How to become a security awareness manager

Today we're talking about security awareness, specifically about the role of a security awareness manager, with Tiffany Franklin of Optiv. We talk about the importance of C-suite buy-in to a security awareness program, how to create challenging phishing simulators without making employees feel like victims of a gotcha attack and how being a fifth-grade math teacher can make you a better security awareness manager. 

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 - Intro
  • 2:13 - Getting into cybersecurity
  • 3:57 - Instructional design and technology
  • 4:58 - Primary responsibilities in her role
  • 6:38 - Security awareness work
  • 9:40 - What is the division of work?
  • 11:55 - Skills needed for this role
  • 15:04 - Helping people when they fail
  • 17:12 - Daily tasks
  • 18:15 - Highs and lows of the job
  • 22:00 - COVID phishing emails
  • 22:40 - GoDaddy phishing and ethics
  • 26:20 - Creating security awareness campaigns
  • 31:14 - Optimal combo of tech and savvy
  • 34:20 - How to get into cybersecurity
  • 37:10 - Outro

[00:00:01] Chris Sienko: Today on Cyber Work I get to talk with Tiffany Franklin of Optiv Security about the role of security awareness manager. We talk about the importance of C-suite buy-in to a security awareness program, how to create challenging phishing simulators without making employees feel like the victim of a gotcha attack and how being a fifth-grade math teacher can make you a better security awareness manager. That's all today on Cyber Work.

Also, mark your calendars because Cyber Work is going live on the internet of course. Our first ever Cyber Work live episode is happening on Thursday, March 25th at 11 a.m. Central Standard Time. On the show I’ll have three guests, Gene Yoo of Resecurity, Mari Galloway of Women's Society of Cyberjutsu and Vic Malloy of CyberTexas who will be answering all of your questions about breaking into the cyber security industry. You can ask these questions during the episode, but if you want a good place in line, send your questions now to cyberwork@infosecinstitute.com and tell us what you want to know about getting started in cyber security. That's cyberwork@infosecinstitute.com and ask our panel of experts where to get started. That's cyberwork@infosecinstitute.com.

And now on with the show.

[00:01:13] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends are affecting the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cyber security industry. Tiffany Franklin has over 13 years’ experience as a learning and development professional and is currently manager of cyber security education at Optiv. Tiffany and her team developed solutions that address unique challenges of global organizations facing a wider array of cyber security risks including security awareness training program courses, simulated phishing attacks and training reinforcement materials. She has a background in education and has a master’s in industrial design and technology.

So in today's episode we're going to talk specifically about security awareness and more specifically about the job role of a security awareness manager and the skills that you need to have one – To be one rather. Tiffany, thank you for being here today.

[00:02:09] Tiffany Franklin: Well, thank you, Chris.

[00:02:11] CS: So I’d like to start with the usual origin story question here. How did you get interested in cyber security? Like you said, you started out in an education track before moving over the security field. What brought about that career change?

[00:02:24] TF: Yeah. So you may have seen when you looked at my profile, I came from middle school math, which is quite the leap if you will.

[00:02:30] CS: Yeah, I suppose so.

[00:02:32] TF: So I guess you could say I heard I hate math one too many times. I kind of lost it, but no. I think we all know. It's no surprise that teaching is an underpaid, underappreciated field. And as a single woman trying to live off of one salary, I found myself having to work a second job or coaching multiple sports just in order to pay the bills and kind of wanted something more out of life. So I got my master's in instructional design and technology. Did that kind of night classes for a couple years, and out of that came an opportunity to be a courseware developer for a company called FishNet Security, which is now Optiv Security. And eight years later here I am. I guess you could say an accidental cyber security awareness professional.

No. I mean, I think the draw of the type of industry, because I could have applied for several different corporate learning and development positions, but the thing I liked about teaching was that no day was the same, right? Needs were always changing. The students were always changing. Things like that. So cyber security, very much the same. The threat landscape's always changing and you got to keep up with it.

[00:03:49] CS: Yeah. Now, can you tell me a little bit about – I don't know the concept of industrial design and technology. What does that entail as an education track?

