Changing careers to cybersecurity

Dara Gibson of Optiv and the Phoenix, Arizona, branch of Women in Cybersecurity has developed and managed cybersecurity services for five years. After years of being an educator, Gibson felt the pull of cybersecurity and tech. For those of you who are thinking of making a later-in-life, life-changing career shift into cybersecurity and feeling a bit overwhelmed, do not miss this episode! Gibson strikes the perfect balance between pushing you out of the nest without pushing you off a cliff!

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free

– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

0:00 - Changing to a cybersecurity role from another profession

2:56 - Dara Gibson’s start in cybersecurity

7:28 - Guidance in cybersecurity

10:00 - Working as a cyber insurance specialist

15:00 - Phoenix Women in Cybersecurity

17:06 - Where Women in Cybersecurity members come from

21:00 - How to get past the HR barrier in cybersecurity

24:20 - Applying to cybersecurity jobs

26:52 - Common paths in cybersecurity for job changers

29:00 - Tips for cybersecurity job posting

34:40 - Advice to attract women to cybersecurity

36:35 - Get involved in Women in Cybersecurity

38:35 - Barriers to getting women in cybersecurity

40:42 - Learn more about Dara Gibson

41:15 - Outro

[00:00:00] Chris Sienko: Is Cinderella a social engineer? That terrifying monster trying to break into the office? Or did he just forget his badge again? Find out with Work Bytes, a new security awareness training series from Infosec. This series features a colorful array of fantastical characters, including vampires, pirates, aliens and zombies as they interact in the workplace and encounter today's most common cybersecurity threats.

Infosec created Work Bytes to help organizations empower employees by delivering short, entertaining and impactful training to teach them how to recognize and keep the company secure from cyber threats. Compelling stories and likable characters mean that the lessons will stick. Go to infosecinstitute.com/free to learn more about the series and explore a number of other free cybersecurity training resources we assembled for Cyber Work listeners just like you. Again, go to infosecinstitute.com/free and grab all of your free cybersecurity training and resources today.

Today on Cyber Work, I'm happy to welcome Dara Gibson of Optiv and the Phoenix Arizona branch of Women in Cybersecurity as my guest. Dara has developed and managed cybersecurity services for five years. After years of being an educator, Dara felt the pull of cybersecurity and tech.

Now for those of you who are thinking of making a later-in-life, life-changing career shift into cybersecurity and you're feeling a little bit overwhelmed, do not miss this episode. Dara strikes the perfect balance between pushing you out of the nest without pushing you off a cliff. And we're also going to talk a little bit about Women in Cybersecurity. So stick around for that and keep it right here for Cyber Work.

[00:01:42] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Today's guest, Dara Gibson, has developed and managed cybersecurity services for five years. By blending cutting-edge technologies, unique skill sets and proven cyber strategies, she creates lasting partnerships with clients to protect shareholder value and corporate reputations.

As a nationally-recognized information security leader, Gibson is responsible for designing cybersecurity awareness programs to foster expertise in relationship management with industry-leading cyber insurance and legal providers for proactive and reactive cybersecurity capabilities.

I'm always excited to talk to someone who has come to cybersecurity via say the scenic route. Not all of us have been taking apart computers since we were five years old and so forth. And there's plenty of room for the rest of us as well in cybersecurity. Dara already has a tremendous career in cyber. On its way. And I want to talk to her about some of her advice for changing to a cyber role from another profession.

Dara, thank you so much for joining me today. And welcome to Cyber Work.

[00:03:05] Dara Gibson: Oh, thank you so much for having me. I'm really excited to be on your show today.

[00:03:09] CS: Absolutely. My pleasure. Yeah, let's talk about your origin story. Like I said, how did you first get interested in computers and tech? Without spoiling too much about the arc of the conversation, which I just said, you started in elementary education. So what was it about cybersecurity, or security, or tech in general that intrigued you?

[00:03:28] DG: Well, to be honest, I vividly remember the first time we actually had a computer lab at my grade school. We had 15 Apple IIe's. And that kind of dates me a little bit. But that's okay. We would pair up to learn how to use them. And to be honest, it was just for typing. That's all they were good for, right?

[00:03:45] CS: Yep.

[00:03:46] DG: I was much more interested in music than I ever was in technical capabilities. But many moons later, my son actually introduced me to cybersecurity. And when he was the commander of his CyberPatriot unit in high school. Now all the boys would bring over their laptops and desktop computers over to our house. And they created their mini cyber cave where they would create their own cyber command unit. And they would complete all their missions.

