Women in Information Security: Isly

Last fall, I interviewed six women and non-males who have exciting careers in cybersecurity. Those articles were all published in Tripwire’s State of Security blog.

Ideally, all people in our field, regardless of gender, race, ethnicity, age, nationality, and sexual orientation, would simply be regarded as “people who work in information security.” Unfortunately, we work in a male dominated field, and sometimes dealing with sexism affects our careers.

I think it’s especially important to encourage more women and transgender people to consider careers in cybersecurity. So my interview series shines a spotlight on some of the brightest minds in our field — who just so happen to not be male.

My series was very well received. So, as spring arrived I decided to continue it. As of this writing, most of those new interviews have been done already and their corresponding articles have been sent to my editor at Tripwire. You can look forward to them being published on Tripwire’s blog in the coming weeks, probably starting in April.

Until then, I’ve decided to republish my interview series from last fall here. Please enjoy them!

And if you can spare a few bucks, please consider contributing to my Patreon. I don’t get paid for my Medium published articles, and the trickle of money here and there that I receive from my generous patrons helps keep me going. Thank you!

There’s also a way you can help me that won’t cost you any money at all. Click on the little green heart if you like my article, it’ll help with my visibility. Most appreciated!

Women in information security, being a minority, deserve a spotlight. Previously, I’ve interviewed Tiberius Hefflin, a Scottish security analyst who is currently working in the United States, and Tracy Maleeff, a woman who went from library sciences to infosec, who’s now a host of the PVCSec podcast, and who runs her own infosec business.

Recent years have brought greater visibility to people who don’t completely identify with binary genders, male or female. I think openly nonbinary people are even less visible in our field than binary women are. Isly identifies as a nonbinary femme, and she works as a penetration tester for the defense industry.

Kim Crawley: Hi, Isly! How would you describe your job and title?

Isly: I’m a penetration tester for the civil department of a defense contractor.

KC: That sounds pretty intense!

I: We’re all pretty laid back.

KC: My (now former) husband did pentesting for the Canadian Forces over a decade ago. Do you have any favourite pentesting suites?

I: If it wasn’t civil and was government, I’d be less hesitant to work there, for sure. We have some folks who are still active reservists.

Suites? Hmm. Depends on the engagement, really. I just did an OSINT engagement, and we made use of Maltego. I mostly stick to Kali and sometimes use Metasploit. I’ve stuck myself with Linux.

KC: Are there a lot of plugins for that? Most of my familiarity is with OpenVAS.

I: Well, we don’t do scanning, really. We have another team for that. Mostly we do black box and fuzzing and then follow-up with Nessus for anything we may have missed. Some of us specialize in industrial control systems (ICS)/SCADA, so they have their own tools. We’re learning Dradis next week, in fact.

KC: I think the earliest versions of Kali were incomplete, package- and feature-wise. But the latest releases are much improved.

I: Yeah, that’s what I’ve heard. It’s quite useful.

KC: Have you done a lot of SCADA work? What do you think of some people speculating about SCADA IoT? I think SCADA systems should only connect to private internal networks, anyway.

I: I haven’t done any, but my mentors and colleagues at work have, and I’m sure I will within the next year. If they’re considering SCADA-based IoT, that makes me nervous. They’re just so uniquely vulnerable, and when one domino topples in an ICS layout, they all do.

KC: Those of us with knowledge of infosec are concerned, but the suits often won’t listen.

I: Also, a lot of people utilizing SCADA have everything on a lateral network connecting to it. That’s very problematic.

KC: Have you seen utilities experience downtime due to that?

I: I personally haven’t, but some of my friends have surrounding the need for engagements over the last few years. They’re people I work with, so I trust the source.

KC: It’s especially scary when it affects stuff like nuclear power and sanitizing water.

I: Yeah, those things are horrifying, I agree. It can be done safely, but it takes careful planning.

KC: So, how did you get into infosec?

I: I started out as a Linux sysadmin, and my company needed help with the abuse department. I kind of flourished there, then went into abuse department management.

But then I enjoyed the technical guts of the work too much, so I moved into other fields in infosec.

KC: So, something must have gotten you into sysadmining in the first place.

I: I worked in a completely unrelated field for a decade. I moved and I wasn’t allowed to keep my job. I got laid off. After not having a job for seven months, I finally applied as tech support for the sysadmin job, so the lowest level.