[00:03:58] TF: Great question. It's actually instructional design.

[00:04:00] CS: Oh! Instructional. Sorry. Yes.

[00:04:03] TF: Yeah. I mean, industrial. Hey, we could –

[00:04:04] CS: Pull other things.  Yeah. Yeah. Yeah.

[00:04:06] TF: Some pretty awesome stuff with that.

[00:04:08] CS: Yeah. We made some aqueducts. Yeah.

[00:04:09] TF: Right? So instructional design and technology is really being able to craft learning and development concepts, materials, those types of things in order to meet learners where they are with the integration of technology. Now, keep in mind this master's program was 2011 to 2013, so technology has obviously changed a lot even just since then. But that was kind of the verge of e-learning really becoming kind of an industry standard. More corporations were going towards that. We were getting away from pre-recorded DVDs and actually, you know, learning management systems and such. So it's utilizing that, those types of technologies in order to provide instruction versus just standard instructor-led training. Yeah.

[00:04:58] CS: Thank you. That helps, definitely. So your work at Optiv entails helping Optiv clients’ security awareness managers run their program. So what does that entail on a day-to-day basis? What are some of your primary roles and responsibilities like today? Later today, what are you going to go back to?

[00:05:13] TF: Today we're doing cloud security courses. So that's the exciting piece. No. So like you mentioned kind of in my background bio, I have a team that designs, develops and deploys security awareness training programs. Also just program components, because our clients don't always come to us needing an entire program. They just need that final piece into the puzzle to really make it hit the mark. So leading them in doing that – Leading my team and doing that is obviously kind of my number one task, but I often nearly always meet with clients prior to a contract even being signed to just really talk to them about what needs they do have. Uncover some things maybe they haven't thought about. What their goals are and then how our solutions align with that.

I’m also a people manager. So later today I have a one-on-one with one of my team members. Trying to improve their skill set in cybersecurity as well as in the learning and development field. And then on the business side of things, one of my main goals or kind of what I’m tasked with is understanding the budget, running kind of the line of business that we have. Making sure that we're always progressing. Making sure we're meeting client needs and keeping up with the pace of things.

[00:06:39] CS: So our topic today is specifically in the career realm. We're talking about the role of security awareness manager. So most of our listeners I think understand the concept of security awareness as a security principle that don't click the pizza coupon, don't open the spreadsheet you're not expecting and so forth. But what is the work that a security awareness professional does on a day-to-day basis?

[00:07:04] TF: Yeah. So the security awareness professional is going to be focused on people, right? A lot of the individuals that I work with here at Optiv are focused on the technology and making sure we're keeping environments safe and secure. But we're really focusing – The security awareness managers that I work with and my team, we're focusing on the individuals themselves and kind of making sure that the organization isn't only relying on that technology. Unfortunately cyber security is not taught like reading, writing and arithmetic as we would hope it was. So you just mentioned that don't click on the pizza coupon. Don't click on the Excel doc, right? Not everybody knows that, and that's the thing that I have to keep reminding our security awareness managers that we work with, is that we can't take for granted what we know that other people don't, right? It's our job to bridge that gap between the knowledge that the security team, the IT team that they have to the end users.

I think the other thing that they do, security awareness managers do most days, is working with other facets of the organization. So you have your stakeholder, your CSO, CIO, security, VP that owns the program and they're often the budget owner and they have an idea of what they want their program to look like. But then your HR department or your learning and development team is the one that kind of rolls out the training, right? So you're working with them. They may even own the calendar of training initiatives. So you might have to be the go-between between them.

You've also got your marketing department that probably controls internal communications. So if you're sending out things to your end users, you're going to have to be working with them. IT and security, they're going to have most of the data that you're going to be analyzing to make sure that your program is going in the direction that you want. And then if you have any GRC stakeholders, like if you have to be compliant for PCI or HIPAA or anything like that, you're going to have to work with them to make sure that what you're doing in your program meets all of their needs as well. So it's really bridging a lot of gaps. So maybe I do need an industrial design to be able to do that.

[00:09:24] CS: Yeah. We’re going to need some sort of information like super highway here and one of those.

