Starting a cybersecurity business and building a diverse workforce
Christine Izuakor is a Houston native, born of two parents who immigrated to America from Nigeria to pursue higher education. Starting from humble beginnings, Christine has always been motivated to maximize on the opportunities her parents and community created for her. In 2013, Christine decided to pursue a Ph.D. in Security Engineering at the University of Colorado. Her research contributions were published in numerous international journals, and she presented in international conferences from South Korea to Rome, Italy. During this entire journey, Dr. Izuakor also maintained a full-time job within the cyber security team of a Fortune 100 company.
Most recently, in 2020, Dr. Christine Izuakor shook up the industry with her departure from the corporate arena coupled with the launch of her new cybersecurity startup, Cyber Pop-up (www.cyberpopup.com), an on-demand cybersecurity service platform powered by vetted freelancers.
[00:00:00] CS: Hitch up the waggons and polish your spurs, cuz it’s High Noon, and The Searchers are looking for a way into your network! October is National Cyber Security Awareness Month, and Infosec is helping to tame the Wild Wild Net with our collection of free training resources that will make your employees the masters of the cyber frontier and bring cybersecurity to the forefront of your organization. Go to infosecinstitute.com/ncsam2020 to download our free toolkit containing a Stagecoach full of provisions to run a month-long security awareness campaign, including posters, infographics, newsletters, email templates, presentations and more!
Grab Cybersecurity Awareness Month by the horns with this Wild Bunch of free materials from our award-winning LX Labs team. Just as “wanted” posters in the Wild West helped the public recognize the region’s most notorious villains, our free training kit reveals the identities of common cyber threats to help prepare your employees for the real attacks they face. Again, go to infosecinstitute.com/ncsam2020 or click the link in the description to get your free collection of training materials and help spread security awareness.
And now, let’s begin the show, partner.
[00:01:19] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
Christine Izuakor is a Houston native, born of two parents who immigrated to America from Nigeria to pursue higher education. Starting from humble beginnings, Christine has always been motivated to maximize on the opportunities her parents and community created for her. In 2013, despite discouragement and limited role models, Christine decided to pursue a PhD in security engineering at the University of Colorado. “I was told I was too young, too inexperienced, and too naïve to contribute anything to my industry at age 23,” she said.
Nevertheless, Dr. Izuakor completed the program at 27 years old, making her the youngest student and first African-American woman to do so. Her research contributions were published in numerous international journals and she presented in international conferences from South Korea to Rome, Italy. During this entire journey, Dr. Izuakor also maintained a full-time job within the cybersecurity team of a Fortune 100 company. Her rapid growth within the business and within the technology industry landed her a spot in Crain's Chicago Business Tech 50 list, a roster of influences and names to know in the Chicago technology scene. She’s also featured in the Crain’s 20 in their 20s list.
Prior to this, Christine earned a bachelor’s degree in business administration. She earned a master’s degree in information security systems from the University of Houston while simultaneously completing a year-long internship on the information security team at United Airlines. Soon after, she went on to earn the highly sought after CISSP and the CISM certs, two certs we’re quite passionate about here at Infosec.
Christine is passionate about influencing workplace culture and, in 2015, cofounded Gen Trend, a millennial business resource group. As the former vice president of the organization, she was a driving force in the development and execution of a critical strategy to engage and retain the next generation of aviation employees and customers.
Dr. Izuakor is also active in the diversity and inclusion community. She served a two-year term as the head editor of the Illinois Diversity Council Editorial Board, and a member of the National Diversity Council Newsletter Committee. Additionally, she is dedicated to helping close the opportunity divide that challenge people face around the world. She’s launched numerous scholarships and fellowship programs in support of cultivating cyber talent. Most recently, in 2020, Dr. Christine Izuakor shook up the industry with her departure from the corporate arena coupled with the launch of her new cybersecurity startup, Cyber Pop-up, that's cyberpopup.com, an on-demand cybersecurity service platform powered by vetted freelancers.