Looking back, to be honest, it was the human interaction from pairing together with the Apple IIe's to the kids learning what cybersecurity was in high school. But it was a human interaction that intrigued me the most.

[00:04:31] CS: Yeah. Can you talk a little bit about just maybe the conversations you had with your son about like what he was doing and sort of getting – were you looking over your shoulder or are you like, "Hey, what is that? Do you think I could do that?" Because there're just as many people that could have looked at that and said, "Oh, that's no business of mine," or whatever. But the fact that it hooked you. I'm just curious what the hook point was.

[00:04:54] DG: As an avid learner, I constantly would ask questions. And I would ask the kids and see if they could direct me to kind of educate me on what the capture the flag game really was that they were trying to achieve and how it interacted and how they were protecting from the threat actors.

And so, I always asked questions. And that was what intrigued me to see how they would interact together, and work together and understand that it wasn't just the scary guy behind the computer. There were human beings on the good side of the computers and that needed to do the other aspects of computer technology, cybersecurity aspects of it.

[00:05:34] CS: What was the next step after this? Did you start trying CTFs for yourself? Did you start looking into sort of computer fundamentals? How did it progress from this initial seedling?

[00:05:45] DG: No. Actually, my son actually questioned the fact that how did I get into cybersecurity? We were at a networking event. And because of my education background, I have a master's degree in education, the company actually wanted to expand their services into America. They were a Canadian cybersecurity company. And they had found me on LinkedIn and understood that, with my education background, I could help them develop their cybersecurity awareness campaigns and educate people moving forward on the importance of cybersecurity.

And my son and his team actually joked, they're like, "How did you get the job in cybersecurity? How come they didn't ask us?" Right? And so, that's when I kind of did my micro mini master's degree in cybersecurity at that stage because, as he said, "You didn't even know how to say the word cybersecurity, mom. Let alone know what it was."

I had to educate myself before I could educate others. And I had the opportunity to really grow there the company's cybersecurity awareness campaign. Because developing an education campaign depending on just – doesn't matter the topic. You can always learn the topic and just understanding how to educate others in a manner that's appropriate for them. That's where it led me down the cyber path.

And that company actually gave me a lot of mentorship opportunities. And so, for that reason, I really dove into incident response, and business management and leadership. And I took on a lot of the business aspects of the American components of that cybersecurity company at the time, which forced me to really emphasize the business aspects of cybersecurity. Not just the technical side.

[00:07:29] CS: Right. Now, okay, that's a great point. And there's I think some – absolutely, a gold nugget of advice here, which is that you were already working for this education organization and you were interested in cybersecurity. And so, you approached someone within your company and said, "I'm interested in this other aspect." And they were willing and able to help you train. You were able to get excited about incident response while still doing it within a job's capacity.

Because I think one of the barriers we see with people who want to jump into that is that they think that they have to sort of uproot their entire life at their current job and find – I don't know. Like a cybersecurity, like boxing gym or something like that and train for seven years or whatever. But yeah, I mean, I think it's worth noting that if you want to make that jump, you could do worse than to start looking in your own organization and saying, "I'm interested in this." And they're probably – I mean, in your case especially, they were very interested in that. And it was a life changer.

[00:08:33] DG: Absolutely.

[00:08:35] CS: So, that's cool.

[00:08:35] DG: Oh, yeah. I get questions all the time, as I'm the president of the Arizona Affiliate for Women in Cybersecurity. People ask me for guidance all the time. And their first point of reference is, "I'm about to quit my job and jump into cyber." And I will always tell them to pause for just two seconds, "Please don't quit your job. You still need to pay your rent, and eat food and pay your cell phone bill, right?"

With that in mind, I always encourage them to look inside their own ecosystem. Find out what's going on underneath the hood of their own business. And find out how they can learn about cybersecurity in their own ventures.

I had one time a pharmacist came to me and said, "I'm quitting pharmacy. I can't take it anymore." I said, "But wait. Hold on. You know HIPAA regulations. You know everything when it comes to that part of correspondence and GRC." And she's like, "I do." She's like, "But how does that relate to cyber?"

