[00:00:01] Chris Sienko: Every week on Cyber Work, listeners ask us the same question, “What cyber security skills should I learn?” Well, try this. Go to infosecinstitute.com/free to get your free Cyber Security Talent Development eBook. It’s got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more.
We took notes from employees and the team of subject matter experts to build training plans that align with the most in-demand skills. You can use the plans as is or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free or click the link in the description to get your free training plans, plus many more free resources for Cyber Work listeners. Do it. Infosecinstitute.com/free.
Now, on with the show.
[00:00:56] CS: Lisa Tetrault of Arctic Wolf joins me to talk about the adhesives that hold cyber security together. I’m talking about communication, collaboration and strong teams. First, Lisa discusses how public speaking at conferences and events made her a better cyber security professional. Second, she talks about how her work mentoring cyber security students helps them fast track their way into the cyber security community. And third, with her work in organizations like Women in Cyber and CyberX, she helps bring diverse cyber security professionals into the community, builds stronger, more multifaceted teams. And with them, a more multi-faceted face of the industry.
I found Lisa to be an inspiring thinker and leader. And I’m looking forward to having you all meet her as well. So, keep it right here for Cyber Work.
[00:01:48] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week, we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals while offering tips for breaking in or moving up the ladder in the cyber security industry.
Lisa Tetrault is Senior Director Global Security Operations at Arctic Wolf. In her current role, Lisa is responsible for spearheading external and internal initiatives run by Arctic Wolf’s SOC team. With over two decades of experience in the cyber security and enterprise technology industry, Lisa has worked for powerhouse companies like IBM and Blackberry.
In her spare time, Lisa also volunteers her efforts towards groups like CyberX and Women in Cybersecurity to help mentor the next generation of cyber security professionals. And that’s what we’re going to be talking about. We’ve got some very good skills that we can talk about in terms of career development, in terms of soft skills, in terms of, as you said, enabling the next generation, which are all things we’re very excited about.
Lisa, thank you very much for joining me, and welcome to Cyber Work.
[00:02:54] Lisa Tetrault: Thank you, Chris. Excited to be here.
[00:02:57] CS: Thank you. And I’m excited to have you. To start with, I’d like to get to know our guests by tracing their interests and their sort of origin story. So, where did you first get interested in computers and tech? And what specifically drew you to a career in cyber security? I mean, I see that you had a bachelor’s in computer science and software engineering. So, I’m assuming it goes a while back. But what kept you excited about it initially?
[00:03:20] LT: I’ll probably date myself here. But I loved the Atari.
[00:03:25] CS: Oh, yeah. 2600?
[00:03:27] LT: Yes, exactly. I love playing video games. Dodge ‘Em was my game of choice. I don’t know if you remember that game or heard of it.
[00:03:33] CS: Absolutely.
[00:03:34] LT: Early in my life, my dad actually brought home a computer. And I remember breaking it. Continuously breaking it. But I was fascinated with it.
[00:03:45] CS: Breaking it by trying to learn more about it?
[00:03:46] LT: Absolutely. Exactly. My dad always knew that I had been playing with it, because he would come home, turn it on, go use it, and it was broken all the time. So, it’s quite fun.
[00:03:58] CS: “Lisa!”
[00:04:00] LT: Exactly. Exactly. But I also loved playing boardgames and puzzles. And I played a lot of sports growing up, individual and team sports. My preference is always team sports. And when I reflect back on Cyber, I believe that cyber security is really a big team sports game. Because while we have very smart individuals here, there’s like a lot of creativity that happens. And we’re more effective as a community operating as a team and solutioning ways and either stop bad actors or solving puzzles and problems. That’s kind of how, when I reflect back, all those things together got me kind of into this. So, the Atari, the computers early on. And that’s how I kind of got into it.
[00:04:43] CS: Yeah, the problem solving and the sort of build and rebuild, and the sort of test for stretch vectors, plus the sort of team component. I mean, I feel like you’ve just sort of said cyber security without saying cyber security. That’s really interesting.
[00:04:56] LT: For sure. Yeah.