An avid world traveler, Dr. Izuakor has been to over 30 countries in the last few years and enjoys learning about various cultures. She enjoys museums, shopping, dining and spending time with her family and friends in Houston. But she is now based in Chicago. When asked about her personal mission, she shared, “I am dedicated to reaching my full potential with hope that as I share the journey, I inspire and encourage those around me to do the same.”
Dr. Izuakor, welcome to Cyber Work today.
Oh! You’re muted.
[00:04:30] CI: Sorry. Thank you so much for having me. I feel like that’s such an in-depth rundown on my entire life. So you know everything about me now.
[00:04:40] CS: You have a fascinating history, and I wanted to make sure we got all of it in there so people know how cool it is that we got you here. So thank you.
So obviously, as I said, you have an amazing and fascinating story, and I have a million questions, of course. But I want to start at the beginning. So what was the lure of tech, and specifically security at an early age? Your bio noted that your parents immigrated to the United States to pursue higher education. So I assume that, clearly, education and advanced knowledge was very important growing up. But what was it specifically about security in tech that drew you in?
[00:05:10] CI: Yeah! Absolutely. So education was definitely a huge part of it. I think even taking it a step further, it was more so – My parents always drove me to just be the absolute best that I could be. But then also be the absolute best like in whatever industry or vertical I decided to go into. So, initially, I would build a career in the medical industry. I wasn't looking at tech at all. What my culture and family expected of me. Yeah. So I was trying to be an eye doctor. And started going to school for that. Failed miserably at it. It was absolutely not for me. Kudos to all of the eye doctors out there.
But yeah, it was during that time that I kind of started to explore and just take random classes and try to figure out what other options are out there. Still, wasn’t intentionally looking for cybersecurity or tech. But I happened to take this cybersecurity class, and we had a very distinct assignment that I’ll never forget around encryption and trying to basically reverse engineer this encryption code.
And I’ll never forget that assignment, because I just had so much fun doing it. It felt like a game. It felt like something that I would do whether I was getting paid to or not. And so when I realized that I could get paid to do something like that, I was like, “Oh, yes. This is for me.” And so I started pursuing that in school.
[00:06:36] CS: Yeah. Do you remember – Did it come sort of natural to you? I mean, there was obviously the excitement of like there’s a new thing that I’m learning here. But you’re like, “Yes, I get this. I really get this.”
[00:06:47] CI: Yeah. And I think a huge part of it too is I just liked – Especially as a kid, I liked games a lot. I liked math quite honestly. My mom always says that I was a little mischievous, which I feel like is a good trait to have in the cybersecurity space. And so I feel like, yes, there was some preparation that had to happen. But I feel like that natural kind of instinct and interest has always been there.
[00:07:12] CS: Yeah. That’s one sort of huge wing of cybersecurity, is the sort of puzzle solving people. People who are into it because it’s a cool sort of problem to solve that way. So clearly there was a snowball effect with your obsession with knowledge. And you went from business administration bachelor’s to earning a master’s in information security from the University of Houston while simultaneously completing a year-long internship in the information security team at United Airlines before beginning your PhD at 23.
You mentioned you had “discouragement and limited role models to pursue this academic and career direction”. So how did you keep yourself inspired and focused to pursue this supremely difficult course of study?
[00:07:51] CI: Yeah. I think there’re a couple of things. One, I’ve always had this kind of like underdog syndrome, like whatever you want to call it. I’ve had a lot of people doubt me. And so it’s been something that I think has always pushed me to prove people wrong and want to do more. But I think the other piece especially in the point that you mentioned on the discouragements or not having the role model. So, I had to realize especially in one very specific conversation with someone I felt was a mentor who basically said you’re too young to pursue this degree. There’s not much you can contribute at this point. And all of these kind of excuses and feedback that quite honestly I didn’t agree with. It was very discouraging.
And so I had to, in that moment and moving forward, realize that that person didn’t mean harm. I think they were trying to give me advice or their perspective. But everybody is looking at the world from their unique lens and people project all the time, whether you’re a mentor, the people you work with, or on social media. There is a lot of projection going on, whether it’s ill-intentioned or not.