And once we walked down that path, within two weeks she had actually found a HIPAA compliance officer role because she was able to transfer in her own ecosystem. And she didn't have to count out the medicines anymore. But she was able to transcribe the HIPAA compliance regulations. And she never had to quit her job. She never had to leave her own spot in her location. She was able to transfer into cyber that way because she knew the compliance regulations.

[00:09:59] CS: That's so cool. I love that. These are great examples. And we'll probably break into plenty more of them. But before we get more into the career change aspect of your story, because a lot of our listeners are sort of using our show to sort of mentally imagine their future careers, I want to know a bit more about your current role.

You're Senior Cyber Insurance Manager for Optiv, a cyber advisory community that advises, deploys and operates cybersecurity programs for your nearly 6,000 clients. Can you tell me about how your role as cyber insurance manager fits with the rest of the roles in the company?

[00:10:33] DG: Absolutely. As a certified cyber insurance specialist, I have the honor of advocating for the clients with a cybersecurity mindset. I get to focus on the client as well as the insurance mindset for the insurance industry.

For many years, I heard clients would comment, "I have insurance. I don't need cyber controls." Or, "I have a strong cyber platform. I don't need insurance." But it's interesting since one of the good things about COVID was that, over the past couple of years, the mind-shift has totally shifted, that businesses now understand it's a dual role; cyber controls and cyber insurance. They play two totally different roles in the risk management process. And companies need to evaluate the importance of having both into their risk management programs.

The Optiv cybersecurity controls allow business entities to truly determine the features of their cyber maturity level within their organization. And they can understand and mitigate risk accordingly in alignment with their insurance policy. They get to fully truly understand that the financial risk transfer of an insurance policy really helps influence their cyber maturity level. But it must be defined in the underwriting stage.

It's really great to have this opportunity to showcase the cybersecurity mindset along with the insurance mindset. In that conversation for the client where I get to advocate for the client, I'm not advocating for the insurance company or cybersecurity. I get to advocate truly for the client what's best for them.

[00:12:10] CS: Okay. And just for my own clarification, I want to get a little more granular with this. Optiv does not provide cyber insurance. You're acting as someone where they say we need a cyber plan. Also, we need insurance. We're thinking of using this insurance provider. And you're the intermediary, if I'm hearing this right, that is able to read the cyber insurance plan and then see how it connects to. And then you say, "Okay. Well, if you want this plan at this price, you're going to have to implement these security features." Am I getting it?

[00:12:43] DG: Even better. I don't ever have to discuss price, or sales, or have that pushy sales quota because I'm a consultant. I truly get to advise and look at their insurance policy and read what it says. If it says A, B and C, I can transcribe what A, B and C is in insurance talk. And then I can also transcribe what the insurance – the cybersecurity level mindset talks about on the cybersecurity side.

I can bridge that communication gap for the client because the client is really good at selling whatever widget they're selling, right? They really, really need that comprehensive bridge to understand where the cybersecurity conversation comes in and how to understand all those acronyms that we love to use so much in cybersecurity land. And also, the acronyms for the insurance might land where they have all their own acronyms that come into play and really be able to translate that. Somebody actually mentioned that I'm a nerd translator. I translate nerd into business communication skills.

[00:13:42] CS: Yeah, a nerd to C-suite translator. Yeah. Yeah. Yeah.

[00:13:45] DG: Right? Yes, exactly.

[00:13:48] CS: You took the next question right out of my mouth there. I was going to ask if you – it sounds like communication skills is a huge part of your job. And being able to break down, but also understanding the sort of the nerdy nuts and bolts of the insurance plan and then explaining it to them in a way that doesn't seem like you're a teacher rapping their knuckles with a ruler or something like that. Yeah. Yeah.

Okay. Yeah. I mean, did you learn a lot? I mean, obviously, you probably learned a lot of that communication skill from being an educator, right? Can you talk about how that sort of directly played into the way that you sort of like craft arguments or explain things to people?

[00:14:27] DG: Absolutely. It's truly just education at its core. Providing that concept of learning and communicating the importance of what is the outcome or the objective of whatever they're trying to read or understand. And understand that that's where you want to end up is truly have that comprehension of the overall atmosphere of what we're talking about.

[00:14:50] CS: Yeah. Well, I've heard so many great stories from our guests, as well as a number of Infosec inspire scholarship winners. And this is going to be one that I'll – your story is one that I'll add to my list. From elementary educator to cyber insurance consultant. But we've had people who said that the best person on their digital forensics team was a former child psychiatrist who was able to decode text messages from a teen's phone. Former heavy machine specialist turned SOC managers. Lawyers turned risk management compliance professionals. And the list goes on.