[00:04:57] CS: Yeah. I like let’s get a sense of our guest’s career journey by snooping around your LinkedIn page a little bit. I wanted to ask you about how you move from a network analyst to network technician, into data analyst for IBM and Blackberry, to your current role as Head of Global Security Operations at Arctic Wolf. Is there a point where you wanted to move away from networking and data into security? Or was this the progression that you sort of envisioned all along?
[00:05:24] LT: Yeah. Let’s back up just even a little bit further into my undergrad. Let’s start with even high school, I enjoyed math. So, I decided to go into an undergrad at Western University in London. And in high school, I was kind of exposed to like dial-up internet there. And I think maybe it was even in high school again. Maybe university. It was almost like a journey like many others. There was progression that many people evolved into.
I was good at math. I wasn’t really passionate about it. And then I found this course in university, this CompSci. I loved it. And then I did this internship at the bank. And in Canada, you did it for 16 months. You took a year off in university between third and fourth year.
And what I ended up doing was I got this internship and it was in – I did scripting. And what happened was there was a reorg at the bank, and I ended up in the networking team. And there, what happened, was I found this passion for networking. I had not been exposed to any of my university at that point to networking. And I hit the jackpot. I found I hit the jackpot. And then I got exposure to firewalls, routers, switches, and internet connectivity, and how all things worked. And I found it I love this. And so, how systems were connected?
And then I realized like all the fun things happened at night at a bank, because people bank during the day. And so, you did all the planning for changes. When customers were banking, you did all the planning. And then at night, you got to actually play with things.
[00:06:58] CS: Interesting. Yeah.
[00:06:59] LT: Yeah. So, I ended up finding a passion with operating things and incident management. All of my journey and kind pivoting around ended up being an operations in incident response. The majority of my learning happened during those pieces.
I pulled that through over my career at large – like, all those enterprise companies that you had mentioned, like, IBM and Blackberry. And then stand by. And so, I dabbled in a bit of security and incident response. And then I ended up in security operations.
And so, each of those companies, it kind of taught me a little bit about being in security at each point. From interfacing with customers and then when situations were really difficult or when customers are in their darkest moment, I was able to kind of help them out. And then I learned in each of the career, each of the aspects of my career, how to conduct post-mortems, or how to – lessons learned. Or access in least privileged. Or preventative measures. Hardening of systems. I learned at IBM auditing, and SOC 2, and ISO controls, and insider activities. And each piece of it was like teaching me a little bit about the other.
It wasn’t like I saw something and I pivoted. It was I evolved and I took on something new. And it was always a new project. Or I always had that network theme, but then I would end up in learning something more about security. And at one point, it was like, “Okay, enough of this doing a side hustle of security. I’m just going to go all-in.” And I had all these pieces of security that I had learned along the way. That’s how I ended up here. And so, all of those things prepared me. And then it was a natural movement in there.
[00:08:39] CS: Yeah. And again, listening to the enthusiasm you had for networking, again, just speaks to your excitement about problem solving and sort of clearing blockages and things like that. And the way all of it is like you’re a really major player in sort of making a finished working product like that. And that excitement has absolutely sort of fueled your career car the whole stretch of the way.
[00:09:08] LT: Absolutely.
[00:09:09] CS: Yeah. Thank you for the walk-through history there. Lisa came to our podcast with some topic ideas that I think are absolutely crucial for cyber security professionals at all points in their careers. We have had many guests talk about things like networking, and security, and the nuts and bolts, and the DNS over HTTP and all that kind of thing. And those are crucial as well. But I’m very much into the idea of the professional development, the soft skills, the “soft skills”. We talked about that. They’re actually pretty hard sometimes. But at least I wanted to talk about how public speaking and presenting keynote speeches has helped her become a stronger security professional.
Our listeners are probably tired of hearing me talk about this, but I’ll just keep saying it anyway, a hugely deficient skill set in security is the ability to communicate, whether in written reports, presentation to your team, or your C-suite, or even telling conference attendees about your findings. There’re only so many scanning tools you can master. But you can always improve your communication game.