And so I had to get better and more intentional about taking in all of the feedback and soaking it in and also being able to separate what is true for me versus what might be projection. And I think that helped me a lot in staying encouraged and not letting some of those sort of naysayers or whatever you want to call them hold me back. But then I feel like the other piece from a role model standpoint is I essentially had to kind of create my own fictional role model.
[00:09:30] CS: Yeah. You’re sort of – Yeah, idealized version.
[00:09:33] CI: Yeah, exactly. So I have this imaginary role model where I pick all of these strong traits and things from different people that I had seen and that I knew and kind of used that to mold this is who I want to be. And this is how I’m going to get there.
[00:09:47] CS: Yeah. I mean, that’s super inspiring. And it’s funny, I appreciate you said that the person maybe didn’t mean ill. But it’s hard to see a story like that and not see ill in it, because I think people are projecting their own sort of fears or insecurities, “Well, I don’t want Christine to have to go through the indignity of failing at this. So I’ll just discourage her,” which is terrible, because obviously it was not appropriate.
[00:10:12] CI: Yeah, exactly.
[00:10:13] CS: So for those of us who don’t know about these sort of things, what does one study and learn about when pursuing security engineering at the PhD level? How much further up the ladder of study and creation is this from, say, a CISSP or a CISM cert?
[00:10:30] CI: Yeah, sure. Essentially, it’s learning how to take a very complex cybersecurity problem or a security related problem in general and break it down into something that is more tangible. So it’s a lot of breaking a problem down into like here is like the root cause and some of those components, and understanding it to a point where you can then build all of that back up into a true design and a solution in a system that solves it.
And so I would say like that’s at a high-level what it is. I think the difference between that and, let’s say, a certification is twofold. One, you’re essentially in a PhD program creating something that doesn’t exist, right? Versus learning what’s the industry standard, which is what you truly do in a CISSP or a CISM. And so, yeah, it was really about like this is something new that I’m creating. But then I think the second piece and difference is CISSP or certifications in general, you’re getting a broad overview or introduction or however you want to call it into the cybersecurity industry. And so you learn about a lot of different domains. Even if it’s something more specific like an ethical hacking certification, for example, you’re still learning about a ton of different elements and domains under that versus –
[00:11:54] CS: Yeah.
[00:11:56] CI: Yeah. Versus in the PhD program, it gets very specific. Like you start out trying to understand like the broader landscape. But then you really focus in on like this little needle piece, and that’s what you get really good at and try to solve for.
[00:12:11] CS: And I suppose you have to sort of decide for yourself to sort of like find a problem that you yourself are going to solve. Is that sort of –
[00:12:18] CI: Right. Yes. Exactly.
[00:12:20] CS: Okay. Does the pursuit of a PhD in security engineering have business application? Or does it mostly pertain to work in higher education? A lot of PhD people, it’s like, “Well, that just qualifies me to work as a doctor or something like that.” Are you creating new processes and methods of security sort of in a business sphere? Do you have a specific area of study within your PhD?
[00:12:40] CI: Yeah. Yeah. Absolutely. So I think it definitely has a business application, for sure. I’ve used it at both ends, because I use it in work. I have taught cybersecurity classes. So it’s been twofold. But I’ll first start by saying kind of what my focus was. So I was trying to solve the problem of identifying critical infrastructure assets at a national level. So I basically did a ton of research to build this. It’s called like critical infrastructure identification system for the Department of Homeland Security. It’s something that they could use to survey and analyze different systems and figure out what’s truly critical that we need to protect. Because at the end of the day in security, in general, and cybersecurity, you can’t protect everything. You have to know what are your most critical assets. And so I was trying to – And I did build a system to help get better at that.
Now, where this applies in business is twofold. One, the general concept of a PhD in security engineering, again, is understanding a very complex problem, breaking it down and building a system to solve it. You do that every day.
[00:13:47] CS: Yeah.
[00:13:47] CI: Right? And so I think just getting into that thought process and getting really good at that helped me build so many solutions and so many systems throughout my career that it made a huge difference. But then I feel like the other piece for me, at least, in my personal experience is I always thought that I would get the PhD and contribute this new knowledge that I created and it’d be great. And then later on down the road after I had met all my career goals, I would go back and start teaching classes. I had no idea that I would teach classes one year out of that program.