[00:09:29] TF: Yeah. Pretty much, right?

[00:09:32] CS: So speaking of the sort of managerial aspect of it, this obviously implies the presence of security awareness employees that you're in charge of. So in comparison with the bridge building that you're doing as the person doing the security awareness manager job, what is the sort of division of work between the people that a security awareness manager is managing and what the ground level people are doing?

[00:09:56] TF: Great question. So I think what I do kind of as my role at Optiv is a little bit different than the average security awareness manager, but I think it's important to talk about both, right? So my team, I have content developers, multimedia specialists and such. A regular security awareness manager may have one person or they may actually have to go out and find that content, right? So I have that team that develops that, platform managers. So for me I have a team that manages a learning management system, an LMS as well as simulated phishing. In an organization, that person may reside on another team. Now they're an extension of your team because you have to work with them to get content rolled out, make sure people are taking it, make sure the communications are there, time frame that you need, all of that kind of stuff. Same thing with simulated phishing. As the awareness manager, you may run that, but it also may be a function of IT and you work with them to deploy that.

I mentioned earlier about working with different people within Optiv, some of those different lines of business. When you are a security awareness manager and you may need some subject matter expertise outside of your group, a lot of our clients have program managers or project managers that do that outreach. Smaller organizations, the awareness manager does that themselves. But when you get into the Fortune 500, they have project managers that are doing that for them. So there's lots of different roles within a security awareness team, but that manager is the one kind of bringing the cohesion to all of it. Making sure the consistency is there. That you're meeting the needs and you're listening to feedback, but making sure that, you know, you're still on the right course. Making sure the ship is still moving forward.

[00:11:53] CS: Nice. Now, what are some skills that people who want to work in the field of security awareness need to succeed? Can you give me some soft skills or technical skills that people should be adding to their tool set to do this job well?

[00:12:06] TF: Yeah. I think there's skills and tool sets, but I also think there's some characteristics that people that we work with as well as the people that are on my team. They're very inquisitive in nature. If you're not a lifelong learner, this is not the role for you, right? Data-driven, so making sure that you understand that just constructive feedback or just feedback from end users is not what's going to drive your program forward. You really have to have that hard data. That's where my math background comes in. I love me a spreadsheet or two. So helping people with that.

I also think some other soft skills, or I guess other characteristics. A big one for me is navigating ambiguity. And what I mean by that, it’s one of our core values here at Optiv. But like 2020 was very ambiguous. Things were rapidly changing, right? And a security awareness manager has to be able to navigate that, right? Modify the program as they go, and that's something that is a struggle for a lot of people. Change is constant and change is hard. And so that's something in this role. Because we deal with the people, you have to be able to navigate that. So soft skills that will help with that, communication I mean, written, verbal communication skills, because you're going to be dealing with people all the time. Customer service skills, your internal customers, those different stakeholders, that's going to be crucial. Problem solving, troubleshooting. Again, you're dealing with end users who, “My password won't reset or I can't remember,” things like that. And that's why I go back to my middle school math roots. And we are teaching those skills of problem solving. And so having that basic skill set is really important when you're in a security awareness role.

I think on the technical side, obviously being computer savvy. You can learn a learning management system if you're computer savvy. There are a ton of different ones out there. Being able to analyze training and provide feedback, because you're going to have to do that internally on your own stuff if you develop it or if you're getting it from a vendor, a provider, you're going to have to be able to do that too. So some awareness of education – We just added a new hire before the holidays, and one of the things that I was like, “This is a non-negotiable. Like you have to understand what a learning objective is and have some sort of experience in education. The rest of it we can teach you.”

[00:15:03] CS: Okay. Now, in regards to your sort of, you said, your patient teaching background. Now obviously if someone does fall for a phishing scam or what have you and their computer gets – Obviously their first step is going to be IT department. They're going to triage, “Help me.” Do they come to you as the manager later or do you come to them later and sort of patiently, “Now, what did we learn? Now, what do we do now?” What is the actual sort of like the next education path if someone gets on to it?

