Impostor syndrome, burnout and the challenges of a career in security

Susan Morrow, head of research and development at Avoco Secure, returns to the podcast to discuss her 20 years in the security industry, how she landed a fortune 500 client working from her bedroom, and the growing role of women in the industry.

  • View transcript
    • Chris Sienko: Hello, and welcome to another episode of the Cyber Work with Infosec Podcast. Each week, I sit down with a different industry thought leader to discuss the latest cybersecurity trends and how these trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. As part of Infosec’s effort to close the skills gap and empower people through security education, Cyber Work will continue to be speaking with diverse and interesting women in the cybersecurity industry and hearing their stories, including today’s guest.

      Today on the show we have Susan Morrow, a frequent contributor to our Infosec resources website, which you can check out at resources.infosecinstitute.com, as well as several well-attended webinars that we’ve hosted in the past year. Susan has been working in the security sector for over 20 years. She is currently the head of research and development and Avoco Secure and specializes in designing solutions for consumer and citizen identity systems. She says that she has always tried to put the human being at the center of technology while balancing security, which can sometimes be quite a challenge. Today, she is coming to speak with us about her experience of being a woman in the tech industry. Susan, thank you once again for being here.

      Susan: Thank you, Chris. Hello.

      Chris: Hi. To start at the very beginning, how and when did you first get started in computers and security, and where did the interest come from?

      Susan: Oh, gosh. Okay. I originally… My original profession was as an analytical chemist in industry. I did quite a few years in the labs, analyzing things, running labs, that type of thing. Then it’s a long story but I moved… I transitioned through that into… Also, shortly, for a brief period, was a science teacher. My background is actually in science. I feel like a scientist rather than a technologist. It’s really weird. I can’t seem to shake that. My original career was in science, and then I moved over to tech, because myself and my partner were originally working on scientific software just to sort of make money on the side. Chemists are poorly paid.

      Chris: Right, right. Yeah, that’s where the money is.

      Susan: We really wanted to work together as well. We enjoyed being together, wanted to work together, what we do… In those days, you could start a company in your bedroom, and we did. We literally did. We sold one of the world’s largest installs of security software to a major Fortune 500 company. And they probably still don’t know to this day, this was years ago, so I can say this now, it was written, created, bagged up, the lot, in our bedroom.

      Chris: Wow.

      Susan: I know.

      Chris: When would this have been?

      Susan: This would’ve been early ’90s.

      Chris: Wow. Okay. Yeah, yeah. Absolutely.

      Susan: Early ’90s. Anyway-

      Chris: Was it just for one client, or did you sell it to multiple people, or was it a custom?

      Susan: Yeah, so we got the break from SC magazine.

      Chris: Oh, yeah. I know SC Magazine, yeah.

      Susan: I noted that they were running reviews of products, which they still do. And [inaudible 00:03:16] go to SC Magazine. I said, “Oh, let’s just see what they say.” You know, naively. Naivete is a wonderful thing.

      Chris: It worked for you.

      Susan: We got five stars.

      Chris: Wow.

      Susan: The product was a file/folder level encryption product and big Fortune 500 company needed that. They didn’t care. They just wanted to know that it worked, that it did the job. And we got a massive deal and we were able to quit our jobs and start the company properly.

      Chris: I love it. Did you get the gig based on the five star review in SC?

      Susan: Yes.

      Chris: I love it. That’s even better.

      Susan: Yeah, it was good.

      Chris: I know you as someone who wears a lot of different hats, so could you tell me a little bit about your various roles with Avoco Security and some of your other projects, what do you…?

      Susan: Of course, this is another company on. The whole first company is another complicated story that could be turned into a book, but I learned a lot from that company. I basically learned everything to do with the business and the business of security, the business of security. So in Avoco, Avoco started off as a rights management company and I sort of took the knowledge from the first company, which was in access control, that type of thing, and applied it to rights management which has an access control layer. Obviously it’s a bit more complicated than that. We soon found out, when the perimeter started to be broken and became more fuzzy, we found out that access control is actually a very complicated thing.