But I did do that. And it’s been like one of the most rewarding things just to be able to, again, share that insight and help develop the next generation of cybersecurity professionals. That’s something that I wanted to do long-term, but yeah, it happened and it applies. And so I feel like it’s such a win on both ends.
[00:14:45] CS: Yeah. The stuff that you’re creating now could well end up in certification knowledge bases in the future or whatever. This might be the way it’s done going forward. So tell me about Cyber Pop-up, the company that you founded in December 2019. What problems were you attempting to solve by creating this freelance platform and how has it been going in its first months of operation, especially considering that we’re in the midst of a global pandemic?
[00:15:10] CI: Yeah, sure. Cyber Pop-up is an on demand cybersecurity service platform. It’s powered by vetted and highly skilled cybersecurity freelancers. And the way that this kind of came about is we all know that businesses need often fast access to cybersecurity services and cybersecurity help. But a lot of especially small and medium-sized businesses are left with either slow to ramp-up and super expensive traditional consulting agencies. Or if they are trying to go the freelance route, they end up with sort of insecure un-vetted talent in some of the platforms that are out there today. So we were seeing this huge demand without kind of this need being met.
And so we bridge that gap by providing a freelancer experience that’s still trustworthy and efficient and has the right infrastructure to enable that. But then at the same time, we care so much about increasing diversity and creating change in that space and as we build the freelance base, we’re able to do it with that in mind, right? And help tap into some of these resource pools and networks of people who have so much potential and so much skill, such a strong skillset and bring them into these projects too. And so it’s been going well. We’ve gotten a ton of support and interest. There’s been consistent growth, which is good, and so we’re just looking forward to continuing on that momentum and growing.
[00:16:33] CS: Nice. Now, where are you sort of seeking out these talent pools and things like that? Are you looking at like colleges? Where do you start looking for stuff like this?
[00:16:43] CI: Yeah. In the early stage, it’s been a lot of – Like me, I have a very strong cybersecurity network in general too. And so at early stages, it’s me making sure that I’m going out to the people that I really know and trust, right? And then I think the longer term vision though is to, one, partner with organizations, like universities, like nonprofits, like diversity-focused cyber organizations, for example. There are so many different avenues there. And to partner with them to truly build stronger talent pipelines. That’s a long-term goal there. So we’ll definitely –
[00:17:28] CS: That’s great. That sounds awesome. So, yeah. And is there a way of – If someone’s listening to this and they’re like, “Hey, I’m a freelance cyber person. I want to get involved with Cyber Pop-up.” Where would they start trying to sort of like make themselves known?
[00:17:43] CI: Yeah. Yeah. Sure. So if you go to cyberpopup.com, there is a tab that says for freelancers. There’s an application there. I’m also always – I get a ton of messages. So it might take me a while, but I love to chat with people. So if people are interested, you can always reach out to me on LinkedIn and things like that, and I’d be happy to tell more.
[00:18:04] CS: Are there particular things in people’s sort of resumes or background that you’re especially looking for that sort of show sort of proof of concept or proof of experience?
[00:18:14] CI: Yeah. There are different levels based on the kind of project. Like I said, there are some where we’re planning to partner with universities, which is like earlier skill sets versus there are projects where we are looking for people who are certified ethical hackers, or people who have a CISSP or a CISM or whatever those certifications are. So it really varies.
But I would say like where I’m personally very open-minded when it comes to cybersecurity, I care more about your ethics and your skillsets and really being able to deliver what is written on a piece of paper. So yeah, I think that’s what really comes through. And in the application process for becoming a freelancer, like those are things that we also look for.
[00:19:02] CS: So to that end, one of the things that we keep seesawing with and past guests on the show is people who are hiring will say, “I’ll hire anyone. They don’t need to have a degree. As long as they have the skills, if they have a certification, they have some proof that they’ve done it.” But then you also get these sort of HR traps of they basically structure the want ad around must have X-number of years of education and things like that. Do you have any thoughts on that? I mean, obviously, you’ve had a quite storied education career. But are you fine with also hiring people who haven’t done like the academic group and are just sort of like jumping right into it?