[00:15:34] TF: That's a great question, and honestly it depends on how mature your program is, because you're going to – If it is a less mature program, you're going to have to be the one that takes the initiative and go talk to the end user. The more mature of a program, we all have buy-in in it, right? So the end user is coming and saying, “How did I miss this? Is this a new threat that is out there? Is this something – Why did our technology not catch this?” They want to be part of the solution versus you having to go after them and correct it. I think there are some automated ways that you can help them. Auto enrolling in courses or training when they do fail, but the repeated failures is when you really got to go have a conversation, and it also depends on company culture.

We met with a client last week that just kind of – A quarterly touch point with them and they said someone failed a phishing campaign and they were in tears. They were scared. Like this is something that's going to go against them.

[00:16:39] CS: Yeah, it’s going to end up on their permanent record. Yeah.

[00:16:41] TF: Yeah. So making sure that you have the right culture around your security awareness program, making sure that we are inclusive, we're trying to make everyone better. Because what happens when they're at home and there's no IT team and you click on that phishing email? Like there's value that we're bringing as security awareness managers to them as humans, not just as employees of our organization.

[00:17:05] CS: Now, what are some tasks? I mean, that was a great list of sort of skills and things, but what are some tasks that you'll be doing every day or every week as a security awareness manager? So if you're imagining it, “Well, it's this,” but what you don't know is that you're going to be doing X for 20 or 30 hours a week. Like what are some of the things that people should know that are always going to be on the schedule?

[00:17:30] TF: Yeah. So data analysis.

[00:17:32] CS: Okay.

[00:17:32] TF: If you're going to be successful, you have to know the data in and out. You're likely going to have KPIs, key performance indicators for your program and you always want to be measuring against that. So where do we need more effort? Where is a gap that I need to fill with some sort of training? Whether it be formal, informal, maybe just some reinforcement. Maybe it's a conversation like you just mentioned in order to fill that gap. So making sure that you know your data inside and out I think is something that you don't anticipate as a security awareness manager is really having that tie there.

[00:18:11] CS: Okay. What are some – You've just said some of the aspects of the job you like, but what are some of the aspects of the job you like the most and what are some things that sort of keep you up at night or cause you to worry on Sunday night or what have you?

[00:18:24] TF: Gotcha. Lots of things cause me to worry on Sunday night. No.

[00:18:27] CS: Yeah. Sunday's a night, isn't it? Yeah. Your moment.

[00:18:30] TF: So a couple of things I really like, being creative. So I love having a creative outlet, and because there are very unique issues with different organizations, with different individuals, with different groups within an organization, like you have to be creative in coming up with solutions to make them cyber aware, to change their behavior in a way that meets them, right? So if we think about like just a general organization. They have a sales team. They have a front office team. The way you're going to reach both of those in a meaningful way is going to be very different. And so having the opportunity to be creative and figure out how you're going to do that is something that I like.

I’m also very data-driven. I’m task oriented. Like that's the kind of stuff I like. So that's something that I enjoy. But what keeps me up at night on Sunday night. Despite what a lot of the people that are listening to this podcast and what you and I know as cyber professionals is that cyber security is very important, and unfortunately sometimes we don't have the executive buy-in. Some of the managers I work with don't have the executive buy-in or budget to do much more than check the box, and it's really hard for me to understand that. Kind of when things happen in the industry, like the SolarWinds and those things. It's like, you know, the water company in Florida getting hacked. Like that kind of stuff I’m like, “Come on!”

[00:20:19] CS: I feel like there'd be enough of these stories coming through where people would finally go, “Oh, this is a real thing,” but there's still a lot of rubber stamping in your view.

[00:20:27] TF: There is, and I think also arm wrestling for priority, right? If we talk just learning and development, you have your annual anti-harassment, you have your annual other compliance courses, you have teaching managers, you have teaching new hires, all of these things and it's like what piece of the pie does cyber security get? Are we going to arm wrestle over the last eighth of the pie or are we only going to get a 16th of it?

So I think part of it is kind of – Part of what keeps me up is how do I better arm security awareness managers with information that will help them get that executive buy-in? That will help them get that budget? Because we do have organizations that have recognized the value in it and they have amazing programs and then we have others where the manager is like, “Help me grow this to something that is meaningful.” Like, “I have to have that.” So I would say that's probably what keeps me up at night.