      And in the old days, when I say old days, I’m talking about 15 years ago, you probably used some kind of Active Directory to control access to content. Then, the internet became ubiquitous, people were trying to share content with outside parties, didn’t have Active Directory, no accounts. What do you do? Certificates? Nobody wants to use personal certificates. They’re too complicated. We looked at information cards, which was a Microsoft initiative back in the day. It was killed by Microsoft, like literally killed, so we started to think, “Oh, identity. Now there’s a space opening up for identity that crosses, cloud-based identity as a service, that crosses perimeters.”

      Chris: Okay, so this was probably right at the headwaters of cloud.

      Susan: Yeah, we were knocking about. We knew nothing really about identity at that point. This was going back about 10 years. In the past 10 years there’s been an enormous amount of changes in the identity space. IM is firmly, it needs to be more firmly, but it’s firmly in the remit of cybersecurity. Especially with things like the Zero Trust Model, it needs to be more firmly in there. There needs to be more links between traditional cybersecurity and IM because the two are so intrinsically linked, they’re dovetailed. That’s another discussion point.

      My goal in Avoco, and across many areas, I work in product design so I help to design the features and functions of the product so I need to understand protocols, I need to understand the software. I’ve never been a software developer, but I have trained myself to write in certain languages just because it’s useful. I’m just not interested in that.

      Chris: What languages are you trained in?

      Susan: JavaScript. Years ago, C++, that was the original one that I learned. But I’m just not interested in it. I’m more the big picture person so I’ll look at the market. I have to understand the market deeply, understand everything that’s going on, the trends, what’s wrong with them. To be able to understand what’s wrong with things that are coming along, I have to be able to understand at deep level how the software works and how technology works. And solution architecture, I do a lot of solution architecture. I do business analysis. When we have a client, the client will give us requirements. I have to then map those requirements to the functionality and work out how things are going to work so that the developers can then actually configure the product properly. It’s kind of a wide role, but it’s also not because it just means I do a lot of research, a lot of [inaudible 00:02:40].

      Chris: Well, that moves to my next question here. I realize most people, especially if you’re owning a company or high-level exec or whatever, that your days are different, but could you sort of walk me through an approximation of your average day? How many plates or projects are you spinning at any given time and what are some of your favorite parts of your current projects and what do you find most frustrating?

      Susan: It varies. Something I do every single day, though, is write. In some form or another I have to write something and so I’ve been doing a lot of, just the past couple of weeks, for example, I’ve been doing a lot of RFPs, that type of thing. I find them very boring to do. But to be able to do them, you have to really be able to, again, do this requirement analysis. It’s that kind of mapping things back and being able to see the big picture and put all the pieces in, but also doing it in such a way that you optimize people’s time in the company with what the value of the project is, that type of thing. So there’s all of that going on. I don’t do it on me own, obviously. I do have my little helpers. Just joking. Really big helpers, really I couldn’t do it without you.

      Chris: How many helpers do you have?

      Susan: I don’t know. Actually, very few. We’re a very small company. But they’re very talented people so they’re incredibly helpful. The past few weeks has been a lot of focus on that. But then I might have a period where, for example, I have to do an enormous amount of things like working out user journey analysis and writing out…

      The last mega-project that we did was the U.K. government’s Verify system and that was a big project. We were the technology behind two of the big brands that gave the citizens in the U.K. identities. I had to write this user journey document and had to write it in such a way that I could give it to the developers who could then configure the platform in such a way, so the system architects could take it and develop this configuration that would match the requirements. So I had to do an enormous amount of work on user journeys and because it was a very complicated system of many moving parts across a massively wide demographic and the UX of it was very complex, that was a massive job. It took months to do that. That was one of my main jobs and that took a lot of my bandwidth. And when I’m doing things like that, it’s very difficult for me to fit other things in.

      But what I like doing the best, and there’s not always a remit for this, but when I get the opportunity, what I do best, I think, is to take an idea for maybe an extra function or maybe a new component. The product that we have is actually an API so what I’m talking about here is a different expression of the API to productize it. That is one of my favorite jobs to do, designing specs for productization using API features.

      Chris: What is the appeal of that specific task?