[00:19:40] CI: Yeah, absolutely. I feel like people come in to cybersecurity from different backgrounds and skillsets, and I think that’s part of the value in bringing people who have different perspectives right to the table as people approach problems very differently. And so, I’m all for it. I feel like there is a huge disconnect in my opinion still between what the reality of the cybersecurity industry is and what I think HR teams and the people responsible for hiring put out there, like great job of hires, 10, 15 years of experience. Then you’re absolutely not going to fill your jobs, right?
And then it becomes a question of like is this really realistic? I still remember the day – I joke around about this all the time. But the day that I think GDPR went live in – When was it? 2016 or 2018. 2018.
[00:20:35] CS: 2018. Yeah.
[00:20:35] CI: Yeah. Okay. So 2018. So I saw this posting that said like you had to have like 10 years of experience like implementing GDPR. And I’m like –
[00:20:46] CS: It’s some time travel business right there.
[00:20:47] CI: Right, exactly. It’s like if you have any applications and anybody saying they have that, like they’re lying.
[00:20:53] CS: Oh, yeah. Yeah. That’s actually the lie detector test right there. Yeah. Yeah. 10 years. For sure. For sure.
[00:20:58] CI: Yeah, I think it’s definitely – There’s definitely a disconnect there. And I feel like I’m very open to, again, like paying attention to what somebody can actually do, which is a lot of those stringent requirements that are out there that quite honestly I feel like that thought process is a little bit antiquated.
[00:21:18] CS: Yeah. Also, having this sort of freelance model is good too, because it’s that other great conundrum of like how do I get experience until I have my first job? But if you’re like straight out of school and you’ve got the skills and you have the – You can do some freelancing and then you get something to show on your resume until so and so comes knocking.
So what are some of the bigger issues that you see facing the cybersecurity in this particular point in time? Are there any like sweeping changes or improvements either based on your research or just on your experience that you’d like to see happen across the industry?
[00:21:49] CI: I feel like the biggest one to me right now, and I might sound like a broken record, but it’s definitely diversity. I think that there is like – If we look at like who hackers are, right? Or who we’re trying to really defend against. Malicious hackers at least. I know there are good ones. But if we look at like these people come from all around the world and so many different backgrounds. So if we have this kind of one-sided view, then there is no way that we could ever begin to imagine like the amount of breadth that these people have when it comes to their creativity and how they approach some of their attacks.
And so I feel like having that diverse perspective is so important. And I think that as an industry, we have such a long way to go, right? There’s been some improvement, of course. I still remember when I first got into the industry 10 years ago, I could count the number of women that I knew in the industry versus like today. I think the number is probably around like 20% women or so. And so I feel like that’s such a huge improvement.
I think from every angle, be it ethnicity, be it your level of post-secondary education, whatever it is. I feel like there are so many different elements and diversity that we need to really focus on bringing all of those ideas to the table in order to come up with more creative and new ways to address some of these attacks and threats.
[00:23:15] CS: Right, absolutely. Yeah. I mean, at the start of the show you said that you like the reverse engineering cryptography, because it was sort of a puzzle to be solved. But the thing that’s so interesting about cybersecurity is that there’s not one solution. It’s a path to get there. And the best way to get to the path is to see like all of the different possible routes. And the best way to do that is to get lots and lots of different sort of perspectives. Like you said, “More women, more minority candidates, and more people with disabilities and things like that.” It allows you to sort of fundamentally change like how you see the problem even.
[00:23:47] CI: Yup.
[00:23:48] CS: Yeah. So what can we in the cybersecurity field do to make careers like this more accessible or interesting to women and especially women of color? And I guess, conversely, how are we going to make the cybersecurity industry understand that more women and more minority cybersecurity professionals ultimately makes the entire industry stronger? You were saying that it’s a problem solving thing. But it’s not necessarily been maybe noted across the board with everybody.