But before we get into all that, I want to start by talking about Women in Cybersecurity, the Phoenix chapter as you said, of which you are president. Can you tell me about the work that Women in Cybersecurity does and the services you provide to help place women into cybersecurity roles?

[00:15:42] DG: Absolutely. WiCyS we call it. Women in Cybersecurity. Or WiCyS, like we sisters, actually originated in Tennessee as a facet to create opportunities for women to advance in cybersecurity. Today it has matured into a global community of women, allies and advocates to truly – and who are dedicated to bring their talented women and together to celebrate and foster a passion and drive for cybersecurity.

Our local affiliate here in Arizona, we unite communities of aspiring and thriving women of cybersecurity professionals to collaborate and share our knowledge, our network, as well as mentorship. We create opportunities through professional development programs, conferences, webinars, career fairs. And sometimes it's just wine conversations and networking.

We provide that outreach of – again, it goes back to my human interactions, to create those touch points where people can call and say, "Hey, Dara, can you just take a peek at my resume and see if it's actually saying who I am?"

[00:16:48] CS: Got it.

[00:16:49] DG: Or provide that outreach so people can just get together and say, "You know what? Hey, I have an opening in this particular role. Do you have anybody in Arizona that would be interested?"

[00:16:59] CS: Yeah. I mean, that's great. Now how do you – what is your sort of outreach plan to find people? Do most of your new members sort of knock on your doors? Do you go to trade shows? Do you advertise on forums? Where would you say on average the future WiCyS's of America or of Phoenix are coming from?

[00:17:23] DG: The answer is yes to all of the above, right? We make sure we do our outreach at least once a month. WiCyS global gives us the opportunity to reach all 57 affiliates worldwide. And we have our page, a link on the WiCyS global, which is wicys.org website, where they can just type in their information there. Say they're interested in learning more about the Arizona affiliate. And that comes directly to our Arizona affiliate email account.

We also do tradeshows. We're blessed to have the opportunity to have a lot of the cybersecurity conferences will give us a free booth because we are a non-profit. They'll give us the opportunity to have a free booth just to get our word out there and our mission out there with people to say, "Hey, you can sign up for us."

Our local affiliates, totally free of charge. We don't have any fees associated with our local affiliate. The global one, should people choose, it's like $95 for professional affiliates memberships. Student memberships are almost nominal because they're really trying to help the college students get into that realm of cybersecurity. And of course, they also have different organizations, larger business entities that they'll do their own WiCyS within their business entity.

[00:18:43] CS: Got it. Oh, go ahead. I'm sorry.

[00:18:46] DG: Oh, that's okay. No. I was just going to lead on that earlier this year we actually had a trade show that we did have one of those free booths. And one of the ladies came up to me and she said, "I'm graduating in May with my cybersecurity degree. Where should I even go?" She wasn't sure on even where to go at this stage.

She was a transfer like myself. She had many, many years in her first career. But she did see that the decline of her current operations and the importance of seeking that next career. She chose to come to a couple of our meetings since then. And now I have her as my events coordinator for our women in cybersecurity here in Phoenix, Arizona.

She actually has the opportunity to now network with professionals and say, "Hey, I'm the events coordinator for Phoenix affiliate. Would you like to present at our organization?" That gives her that outreach to really meet new people as well.

[00:19:41] CS: Oh, that's great. I love that. Thank you very much. Yeah, I was just going to ask about sort of like what the average pipeline was from someone introducing themselves at a conference. But you walked it through beautifully. That's awesome.

[00:19:53] DG: But I do want people to know we're not a hiring firm. I cannot guarantee they'll get any position or any such thing. As I say, you can use my LinkedIn account. Use me and abuse me as much as you want. But I can't guarantee you'll get a position. But the opportunity for that human networking is always apparent. Like you said, at trade shows, networking events, as well as educational outreach.

[00:20:17] CS: Yeah. And also, you said it yourself, that someone basically just sent you their resume and said, "Can you make sure that I'm actually showing who I actually am and so forth?" And I think that's one of those things that a lot of people feel alone in, is that they feel like they have to sort of like make all this stuff in the void and then send it off into the void and then get rejected in the void. And so, it's good that you have this kind of sort of structured discussion model where you can sort of talk through things, talk through issues. Yeah, that's a huge, huge service I imagine. Yeah.