      Susan: I think it’s because I can link what I know about the market and what the market wants, and by market, I mean people, what people want, with the remit of identity data and personal data. It’s just being able to map those two things together and then at the end we get what is essentially, it becomes almost like a baby. I like to garden when I get the chance and when you grow a plant, it’s the same sort of thing. You put the seed in and you water it and you give it food and you watch it grow and then you might sort of take clippings from it and so on. It’s the same sort of thing. It feels like you’re growing something.

      Chris: I love that. So based on what you’re telling me about these huge projects, I’m guessing you’re not really keeping banker’s hours. How many hours a day are you working on your various projects?

      Susan: I’ve never really thought about this as a 9 to 5 job. It’s not a 9 to 5 job, but I try not to work in the mornings anymore because I’ve been told off by a therapist for doing that because it interferes with my mental health so I try not to do that in the morning. And I [inaudible 00:12:18] get up early and I want to go immediately to the computer and work, but now I try to watch things like Community and Parks and Recreation.

      Chris: Start out in a lower gear to start with.

      Susan: Yeah, exactly.

      Chris: Work your way into it. Okay, that’s a really interesting point. So you’re sort of easing back a little bit, but do you sort of stop at a certain point of the day? Is there a point where your brain shuts off or are you still up at 10:00, 11:00 at night?

      Susan: No, I stop. And I do this on purpose now. This is something that I taught myself to do, again, because I didn’t stop and it’s really important. Now, I’m lucky in my life that I don’t have small children now. My children are grown up. But this is particularly important if you’ve got small children, and I had to force myself to do this, I now have a cutoff point. And when I started in this company, which has been over 13 years now, when I started with this company I was so used to working all the hours God sends that when I came to this company I said to myself, “Susan, you’ve got to stop. You’ve got to have a cutoff point and tell everybody from day one, this is my cutoff point and I don’t work after.” I mean, I do. Yeah, I do.

      Chris: But they don’t have to know that.

      Susan: But they don’t have to know that and they respect it. And they do sometimes ring me up at like eight, nine o’clock and I do take the call because in the main they respect it, in the main. But it wasn’t important.

      Chris: Absolutely. I think that’s a really good, everyone needs to know that. You need to set boundaries and make people respect them. It’s absolutely true.

      Susan: You make yourself very ill and I did at one point get really ill because of overwork.

      Chris: Oh, yeah. No, you can’t be on all hours of the day. So moving on, you recently wrote an article for our site, resources.infosecinstitute.com, titled, “Women in Cybersecurity to Know.” And you included a bit of autobiography at the start, specifically about the days when the only women on the floor of a cybersecurity conference were the so-called Booth Babes. As you noted, the women of these conferences at the time weren’t really there to bring knowledge or insight, but were as “as a kind of prize for the male attendees.” And obviously things have changed a bit in the intervening years, but obviously a lot more is needed. You posted a tweet from a colleague that expressed anger that this kind of thing is still going on. With platforms like Twitter making it harder to pretend that organizers didn’t get the negative feedback for their actions, do you think that speaking up about these things in public spaces is making any difference?

      Susan: Yes, definitely. To be perfectly honest, back in the day I didn’t have a lot of confidence to speak up about things like that. I had some bad experiences and it took a lot of maturity to build my confidence. A lot younger women now seem to have the confidence that I lacked and they’re not frightened of standing up and it’s made a massive difference. I’m really grateful to them for having the courage to say, “This is wrong.” And when I think back, I feel quite ashamed that I didn’t pull people up in certain circumstances when they embarrassed me and it made me feel ashamed and were outrageously sexist to me. I didn’t say anything to them. I should have said something to them but I was fearful over my job and of upsetting people, but, no, you’ve got to stand up.

      Now, it upsets a lot of people and I know that there’s a little bit of a backlash and men are thinking, “Oh, God, not another [inaudible 00:15:51]” And I get it because it could be really annoying. It would be really annoying because they just feel a sudden tsunami of angry women. But, oh my God, the alternative is to have submissive, suppressed women. Do you really want that? Gosh, we need to work together in this world, especially in cybersecurity because it touches everything now. We have to work together. We have to all use our talents together. So I’m grateful to those young women who have got the courage to speak up.

      Chris: I think I would also note that for the younger women now who are able to speak up, they’re able to do it because people 20 years ago like yourself were able to do… With more and more women, you have this sort of union of people who have your back and people in leadership who have your back and that can only help.