[00:24:14] CI: Right. Yeah. So I think – And this ties in to what I was saying before, that there is no question that diversity makes business better. There are so many reports. There are so many statistics and all of that, and it definitely applies to the cybersecurity industry, right? We can’t keep approaching these problems with the same view. We’ll get nowhere. Or like they will just continue to grow.
And so I think that a couple of things that need to be done to continue to shift that are, one, constantly looking at barriers to entry. I think that there is this – I always say that our brand as an industry is the biggest detriment right now, quite honestly. And I feel like that’s because people don’t know what they don’t know and get intimidated before they even try. Whether that’s women, whether it’s people of color, whatever the case may be. I feel like that first step in even trying is often missing, because of that lack of awareness. And I can’t tell you how many people that I talk to who may even be in tech. Many of them not. But it’s always the same reaction of I thought that cybersecurity would mean I’m sitting at a computer coding all day.
And like it’s on one end, sure, there might be some roles where you’re doing some of that. But there is so much more. And there is just a complete disconnect between what cybersecurity really is and what it means to work in the industry. And I feel like demystifying that and raising that awareness more will make a world of difference in this space.
[00:25:57] CS: Yeah. I mean, how do we go about that? Because I think a lot of it comes from sort of TV and media and this sort of Mr. Robot type or the perception or the CISs of the sort of keyboard smashers and things like that. But like where do people go to find out that there are things like threat modelers, or risk assessors, or all these other sort of things that might not even require you to know much any tech at all.
[00:26:20] CI: Yeah. I feel like it comes from a couple of different angles. I think the biggest one to your point is like that’s the way that it’s portrayed in media. But that’s the way that it’s portrayed everywhere. And I feel like cybersecurity companies and even professionals continue to just like raise that same message. And so, to me, it’s like the more stories that we can share of people from different backgrounds and doing different things and who look different. The more that we can put those out there, the better.
I feel like there are some good things happening on social media and that space, and I feel like we can continue to build on. I think even things as simple as like if you look at our brand at Cyber Pop-up, for example, we were very intentional about not having the same kind of doom and gloom. We’re going to strike fear into your heart kind of vibe.
[00:27:12] CS: Yeah. We did the same thing two years ago. We cut all the sort of like pictures of people with hoodies and black with a green screen on their face and things like that. The black and red color schemes and everything. It just looks terrible.
[00:27:24] CI: Yeah. It’s like I wanted it to be like, “Sure. We need to take this very seriously, of course.” But I still want this to be very approachable and very welcoming. And so I feel like the more people can begin to embrace that and against – Painting it as this very dark doom and gloom, then I think the better. And that’s not to say that companies who take that approach are doing it wrong. I feel like it’s gotten people very far. There are some points where in order for people to understand the magnitude or how serious things, then they have to be scared a little bit. But I think that as we evolve as an industry, I think that’s something that we can continue to change. And I feel like that will help just right in the perception a little bit more.
[00:28:13] CS: Yeah. Totally. So to that end, for companies that truly do want to recruit more women, minority, professionals, the LGBTQ, people with disabilities, what should they not only be doing to find these candidates and hiring, but making themselves also desirable to the professionals that they’re trying to recruit? Because how do we get beyond the usual excuse of like, “Well, we’d like to hire more inclusivity, but we don’t get any applications from women or minority candidates.” You hear that a lot unfortunately.
[00:28:45] CI: Yeah. That cop out answer.
[00:28:47] CS: Aha. Aha! I don’t know where they are. Yeah.
[00:28:52] CI: Yeah. I mean, I would say like it takes a lot of dedication and work. If you just sort of roll out there and assume that people are going to apply and come from different backgrounds, that’s already fail number one in the strategy, right? It’s like you have to go out and find them. I can give a few very tangible examples. For me, in my last role before starting this company, I was responsible for building cybersecurity talent pipelines within a Fortune 100 company, right? And so that’s hundreds of people to just like interview and recruit and like build this pipeline of talent and do that in a way that builds diversity.