Lisa, can you tell me about your public speaking experience? Your personal approach to communication? And how this improved other aspects of your security skills?
[00:10:21] LT: Sure, Chris. I attended like many conferences over the years. And I quickly realized that many of them were telling sharing their experiences and their stories. And a lot of these experiences I also had. I started by smaller conferences. I did a few webinars. And they were short. And a lot of them were online. So, I could use little cheat sheets. That also helped me kind of get out there and not really worry about having people in front of me. I wasn’t so scared, right? And I did a few webinars that way. And then I talked to students who were breaking into the space. It wasn’t so daunting having all these experts out there getting the cold feet.
And then as I grew confidence and I built that confidence, I was able to speak at larger conferences. I put in a long shot proposal for a larger conference. It was a topic about a couple of anonymous compromises and breaking into the field. Something that my team and I were kind of dealing with on a daily basis.
And I actually took for granted something that I dealt with all the time and didn’t realize that others really didn’t understand and deal with on a regular basis. And I kind of poured hours and hours into preparing for it. And afterwards, I was kind of bombarded with feedback from the conference from a lot of people coming up and talking to me.
And then what I kind of realized was it was such a great way to also network. People were coming up and saying, “Oh, can we talk about this? Or can I ask you a question about that?” And it ended up spawning off other ideas, other conference talks. So, “Oh, they want to know about this.” And sort of getting the same questions about something I had talked about that I also knew a lot of about. It ended up being a spiral event. So, “Oh, I never thought of that.” And then I ended up – that was the next topic that I would present at the next conference.
And it ended up being really good. And then I would meet these people and I would go to their webinars or their conferences. And there’s a couple of people I actually met when I was there. And recently, for instance, I had a training curriculum. We were trying to build on one of the training things that we were doing at our company. And one of the ladies that I had met with, she’s in the training space. And I had reached out to her. And then it’s like it’s kind of we’re building off of each other’s skills.
And so, what I learned through this whole process was how to articulate on a slide what that looks like. The thought process about using fewer words to get your point across. Being articulate. The preparation. And really what helps me do is be more articulate and thoughtful about my words and how to kind of bring people in.
I’ve been to many conferences, and a lot of time on these conferences that you attend, you get a free ticket if you are a presenter. If you like going to conferences, and you like to attend them and hear what others are having to say, that’s a great way to attend, right?
For me, it also helped me learn a lot more about areas that I’m not as confident about, or understood, or skilled, or what have you. And it also helped me kind of pivot into other areas of cyber that I’m not well-versed in. That way, I mean, for me, if you’re able to articulate your thoughts and your views, you’re better able to represent what’s needed in the cyber community. And it also advances your career. I mean, it’s a twofold. It’s a 360, and it really helps you along the way.
[00:13:59] CS: Yeah, I love that. I want to sort of break into a couple of those things. When you said when you were doing it online, you had cheat sheets to help you along. Now, in more recent times, do you speak extemporaneously? Do you speak from a script? I mean, when you say cheat sheet, do you mean you had the facts at hand in case someone asked you a question? Or –
[00:14:24] LT: Yes.
[00:14:25] CS: Oh, okay. A lot of times, you practice. You’ve got your bullet points. You might have a fact sheet. If you wanted to weave in a fact into something you’re presenting, you have your source and the percentage, if you had a bullet point of percentages. Or you obviously need to prepare. You can’t be reading your notes through, because people will obviously know.
But you present. You practice. That type of thing. But then you’re able to articulate your words. And it comes kind of naturally there. And then it’s kind of like your crutch. Because sometimes when people present in front of people, they’ve got their notes, and it’s their crutch, and they can kind of look down. It’s not necessarily as obvious if you’re online. I mean, people see that you’re reading, but you still have your bullet points there.
[00:15:13] CS: Yeah. Do you have any tips for sort of breaking the scripted crutch to get rid of the sort of training wheels? Because I’m assuming that it’s a lot more engaging if you’re able to sort of speak extemporaneously and not get freaked out by and stuff like that. That feels like sort of like learning to play piano with two hands. Like, one day you can’t do it, and then suddenly you can. Just keep trying. But like, what are your tips for doing that where you can just take bullet points and turn it into sort of free-flowing awesomeness?