[00:20:53] DG: Very well received. Yes.

[00:20:54] CS: One of the most common things that I hear from our guests on the show who are also helping to try and close the skills gap, bring in new diverse populations and new workers, they'll always say things like, "If you have the passion and you can show it, then we can find a place for you." Which sounds great. Of course, people in our comments who write in during our Cyber Work live events tell a different story sometimes. They might have two, three certifications or a bachelor's degree and can't even get a first interview. There's a disconnect happening a little bit.

I don't doubt that every single person on here who says they're looking for passion and invention, not certain names, is sincere. But there's still something not working. I'll start by asking you how you recommend young professionals or especially later career job changers to get past the HR or hiring manager barrier to show off their talents in a position they'd likely be great for but have a hard time demonstrating capabilities of?

[00:21:52] DG: Well, I know this first-hand. During COVID, as I mentioned earlier, I was working for a Canadian company. Once the borders got shut, I was one of those unfortunate souls of COVID job displacement. With that in mind, it is a very important component to get hired and get past that initial gatekeeper of the API of resumes. During COVID, I actually put out 700 applications. Yes, 700. And I received a lot of silence along the way.

Looking back, I should have just appreciated the time off because it would have been much more productive than 700 applications. But I am a firm believer in networking again. And thank goodness for LinkedIn, because it's that human interaction.

I just definitely understand the fact that it's the old adage. It's not what you know but who you know. It still plays an important role in any industry today. And I truly believe cybersecurity is one of those roles. Um, a lot of the HR API gatekeepers, you have to make sure the words match. If what you're saying in the first jet line of your bullet point of your resume doesn't match what the job description is saying, you're not going to pass that first line of gatekeeper.

[00:23:20] CS: Yeah.

[00:23:21] DG: Make sure you're entering those career fairs. There're so many. I mean, WiCyS does their own virtual career fair twice a year. They do one and then a real live one at the Women in Cybersecurity conference. That's so beneficial because you get the opportunity to talk to the people that have those open positions. And maybe they don't have your open position today. But they do have an open position eventually.

I did actually – honest, on a funny note, I did hear back from one of those 700 applications just yesterday.

[00:23:53] CS: Really? Whoa.

[00:23:55] DG: You would have thought by this stage I probably would have gotten rid of my resume. But apparently, it was still out there. But I graciously declined because I'm very happy where I'm at Optiv. And it was weird that they were reaching out after three years of silence.

[00:24:11] CS: Three years. Wow. I don't know if this is even possible. But I'm wondering if we can do sort of like an alternate timeline here. You've said, "I wish I just enjoyed the time off. I sent out 700 resumes." Can you sort of imagine like what a more – if that was just a good learning experience? Or if there would have been a specifically better way of doing that than just firing those 700 resumes into the void like that?

Obviously, you mentioned networking, and mentors and so forth. Can you talk about a way of crossing the gap between the 700 scattershot applications and maybe 50 targeted really good ones? How did you get to that point where you –

[00:25:01] DG: Well, and that was a lesson I had to learn, right? And so, I'm happy to share with others now to save them from their 700 applications.

[00:25:09] CS: Yeah. Right. Right.

[00:25:11] DG: But it is truly looking at the job description and making sure that you have a clean resume that the resume reader can actually scan and read. And have those first bullet points be matching that job description. Because that right there is the most critical component of it.

I made it all fancy. I had pictures. I had bullet points. I made sure all my spacing. And to be honest, it's a Microsoft Word, black and white. Boom. Boom. Boom. Boom. Boom.

[00:25:42] CS: Yeah, text format kind of –

[00:25:44] DG: Yeah.

[00:25:45] CS: I mean, something like that, right? There's no – you can't – like it rejects like that decoration –

[00:25:48] DG: It immediately rejects all that fancy everything I made sure I had in my resume. But now as I review people's resume, I tell them right off the bat, "Get rid of the picture. Get rid of this. Make sure it's just black and white rich text. Because that's all those scanning things are looking for."

[00:26:08] CS: Okay. Now to that end, is there a benefit for the artistically-minded among us? Is there a benefit to having the RTF doc go through the machine and then maybe on your person-to-person interview giving them the nicely photographed? Is there a benefit to still making it I guess is my question?

[00:26:28] DG: I think when you talk to those people in person and have that face-to-face conversation, that's when you can give them the pretty one. Because then you want them to recognize your face as they go through the pile. I agree with that. Yeah.