      Susan: Well, there’s things like Women in Tech, Women in Cybersecurity, Women in Identity. There’s a lot of groups as well who… Can I tell you a funny story the other day?

      Chris: Please, yeah.

      Susan: So I’m a member of Women in Identity, which is a support group. It’s not just actually for women, it’s actually for men and women, but it’s a support group to try and encourage more women to have voices in the industry. Anyway, so I was talking to this bloke the other day. You’ll know who you are if you hear this. He’s actually a really great bloke and he’s a friend, not just a colleague, he’s a friend. He’s a great bloke and honestly I don’t want anybody to think anything badly of him. But he said this to me. So we’re talking about Women in Identity and the conversation went something like this. “Oh, yeah, Women in Identity, that’s just like all women together, just looking after each other in that you’ve got all your powerful women and you can open doors for each other.” He’s a consultant. “You can open doors for each other.”

      I just burst out laughing. I says, sorry, I almost went into accent there. I said, “You have got to be kidding me.” I said, “Do you mean a bit like the old boys’ network? Do you think just like that?” Now, he’s a nice bloke, he’s a nice man, and he thought that it was giving women an unfair advantage over men.

      Chris: There’s so many stories of that in different industries. There’s Women in Publishing or Women in Medical and they always end up having to be disclaimered with, “Oh, but men can join, too.” is fine and good and whatever, but it’s funny to me that there has to be that disclaimer of, “Don’t worry, don’t worry, we’re not excluding you. It’s okay.” Even though you’ve been excluded for so many decades that… I don’t know. It’s challenging for sure, I understand.

      Susan: Honestly, I don’t mind men being involved in it personally. They just have to realize that we sometimes have to have groups where, because women have got this really weird thing, a lot of women, obviously not all of them, have now got this thing called imposter syndrome and it’s real. It’s real and it’s alive and kicking. And one of my problems when I was younger and coming into this industry, I just didn’t have the confidence and it felt like all these techy men who were talking about encryption all the time and I was learning it on the job, talking about encryption all the time. “Oh, I’m not as good as they are.” Really, that’s exactly what went through my head. “I’m just not as good as they are. I just need to hide. I don’t want to speak to anybody.”

      You need for people who understand what that feels like to give you a hand, just hold a hand out and say, “Come on, I’ll help you along.” And just give you a hand because I probably would, in a competition between me and a man of equal standing, I probably wouldn’t win because that person just had more confidence than me and it would come through. It’s fine now. I’m fine now. 20 years ago…

      Chris: Oh, yeah. You don’t got to prove nothing to nobody now. But two points from that, one is that I think that it needs to be said in a lot of different aspects of work, but especially with this, five minutes of help now can make hours worth of productivity later. Sometimes it’s just like, “I need five minutes of your time to help me through this problem.” But sometimes it’s just, “I need five minutes of reinforcement from someone who I respect and it’s going to get me through several weeks.” And those are important things.

      Chris: And we’ve talked to several other women in the industry and so many of them mentioned mentoring programs, whether women with women or men with women or what have you. But a good way to break through imposter syndrome is to have someone in your corner and just let you talk out your fears and say there’s nothing to be worried about and that can last you for weeks.

      Susan: Absolutely. And you know what, it’s not just women who have this. It’s not just women who have lack of confidence. There’s lots of men who do as well and we just need to support each other, right?

      Chris: This guy.

      Susan: It’s crazy but you can’t help it and you just need to have people to be a bit more understanding, that’s all. I hate using this word but it’s how it feels, mature. I’ll take mature over you’ve got to pretend, fake it until you make it, this sort of thing and all these sort of cultural overlays of how you should act. And men are definitely as disadvantaged by that as women are. And it’s in our software products. It’s actually reflected in our software products.

      Chris: How so?

      Susan: Great ideas and great innovations are held back because people are frightened to say, “Oh, I’m stupid. Nobody’s going to listen to me.”

      Chris: So has that been an issue at all with things that you’ve worked on? Have you found out after the fact someone had a really good idea but it went to market without it?