[00:15:45] LT: Yeah. What I used to do when I was practicing for anything like that is I would definitely do a lot more – I would start with a lot of words. And then I would pare down my words into shorter sentences. Practice. Practice. Practice. I would do slide by slide. And I would just nail down the slide. And then I would start shortening up those sentences. And then I would get it down to a word. And then I would just go and go and go.
And it takes hours to practice a lot, especially your first couple. And then as you do this more often, a lot of times you just repurpose. And when you repurpose your slides, you know what you’re saying. And it comes with time.
[00:16:26] CS: Yeah, it gets easier. Mm-hmm.
[00:16:27] LT: Yes, it does get easier. A lot easier over time, for sure.
[00:16:30] CS: Okay. The other thing I wanted to go back to a little bit was learning from other people at presentations. Can you speak to maybe do you see that there’s maybe a feeling amongst people who might want to present at these things that they just want to get their information out there and don’t care about all the rest of it? How do you sort of communicate with those people the importance of adding your words to the community, but also taking their ideas back and strengthening yourself?
[00:17:05] LT: From like a new student perspective? Or –
[00:17:09] CS: Yeah, someone just getting into the game. And again, I’m speaking [inaudible 00:17:14] here. But I think when you get started, you feel like you have those sort of like I have this one piece of information that I can impart. And you get a little worried if you’re asked too many questions about it or whatever. And so, maybe you don’t look too far left or right or whatever. But if you’re feeling a little like tight, you got the cold feet, you got the whatever. And again, I’m imagining that if you’re seeing lots of other presentations, you’re seeing people at different levels of competency. And maybe that would help with your own sort of concerns. But, yeah, I just wonder if you had any thoughts about that.
[00:17:49] LT: Sure. Yeah. A lot of times what I find is that local meetups. And you don’t have to go to the big conferences. But smaller conferences, BSides. You can also do blogging. You can write some sort of an article on LinkedIn. There’re other ways to share that information out. It doesn’t necessarily even have to be public speaking.
You can also – I know there’s like cyber security meetups here locally in our chapter in Waterloo. If you’re a student, there’s local chapters there. Come to your chapters that you can join and share, and practice sharing that information, and get feedback. And then when you get that feedback, what you do is you iterate on it, because there might be a point of view that you didn’t consider. And then, again, that goes to that whole iteration that I was talking about. When you present something, somebody gives you some other aspect of it that you hadn’t considered. Or, “Oh, I didn’t even make that pivot or that connection.” And then you go away and it gives you another topic.
From my point of view, there’s other mechanisms. A podcast. I mean, you can go talk to somebody on a podcast. You can blog. There’re other ways to get that message out too for sure.
[00:19:00] CS: Yeah. Related to that, if you have students or people just getting started who want to cultivate this skill, but they maybe don’t have venues to do so obviously, I think podcasts or local meetups is a great point. But do you have a way of sort of getting your name out there as sort of a beginner who could speak at these conferences even if it’s at the beginner’s table or whatever? How do you sort of promote yourself in that regard?
[00:19:33] LT: For sure. A couple of team members that I had been mentoring, I had them start to do some Toastmasters, for instance, because they were very, very scared to get out and present. First, let’s start presenting on a topic that has nothing to do with cyber. But just get out there and get that muscle kind of – start to develop it.
I also find that getting out and introducing yourself to people at an event is another step. You can start to develop those things. And talk to them about something, anything, is also putting yourself out there if you’re not really sure.
Co-presenting is another way, because you can talk about a topic. And maybe you alternate on slides or thoughts, a part of the presentation. It’s not so daunting especially if you’re co-presenting with an experienced presenter. Because then they’re also going to impart on you some of the knowledge that they have and experience. And they can practice with you.
