How Women’s Society of Cyberjutsu is diversifying security

Mari Galloway, CEO of Women's Society of Cyberjutsu, and Cyber Work podcast host Chris Sienko discuss Mari's career journey, the ethos of Women's Society of Cyberjutsu, and insights on how to diversify the cybersecurity workforce.

  • View transcript
    • Chris Sienko: Welcome to this week’s episode of the cyber work with Infosec podcast Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how these trends are affecting the work of Infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. One major issue in the cybersecurity industry that Infosec has been actively promoting is bringing a more diverse population into the cybersecurity workforce. We’ve offered scholarships that are extended to female cybersecurity professionals, people of color, military professionals, and graduating college students, among others. On this podcast, I’ve been happy and proud to speak to a number of the female cybersecurity professionals about their security journeys and the pitfalls in the industry that they weathered to overcome. So today, I’m very, very proud to be speaking to Mari Galloway, the CEO and founding member of Women’s Society of Cyberjutsu, a Northern Virginia based, but worldwide in its reach, 501C3 nonprofit organization that is passionate about helping and empowering women to succeed in the cybersecurity field. Mari’s going to tell us about Women’s Society of Cyberjutsu’s mission, its successes and its plans for the future. Mari Galloway is the CEO and founding board member of the Women’s Society of CyberJutsu, WSC, one of the fastest growing 501C3 nonprofit cybersecurity communities dedicated to bringing more women and girls to cyber. WSC provides its members with the resources and support required to enter and advance as a cybersecurity professional. Mari began her cyber career with Accenture where she excelled as a network engineer over nine years of information technology, eight of which are in cybersecurity. Her experience spans network designs, risk assessments, vulnerability assessments, incident response and policy development across governmental and commercial industries. She holds a variety of technical management certifications, CISP, GIAC, CCNA, et cetera, as well as the bachelor degree in computer information systems from Columbus State University and a masters of Science and Information Systems from Strayer University. Mari is currently a resident of Las Vegas, working to secure the gaming industry of the Southwest as a senior security architect. She regularly contributes to content to security blogs and training companies outside of the country as well as an adjunct professor for UMUC. Outside of being a geek, Mari enjoys arts, puzzles and Legos. And you can find her on Twitter at Mari Galloway. That’s M-A-R-I-G-A-L-L-O-W-A-Y, Mari. Thank you so much for being here today.

      Mari Galloway: Thank you for having me, I’m really excited.

      Chris: Great, so to start at the very beginning, this is the question we ask everybody, how and when did you first get started in computers and cybersecurity? where these things sort of always interested in your life? It sounds like you identify as a lifelong geek. Is this something that came later, or?

      Mari: So throughout my life growing up, my folks would give me computers and things like that. I remember one time I got this super old school computer where you can like look up the dates for the past 200 on it. And so I Would always look up my birthday on this thing. It was, I don’t even remember when this was or what this was, but it was this really cool like computer system they had bought. And at the time I didn’t really think anything of it. And then I actually wanted to be an architecture, major. So I went to school for architecture.

      Chris: Okay.

      Mari: In high school I dealt with AutoCAD and using computer systems, so design and all that.

      Chris: Sure.

      Mari: And so it kinda just flowed for me to go into my bachelor’s degree program in computers.

      Chris: Okay.

      Mari: That’s kinda where it got started. I actually was doing database administration. That was my major cause I wanted to build stuff out an access, don’t know why. But at the time that’s what I wanted to–

      Chris: Seems like a good idea, yeah .

      Mari: You’re thinking back on it, it probably still would have been since we’re coming full circle with security–

      Chris: Sure.

      Mari: In that world, but that’s kinda where that took off.

      Chris: Okay.

      Mari: So yeah, it’s always been a thing. I’ve always loved to build stuff and so that’s the, where the challenge part comes and doing security. There’s always this challenge ’cause we’re trying to fix something that wasn’t implemented originally.

      Chris: Yeah, there’s a puzzle solving element to it.

      Mari: Exactly.

      Chris: Okay, so what are some of the highlights and big transitions of your security career? You know, we’re always sort of trying to make this, break this down for people who are just trying to get into cybersecurity, but, so like what jumps did you make in terms of, you know, experiences or knowledge or research or education or job changes that sort of took you from your early interests to where you are now?