      Susan: Well, this gets complicated because sometimes clients, in certainly what we do, sometimes the clients will have a view in their head of what they want and even if it’s not ideal you still have to do it because they’ve gone through internal… Who knows what goes on inside? Who knows? But I’ve had a lot of times where I’ve done things and other people have taken the credit for it. That’s really annoying. That’s an annoying thing that happens but I think probably everybody experiences that at some point in their career.

      Chris: Yeah, but again with, if you have someone in your corner it’s a lot easier to make your case maybe now, potentially, than it would have been when “just go along to get along” or what have you.

      Susan: Yeah, but surely mentoring and support groups that are specific to industry sectors like Women in Cybersecurity and Women in Identity are great because they can give you a structured way of having support.

      Chris: So we’ve sort of been talking about this but what were the biggest challenges to being a woman in the cybersecurity field when you started and how if at all have these challenges changed?

      Susan: Well, I think one of the biggest annoyances, I don’t know if it was a challenge, but it was an annoyance, was that I was never taken seriously. And everybody always assumed that I worked in marketing. I don’t know why that was exactly. It was a weird thing and I always had to put them right and…

      Chris: You’ve got a certain marketing stride about you or something.

      Susan: Maybe. I’m actually quite interested in marketing because I’m quite interested in human behavior side but I wasn’t in marketing and people used to pigeonhole me into it. It was really irritating. And also, in those days, I have actually been in a situation where, even though I was running the company, I was the managing director of the company, I was ignored, not spoken to and the man who I was with, I’m thinking of one particular instance where it was a sales director, he was assumed to be managing director. They spoke directly to him. I’ve even had one company, this is going to be hard to believe but this is what was said, that they refused to have any more meetings with me if I turned up in trousers. I had to wear a skirt.

      Chris: And I’m assuming from your career this is in the last 20 years. This isn’t like 1955 or something like that.

      Susan: That company’s not in business anymore and it was a big company as well. And so I’ve had a lot of that. That was a pain. And I was always the only woman in the room and it still happens. I mentioned in the blog post I was at a recent meeting with a very well-known, large financial organization and there were 22 people in the room, it was a technical meeting, there was 22 people in the room and I was the only woman. And you just think, “Really?”

      But then I have women who say to me, I have women who work in women dominant industries who say to me, “Oh, you’re really lucky, Susan. It’s horrible with women because women are horrible. They’re really bitchy and horrible.” But I can only talk about my experiences.

      Chris: Yeah, and one’s not necessarily better than the other but it would be nice to have something in the middle there. So obviously things have gotten better in the intervening time but what if anything has gotten worse? Has there been any sort of backlash or people getting sick of…? Or do you get more accusations of, “Oh, you just got here because they wanted to fill a quota?”

      Susan: Yeah, there’s definitely that. We wouldn’t be doing this, now, if there wasn’t a little bit of sort of positive bias going on, but that’s a good thing, in my view. Well, it’s good to a point. Obviously you want the best person for the job and you want to feel like you were the best person for the job. But the fact is, is that in the past the best person for the job wasn’t chosen. They were chosen not on merit, they were chosen because they were a particular sex. And I’m sorry, but that is true. Anybody who denies it is in denial.

      But it does feel, maybe I’m just being paranoid because the world’s a bit weird at the minute, but it does feel like there’s a bit of a backlash. Certain things are afoot and people are angry about it and they don’t want this to happen and there is a little bit… But in the ’70s when there was, I was still a kid then so I don’t remember it directly but from what I’ve heard, in the ’70s when women were raising consciousness they called it then and first-wave feminism was happening… I actually don’t know if that was the first wave of feminism. And it had a lot of backlash then if you remember. And in fact, hearing as a kid, “Oh, they’re taking our jobs. Women are taking our jobs. Get back in the kitchen.” That type of thing. There’s a little bit of an undercurrent of that again, just a little bit. I’m picking it up in certain places.

      What I will say is that I don’t know if that’s just my experience but I am surrounded by really, really great men who will fight that for me. Not just allow me to do it, but they’ll come and fight that for me. I do know some not very nice men who are part of that whole thing but the vast majority of men in my life will actively fight against that. Now, I don’t know if that existed in the ’70s or not.