[00:26:39] CS: Yeah. And you can walk them through a demonstration about you.

[00:26:46] DG: The storyline of who you are and where you got to where you are. Mm-hmm. Absolutely. Mm-hmm.

[00:26:50] CS: Absolutely. Continuing on the theme that we just discussed here, many guests have said that if you have the passion and the affinity for problem-solving and the inquisitive personality, the tools you'd use on the job can be taught in the first few weeks on the job, which is definitely true in some cases. But even more than that, not everyone knows, but regular listeners of the show know because I never stopped talking about it. There're plenty of careers in cybersecurity that required nearly no technology or experience. I mean, whether it's compliance officer, or a threat model, or numerous other jobs. You can leverage your existing skill set into a cybersecurity career. Dara, what are some common paths that you see mid-career job changers excelling in based on what they did before?

[00:27:34] DG: Oh, you name it. I'll go back to my tech team hates when I open up my laptop because I don't have those tech skills, right? I have the business acumen and the relationship building acumen. Absolutely, there're many other facets of cybersecurity that you can get into.

There are law firms that focus truly on data privacy and incident response. I've seen professional writers go from – English teacher, English college teachers, professors, to experts in technical writing. I've seen health professionals also become CISOs because of their expertise in HIPAA. It truly becomes a lifelong learner that wants to excel in the career changes. And you have to have that desire to better yourself.

Again, you don't have to be the tech guru that counts the zeros and ones or what they magically know how to do on the tech side of things. But you can have that business focus. There's HR that focuses on cybersecurity. There's marketing that focuses on cybersecurity. There's so many other avenues that people can get into. And even contract writing. Helping people understand the sales team. If you're really good at sales, you're really good at cybersecurity sales. It can vary from career to career.

[00:28:56] CS: Yeah. If you're listening and you're an HR person or a hiring manager, I apologize for all the times I dunk on you for all the gatekeeping. But as we talk about the gap between the unicorn candidate and the people who you should be at least interviewing, or if you have pull with them at your company, what tips do you have for HR or hiring managers for resolving these contradictions in the creation of job posting or the very nature of where you look for candidates at all?

We say it would be great if they stopped using the APIs to sift out these things. And you said, obviously, one way to get around that is to like have your resume be clean for gene and really give them exactly what they want to put in their hands. Can you talk to the other side of that? Is there a way of sort of loosening the aperture in a way that more candidates who don't know enough to do that but might still be great could still get in?

[00:29:52] DG: Absolutely. We can talk about that because the gap does exist. But we have to understand that, as an HR company, we don't want to dog on them. Because those gatekeepers do exist for a reason. Every LinkedIn application probably receives a thousand applications. And so, if you're one of a thousand applications, you want to make sure yours does stand out. But that HR person does not have time to read all 1,000 applications.

[00:30:17] CS: Yeah. The person who's a specialist in partying or something like that who just sends it to every job ever.

[00:30:22] DG: Right. Exactly.

[00:30:22] CS: Yeah. Right. Right.

[00:30:23] DG: That's why they do have those gatekeepers in place. And truly, the gap does exist. And I believe that the wrong stakeholders write the job descriptions. And we need to understand that the actual managers looking for those candidates, they need to be the stakeholder that's writing those job descriptions. And they're the ones providing those to the HR manager.

Because sometimes people will just look at the shiny new terminology and put that into the job description. And it may not have anything to do with that particular job. And so, what we need to make sure is that if the SOC, security operation analyst, and the security operations manager, those two people need to be writing that job description for the security analyst. Not the talent acquisition person. That person needs to receive it from the appropriate people and say, "Oh, that's what the job description should actually say."

And make it truly align with the day-to-day activities or the operations of that specific person. Because the talent acquisition team, they're fantastic at what they do. But they also need to be helped and focused in the right path. Because we can't expect them to know what the security analyst does on a day-to-day basis when the talent acquisition person should be writing their job description. Because they do hire for those too.

And that's why we need to make sure that the correct stakeholders are writing the job descriptions to align with the correct positions. And I think the understanding of who do you know, that's going to help us find those unicorns. Because there are those positions within every organization, that is very unique.

I mean, a cyber insurance specialist is a very unique position at a cybersecurity firm. The question of who do you know, that does come into play. I guarantee, someone on your team knows someone that can work and fill the need at that time. We don't have to be filling out thousands and thousands of resumes or online portals just to make sure because we have the opportunity to say, "Oh, I do know the person that fits all of those characteristics."