And so I would go to like industry conferences. I would go to, for example, Grace Hopper, which is one of the largest tech women conferences. I would go to the National Society of Black Engineers Conference. I would go to all these different conferences, and I would literally headhunt and recruit. I would be like researching through databases. I’d be in people’s DMs. I’ve hired so many people through like DMs on Instagram and LinkedIn. That like I find them. I’d meet with them at the conference that we talked through. That’s how you go and find people versus shifting back and kind of be.
And I think it takes that kind of intention. And then I think in terms of making it desirable for them, because it’s one thing to go out and do all these things. But if you bring people into an environment that is not supportive or will not help them kind of contribute effectively and also grow. Then that still isn’t – That’s missing the mark. So I feel like you also have to build that culture that supports the diverse thinking that it’s not just lip service a check the box program, and that you’re truly living and breathing and caring about diversity. Because quite honestly, especially in today’s day and age, like to some people, diversity is just something that’s cool or something that like we need right now because it’s a –
[00:30:55] CS: Or like a compliance thing or something.
[00:30:56] CI: Right. Exactly. And it’s like that’s not what this is. This is a way of like living and operating and being in something that you have to really ingrain into culture.
[00:31:06] CS: Yeah. It’s a fundamental sea change, or should be. Yeah.
[00:31:10] CI: Yeah.
[00:31:11] CS: So to that end, you persevered despite lack of role models and active discouragement in the early days. But in the interest of making black, indigenous, people of color candidates feel like it’s up against – Them against the world. Are there ways that companies can kind of change the overwhelming sort of like whiteness and maleness of the cybersecurity industry? I guess we were just sort of saying this, but like it feels like there needs to be a lot of sort of pre-work done even when you’re starting to build the bench to sort of like prime the pump in your company. Because, otherwise, you’re going to have one or two black people working there and they’re going to feel like, “Here we go.” And stuff like that. And you can be strong and push through that. But why have to? Why not make it more accommodating?
[00:32:02] CI: Right. Yeah, I completely agree.
[00:32:06] CS: Yeah. So, I also have a question regarding sort of hiring cybersecurity professionals, young and straight out of college. Do you have any thoughts on possible issues around hiring people? This is one of those things where it’s your first job out of college. I mean, you are obviously very driven straight out of college. Not everyone is. But just by nature, if you’re coming right out of college, you’re getting your first real job, but you’re also kind of handed the keys to the security kingdom and giving them high-level security clearances. In terms of like relatively little real work experience, are there any issues or safeguards to be considered with sort of like giving security roles to people who might just be sort of learning about work for the first time?
[00:32:52] CI: Yeah, absolutely. I feel like there has to be a balance. To your point, the experience piece is a huge challenge, right? If you go to, I think, any security leader today. If they could hire a team of people who all had 10, 20 years of experience, the risk is much lower, right? But that’s not the reality that we live in. And so I think that’s a risk that people have to be a little bit more open to. Otherwise, you also just have that catch-22 that you mentioned. Like you need to have a job to get experience and you need experience to have a job, right? So it only widens the gap.
And so I think that it’s important to make strategic calculated risks around what you give access to. For example, you talk about getting the keys to the kingdom at an early age or like just out of college. I still remember my first internship. I was still in grad school pursuing my master’s in information system security. But I was also helping lead the roll-out and management of a new data loss prevention system.
And so that means that I had access to all kinds of – Like any sensitive data that was leaving our network. I had access to it. I could see it. I could reach out to those people and try to train and teach them like – Or, first, investigate and see what was going on. But oftentimes, it was really training and teaching them, “Hey, don’t send this information and so on.”
And so I say that to say they really trusted me to give me that kind of access and that kind of responsibility. And I think that with came one on the frontend. Just a lot of – Like the tone when I was getting these projects was very serious. I knew that this was like serious business, right? And I knew that there was a huge ethics component to it. But also, I had a lot of guidance and mentoring and the same way that as cybersecurity teams and professionals, we have to monitor generally what people are doing. That’s no exception for interns and things. It’s like monitor and just be there. That’s a part of the process.