      Mari: So like you mentioned, I started as a network engineer and so I was messing dealing with routers and switches and encryption vices for one of those big three-letter agencies in the government. And I went to a training class and the instructor, he showed us how to pull up router configs on the internet and plain text. And I was like, wait a minute. That’s probably not a good thing. And so that week it was a security plus class too. And that week it was like, Oh, I probably should go on this side of the field versus this side. And I thought it was interesting that he was able to pull that stuff up so quickly and see that, and so that’s kind of one of the ways that jump-started me into going down the role of ethical hacking and penetration testing. The next big jump was when I started working for the department of the army. I was still in a networking role, but they forced me to do the accreditation and certification for our high rjx level systems.  So I had never really, I mean I had done some stuff in security, but doing that really, really helped me understand, you know, vulnerabilities, how to configure routers and switches how to do documentation for like training plans and testing documents. And so that really just kinda skyrocketed me into wanting to go more into cybersecurity and into the security side, mostly offensive side of the industry.

      Chris: Okay, yeah, were there particular did you like study for search? Did you, were there like particular schooling things that sort of were foundational for you?

      Mari: So what the government, you have to have your security plus for most places with the DOD 8570. So that kind of laid the groundwork. We were a Cisco office, so I ended up doing a lot of Cisco stuff and what I really liked about since the CCNA security, which I don’t know if it’s still called that now–as well, and I’m supposed to stay on top of that. I think it’s changing again anyway. They had the stuff that I learned in that class was really, really beneficial. And so I like bootcamps. I think they’re cool. I think they serve a purpose, but for me, I’m more of a self studier and so I picked up the book, started reading, started doing some labs. I was like, Oh, and I was able to use that stuff that I learned in the security class or the CCNA security on the job, and then as I’ve gone through, I tend to get, I have a lot of certifications. I tend to get them if my job requires them or if it’s something I’m interested in learning more about. So a lot of my certifications are gonna be on the offensive side. So pen testing, configuring things like that. CH all of that good jazz.

      Chris: Okay, I think one thing that’s also noteworthy, we haven’t seen with a lot of cybersecurity professionals is that you sort of, you have sort of equal footing in both the sort of networking side and the security side. you tell me, tell me a little bit about how that’s sort of influenced, you know, both of those disciplines in your interests.

      Mari: So it’s, I think it’s really important. If you don’t know what systems you have, if you don’t know how they operate, how they work, it’s really difficult to try to secure them or figure out what’s wrong with them.

      Chris: Yeah.

      Mari: Can it be done? Yeah, I know a lot of people that have come in without a networking background to do the technical stuff and they’ve been super successful, but they had to work really, really hard to do that. And so having that networking foundation helps has helped me better do architects systems here. Like where I’m at now helped me understand the vulnerabilities associated with having these particular systems together. You know, understanding how the lands work and how we can do segmentation and helping the organization, just be more cognizant and better about their security processes and their standards. So it’s important, you don’t have to do help desk. People were like, Oh, you gotta do a help desk job, we’ll help desk job work. Yeah, maybe. But if you can get into network administration, systems administration, any of those areas for a little bit, it’s definitely, definitely worth it. And it’s definitely going to give you a leg up when it’s time to move into a security role.

      Chris: Yeah, that’s worth noting that there’s a lot more input points than people think. You don’t just go from help desk right into security message or you can, but you don’t have to,

      Mari: You don’t have to, right.

      Chris: Right, so you’ve obviously you’ve have a lot of plates spinning at any given time. Could you tell our listeners a little bit about what your day to day schedule looks like? You know, you’re a senior architect for the Southwestern gaming industry. You’re an associate professor. You’re the CEO of Women’s Society of Cyberjutsu, Like…

      Mari: I do a lot of other volunteers—

      Chris: Are you offended of sleeping at all

      Mari: I do, I can sleep anywhere at anytime of the day. Doesn’t matter where we’re at. But honestly it’s taken a long time to figure out a routine for doing all that stuff. But I also do like other volunteer things and I like to do the arts and crafts stuff, so I have to find time for that. I try to keep my day job separate from the other stuff. So at the university of Maryland, I only teach every other semester, so that’s not too big of an issue. And then I do a lot of that stuff in the evening anyway so that I can talk to the students and be available for them if they need assistance.