And it turns out I had a knack for it, moved up from lowest level to admin to tech management within five years.

KC: From a helpdesk background, I always thought that was the lowest level of IT. I think sysadmining can be more stressful, but it generally pays better.

I: Yeah, helpdesk, call centre, chats… it’s very low level. I’m glad my company then gave me the chance to earn my way into a sysadmin role. More complex problems with a bright side: fewer issues about billing and people yelling in my ear.

KC: Did your employer realize your gender identity?

I: Yes. There were fewer and fewer females the higher up I got into the admin department.

KC: Did you ever feel like you had to fight against sexism in IT?

I: I was the first non-male technical leader in the admin department, as a supervisor for admins, the company had ever had. So yeah, I did. I felt like I had to prove myself double. I worked extra hard. There were men in that role who didn’t pull their weight.

KC: Did you have a lot of private sector experience before you got into the public sector?

I: No, I had no private sector experience. I’ve had very few employers, as once I like somewhere, I tend to stick around. It’s kind of against what people do now, with changing jobs every year or two for greener grass. Now people expect to do that.

KC: I guess you’re kind of lucky that way. Aside from my long helpdesk gig, all of my infosec work has been contracting.

I: I’m a consultant, full-time, so luckily not contract, and a lot of the people I work with have been with the company for several years and enjoy it. It’s nice for family life. That can also let you travel.

KC: Okay. See, I was writing study material for CISSP and CEH programs and I had to self-teach. I learned those exams that way, and that’s backwards.

I: Same on self-teaching, the last job where I did some security sysadmin work was barely scratching the surface. And they didn’t wanna pay for anything but Security+, which is garbage compared to what’s out there.

KC: Do you think infosec employers are getting stingier like that?

I: I can’t really say. That employer wasn’t an infosec employer. They just needed some attention to security, so it wasn’t their primary focus. If you wanted the RHCSA/RHCE, they’d pay and give you a promotion.

Here at this employer, they really do care. I got signed on with a ninety days paid OSCP lab because they recognize it’s a good certification. We all get one training or cert paid per year. They also pitch in for bigger security conferences.

KC: You should count your blessings.

I: I really do. One of my female friends on Twitter is required to speak at four conventions a year, but I don’t know about certs. I’m sure they also provide them, but they’re a huge company she works for.

KC: Do you think you’ve had a socially progressive influence?

I: Oh yes. That said, in all these years, I’ve been doing technical work. So there have been few females or non-males.

That said, I have tattoos and some minor facial piercings and coloured hair. I leave the latter two visible but demure and wear long sleeves. I applied to about twenty things before I got the job I’m in now, and that was only because a friend who works there referred me. So yeah, it’s hard with how I am and how it is.

KC: You couldn’t just demonstrate that you could reverse engineer a piece of malware (that obviously isn’t Stuxnet?)

I: I don’t know how to reverse engineer! I applied as a SOC Analyst because I didn’t think I could do anything more complex after being just a sysadmin who read logs. But with this shop, I applied to a SOC Analyst position, and they felt I had the brain for pentesting, so here I am. I don’t have a lot of self-confidence at the end of the day.

KC: I think all that loganalysis can hurt your eyes if you don’t have a bunch of metrics monitors and log analysis software. But then, what if the log analysis software has a catastrophic bug?

I: I didn’t have the luxury of using software back at my old job. I got very used to using ‘less’ and ‘grep’ and ‘regex’ to pull what I found.

KC: Wow, you get extra respect from me. But back to the idea of women in infosec, do you think it’s detrimental to the field when 99% of us seem to be male? The lack of diversity?

I: Yes, but that can be spread to a large portion of the IT world. I know way more femme and non-male developers than I do in infosec. I’m only one of maybe three non-males in a team of twenty-six, I think. The ratio was worse at my old job for admins. Even worse for tech support. Though there are lots of females in non-technical roles there, like sales and billing.

KC: What would you say to a young girl who’s interested in an infosec career who might be reading this?

I: I’d quote Dual Core’s paraphrasing of his own rhymes, and say, “Find all the clues, hack all the things.”

KC: Make IoT Barbie say “Math is not hard.”

I: Ha, IoT Barbie! I forgot that existed.

If you enjoyed my article, there are two ways that you can help me.

First, you can click on the little green heart to recommend my article.

Secondly, you can make a small donation to my Patreon. Thank you!