      Chris: We’ve talked about a lot of them but what negative aspects and ingrained behaviors of the industry do you think are most likely to push away women who might otherwise be inclined to get involved in cybersecurity?

      Susan: In cybersecurity, cybersecurity is still a little bit, it’s a little bit this feeling that you have to be a software developer to be involved in it. So going back to these groups, there’s a lot of groups for women and try and get women involved in software development. Now, I’ve got a view of software development that might not be held by everybody, but I think that the way software development is going is becoming a lot more… Well, let’s put it this way. When I first doing the C++, it was blooming hard work. Maybe that’s why I don’t this because it’s a really hard language to learn. You have to keep a lot of things in your head, all the variables, they’re called variables in that.

      But now, you can pick up a language really quickly because a lot of it is you’ve got a lot of libraries to help you and a lot of it is automated. R is really easy to pick up. Now, that’s not a bad thing, or I have a view on that but I’m not going to discuss it here, but what it means is that there’s a potential for it to become even more automated. There’s a potential for it to be pushed into the long grass and things like software architecture and design being a much more satisfying job because there’s a lot more thought and you’re thinking about the actual interactions of lots of different… Because everything now is API-based, as well, but I think with most things that are API-based, they have to interact in a much bigger ecosystem. Yes, sure, you’ve still got point solutions like apps and stuff like that, but a lot of platforms have got a lot of touchpoints.

      So I think that we need to be a lot more… It feels like there’s too much emphasis on the program side and not enough emphasis on the design side and the reason for that is because it’s seen as a soft part of it, a soft skill to do design and solution architecture, but it’s not. It’s actually just as complicated as programming. I think there needs to be more emphasis on that and I think if you do that, you’ll naturally draw women in because they’ll find it interesting because the big picture.

      Chris: And there’s not that sort of that specific type of barrier to entry of, “Well, if you don’t know every single one of these C++ commands…” And then it just becomes a thumbs up or a thumbs down or whatever like that.

      Susan: There’s more to cybersecurity than being able to write a bit of software code.

      Chris: Ones and zeroes, yeah. I’ve heard tech leaders say things like, “Well, we’d like to have more women in our company, but none of them answer our job applications.” And there’s this statistic that says that if a listing is posted asking for 10 requirements that women won’t apply for it unless they have at least eight of those 10, but a lot of men will apply for it even if they have two or three of those 10 and, again, it speaks to a confidence differential. But do you think crafting job listings and targeting them correctly is part of the process of finding and recruiting diverse candidates?

      Susan: I have to put my hand up here. I have had problems recruiting women and I’ve even actively gone out and contacted women and said, “Please, apply for this job because we’d love you to.” Now, that could be because they don’t want to take the risk of working at a small company. It could be because I always just pretty much recruit developers, always developers that I recruit of one type or another, so maybe they’re just not interested. But these are women developers that I’m actively going out to and saying, “Please, apply for this job.”

      Now, I have found it very difficult and I’m aware of it. I’m aware of it and I find it difficult. The trouble is is that if you’re looking for a very specific type of person, a developer we’re talking about here, if you’re looking for a very specific developer, they have to have a particular list of skills unless you’re prepared to train them on the job or whatever. But if you’re looking for an experienced developer, there’s a set of skills and you have to list them. But, yeah, sure, lack of confidence must play a part in that.

      Chris: Obviously you’re a strong advocate for the goal of creating gender parity and racial parity in cybersecurity, including in management and leadership roles. And I’ve talked with a few other leaders about this and this is sort of a multifaceted challenge because it’s not just a matter of getting lots of women in at the entry-level. There has to be this sort of deep bench that allows you to hire into management, hire into these leadership roles and even stakeholder positions and it requires undoing decades of industry-wide short-sightedness at the most charitable and outright discrimination at the worst. So what are some of the most vital strategies, do you think, to bring more women and minority professionals into the cybersecurity profession at all levels, not just the help desk or what have you?

      Susan: Yeah, that’s a really hard question to answer because it needs to have… It’s a cultural thing. There tends to be concern about doing certain jobs because if you have kids or you’re going to have kids, you’re going to have to have a bit more flexibility. So, for example, a lot of jobs in the tech sector require a bit of travel, even if it’s to conferences and stuff, but it’s also to clients’ premises and stuff and that could be hard. It’s hard for a man as well. I’m having to always be aware that I might upset a bloke. I’m not trying to upset you, honestly it’s just this is what happens.