      Chris: What classes are they again?

      Mari: So it just depends.

      Chris: Okay.

      Mari: My next class is network security, which is it helps you prepare for security class. The last semester, I taught a class on trends in cybersecurity and so the students went through like building out AWS instances and talking about IOT devices and AI and just kinda touching on each of those different topics for eight weeks. So that was a cool class. WSC it’s a little bit harder to separate because somebody, I’m on the West coast, so I’m three hours behind like to have those conversations at like nine in the morning, six in the morning for me. And so it’s a little bit harder to manage. But my current job they’re pretty flexible with when I need to do stuff like this. And so it works out, but yeah, I don’t know when I find time to do anything, but I love to have wine and Hendrickson the evening after work .

      Chris: Perfect, oh my God. Yeah, now that solves a lot of problems .

      Mari: It really does

      Chris: Yeah, so did, I mean did you just sort of keep sort of acquiring projects until you felt you’d hit a maximum and you’re like, I can’t deal with any more of this? Like how do you, you know, ’cause I think a lot of people, like they get sort of flustered after doing two things or you know, or they try to do too many things and it falls apart. But it sounds like you’ve really sort of like mastered a thing here. So like, I’m sure people would wanna know more about that.

      Mari: I think what works for me is, so I have a very supportive husband. He was in the army for 13 and a half years. And so a lot of that time that I did a lot of this stuff, he was either deployed or often in the field somewhere doing military stuff. And so it kinda worked out to where I could do some of this other stuff that I wanted to, but he’s been since he’s been out, he’s been really supportive. And I think for folks to be able to do these kinds of things, you have to have a support system. You have to have friends and family that, you know, they’re gonna encourage you to be involved and encourage you to help and they’ll wanna help with you and do those kinds of things. Otherwise it makes it really, really difficult.

      Chris: Yeah, yeah, so I keep sort of wending off here, but before we get into the main topic of today’s podcast, I’m really curious about your work on the cybersecurity architecture of the gaming industry of the Southwest. I mean, that seems like an enormous project. So what is the scope exactly, of such a project and what’s the jurisdiction of this? Is this all the casinos in the American Southwest?

      Mari: No, it’s just one specific one– But it’s an interesting dynamic. So this is my first job outside of the government.

      Chris: Okay.

      Mari: I made the jump, I was a GS 13, almost two years and I decided to, as you know, I was tired of it. I wanted to do vulnerability management, pen testing. And so I made that leap out to the private sector. And what’s interesting is a lot of the same things you deal with in the government, you have to deal with outside of the government, however you get stuff through the pipeline a little bit fast. And there’s a little bit more flexibility out here. But the architecture piece of that, it’s really big, bigger than I would’ve ever, ever thought. You know, when I took this job, I didn’t think like, you know, we know that there’s security involved in the casinos, but I was like, wait, they have whole security teams doing like sock knock architecture, all of these things. I didn’t realize how big of an industry there is in the gaming world.

      Chris: Right.

      Mari: The different, it’s a different beast because there’s different rules you have to follow. So in Nevada they have gaming rules that, you know, you have to have so many cameras on each table, otherwise you can’t operate. You have to have your systems online, you know, 24, seven or you can’t operate, right? You’re dealing with industrial con controls systems that he, you know, the HVAC, the elevators, the lights, all of that stuff. And so–

      Chris: I was gonna ask if there’s physical component to this–

      Mari: Oh yeah, there definitely is. So there’s a difference, which is why it’s really important that we encourage folks to go into ICS and IOT and that side of things because there’s a lot of that outside of the government, right? I think like 90% of critical infrastructure is maintained and operated by the private sector.

      Chris: Yes.

      Mari: There’s plenty of opportunities out there. But so far it’s been fun. You get to talk to a lot of different vendors. You get to see what new and emerging technologies are coming out.

      Chris: Oh yeah. I’m sure there are, I’m sure

      Mari: Oh my gosh

      Chris: The cutting edge of what you can do with tech and money exchange .