I remember when I was first starting to present, I also recorded myself. And I would record myself. Then I would go back and say, “Oh, I didn’t like how that was delivered. I didn’t like how that was delivered.” And it would be weeks prior. A lot further ahead you would have to prepare. But then you were able to kind of iterate on it. And so, that was helpful. But being at like a CompTIA chapter or a local WiCyS, which is women in cyber. A local cyber security meetup group is also a great way. Because it’s a smaller group. A lot of times, they’re not recorded. If you love it, it’s gone. You don’t have to worry about it. There’s no social media for you to remember forever and feel terrible about it. And that also kind of helps you.
Another thing that I learned to do early on my career was have somebody in there that you trust, and have them give you true and honest feedback about what you did well and what you could work on. And then you have that person that will kind of give you that feedback. And then you know what you did well. Because I think a lot of times, we’re so critical of ourselves. When we go into these things, it’s like, “Oh, that went really well.” You would have never thought. I just want to focus on what I need to do next or getting to do better, right? But you miss your wins. So, having that person there will also kind of help you.
[00:21:57] CS: Yeah. As someone who has to go through his own podcast to do various clip timings. Also, the skill of being able to listen to your own voice without upchucking is going to take a little work. But it is worth it.
[00:22:09] LT: For sure. For sure.
[00:22:10] CS: Because there’s those certain days where it’s like I have to get this done. But I’ll have to listen to myself for an hour. And it’s not great.
[00:22:18] LT: Finding a friend to edit might also be good.
[00:22:21] CS: Oh, yeah. Yeah, yeah, yeah. If you got the money, do it. We’re speaking mostly here about people who want to break into public speaking in the security space. But if you’re someone who is terrified of it or don’t consider yourself good at it, but also you know that you have to do it, do you have any suggestions for making it, if not fun then, at least tolerable?
[00:22:45] LT: Yes. I think just setting some milestones for yourself is probably a good thing. Again, if you’re at a meetup and you just cringe at even talking to people, make it a point to, “I’m going to introduce myself to three people.” Finding people that are like you and doing it together is also a good thing to do.
You don’t have to start out with public speaking to get your message out. If that is something that you have to do for your career or a developmental item for you, then that’s what you have to do: lean in and find like-minded people, or mentor, or somebody that can help you. Again, I really like the idea of co-presenting. Like, someone who has that muscle. There’s a lot of conferences that do like the co-presenter.
Another thing that really works for presentations is there’s some conferences that do workshops. You don’t have to stand up there and talk the whole time. You give people homework or like work to do. They do some work and then you kind of present at that. That gives you a break. It’s not all about you. It’s kind of in the audience. Those types of presentations and workshops go a long way for a lot of people. That’s also another one, a style of workshop that works well for people that are in there that have expertise to share.
[00:24:12] CS: Yep.
[00:24:13] LT: And I assure you, communicating with people over time, like, you’re going to develop a better skill set and comfort level. And again, you don’t have to start out with public speaking blogs, sharing information. You’ll get it down. You’ll get it down.
[00:24:28] CS: Yeah, I know that if I’m at a conference and feel like kind of adrift or whatever, if I know a few people there, I’ll introduce myself to people I already know. Because you get a few wins going. And then you’re like, “Oh, this is easy. I don’t know what I was worried about.” Then you can just start just pressing the flesh to your heart’s content. Yeah. Yeah.
[00:24:45] LT: For sure. Even extroverts. I’m an extrovert. I get peopled out. If you’re more introverted in nature, I understand. I understand. It’s not something that you – You sometimes have to get dialed up for it. Having the conditions right if you’re in a place where there’s a thousand people, it’s probably not the great condition. Leaning yourself into like a better condition that’s more for you, like a smaller conference, is probably a better place for you. Consider those conditions that would set you better up for success is another area that I would suggest.
[00:25:22] CS: That is an excellent insight. Thank you. Another topic that you mentioned that you’d like to discuss that I’m very excited about is volunteerism at a student and university level to help the next generation of security professionals to achieve their goals. I’ll say that a number of my guests have described their extensive mentoring experience, albeit, maybe mostly to workplace professionals. But I’ve definitely seen that a nice chunk of the security industry sees the benefits of paying their gifts forward and receives as much back in return.