      Chris: Stay the hell out of the comment section.

      Susan: I can only talk to my experiences in all that. And also, I’m a grandmother now, as well, and I do whatever I can to help with the kids and traveling takes it out of you. It also affects your family life and you need to have a very supportive partner in that relationship, male or female, you need to have a very supportive partner to be willing to rise through the ranks. So there needs to be some cognizant debate around that.

      It takes a woman with a lot of confidence and to be quite brave to be in a board full of just men, as well, because they do tend to, and I’m talking from experience here, they do tend to talk about, I’ve been in many board meetings where they’ve talked about things like golf and sailing and stuff, which is fine, and rugby. And I was at this meeting once, it was a government thing, and they were showing a video, it was to with some big sort of government initiative thing. They were showing a video and it was all about rugby and they were using all these rugby analogies.

      I complained to them and I said, “Come on, man, think a bit. I cannot relate to this at all in any way, shape or form.” Just like little things. It may seem like, “Oh, God, she’s just complaining. What’s wrong with her.” Actually I don’t know. I take no interest in rugby or any sport. And you just think, “Just think a bit differently. Stop going down these tramlines. Maybe stop doing these things.” Once we’ve started having women filter in through more, and we’ve got more than a 25% employment rate in cybersecurity for women, then maybe it will pick up the pace and snowball.

      Chris: Yeah, and it seems like things are going in that direction anyway, but, yeah, some of it’s time but some of it has to be, I think, strategizing in that direction and really thinking about it on a day to day basis. So you mentioned it before, too, but how can we make the cybersecurity industry understand that more women in tech ultimately makes the entire industry stronger and more capable of solving problems in new and innovative ways? You had mentioned good ideas that get passed by because someone has imposter syndrome or what have you, but can you give me some examples within your team or other teams where having a more diverse force came up with specific solutions?

      Susan: I can point to a Twitter discussion I’ve been having. In the identity industry, there’s a new wave, an identity mechanism called self-sovereign identity. It’s based on distributed ledger technology and it’s about giving user control back to the individual of their identity attributes, verified claims. And the discussion that has been going on in Twitter is between a group of people who are quite diverse, there’s women, there’s men, there’s developers, there’s lawyers, there’s anthropologists, there’s product designers, there’s protocol specialists. There’s a whole group of people discussing some of the sort of complexities of the commercial setting of these new type of way of sharing data. And it’s still ongoing.

      What it’s doing is, it’s bringing people… So I asked a question, someone brought up about, I think it might have been Kim Cameron in a conference, that said that liability for data sharing is moving from the enterprise to the individual. There was a few people come in and said, “No, that doesn’t sound right to me. You can’t do that.” And I asked the question, “Where does the liability…” It was discussing verification, checking of claims, making sure that they are who they say they are. And I said, “How do you trust the people who verify the claims? Where does the liability stand?” Nobody could really answer that, but a lawyer, a privacy lawyer, came in and she was able to shed light on it. She was also able to start a new, side discussion about something that was related, not exactly the same, about the impact of large commercial entities within a truly user-centric system. How would that impact it?

      What that does is, because of all those different people from all different disciplines and men, women, old, young, they were able to open up a debate that there’s no way that… In fact, one of the blokes who was on said to me, “I’m going to bring some of these ideas through into some of my development calls because there’s all these developers on those calls and we’ll be able to discuss these issues.”

      Chris: And I think that also requires… Go ahead. I’m sorry.

      Susan: It does everybody good because at the end you get a better product, more rounded. I did an article for someone recently in the U.K. about disability and identity systems. Unless you’ve actually experienced a disability, it’s very difficult for you to understand. A little, tiny thing that may seem nothing to you, but to someone whose fingers don’t work very well, they can’t do. And unless you’ve got people who’ve got a very wide experience when you’re designing software products and designing security and identity products, if you can’t put those things in, then…

      Chris: Oh, yeah. Make friends with someone with a chronic illness of any sort, you will see all sorts of aspects of the world differently.