      Mari: Yes, there’s so, and we’re such big targets because of the–

      Chris: That is the other thing I’m imagining without getting into details, I imagine you’re under attack constantly, right?

      Mari: Probably. Yeah, I think so. I have to ask the SOC about that.

      Chris: Sure, sure.

      Mari: But why not? You know what I’m saying? Like you have business everywhere, you know, all of the casinos are everywhere and so there’s money, big money that could come out of these places.

      Chris: And just one more question, Is this sort of a onetime project where you’re just, you’re building the system and then they maintain it or are you gonna be, is a sort of a longterm relationship?

      Mari: So it depends on what the project is. If it’s infrastructure-related we usually help design it and then we let the infrastructure teams take it over.

      Chris: Okay.

      Mari: If it’s specific to our department and there’s no infrastructure involved and will we have a team of folks that can manage it within our team.

      Chris: We don’t get to talk to casino security people very often. So I wanted to get all the questions and so let’s talk specifically now about the Women’s Society of Cyberjutsu. You are the CEO and one of the founding members of the organization. Can you tell me a little about the origin, the organization’s origins and goals and activities and projects you’ve been working on?

      Mari: So we got our start in 2012. Our founder and president, she had went to a few hacker meetups in the DC, Northern Virginia area. But she felt like she didn’t really belong. She felt out of place and she really just wanted to find a group of folks that she could hack with and learn with. And so she started the first workshop. It was backtrack and Linux or backtrack and Metasploit or something like that in 2012. And to her surprise, there was a lot of women that showed up ’cause a lot of women wanted to do the same thing. They just couldn’t find a place to did do it where they felt comfortable and they can network with people. So she decided to start the organization. She wanted to build a community of women that came together that learned, that did penetration testing, incident response, digital forensics, first malware engineering. And just, you know, did competitions together. ‘Cause we love to do the competitions. And so when I came to the organization, I had failed my CSSP by four points and I’m looking for a study group and I was like, Oh, let me find a study group in DC ’cause I’m gonna move back up there soon. And from there, I just, I, you know, I kept going to the workshops. I kept getting involved, I kept going to the networking events and Lisa pulled me in and said, “Hey, I want you on my board.” You know, seven years ago, almost now. I would have never thought we would be at this point. You know, 2,600 plus members. We helped thousands of women and men yearly we help the girls. We just hosted our major event wicked six cyber games where cybersecurity meets e-sports for a cause. This was a really successful event. It’s, you know, it’s the first of its kind to showcase talent through short missions versus six to eight hours of competition, you know, and in these missions they’re doing real world analysis and having to do real world stuff and they’re dealing with, you know, wanna cry and Lue Keith and those kinds of vulnerabilities and having to, you know, look at packets and understand what’s going on in packets. And that’s our, one of our big things. We’re doing it again next year, August the sixth.

      Chris: Okay.

      Mari: It was a really interesting experience ’cause we did it here at the Luxor and that the sporting arena and so on the big screens behind the players, you could see what they were doing. And then we had the shout casters what was going on and you know, why this was important for them to do this? or using these tools and things like that.And so, that’s one of our big goals. The other goals that we have, basically we wanna bring more women and minorities into cybersecurity, right?

      Chris:  Yeah.

      Mari: We are women’s organization. However, we do have male members. We do have male allies. We have the men that come in, they volunteer. They come into our networking events, they come in and do trainings with us. And so we understand that this is not just a one side only thing to have everybody in the conversation and have everybody at the table making these decisions. We’ve got a couple of things coming up next year to help some more of the entry level folks try to figure out which route to go. We have a day in the life series coming up, but we’ll bring in professionals and they’ll talk about what they do day to day to kind of keep an idea for those folks looking for a role. We also plan on doing trainings on malware analysis, threat Intel. Hopefully we can get some virtual reality and AI stuff going on in there just to help the women figure out, okay, we’re interested in this and this is how I do XYZ.

      Chris: So is this mostly, I know it says Northern Virginia based. Do you, is it all over the country? Is it mostly in Northern Virginia?