[00:21:39] CS: Yeah. Yeah. No. And that's not nothing. That's not like, “I don't want to get up early or whatever.” That's at the core of what you're doing, because if you're not getting the buy-in from the top, like it's a lot harder to sort of do the optimal best. That’s the thing.

[00:21:57] TF: Yeah. Well, and I think one of the other things like that's very prominent right now, obviously COVID, and has been for a while. And there are organizations that will not send out COVID-related phishing emails because it is too sensitive. And while I completely understand that, my question to them back is, “Then what are you doing to educate people around this topic and the risks?” right? Because there has to be value there. I think sometimes I almost care too much about the people like as humans versus just as employees and how secure the network is, but I think that's the thing that really bugs me.

[00:22:39] CS: Well, let me jump a few questions forward, because I was going to ask about your thoughts on the GoDaddy holiday bonus phishing event and you're basically speaking to that with regard to COVID. Can we sort of talk a little more about the ethics of appealing this radically to a person's fear or excitement to keep them cyber secure? What sounds like you're saying is like if you're not going to go that far, at least have another form of education in place. But I’d love to hear your thoughts more on that as well.

[00:23:08] TF: Yeah. That was kind of a hot topic amongst a lot of our clients when that did happen. So I think there're a couple things that we have to talk about. Number one is the different culture of the organizations that we work with, and I kind of just touched on that a little bit, where in some instances the awareness manager has the autonomy to select, create, whatever the content and the phishing emails that go out. In others, they have to have HR approval, legal approval, executive leadership team approval before anything can go out. In those that have to do those multiple rounds of approval, they're less likely to do something that's a little bit disruptive. And I don't know if you're familiar with that term, but in learning and development we talk a lot about disruptive training, right? Something that really kind of jars you, kind of switches things up from the norm.

[00:24:07] CS: Gets your hackles up.

[00:24:08] TF: Yeah. And I think disruption or disruptive training is a really great tool, but you have to take it in context. So for instance, when I was hired as a courseware developer at Optiv, my initial kind of role was training our sales folks and we would have them do the pitch for the company as if they were trying to help Humpty Dumpty or Little Red Riding Hood. And what that did was it really made them think, right? I wasn't giving them a fake customer profile, right? I was making them bridge a gap. Something that's you know memorable, something that's meaningful, but it's disruptive. And there's value in that because I still have some of those sales folks today that'll come back and be like, “Yeah. Well, I had a couple Humpty Dumpty's,” things like that. I think there is value in that but we can't be insensitive, right?

And one of the things that you always want, and we touched on a little bit earlier, is that the security awareness program needs to be a collective buy-in from everyone. And when you're insensitive, you don't get that buy-in.

[00:25:28] CS: Yeah. There's sort of a hostility there. Like, “Oh, they're constantly screwing with me.”

[00:25:33] TF: Yeah, we want to avoid the gotcha, right? Like that's not the purpose.

[00:25:36] CS: Yes.

[00:25:37] TF: We even tell our customers, “Make sure your employees know that we're doing phishing simulations.” Tell them, because this is something that is happening all the time. And when you get your results, communicate the results and then set the bar a little bit higher for the next one, right? And we're collectively working towards that, and I think that's something that oftentimes we get a little bit of tunnel vision as awareness managers and we need the outside input from various groups, whether it be a pilot group or a steering committee that is part of your – Kind of one of those connectors that you have within the organization can really help you be effectively disruptive without it being harmful to the program.

[00:26:22] CS: Now, speaking to that, can you talk about the process of creating security awareness messages or campaigns that'll be sent out to employees or clients? I guess I’m trying to get a sense of where you get the ideas from. Are you looking at current news stories or case studies? Things people fall for usually in phishing emails. Is it possible to sort of keep ahead of those things or is the nature of security awareness that you're sort of playing reaction to things that have already happened somewhere else in the world?