      Susan: Yeah, exactly.

      Chris: Also, I was going to point out, I’m sorry, I didn’t mean to stomp over, but I was going to mention that in addition to having diverse voices on the table, there also needs to be a move towards actually listening to even the most initially unlikely explanations and really processing them. It involves getting away from a sort of “we started with the solution and we just want you to reinforce the solution for us” mindset.

      Susan: Exactly. There needs to be an open mic culture in cybersecurity because you mustn’t be frightened to say, because I used to be like this, I don’t give a shit. I don’t care anymore about this. I don’t care if I’m right or wrong or if I look like I’m stupid because I’m at the point in my life where it’s whatever. People are frightened to speak up because they feel like they’ll be embarrassed and ashamed and people will think they’re stupid. There’s no such thing as stupid in cybersecurity. There’s no such thing as stupid in cybersecurity. There’s only questions not asked. We need to ask them because, tell you what, the cyber criminals will be asking them of themselves. They are a clever lot. They know what they’re doing. We need to get one step above them and we can’t do it without really understanding human beings and allowing human beings to speak.

      Chris: Yeah. Boy, that’s a really good point. Almost everything involving breaches or whatever is involving some somewhat arcane aspect of human nature that someone hadn’t thought to watch out for. And then if you’re not in front of it, then you’re behind it.

      Susan: Because you can harden your platforms and follow the OWASP top 10 as much as you want but someone clicks on a phishing email and you haven’t… [crosstalk 00:42:12]. Even with seven-factor authentication there’s ways around it. You put a trojan on your mobile phone and…

      Chris: Yeah. It’s a war of attrition. So having worked in security for more than 20 years, what tips would you give to women entering the world of security now?

      Susan: Try not to be too scared of what you come across and don’t let it faze you. Do as much reading around the subject as you can because it’s a big subject. Try and see outside of things like the sort of hardcore, anatomy of a hack type of a thing. They’re important. They’re really important, because you need to understand what you’re up against, but also look at the wider scope of cybersecurity. See it as more of a holistic exercise because that’s what it is.

      Find your focus. You might find a focus in a particular area which you’re really good at. If you can find your focus quickly, great, but have a look around because it’s a big space, big, big, big, big space and getting bigger. And don’t be scared, ask questions. And try and find a mentor, try and find a group that you can join of supportive women and just take care out there.

      Chris: So what do you think, as we wrap up here, what are some of the major challenges to be addressed in this regard in bringing increased representation of women, minority professionals into the industry? Where do you see all this going as things change?

      Susan: It’s really difficult to predict that because human nature’s up and down. What’s okay one day is not okay the next. I just saw today that Alabama have passed a quite restrictive anti-abortion law. I would never have thought that of the U.S. You just don’t know what happens around the corner. You don’t know how things change. Patterns of behavior change and culture changes, but I’m hoping that we all come together, that we all realize each other’s strengths and weaknesses. That we work together and that men and women are equal and it’s recognized that we’re different but equal. Those things, those differences can actually become our strengths together.

      Chris: We’re all going to get through this together. Susan, I could talk to you for hours, but thank you again for being here today and thank you for all your insights. Really appreciate it.

      Susan: Thank you, Chris. Speak to you soon.

      Chris: And thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to YouTube and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos, including this one, are available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast app of choice. To see the current promotional offers available for podcast listeners and to learn more about our Infosec Pro live Boot Camps, Infosec skills on-demand training library and Infosec IQ security awareness and training platform, go to infosecinstitute.com/podcast or click the link in the description below. Thank you once again to Susan Morrow at Avoco Security and thank you all for watching and listening. We’ll speak to you next week.

Cyber Work listeners get a free month of Infosec Skills!

Use code "cyberwork" to get 30 days of unlimited cybersecurity training.

Weekly career advice

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Carbon Black, IBM, CompTIA and others to discuss the latest cybersecurity workforce trends.

Hands-on training

Hands-on training

Get the hands-on training you need to learn new cybersecurity skills and keep them relevant. Every other week on Cyber Work Applied, expert Infosec instructors and industry practitioners teach a new skill — and show you how that skill applies to real-world scenarios.

Q&As with industry pros

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.