      Mari: So our, we’ve got our start in Northern Virginia. We are a national organization, so we do have chapters across the country. Vegas, SoCal the Bay area here soon. Atlanta Jacksonville, Charlotte, East Carolina, which encompasses Raleigh, Durham, Fayetteville and Jacksonville, North Carolina. And then the DC area has a chapter as well. So we’re always looking to bring more women and more men and to help build out those chapters in those different locations to help do that training onsite. 90% of all of our activities we do remotely. So we’ll have an onsite component and then we’ll have a remote component. That way folks that aren’t in Las Vegas can still participate or watch the videos after the event has occurred. We try to do smaller networking events and each of those locations to help bring women and men together to network to do career development. Any of those areas where we can help the women be successful.

      Chris: Yeah, And I have to imagine that the sort of onsite or the sort of, you know, remote component is gonna be helpful in finding people who might feel that they’re away from sort of like a center of activity and want to get started. But you know, I’m in Northern Wisconsin and I don’t know anybody here and things like that, you know, like is that the case? Have you sort of had people from like remote locations who felt like they were able to kind of get their start?

      Mari: We’ve had a number. We actually have a woman that’s in she’s not in Detroit, she’s near Detroit, but it’s still probably like an hour or so away.

      Chris: Sure, oh, yeah.

      Mari: Participates in a lot of our stuff remotely. Because of that reason. So we definitely see the importance of it. It’s also good for folks that have families. You may not be able to come out of your house because you have to take care of kids or parents or something like that, but you still wanna get that training. If you have disabilities, another way to do it as well. We wanted to make our trainings and our activities and events accessible to folks.

      Chris: So what can you tell me something about some of the accomplishments the organization’s achieved? Like some of the awards citations? I’ve heard you had, you had some pretty good ones.

      Mari: So Lisa was the first CEO, Obviously. She got tons of awards for building out WSC and building this community. And she was recognized by SC magazine. She’s recognized as one of the top 50 women in cybersecurity. We’re constantly making different lists about organizations to be a part of, you know, what we provide. And we’re up there with some of those other organizations that are doing some great stuff as well. And so to be in that same grouping is awesome. I just got an award for diversity for doing, for being a part of WSC from ISC squared. Lisa got one of those awards in the very beginning as well.

      Chris: Yeah.

      Mari: So we definitely get the recognition. People definitely notice. I think a lot of times I just really liked the name ’cause it’s different and it’s like, wait, what does that mean?

      Chris:  It’s memorable, Yeah. Do you wanna talk about that? That apartment I opened specifically .

      Mari: So Lisa is Japanese and black. So she grew up in Japanese and then she moved over to the States to join the military. And so she’s also an artist. And so cyberjitsu is the art of cyber because Jitsu means the art of, so it’s the art of cyber. She kind of felt that cybersecurity is like an art. You know, you have to paint a picture or you have to, you know, figure out how this looks, the bigger picture of it and so it’s like, it’s like you’re painting a picture basically. What does this look like? So that’s where it came from.

      Chris: Okay, so we wanna talk, you know, obviously we started already talking about it, but you know, one of our regular things we’ll talk about is making the cybersecurity field more accessible to women. So what are some things, obviously, you know, your organization’s a big part of that, but how do we sort of make the cybersecurity industry understand that more women in tech ultimately makes the entire industry stronger?

      Mari: So it’s a behavioral thing. And it’s a mindset change that has to happen. And it’s definitely changing. There are tons of organizations that are working towards being more diverse in their hiring practices and bringing in more inclusion. Basically they’re, they hire the diverse candidates and then they include them in the conversations about the day to day, how, what the strategy looks like. But I think the problem is, one, it’s the hiring process. It sucks and everybody talks about it. We all know it. Job descriptions suck. I looked at a job description for a job that I really, really wanted. And I’m looking at this and I’m like, okay, I can do this. And then I was like, wait a minute, but I can’t do like these next six things, but I could do these four things, but I wouldn’t apply, right? ‘Cause I’m like, well, what if they asked me questions about the six things that I can’t do?

      Chris: Right, right.

      Mari: You know, changing the wording in the job descriptions and the posts, will not only help bring in more women, but more minorities.

      Chris: Yes.

