Last fall, I interviewed six women and non-males who have exciting careers in cybersecurity. Those articles were all published in Tripwire’s State of Security blog.
Ideally, all people in our field, regardless of gender, race, ethnicity, age, nationality, and sexual orientation, would simply be regarded as “people who work in information security.” Unfortunately, we work in a male dominated field, and sometimes dealing with sexism affects our careers.
I think it’s especially important to encourage more women and transgender people to consider careers in cybersecurity. So my interview series shines a spotlight on some of the brightest minds in our field — who just so happen to not be male.
My series was very well received. So, as spring arrived I decided to continue it. As of this writing, most of those new interviews have been done already and their corresponding articles have been sent to my editor at Tripwire. You can look forward to them being published on Tripwire’s blog in the coming weeks, probably starting in April.
Until then, I’ve decided to republish my interview series from last fall here. Please enjoy them!
And if you can spare a few bucks, please consider contributing to my Patreon. I don’t get paid for my Medium published articles, and the trickle of money here and there that I receive from my generous patrons helps keep me going. Thank you!
There’s also a way you can help me that won’t cost you any money at all. Click on the little green heart if you like my article, it’ll help with my visibility. Most appreciated!
Information security really needs female professionals. There aren’t a lot of us, but all the women in infosec I’ve met so far have been fascinating. In my first interview, I spoke with Tiberius Hefflin, a Security Assurance Analyst.
The second woman I spoke to was Tracy Z. Maleeff, who is well known on Twitter as @InfoSecSherpa.
Kim Crawley: How would you describe your current job and title?
Tracy Maleeff: Technically, I am the Principal of Sherpa Intelligence LLC. I am an independent information professional providing research and social media management services to clients. I created the business to help my transition from the law firm library world into infosec.
KC: I have a vague memory about how you went from library sciences to infosec.
TM: I joked recently on a podcast that all my past careers were just preparing me for infosec. I spent most of my twenties as a travel agent. I went back to school and earned three college diplomas in six years.
I set off on a librarian path. I worked in corporations and academia before landing in private law firms, where I stayed for about ten years. I have a Master of Library and Information Science degree, and I very much enjoy librarian work. It’s just that I feel like I can do more and found myself remembering how much I liked tech aspects of every job I’ve had.
That led me about two years ago to start dipping a toe into the tech waters to see if that excitement was still there for me. I attended every tech meet-up in Philadelphia and beyond. I signed up for Girl Develop It classes and events. I was a sponge and tried to absorb everything.
I pretty quickly realized that the programmer, developer, front-end tech world just wasn’t my cup of tea. I kept feeling myself drawn towards the tech articles about security and signed up for a Cybersecurity Fundamentals class. It had everything that I wanted and I felt that I truly had transferrable skills for this industry based on my past work and life experiences.
KC: Was there ever friction in your transition to IT due to sexism?
TM: I don’t feel like I’m completely in IT or security yet, so I don’t know if I can answer that accurately or fairly.
I can tell you that I attended a WordPress conference last year, and that was my first experience being at a mostly male professional event. The librarian world is mostly female, so that was a big culture shock for me. I witnessed and experienced some terrible behavior at that WordPress conference that was eye opening. But I do have to truly say that thus far, my experience in security has been positive.
Plenty of my male colleagues have been very helpful in educating me and encouraging me. I’m also being strategic and making sure that I am involved with the female-centric security groups and associations out there, so that I can meet other women to learn from their experiences, as well.
KC: That sounds like a good, balanced approach. How did you get the attention of those podcasters?
TM: You mean PVCSec?
KC: Exactly.
TM: Through my involvement on Twitter, basically. I got to know Edgar Rojas via Twitter and his promotion of the Tactical Edge conference. I started doing some work with him on Tactical Edge, plus I think the PVCSec co-hosts interacted with me on Twitter.
One day, I was asked to be a guest on a podcast episode. Next thing I know, they asked me to be a co-host. I’ve also done some other guest podcast recordings, and I have to say that those all came out me being active on Twitter as @InfoSecSherpa and being a contributing member of the infosec community.
KC: That is some fortunate networking.
TM: I don’t think everyone understands the power of social media when it comes to professional development and professional networking within an industry or professional community.
KC: How has PVCSec benefitted you?
TM: I do a lot of speaking engagements in the librarian world about professional networking, in person and online.
So far, I believe that PVCSec has benefited me through getting my name out there more. More Twitter followers, more LinkedIn views, plus more invitations to write and speak. I was surprised how many people knew who I was at Hacker Summer Camp in Las Vegas. Plus, I just learn a lot from my co-hosts. I learn more about infosec from my co-hosts, and that is a great experience!