[00:32:33] CS: Right.

[00:32:33] DG: So utilize your network.

[00:32:35] CS: Yeah. I almost wonder if there might be like also a benefit to almost at the application stage telling them exactly this is what we want you to submit. Because a lot of the – like you said, the thousand, phony or not phony, but not so great applications are just people just indiscriminately pushing a button. And there're so many of those sort of thought exercises where it's like you have to read the entire instructions first. And then at the end you're like, "Oh, you should have read them. I don't do any of the stuff. Just put your name at the top." You know?

And if you tell them like structure your resume this way on the application page and explain how you came to this and blah-blah-blah, I think that's – yeah, I think there's probably just so many different ways. Because yeah, you're right, a lot of times a thousand worthless applications will come through. But then the opposite happens as well where it's so choked that you might get one application or no applications and you're like, "Well, apparently no one wants this job."

[00:33:33] DG: Right. But if you walk the people through, that also shows the person that's filling out the application, they have some stake into the game as well. They've read through all that criteria and said, "You know what? I can meet this. I can do this. I can meet all of this." And they've taken the time to be a stakeholder in their own application process.

I think that would be an excellent avenue because then you're not going to get those weird ones where they're just putting their resumes through just to get a resume count for the day. I think it's going to cause everybody to pause and say, "Okay, let's look through this in a more cohesive brand and work together with the organization as a whole."

[00:34:11] CS: Yeah. I mean, that's sort of an HR axiom of many years, is that you're – once your company hires you, they want you to succeed. They're not like trying to get you to fail because they don't want to hire somebody else. And it's like the applications people want you to succeed at showing them what they want to see because they don't want to look at 5,000 more applications in the next two weeks.

[00:34:31] DG: Right. Exactly. Exactly.

[00:34:32] CS: Yeah. Yeah. Yeah. Please just give us what we want and we can finish this whole thing.

As the president of the Arizona branch of WiCyS, what specific advice do you have for companies to find, attract, encourage and retain women and diverse candidates in cybersecurity role? And if you're a woman, BIPOC, LGBTQ+, physically disabled, neurodivergent or have other traits that make you more invisible to far too many companies, what are some resources, strategies, or people, or mentor groups who can help you to be seen and hired and promoted?

[00:35:07] DG: Well, wicys.org is a great resource. They actually have affiliate organizations that fit all of those needs within their website as just a click on the link right there. They have virtual career fairs. They have job boards. They can connect people. They have sponsorship opportunities for classes, for certifications. They have webinars. They have professional development. They have community organizations. And they have student affiliates to connect with as well.

People can get that in-person network. They can create their larger community of cybersecurity professionals. And they have a general resource of abundance of resources on their website.

DEI is now not a new concept, right? But it has recently gotten a lot of new more attention. Reach out to local meetup groups as well. Provide additional opportunities for you to network in-person. Because, again, who do you know? Who do you know that's for this? Who do you know that does this? Who do you know that – and those are always great questions to ask at an in-person networking event?

There're cybersecurity summits and conferences, gosh, weekly. Everywhere you look, you can just type that in and find one that you can go to. And of course, the Infosec Institute is a great resource as well along with Google and LinkedIn. They all come in handy when you're trying to create that network and find out where you're going to be going towards next to get hired or promoted.

[00:36:36] CS: Yeah, thank you very much. I've had the pleasure of talking to and working with organizations at bringing women and more diverse groups, people in the cybersecurity workforce, including Women's Society of Cyberjutsu, the Wicked6 Cyber Games, Women in Identity and others.

As we start to wrap up today, if people want to get involved in Women in Cybersecurity, not necessarily in a looking for a job, but in a helping others capacity to take advantage of these programs, how should they sort of reach out? And if they want to give back in that way, how can they do that?

[00:37:12] DG: Wicys.org will get them to connect with their local affiliate of wherever they're located at. For example, the people here in Arizona can go to wicys.org and click on the Phoenix, Arizona affiliate link. And immediately the information comes back to us. And we reach out with our information of who our board of trustees – who our leadership team is? Where our next events are? And we like to have tacos. We're having a taco Tuesday networking night next week, April 18th here in Phoenix. It gives people that opportunity to come together.