      Mari: And a more diverse group of people because a lot of folks won’t apply for things if they don’t feel like they meet at 100%.

      Chris: Right.

      Mari: Being more flexible. A lot of the women that we’ve come across, they were their moms or their new moms or you know, they just had a baby and they’re like, you know, I can’t leave my baby at home or I can’t take them to the daycare. So being able to be flexible with your work schedule having options in the office that allow you to, if you’re a nursing mom, you can still do your nursing thing during the workday. Paternal leave, men, the fathers need that too, right? They need time off to bond with the baby that’s new. Or to help families. It’s usually, you know, the guys work, the women stay home, but that’s changing. And so having that flexibility, having those options available will only help bring more people to those companies that really need this. And then just showcasing and highlighting the fun stuff that goes on in the industry. It’s a lot of fun. Yeah, I can be stressful. You know, if you get breached, it’s like, Oh my God, I’m gonna lose my job. What’s gonna happen? But it’s a fun experience to go through the process of like implementing your disaster recovery plan or your incident response plan or anything like that. You know, finding that first vulnerability and helping your organization. So showcasing that it’s fun is also something that we can do.

      Chris: What are something you mentioned and we talk a lot about the sort of failures or difficulties of getting job descriptions, right? And HR who want, you know, these unicorn candidates with 12 certs and 15 years of experience and the thing to look around for five years and stuff like that, but also that, you know, that there’s studies specifically what you said that, you know, women will look at a job description and say, I can only do four out of these 10 things. I’m not gonna apply, you know, a male candidate will look at the same thing and say, I can only do two of these 10 things. I’m gonna apply anyway, you know? And so there’s, there has to be sort of, you know, this you know, we need to sort of bring everyone up to the same mindset of like, no one’s free, let’s at least see if we can do this, you know. But also the converse of that is, you know, we had another guest in here recently who said like, I’m much more interested in finding out what your problem solving skills are And that’s gonna be sort of a sea change across HR departments and cybersecurity departments in general of like knowing what you’re looking for, right?

      Mari: Right, and how do you, how do you put, you know, critical thinking skills or problem solving skills on a resume?

      Chris: Right

      Mari: It’s hard to put that there.

      Chris: And how do you test them quickly in an interview?

      Mari:  Exactly. And so I think changing that whole interview process, that dynamic going away from simply looking at a resume and actually looking at, you know, what are they doing on LinkedIn? If they had it, what are they doing on other social media? Are they actively out, you know, doing building labs or training people or you know, contributing to open source projects, things that you can’t really put into writing. Which means that the hiring managers are gonna have to actually go out and do something a little bit more engaged.

      Chris: That’s a step up a little bit, yeah. so what, what are some tips, we’ve had quite a few, but what tips would you give to a women entering the world of security? And what are some of the common pitfalls that you’ve learned to sidestep over the years?

      Mari: Take a risk. Just jump in and do it. They’re gonna be people that tell you you can’t do stuff. They’re gonna be people that try to rain on your parade daily. Just do it. You know, the only thing they can do to you is make you hurt, hurt your feelings, right? They can’t take away your education, your training, your skills, none of that stuff. So just jump in and do it. Common pitfalls, man . I don’t know, I’m kinda introverted, even though people, if you think about it, I’m not really, but I do get shy around people and so I tried to avoid conflict when necessary. And so that’s kinda one of those things that I kinda sidestep, I’ve learned over the years to how to communicate with people to make sure there’s no conflicts there. It’s been a work in progress because there’s a lot of times where I just wanna tell them to, you know, go jump in the pond and leave me alone. But yeah, can’t do that in the business world you kinda have to be a little more professional. But that’s–

      Chris: they’ll let you go do a lap around the office before you reply to that email there.

      Mari: Yeah, exactly.

      Chris: It’s like okay, let me not reply to that.

      Mari: But honestly, I’ve been told my very, no, my second job, you know, they were like, Oh, you want to pull cables and install routers and switches? I was like, yeah. They’re like, yeah, but you’re so nicely dressed. I was like, what does that mean? I like to dress nice. I like to, you know I like to be nice. I can still run cables.

      Chris: So what, what’s the implication that people who run cables wear like sweatpants?