First off, do you work with any existing volunteer or mentor groups? And if so, can you recommend places to start, to start looking for places to put yourself into?
[00:26:02] LT: Okay. A lot of the universities and organizations have groups that do this as part of their organization. I’m just going to list off a couple. On LinkedIn, I would suggest you create a profile and then follow cyber companies and programs, first of all. If you’re a student at a local chapter university, there’s groups like CompTIA groups or WiCyS groups. There’re all sorts of groups there. And many businesses are starting to do talks with affiliates, and they’re supporting those groups. Get in there, because they also offer mentorship. Even like a one-time mentorship or an ongoing mentorship.
Join a club if you are or even if you’re not a student. Blacks in Cyber, WiCyS, Out In Tech, Cyberjutsu. Again, many of the businesses are starting to sponsor them. Go on Twitter. Twitter has a lot of followings there. And a lot of the companies there, they’re giving you a lot of insight. And when they tweet things out, they have mentorship programs now. There’s a lot of opportunities to have out there now, like programs once a year or twice a year that say, “Hey, we’ve got this mentorship program that we’re kicking off. Please come and let us know.” Apply. Attend these.
There’s a lot of affordable local conferences now, like BSides for instance, that they also have mentorship opportunities there. And for me, a lot of times I’ve had cold calls with people that have said, “Hey, I’m following you on LinkedIn. Your path through networking has been intriguing. I’m doing a pivot into cyber. Can I just have a conversation and see? I just have a couple of questions.”
I am very willing – I think a lot of people are very willing to have conversations. I know other people may not have the same experience. I know I very much am open to having conversations with people. I also know a lot of my staff are very open to having conversations with people. And these meetups that I’m talking about, you find them, they’re free. You meet up. And you have the conversation there too.
[00:28:08] CS: Yeah. Now, what sort of things do you do specifically as a security volunteer with students? Do you act as a career counselor or a sounding board? Do you check their homework? What do you find students need to hear that they aren’t hearing in their educational lives, volunteers, like you’ve been a part?
[00:28:26] LT: Yeah. I think in some of the universities, they sometimes have some industry professionals coming in at night time and do a talk. And I think sometimes the students may or may not make time for industry professionals to come in. They’re like, “Oh, I don’t ever want to work at that company.” And they shouldn’t be necessarily looking at it from a company perspective. That person hasn’t only worked at that company a lot of times. They’ve worked at 20 other companies, or five other companies. And they may have had a path that is like wildly crazy that have got them there. And they might say something that resonates with them.
First thing that I look for is like what are you looking for? I’m not going to come and tell you. You can’t say to me, “I don’t know what to do with my career.” I’m going to say, “Okay, what are you interested in?” I am looking for somebody with very clear, like, “I am struggling with this.” Or, “What do you want to get out of this?” I’m not going to go and be able to give you a very direct path into certain things. But if you come to me with some direction as to, “I’m struggling between this and this.” I’m going to say, “Well, do you like this? Or do you like that?” Or, “These are the things I enjoy. These are the things I don’t enjoy. Let’s have that conversation.” Or, “I can’t break this into this. Let’s have a different conversation.”
The more narrow you are on what you’re looking for in a mentor, I think it’s a lot easier it is for the cyber community to help you, if I’m being honest. Because that clarity is going to help you get the answers you need. I’m going to tell you right now, I am a lot more effective as a mentor to people. And I’m also very picky with my mentors. Like, I might have like nine mentors at any given time, because I’m going to them with a very specific skill set. I’m looking to develop this. You embody this. This is what I’m looking for. And they help me with that. That’s what I find to be useful for me. It’s worked for me.
[00:30:32] CS: Yeah. Well, I’m glad you also mentioned the part about not handing it directly. I didn’t want to interrupt before. But we have another former guest who, every time she’s on, she gets 50 requests for and things. And she said so many of them get on a Zoom call with her for five minutes and say, “I don’t know where to start. I don’t know –” And then just kind of like can you cut my hamburger up for me? Or something like that.
