Depending on who is asked, there’s either a shortage of people with cybersecurity skills or there are issues with the hiring processes that focus too much on certifications and traditional experience while overlooking candidates who are capable, enthusiastic and willing to learn.
At DEF CON 27, Ismaelle Vixsama, founder of cyberconsulting firm Vix Cyber, discussed her unique pathway into a cybersecurity career and noted that she wasn’t alone in taking a nontraditional path.
Vixsama studied finance and business management in college, but six months into her finance career, she realized she hated it both because of the nature of the work and the culture at her first position. She put her resume online and was contacted by a recruiter looking to fill a position with someone “who was new, who was teachable, who could be trained to do cybersecurity.”
“The first thing I said to him was, ‘Well, what is cybersecurity? I don’t know what that is,’” Vixsama told SearchSecurity. “I started off doing risk assessments for their vulnerability management program, reviewing those and assigning a risk rating and then opening up corrective action plans, and I was really just learning about why this or that is a risk — like learning about OWASP Top 10 before I even knew anything about security.
“I took the opportunity there to network, to shadow with some of the more seasoned infosec [pros] to just ask questions,” Vixsama said. “They told me which certs I should look into, what I should be learning, and at night I would go home and I would pick up a book and read all about information security and computer science. That really was my start.”
The hacker mindset
Vixsama admitted she got lucky with a company looking for someone they could train rather than someone who already had the training, but she quickly found — through her own experience and from those she met who were also attempting to transition into cybersecurity careers — that being successful doesn’t require a specific path or background.
“I think almost all the skills that are out there in the real world can be transferred into cybersecurity. If you are a good person, you can read people, there is a career path for you in social engineering. If you like to break into things, you could be doing physical security. The field is so massive that there’s literally something for everyone,” Vixsama said. “And that’s what I love about cyber; if you ever decide to transition from one field, you can build up your technical skills and then essentially work towards something different.”
Ning Wang, CEO of cybersecurity training firm OffSec, told SearchSecurity her company has people of all backgrounds come to take courses, and she found that “if you want to learn, you’re open-minded, even if you don’t have a security background or IT background, you can do it, [but] you have to figure out how to discover the unknown. And that requires a mindset.”
“That kind of mindset development and training is hard, but when you get it, it’s incredibly powerful. We call it a ‘hacker mindset’ or ‘try-harder mindset.’ To do that, you have to actually do it, and struggle through it, and get stuck, and then see how you make the breakthrough. And then when you do that multiple times, over and over again, you get that mindset. It becomes automatic,” Wang said. “Those are the people that can do anything in security. It doesn’t matter if they have the tools or not, because they know what to look for.”
The keys to success, according to Vixsama, were in understanding who you are, what you’re good at and how it can translate, identifying what cybersecurity skills to work on and being willing to learn and connect with others.
“Find a community of people who are willing to help you learn, to help you grow and ask all the questions,” Vixsama said. “Show them your passion, your hunger. If they like you, they will be willing to refer you into companies and then talk to you about positions that they know that are opening up. Really finding people not only that can mentor you, but that are willing to help you figure out your path and help mold you into the next cybersecurity leader.”
Wang noted that cybersecurity skills and certifications should be considered for certain positions, like red or blue teams; otherwise, “the learning curve is steep.”
“Generally speaking, I believe that companies should consider someone’s potential when making hiring decisions and consider someone who is passionate and great at learning new skills and techniques,” Wang said. “But for entry-level security positions where security knowledge is not as critical, getting someone with the right profile and training him or her on the job is a viable option.”
Magen Wu, senior associate at Urbane Security and workshop department lead for DEF CON, is someone Vixsama credited with getting her and other friends interested in attending DEF CON. Wu told SearchSecurity that her cybersecurity career came mostly from networking at conferences after realizing her initial dream of being a forensic pathologist might not work because she “fainted at the sight of blood.”
“I went to my first DEF CON at 20. I was laid off from working accounts receivable for a building materials company. I showed up to DC15, met folks, started going to other conferences and just kept meeting and talking with people online and at cons,” Wu said. “I moved to Seattle (from Florida) and started working in tech support and then software testing before a friend from Twitter sent in my resume and referred me for what would end up being my first infosec job.”
Stephanie, a security analyst for a global law firm that wishes to remain anonymous, said her entry into infosec was filled with false starts. A member of Vixsama’s “Ya-Ya Sisterhood” (the group of friends that attended DEF CON together), Stephanie decided to abandon a journalism major in her junior year of college in favor of computer science and then spent five years in IT before finally getting an opportunity in infosec.
“In every job I’ve had except one, I attempted to advance into security. One time, they killed the part-time offering, so I had to quit. Another time they outsourced the security team before I could get promoted into it. And a third time, office politics and bad management prevented me from being promoted to the security team, even though the management of the security team had approved my hire twice,” she told SearchSecurity. “After all of that, a random recruiter was able to do what I could never do myself. Getting into a security role in and of itself is unconventional. No two stories are the same. But that was my story.”
Wu said that in her experience, “hardly anyone in this field started out in infosec.”
“Many of us have degrees that have nothing to do with computers, so if you’re interested, you should go for it. Build a home lab and teach yourself something new, go to conferences and meet people, offer to volunteer when the opportunity comes up,” Wu said. “Invest in yourself and your goals because even if you feel like you’re behind everyone else, chances are you aren’t … or at least not as far behind as you think.”
Vixsama said cultivating a good network will be important “because those are going to be your advocates, those are going to be the people that put you onto those jobs.” And, once someone has a good network, they can become a mentor for others seeking cybersecurity careers and help to address other issues in infosec, like the need for more diversity and inclusion.
“One of the things that I noticed is there’s a lack of intersectionality and what I mean is that we’ll see black people in cyber, or Latinx or Asians. Or we’ll have people in the LGBT [community], but then we don’t see a lot of crossover where there may be someone who’s non-binary, black and/or queer or all these other things. Let’s look for more than just one or two checkboxes in the diversity section,” Vixsama said. “I’m accustomed to being in organizations where I am the only black woman. For me being the only black woman in an all-white, male-dominated field, I don’t really have someone that I can talk to about certain personal things that we do that can relate to me. I think that’s why it’s really important so that we can actually maintain and retain true diversity and actually being able to promote those people into positions of power and leadership.”