      Mari: Yeah

      Chris: And Big Bang Theory t-shirts or something?

      Mari: You know, if you think about a hacker was the black hoodie, right?

      Chris: Right, Oh yeah, yeah.

      Mari: Changing, you know, we see–

      Chris: The Cheetos and the Mountain Dew–

      Mari: Exactly, and so that was just the misconception of what you’re gonna be doing the dirty stuff. You’re gonna have to look a certain way. And I was like, yeah, no, I can take these to the cleaners and it’s done.

      Chris: Right.

      Mari: Not a big deal.

      Chris: Okay. So another thing that I don’t know if there’s necessarily an answer to this, but or I mean, I know there is, but like it’s obviously it’s gonna be a big problem, but how do we sort of build the bench so to speak, for female cybersecurity professionals in the industry? I mean, it’s hope. I mean it seems like we’re getting a good amount. We always have more, but a lot of sort of entry level or incoming, you know, women professionals, but diversifying the upper levels of management, the C-suites and so forth seems like a taller order. Do you have any sort of strategies for female cyber professionals and especially for organizations who want to sort of hire upwards and sort of promote, you know, women and people of color and diverse candidates more quickly?

      Mari: So there’s definitely a few organizations out there. Executive Women’s Forum. It’s a group of executives that’s run by Joyce. And they help women get on the board of organizing patients. They help them develop their leadership skills in that training. There’s also another one that just, that they just started, but they do the same kind of thing with like mentoring and for the upper levels minorities since cybersecurity, that’s another good organization run by Mary Cheney. I see MCP, they have some areas where they do stuff for that higher level, but for companies it’s probably very important that they implement some kind of mentoring program within the organization. We all know mentoring helps significantly. Having somebody to help bounce ideas off of is very important. Having a sponsor that’s somebody that’s gonna go to bat for you in a job. Having those kinds of people are very important. And having that pathway of, you know, if somebody says, how do I go from being an engineer to a manager, having that already drawn out of what that looks like, you know, what kind of things you need to do inside of the organization trainings, going to these kind of events, connecting with executive coaching companies which can be kind of expensive, but I know that there is value in those kinds of companies. Because they help you understand your week misses and how to go about either enhancing those or working with those to become a better leader. So I think too, women just need to see that there is a pathway to that world. Everybody doesn’t want to be technical forever and so having that visually out there to say, Hey, you can do all of these things to get to this point is definitely helpful. And then keeping the finish line at the same place. So don’t say these are the things you need to do to get to X and then you move the finish line to Y.

      Chris: Oh yeah, yeah, right, right.

      Mari: Yeah.

      Chris: Yeah, I mean, how do you, how do you feel about the sort of progression of this at the moment? I mean it seems painfully slow, but like, like are you, do you see sort of Promising signs out there for the sort of thing?

      Mari: I think so. As more as we as more allies come out and as more men are coming out to say, Hey, I wanna mentor, Hey, I wanna help get more women speakers, or Hey, I wanna help do whatever. I think it’s, there’s definitely a shift happening. There are a lot of organizations out there that are trying to help fix the issue.

      Chris: Yes.

      Mari: But it’s a big issue, right? You’re having to change people’s mindset, and that is hard

      Chris: a lot of, unfortunately, a lot of resistance too, yeah.

      Mari: Yes, that’s difficult because they, people don’t wanna just be promoted because of their gender or their race or their disability. They want to be promoted on merit. And so changing that dynamic—

      Chris: And they also rather not be hearing constantly, even if they were promoted on their merit. Well, you just got promoted because of this or that or the other thing. Yeah, it just is irritating. Yeah, it’s total horrible, yeah.

      Mari: You see it on Twitter all the time.

      Chris: Oh God. Oh… I said the better, yeah. So I could talk to you all day. This is, this has been fantastic. But as we wrap up today, can you give us a little teaser of some of the big projects and initiatives or sort of exciting developments that women’s idea of cyber duty will be undertaking in 2020 and beyond?

      Mari: So as I mentioned, we’re gonna do wicked six again.

      Chris: Okay.