You definitely want to be cognizant of not wasting your mentor’s time and actually know what your question is and so forth. But, yeah, I think there’s a lot to be said for – I think everyone in college feels already a little bit. Or studying independently feels a little unmoored in terms of like what is this all for? And how do I apply it appropriately? And so, it is definitely super helpful to get someone with real-world experience who can say, “Yeah, watch out for this.” Or, “Don’t spend so much time on that.”
[00:31:35] LT: Yeah, I always tell a lot of people that I talk to, like there’s this thing called the NICE framework. NICE. And I tell people like that is the world of cyber. All the jobs you can think of, all the disciplines. It’s huge. So, when you say, “I don’t know what I want to do.” I’m like, “I don’t even know what I want to do.” If I don’t know what I’m going to do, I’m certainly not gonna be able to help you know what you’re going to want to do.
[00:31:58] CS: Right. Yeah. But the good news is, is that there’s plenty of activity sheets that you can sort of print out and say, “If you like this, then try this. If you like this, then try this.”
[00:32:07] LT: Exactly. And this is what this would look like. And this is what a day in life of this looks like. For sure.
[00:32:13] CS: Yeah. And it’s another thing that I say way too often, but like no decision you make is permanent. If you’re like, “This seems like the best thing ever.” And then you’re like, “Ugh! This is the worst thing ever.” Then do something else. Yeah. Do something else. It doesn’t really – it’s a-okay.
[00:32:27] LT: For sure.
[00:32:28] CS: You also mentioned in our initial conversation that you work with groups like Women in Cybersecurity, and CyberX. And you just mentioned Cyberjutsu, which we love, in efforts to bring more gender diversity into the industry. We’ve talked with many guests over the years about the places where cyber security has implicitly and at times explicitly been unwelcoming to people of diverse genders, races, economic backgrounds, degrees of able-bodiedness or neurodiversity. What are some of the specific strategies that organizations like Women in Cybersecurity and CyberX are using to make hiring creating and leadership roles more accessible to women and other diverse candidates?
[00:33:10] LT: Sure. I think awareness is one fundamental area. But I think they’re developing programs and pathways in support of pipeline development for diverse talent pools. And that’s helping the community see more success on this front. There’s a shift going on right now to attract, retain and grow resources. Attracting new talent into cyberspace, that is happening. And I think companies and organizations are now finding candidates that historically didn’t exist or they didn’t have.
I don’t remember anyone coming to my school when I was a kid suggesting that girls should be in STEM or a related field.
[00:33:47] CS: Oh, for sure. Yeah.
[00:33:48] LT: I just don’t remember that happening. And I know that I’ve actively been doing outreach personally. And I know that that’s happening. I know we’re not yet reaching all of the schools. Like, I know that there are underrepresented groups that we’re not hitting their schools yet. And I know we need to. There are strides happening that are kind of making that happen. We’re just not there yet.
I think retaining is an interesting topic. I think companies are very much aware that retaining talent is a key factor. We need to see more companies invest in their employees. There’s a lot of opportunities to go to other companies right now. And if you don’t treat your employees well and invest in them, the underrepresented, the diversity of thought, I think somebody else will.
In Women in Cyber and CyberX give underrepresented groups the ability to also have a voice in a community, that if you don’t have that in your own organization, they do feel like they have that. That’s a great win in my opinion, and something that is very valuable there.
Growing resources. I think really investing in careers, in development as a person. We want our people to have long and rewarding careers with companies. Many studies show that this is something that generation – Like, one or two generations ago, they stayed with companies for a very, very long time, right?
[00:35:14] CS: Oh, yeah. Oh, yeah. Mm-hmm.
[00:35:15] LT: And I think if you find a way to keep an employee growing in their career, they’re going to be wildly successful as an organization. And I think WiCyS and CyberX is tackling these problems very well and bringing like-minded people together, and giving them a voice, and training, and supporting in a platform, and then connecting businesses to solve this very problem. But there is also a school I need to give a big shout out to, is the Rogers Catalyst Program at Toronto Metropolitan, or Rogers Cybersecure Catalyst program. They’re doing such wonderful things for diversity and those transitioning in their careers as well. Those organizations are really trying to capitalize on like finding spaces and helping people kind of get in there. I think that we’re not in a place where it’s perfect. But I know that there’s active movement in that area to do something different. And that’s good, right?