I know a lot of organizations and affiliates have strong networking capabilities and opportunities to get together. Sometimes our events are virtual. Sometimes they're in-person. Sometimes we just may meet at the local conference that's here at this Arizona locations. I would definitely suggest that people reach out to the wicys.org and click on their affiliate link and find out what's local to them.

They also published the global calendar. They can also pop in and find out anything that's listed on the global affiliate calendar. If it's a webinar, those are all virtual. It doesn't matter whether you're attending the Washington, D.C. affiliate or the California affiliate. If it's a webinar, you can attend. And again, those are free of charge.

[00:38:34] CS: Love it. As we wrap up today, can we just sort of talk on big picture way? What are some of the big barriers you've seen to bringing more women into cybersecurity? And what can people or organizations do to start breaking those barriers down?

[00:38:50] DG: Well, in a world where the power of the dollar prevails, we must recognize that the economy can impact hiring and layoffs of any sized organization. But we also – as an industry professional, we recognize that enterprise organizations get compromised up to 10,000 times per day. They may not be having that many events. But there's that many of indicators of compromise coming to get them.

The threat actors aren't quitting anytime soon. We need to just continue to learn. Stay up to date with the cybersecurity news. And that will make you the next valuable candidate because you'll be able to speak the language and speak the talk and understand what the current situation is looking like.

Breaking down barriers may take time. But as long as we continue to chip away at those barriers, we have the opportunity to meet new people along the way. And once we break down the barriers, the people are going to be there – the new people are going to be able to enter. We create that pipeline at that workforce of college students, career changers, local universities create – I know ASU has their own workforce pipeline that they're creating specifically for cybersecurity. You don't have to be an ASU student to participate. Again, that creates the workforce pipeline in the state of Arizona.

[00:40:15] CS: Nice.

[00:40:15] DG: One cybersecurity company took a chance on me. Why can't other cybersecurity companies take a chance on others? There're a lot of great opportunities for people to take that one chance and that one leap. And I'm sure there's a lot of people listening today that have, like myself, the opportunity to mentor and bring others into that ecosystem and say, "You know what? Let me give back. Someone took a chance on me. Let's take a chance on you."

[00:40:40] CS: Awesome. Great place to end here. One last question for all the marbles. If our listeners want to know more about Dara Gibson and your various activities and insights, where should they go online?

[00:40:49] DG: I love LinkedIn. LinkedIn is where I share most of my viewpoints. They are welcome to connect with me on LinkedIn, as well as WiCyS Phoenix, Arizona affiliate. We have our own LinkedIn page. And we post something almost every day. LinkedIn, you can find me for sure. I don't post much on Facebook because that's just where I used to post as a family thing. That's more social for me. But professional, definitely seek me out on LinkedIn.

[00:41:15] CS: That's great. Yeah, no. Yeah, it's invaluable and not just a punch line for standup comedians about whatever.

Thank you, Dara. Thank you so much for joining me today. Getting our listeners excited to keep pushing through towards their goals. This has been super inspiring.

[00:41:33] DG: Well, thank you for having me. I appreciate the opportunity.

[00:41:37] CS: Thank you, and thank you all who have been listening to and watching Cyber Work podcast on a massive scale. The numbers just keep growing. And we couldn't be more thrilled. Thank you for all the new subscriptions on YouTube and all the new join-ups on various pod catchers. We really appreciate having you along for the ride.

Before I go, I just want to invite all listeners to visit infosecinstitute.com/free to get a whole bunch of free stuff for Cyber Work listeners. First up, our new security awareness training series, Work Bytes, which is a series of short films that feature a host of fantastical employees, including a zombie, a vampire, a princess and a pirate making security mistakes and hopefully learning from them. It's so much fun. I've seen several of them now.

Also visit infosecinstitute.com/free for your free Cybersecurity Talent Development eBook. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. You got lots to see if you go to infosecinstitute.com/free.

As soon as you're done here, go check it out. And then go friend Dara Gibson on LinkedIn and tell her that you heard her on our show. And past this prologue, I have a feeling a lot of our listeners will contact you because we have a lot of past guests who have said, "Yeah, they like talking to the guests."

Thank you again. Thanks so much, Dara. And thank you so much Optiv and WiCyS at Arizona. And thank you all so much for watching and listening. And as always, we'll talk to you next week. Take care.

[00:43:07] DG: Have a great week. Bye-bye.

[00:43:09] CS: Bye.