      Mari: We’re trying to see if we can expand it into colleges and professionals, so that the professionals can play on the platform as well and kind of, you know, level up and scores and all that. Ideally we wanna make with it six, like a recruiting event. So you come in, you play the game, the recruiters can see what skills you’ve gained from playing those missions inside of the the platform. They give, did we get digital badges? We had some for last year, which was kinda cool. So it shows you, okay, I have these skillsets. We’re gonna do our annual awards event again. Annual cyber jets awards. It’ll be the seventh one. Recognize a women and men for their contributions to cybersecurity. Usually we recognize men as a special award every year. This year we’re actually actually putting that category into rotation so people can nominate folks for that particular role and just bring more visibility to what folks are doing to help bring in more diversity. We’re also going to be doing more workshops, so having more chapters launched. ideally I’d wanna do a conference, maybe virtually.

      Chris: Okay, alright. Can you give me like a five year plan? What’s like the big Cyberjutsu version? Like what, what do you like, yes, we did it , you know, what does that look like?

      Mari: Being international, we wanna be able to expand internationally. We also wanna be able to bring in a paid CEO so I don’t get paid. None of our volunteers get paid. But running a nonprofit and working a full time job is a lot of work and it’s a very active nonprofit and so we’re constantly doing stuff. We’re constantly moving and we’ve gotten a lot of great volunteers in place to do a lot of great things. And so 2020 and beyond, it’s gonna be even better and hopefully we’ll be international. We’ve got a lot of interest internationally and so that’s one of our big plans.

      Chris: So if people wanna know more about Mari Galloway or get involved with Women’s Society of Cyberjutsu or any related organizations, where can they go online?

      – So they can find us on Twitter, LinkedIn, Facebook, Instagram.

      Chris: Okay.

      Mari: Women’s Cyberjutsu. On the website, It’s womenscyberjitsu.org. So Jitsu is J-U-T-S-U .org and come check us out. Sign up for our emailing list down at the very bottom. There’s a little Ninja throwing an envelope like that. And we just had a website redesign. And so that’s kind of, it’s kind of a big deal ’cause we’ve had the same website for years and we’re launching our job board. Oh yeah, next week. So it’s an a new and improved career center for our members and for those that wanna find jobs and experiences like that. So womenscyberjitsu.org is our website. If you wanna reach me, [email protected] I check my emails on often three in the morning I’m checking email, you know, one in the morning I’m checking email when I’m supposed to be sleeping.

      Chris: Before sleeping, yeah….

      Mari: We talked about that before, yeah.

      Chris: Yeah . Yeah, and so we look forward to bringing sponsors, donors, everybody in we can to help bridge this gap.

      Mari: Yeah, we’re pleased as punch to be sort of affiliated with you guys as well. So–

      Chris: We’re excited for you guys to be partnered with us as well.

      Mari: More collaboration In the future.

      Chris: All right, well Mari Galloway. Thank you again so much for joining us today. This was super educational and fun and I hope everyone who is out there listening goes checks, checks out to your organization.

      Mari: Yes, thank you.

      Chris: And thank you all today. As always for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in cyber work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your work day. All of our videos are also available as audio podcasts. Just search cyber work with Infosec in your podcast, catcher of choice to see the current promotional offers available to listeners of this podcast. Go to Infosecinstitute.com/podcast and as we’ve been saying last few couple of weeks, we have a free election security trading resource which you can use to educate your local poll workers and volunteers on the cyber security threats. They may face during the election season. For information about how to download your training packet, visit infosecinstitute.org, infosecinstitute.com sorry, forward slash IQ forward slash election dash security dash training or click the link in the description. Thank you once again to Mari Galloway and thank you all for watching and listening. We’ll speak to you next week.

Cyber Work listeners get a free month of Infosec Skills!

Use code "cyberwork" to get 30 days of unlimited cybersecurity training.

Weekly career advice

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Carbon Black, IBM, CompTIA and others to discuss the latest cybersecurity workforce trends.

Hands-on training

Hands-on training

Get the hands-on training you need to learn new cybersecurity skills and keep them relevant. Every other week on Cyber Work Applied, expert Infosec instructors and industry practitioners teach a new skill — and show you how that skill applies to real-world scenarios.

Q&As with industry pros

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.