KC: Has that overlapped with the infosec stuff? What have you learned so far?
TM: Oh, how has my speaking engagements overlapped with infosec? I think I see a way that I can also do those same presentations to the infosec community in order to help them. Speaking engagements are a great way to meet people. I’ve learned better ways to educate non-tech types about infosec. I’ve learned some management philosophies and techniques. We had a podcast episode recently where each host gave book recommendations. It was fascinating to hear which books they selected and why and how that fits into infosec.
I’d say the biggest thing I’ve learned from the podcast is how there are many different skills, not just tech, that go into being a good infosec professional. You need communication skills, empathy, problem-solving, time management, organization, and more. It’s not just a straight-up tech job, and that’s also what drew me to it.
KC: Do you think the need for soft skills is a benefit of women in infosec?
TM: I think soft skills are things that everyone in infosec needs to have. I don’t see that as gender-specific. Not all women have good soft skills. It’s an everybody skill!
KC: So, you think ability in soft skills is pretty gender-balanced.
TM: I don’t think it’s fair to put a gender on soft skills. Sometimes they are abilities that people have naturally, like empathy and communication. But, the bottom line, in my opinion, that they are skills that everyone can learn. Some may be better at them than others, but they can be learned. That’s how I teach people about professional networking. It’s a skill that can be learned, some may just have to work harder or adapt differently to it.
KC: What would you say to a little girl who’s interested in computing, assuming she was taught that computer tech is “for boys”?
TM: Question authority. In my very first computer science class in middle school, the teacher was female. I didn’t realize at the time how big of a deal that was. So, I never thought that a woman couldn’t teach computers or be in comp sci. Role models are very important. Women need to be visible to young girls to show them what’s possible.
I think actions and visibility have more of an impact than words. I was (and still am) pretty terrible at math. I had my own personal hangups about doing more in comp sci. It had nothing to do with me being female. It had to do with me struggling with math. However, there was a time in college when being one of the only females online and in the computer lab did create some uncomfortable moments that may have impacted me moving away from computers. But, in my earlier years, gender wasn’t a factor.
The digital divide concerns me and it’s not just a gender issue. I’m concerned about the lack of POC in tech, and that’s something we should all care about. Tech needs to be more diverse. Diversity of thought helps to solve problems.
KC: I agree completely. Do you think some of the lack of diversity in infosec comes from the top? Like when Silicon Valley talks about candidates being a “culture fit?”
TM: I feel like I don’t know enough about Silicon Valley culture to make an educated statement about this. I feel like companies could do more to help with creating a more diverse tech workforce. However, and this came up at a BlackHat luncheon, do you want to be hired just to be trotted out by the company to show how diverse they are?
KC: I can understand that. So, what do you think is the biggest problem in infosec at the moment?
TM: Lack of respect and value. It feels like people treat security as a nuisance and inconvenience. Companies are interested in protecting themselves but then give more responsibility to already overworked IT people or don’t fully support the message of security awareness. A culture of security needs to be embraced by a company, but from stories that I hear and read, it feels like they want to be protected just as long as it doesn’t interfere with anything they do.
KC: I think often the CEO, and especially the CFO, messes with the CTO.
TM: So, that leaves infosec people feeling like they are constantly herding cats and being Sisyphus in regards to security matters. Honestly, it’s not much different than how a library feels within an organization. Another reason why I feel like I fit in.
KC: I heard that often infosec gets cut because the shareholders don’t think we generate profit. Sometimes, even a super expensive POS system attack won’t change their minds.
TM: Same thing with libraries. They are overhead. But yet, when people need research or materials, they need the library. I know all about proving value within an organization.
KC: You’re practical, then?
TM: I like to think so. I also think that I see big picture things better than some. I like to think a few steps ahead. I had a coworker once who used to implement change without thinking through scenarios, and it used to drive me nuts. I think I work well as a hub with a lot of spokes.
KC: Do you have any last words about women in infosec?
TM: Don’t be afraid to be a trailblazer. Look to persons of any gender identity and POC for advice and feedback. Diversity strengthens us all. Pay it forward and help others by welcoming them into infosec and giving your own tips or wisdom. I like that there are some all-female infosec groups, but make sure that your professional network is inclusive of everyone in the industry. Make your voice heard and be a beacon for others.
Tracy Z. Maleeff is one of PVCSec’s hosts. Check out PVCSec.com. Tracy also blogs at sherpaintel.com.
If you enjoyed my article, there are two ways that you can help me.
First, you can click on the little green heart to recommend my article.
Secondly, you can make a small donation to my Patreon. Thank you!