[00:36:13] CS: Yeah. Yeah. I mean, in the four years that I’ve been hosting this podcast, I’ve seen the conversation change slowly, but real. Originally it was, “Well, why hire diverse candidates? We just look for diverse thought.” And then it grounds slowly towards, “Well, we’d like to hire diverse candidates, but they just never answer our job listings.” To sort of a slowly growing understanding of the need to change the way you market your job listings and where you advertise your job.
Where are you seeing us still falling failing on the job in this regard? And especially in terms of mobility within the organization. How do we go about addressing job mobility in a way that we don’t end up having a diverse SOC, but a monocultural c-suite?
[00:36:56] LT: Right. 67% more job seekers are now looking for diversity according to bgc.com. How diverse leadership teams boost innovation. That was one of the quotes I had on a cheat sheet note. Okay? Which is good. This is a good thing. I think many companies have started to develop programs for up and coming diverse and underrepresented talent. I know a lot of companies have executive coaching and mentorship and training programs to show up this gap. And I think there’s a strong desire for change and visible action by many companies on this front.
I know we’re not all there yet, but I think that there’s a lot more awareness. There’s a lot more diversity, like, a focus on it right now. And I think we’re all coming from a place of learning and trying to figure this out. I don’t think we have the answer yet in a lot of places. But the more we try, and learn, and support these different avenues, the WiCyS, all of – the Blacks in Tech, that kind of thing. I think at the end of the day, if we come from a place of belonging, and inclusion, and diversity, I think this whole ecosystem of cyber talent, it’s going to get better, it’s going to get stronger. And nothing’s going to stop us. We’re going to get this.
[00:38:27] CS: Yeah. Let’s sort of use our crystal balls here. Where do you see these initiatives in terms of diversity of hiring, training, retention? What do you see the landscape like in another four, or five, or ten years from now? What are some of the sort of positive signs that you’re seeing that suggests that things will keep moving in the right direction?
[00:38:53] LT: Well, I’ll tell you. Jen from [inaudible 00:38:55] says, by 2030, I think it’s 2030, she’s hoping we’re driving for 50-50 female-male representation in cyber by 2030. So, let’s hit it.
[00:39:11] CS: Yes. Fantastic. Yeah.
[00:39:13] LT: Let’s hit it. I’m going with her production. Let’s do it.
[00:39:16] CS: Yeah, I love it. Yeah. Yeah, that’s an awesome place to wrap up, and something to work towards here. As we wrap up today, if our listeners want to connect and learn more about Lisa Tetrault, some of the organizations we discussed, and more, where can they go online?
[00:39:35] LT: Hit me up on LinkedIn. I’m on LinkedIn. I’m on Twitter. I will make sure that all my handles – if you hit me up on LinkedIn at Lisa Tetrault. I am on LinkedIn. We’ll put it in the show notes. Can we put it in the show notes?
[00:39:49] CS: Yes. Absolutely.
[00:39:49] LT: Okay?
[00:39:49] CS: Yes, yes, yes.
[00:39:50] LT: I’ll make sure everything’s in the show notes. And I’ll get you my Twitter handle and we’ll connect there.
[00:39:57] CS: Love it. Lisa, thank you so much for your time and all your great insights today. This was an absolute blast.
[00:40:02] LT: So happy to be here. Thanks so much for having me.
[00:40:05] CS: All right. And as always, thank you all who are listening to and watching the Cyber Work podcast on an unprecedented scale. We’ve had a great 2022. And we’re so happy to have you along for the ride. I would like to say thank you very much once again to Lisa Tetrault. And thank you all for watching and listening. This is Cyber Work. We release every Monday at 1 PM central time. Make sure to check us out on YouTube or on your podcast catchers of choice. But until then, we will see you next week. Bye now.