[00:26:52] TF: Well, I think I have a little bit of an edge since I work for a cybersecurity company, right? Where a lot of security awareness managers are going to work for in finance, healthcare, whatever that may be. So I have a little bit of an edge there. But when we think about messages that we're crafting to the individual end users, what we like to do is create a persona that represents that individual, okay? So think about a general end user at my fake company. So company A if you will. My general end user is 35, 40, has a couple kids, lives in the suburbs, has been a professional for 10, 15 years, but their tenure at the company is about five. That's kind of where our average is. And we go ahead and give that person a name. So, Holly, right? This is my persona, Holly. And when I’m creating those messages, okay, what do I want Holly to go do after she reads this message? What do I want Holly to take away from this? What do I want Holly to feel? And when you can have those types of questions around your message, like to Holly specifically, you end up cutting things out, adding things here, right? And those messages get a little bit more clear.

I mean, the same thing at Optiv, what we do with our e-learning portfolios, we have very different styles, right? So we have one that is meant more for a global audience. It resonates really well. We have another one that in a very formalized work environment resonates well. It doesn't like shock people to where they're a little bit put off by it. So that's something that I think is really valuable, but also recognizing that you have messages for your general end user, but then you also have your step above, your IT, your security teams, that are going to ignore Holly's messages because it's too redundant, right?

Okay. So then we got a second persona. So we've got our Rudys of the world, right? So Rudy is a SOC analyst for you or a security architect who has his head down doing his job. Like what are things that are going to pique Rudy's interest? What is Rudy motivated by? What do I want Rudy to do as soon as he reads this message? Honestly, that's something that's really valuable, is creating those personas that you know where the messages go. Now where does the content come from? Current events, right? You got to answer the questions that they have in their head when they see it on the news or read it on their Twitter feed. So keeping up to speed with that also means you have to have the communication channels open, right? If you don't have that and the only communication you have is once a year when they have training, that's not going to work, right? So a more mature program has that ongoing communication cycle, so you need to have that in place in order to kind of keep up with pace there.

And then I would just say really back to what I mentioned earlier. What are the things that are going to mean – like have value to that person outside of work? So even if there is a breach at a local retail store, it may not be on national news, it may be on national news. It may not feel pertinent to them in their work day, doesn't mean it's not important. Because if you can show them value of what you and your team are doing outside of just their annual training, they're more apt to listen to you, they're more apt to come to you during those times, right?

[00:30:52] CS: Makes sense. Yeah. It’s, again, completely the opposite of feeling like the security awareness team is messing with my head or trying to do a gotcha moment on me. But here, if you give them demonstrable value, then they're more inclined even when it's something that they don't feel like thinking about.

[00:31:10] TF: Yeah.

[00:31:11] CS: I love it. So this might be a little out of your purview, but I want to sort of talk about where the balance falls in preparing employees to be security savvy versus implementing sort of end user security tech to be used as a secondary line of defense. So like in your mind, what is sort of like the optimal sort of combination of tech and security savvy and like where are groups falling down on that sort of balance at the moment?

[00:31:40] TF: Yeah. Wow! So this brings up a conversation that I recently had. So I picked up my husband from the airport yesterday. The end of last week I sent him down to Houston where my father-in-law lives because he had a pipe burst in that whole winter storm, right? And unfortunately – And my husband's originally from there, down south. He got a number of phone calls last week, because my husband is a plumber by trade. I guess that's an important fact that I left out. A number of calls, “How do I turn my water off? There's water running everywhere. What do I do? What do I do?”

If you think about the plumbing in your house as a security technology, you as an end user have to know how to turn the water off. We have to be arming our people with those basics so that when the power goes out, when the technology fails, when there's something unprecedented that the technology is not prepared for, like snowstorms in Houston, right? That they know what to do. And I think that's where the balance is, is that we need plumbing in place, right? That's got to be crucial.  You can't have home life without the plumbing. I mean, you could technically, but –

[00:33:11] CS: Not much of a life. Yeah.

[00:33:13] TF: Yeah, there you go. But we have the cyber security professionals like my husband that come in and can tweak that and fix it when it's broken, but there's that gap and we have to, as homeowners, as residents of these homes, be able to fill that gap. And so I think that's where your balance is, is what happens if it does fail? Do my people know what to do?

