are. And the connections that you have, both to your point in and out of the industry. So I want to shift a little bit. And for those listeners who have landed a tech job and want to shift into a cybersecurity career, what does that process look like? How do they decide which path to explore, what additional training they pursue? You mentioned you have multiple certifications, how do you determine which certification is best and what skills are transferrable, versus what new skills you might need? Can you walk everyone through the process?

Mari Galloway:
So this process, it's not as daunting or as scary as most people think. I always recommend people to look at, especially if you don't know what you're trying to do, the workforce framework for cybersecurity on the NICCS website. And it breaks down the different types of categories in cybersecurity. And then it goes down into the specialty areas and then work roles. And what's cool about this website is when you select, or when you search for, let's say an analyst or ... it tells you the tasks that you could do in that role. It tells you the skills that you need. It tells you the knowledge, it tells you what trainings are recommended for that particular role.

Mari Galloway:
So that's a really good resource for anybody that doesn't know, but they're kind of nervous of like, oh, I don't really know what I want to do, but inventory your skills. If you come from the library industry ... I have a friend that she was a librarian first, and now she's in cybersecurity. That translates to-

Kacy Zurkus:
Wow.

Mari Galloway:
You know what I'm saying? Right. She knows how to do research. And that's exactly what open-source intelligence is. You're doing research on IP domains, people. And so she was able to transfer those skills over. So inventory your skills and understand, okay, these are the skills that I have. What can this do on the cybersecurity side, on the tech side? Talk to people. If you're interested in pen testing, find pen testers on social media and talk to [inaudible 00:13:36]. What is it like to do the job that you do? How did you get there? What type of skills do you need to have to do this type of work? This industry is about networking big time. So definitely just talk to people.

Mari Galloway:
And then once you've inventoried your skills, once you've talked to somebody or a few people in different domains in the space, then you start to build your roadmap. So you know what skills you have. Okay, cool. Well, I need to get these skills and I can get these skills through volunteer work, through certifications, through education, through cyber competitions. And then you start to build that roadmap of what that might look like over the next three to five years to get to that point. And that kind of helps you visualize what it is you're trying to do.

Kacy Zurkus:
Right.

Mari Galloway:
Most skills are transferable, to be honest. You just have to know how to do that.

Kacy Zurkus:
Yeah, and it's really interesting.

Mari Galloway:
Like, if you're a general manager.

Kacy Zurkus:
Like I came into the industry through, I was a high school teacher of English. And so you would never think like, oh, that applies to cybersecurity how? And so I came in through, I was a journalist for industry publications. And there's so much that is the top skills piece of cybersecurity that really any skill is transferrable to some pathway in cybersecurity, to your point.

Mari Galloway:
Yes, definitely. It doesn't matter. From restaurants, if you were a manager at a restaurant, you have management skills. You know how to manage projects. You understand the supply chain aspect of that. And so that's transferable to the industry because we do supply chain all the time.

Kacy Zurkus:
Right. Right.

Mari Galloway:
But yes, definitely inventory your skills that you currently have. Talk to people, don't be afraid to talk to people because that's what this industry is about. It's about networking. It's about making those connections so that you can do your job better.

Kacy Zurkus:
Yeah. And I think the important thing too, is that it's not a solely technical industry. I think that that is a misconception of what cybersecurity is and a limitation of what it isn't. And there's a lot of room for all different kinds of diverse backgrounds. So that's the great news for anyone who's interested in transferring into [inaudible 00:16:04]. So, what are some of the key tools and resources that will help listeners navigate the tech space in general?

Mari Galloway:
So obviously that one website, social media. I hate to say it because it's like, eh, but social media is actually a really good source. Like Twitter and LinkedIn, sometimes Facebook a little bit. But there's lots of news on these sites. There's lots of people posting articles and talking about cybersecurity and how to get into cyber, and how to level up and advance in the space. There's the battle of education versus certifications versus experience, which one's better? Always staying educated in the space is really, really important because the moment you stop educating yourself on what's coming out and what the new things are, is the moment you're going to get left behind.

Mari Galloway:
And then network, that's a tool. Network. If you need an organization to come to, you can come to Cyberjutsu. If you need something smaller where it's just like, one-on-one things, reach out to people that are willing to help and have said, "Hey, let me help you." And don't be afraid. Put yourself out there. Be authentic, put yourself out there and it'll help you go a long way.

Kacy Zurkus:
Yeah. And I think, if you ask me, in this industry, what I've seen thus far in the six or seven years that I've been in the industry is filled with people who want to share and help. At the end of the day, these are all people who are looking to make the world a safer place. So they want to share their information. They want to help educate. They want to help bring people in.

Kacy Zurkus:
And so to the point you were making about speak to people, I find especially on social media, I find that people within cybersecurity are super approachable. You reach out to someone and they respond. And they're willing to share and help, and the official or unofficial mentors and so forth. From an organization's perspective though, what are some ways that businesses can help strengthen and grow the future cybersecurity workforce?

Mari Galloway:
The first one is partner with nonprofits, helping train and bring people into the pipeline. So I'm always going to plug Women's Society of Cyberjutsu because that's the baby, but there's a lot of different organizations out there that are doing really good work to help train. So partnering with some of those organizations helps the company pull resources and find that talent.

Mari Galloway:
The other part is when you guys hire somebody, train them and not be afraid that if I train this person, they're going to leave. We have to start looking at, okay, do they have enough skills to be able to come in and get trained, to do the job and then get trained some more to stay doing that job or the next level up? A lot of companies are afraid to do that, I don't know why. We also have to pay people. Pay them what they're worth. You can't find unicorns. You're not going to find somebody that's got 18 certifications that are across the entire sphere of tech and cyber to do a job for $50,000. It's not going to happen. They put a lot of time and effort into getting those better education and those credentials. Pay them what they're worth.

Mari Galloway:
Adjust the job descriptions. And I know that's been a big thing over the last couple of years of finding better ways to write job descriptions that are a little bit more appealing and that are more inviting. If you want to bring in more folks into the cyberspace, you have to look at what you're asking people to do. Don't ask somebody to do three jobs in one job. Just hire three people to do those three jobs.

Mari Galloway:
And the last thing is be open to change and be open to doing things different than you've normally done. That includes recruitment. That includes hiring and putting people in leadership roles. That includes looking at yourself to say, okay, how am I a part of the solution, or how am I part of the problem? And then making adjustments from there.

Kacy Zurkus:
Excellent advice. Mari, thank you so much for taking the time to talk with us today. Listeners, thank you for tuning in. I want to remind you all that here at RSAC, we host podcasts twice a month. And I encourage you to subscribe on SoundCloud or your preferred podcast app, so that you can be notified when new tracks are posted. Interested in being a guest on our podcast? Visit rsaconference.com/becomeacontributor to learn more. Thank you so much for being here today.