[00:33:38] CS: Okay. Yeah. Yeah. Security awareness folks in the north know to have you trickle your sink for 24 hours a day until it’s over.

[00:33:44] TF: Exactly. Insulate the pipes, unplug the hose, like all that kind of stuff. My husband posed the question to me, he was like, “Who's supposed to teach these people this?”

[00:33:58] CS: Yeah. Yeah, it's unprecedented, like you said.

[00:34:01] TF: And so in our organizations, who's supposed to teach them not to give information over the phone? Who's supposed to teach them not to post that the card reader's broken at work on their social media? Who's supposed to do all of that? And that's our job.

[00:34:21] CS: Okay. Love it. So as we wrap up today, I want to sort of speak – Again, we're going to do kind of a role here, but someone who maybe is coming into cyber security midway into their career, like what advice would you have for people who might be interested in getting into cyber security and security awareness but might feel intimidated by the perception of cyber as something with an impossibly high barrier to entry? Like I need a computer science degree or to have been hacking since I was a kid. What do you recommend for people looking to get their feet wet in cyber security? I know you said that you can sort of teach someone the sort of data crunching and so forth. But like what are some things that you can sort of do to help keep people from psyching themselves out?

[00:35:05] TF: I feel like I should get really close to the mic and say don't be scared.

[00:35:09] CS: Okay.

[00:35:11] TF: You can't be scared. You can't be intimidated. Cyber is something that is evolving. Even the people like myself, Chris, you, that have been in this industry for a long time, we are still seeing new things every day, right? It's always going to be changing. So there's no computer science degree right now that if you're taking it is going to be enough once you reach the field. It doesn't exist, right? So I think that's first and foremost. You can't be intimidated. There are a ton of options in the cyber security field. I mean, I’m in the education space of that. You can be in threat hunting, which is going to be a little bit more technical, but you can also get in on the legal side and learn the space. You can get in on the purchasing side.

My director, he has a journalism degree and came in writing policies and procedures, right? Kind of that technical writing, and he's been in the field now 15, 20 years, I think, and you just kind of learn as you go. So I would encourage someone that's interested to really explore all of the different options that are out there. Find something that piques their interest, because you want this to be a career and not a job, right? You want it to be something that you enjoy doing that you don't dread on Sunday night having to go to work the next day.

[00:36:48] CS: Within reason, yeah.

[00:36:50] TF: Within reason, yeah.

[00:36:51] CS: There’s always a little dread, yeah.

[00:36:52] TF: But look at all the different aspects, right? And then get your foot in the door. Literally just get your foot in the door. If that means working in purchasing or sales or something like that, you can make your way into cyber security.

[00:37:11] CS: This was awesome. Thank you so much for your time, Tiffany. One last big question for all the marbles, if our listeners want to know more about Tiffany Franklin or Optiv Security, where can they find you online?

[00:37:20] TF: So optiv.com, great resource. We have an amazing blog, an amazing library of videos and we're trying to keep up with all of the changes in the threat landscape. So check out optiv.com on the insights blog and then find me on LinkedIn, would love to connect. Part of lots of different groups and reach out if you've got any questions.

[00:37:42] CS: Well, Tiffany, thank you so much for helping us to understand security awareness a little better today. This was a lot of fun.

[00:37:47] TF: Well, thank you, Chris.

[00:37:49] CS: And thank you all as always for listening and watching. New episodes of the Cyber Work podcast are available every Monday at 1 p.m. Central both on video, on our YouTube page and on audio wherever fine podcasts are downloaded. And I’m going to change up the conclusion a little bit here. In late March, March 25th, we are going to do our first ever Cyber Work Live. We're going to have three guests who are going to be answering live questions from the audience about getting into cyber security for the first time. So all you newcomers who are zero to four years and feeling weird about your career, like come let us know what your questions or concerns are, and if you want to write them in early, write them at cyberwork@infosecinstitute.com. So check that out, cyberwork@infosec.com. Send us your questions.

Thank you once again to Tiffany Franklin and Optiv, and thank you all again for watching and listening. We will speak to you next week.