And I know, for me, like it helped me contribute value at a much faster rate in that organization and it helped me learn and grow to have that experience that early on. And so, yeah, I think it’s all about calculating the risk and knowing where people are. I was a graduating at that point and had done a little bit, versus somebody maybe isn’t a student at all and if they were just coming in and trying to get their feet wet initially. You may not want to give them that level of access. Dip a toe in first.
And so, you have to make those decisions. And I feel like the biggest thing, whether it’s early in your career or not in cybersecurity is really like vetting and hiring good, ethical people, right? It doesn’t matter what level you’re on. If you don’t have that element, then you can do a lot of damage in this industry, right?
[00:35:56] CS: Right. For sure. So in terms of going back to the sort of talent pipeline and moving people in, officially, people of diverse backgrounds into cybersecurity. Obviously, at the first level, you have kind of a deep bench of like newcomers. But like how do we sort of build the bench in terms of hiring more female professionals and promoting them into upper levels of the company? Do you have any sort of thoughts on strategies for sort of keeping it moving so that it’s not just a bunch of diverse candidates kind of in entry level positions? Obviously, time is going to be a part of it. But I feel like there has to be more of a mechanism to that, right?
[00:36:34] CI: Yeah. I agree. I think the biggest thing is to – And this might sound very obvious, but it’s investing in development. I’d be like that’s probably one of the most important ones. Like you can’t just bring somebody in and expect that they’ll grow on their own. I mean, sure, people are driven. They invest in their own development and things too. But I feel like as organizations, that’s something that I think it’s important to dedicate to.
I remember in my career, just doing a ton of development stuff that I had pursued on my own, but also through my employer. And I can tell you like one very specific example, I did like a leadership 360 assessment, which for people who might not be familiar, is where you get anonymous candid feedback from your peers, from anybody who might have reported to you. Even if it’s in a volunteer thing, you’re leaving – Whatever the case may be. You’ll get it from people you’ve reported to, like your bosses. And I feel like, for me, that’s something that I like to go through as often as possible. Because by getting that feedback, I’m able to see like the areas that I need to improve. What I’m doing well in? All of that. Sometimes it can be hard to like look through some of these –
[00:37:53] CS: Oh, I can imagine.
[00:37:53] CI: Look through some of the feedback. But it’s like –
[00:37:56] CS: Even anonymous. That sounds horrifying.
[00:37:57] CI: Right? But it’s like the amount of growth that I’ve gotten from just experiences has helped me tackle things that I know if I didn’t tackle, I would not have been able to grow into more leadership positions. You need that visibility.
[00:38:13] CS: So at the very beginning you told us about a less than helpful mentor that you had who’s really discouraged you along the way. Were you ever given a tip from a mentor that’s sort of stuck with you and sort of helped guide you along the way?
[00:38:28] CI: Yeah. I think the biggest one has been to surround myself with really smart people, especially in the cybersecurity space. And then like watch and learn and soak up as much information as possible. That’s been the best advice that I’ve gotten. And I’ve done that both in terms of just people that I interact with in person, but also researching online kind of what people – What people have done in the past that they look like learning like I learned as much as I can from other people’s journeys and from what they’ve done. And I think that’s also very important to do. No matter how early or far in your career you are, there’s always something you can learn from other people. So I feel like, today, that’s something that still sticks out to me.
[00:39:14] CS: So you’re sort of our podcast’s mentor to all the listeners here. Do you have any advice for especially sort of women and people of color looking to enter the industry? Anything that you would specifically say today to them?
[00:39:29] CI: Yeah. I would say the biggest thing for me is being the absolute best that you could be. Like I always say, be so good that people can’t ignore you. I feel like performance speaks louder than anything. And so I think that the more you can hone your skills and the more you can learn as much as possible and make yourself invaluable, the better. And then I feel like the other piece is to network like crazy.
[00:39:58] CS: Yeah.
[00:39:59] CI: Because I feel like, sure, knowing your stuff really well is great. But if you can’t even get the interview or can’t even get the introduction or for whatever reason, then it might not be as impactful. And so I feel like it’s a combination of those things that is really the secret sauce to growing in your career.
[00:40:19] CS: Nice. So as we wrap up today, we talked about Cyber Pop-up a bit in the front. But what are some of your plans for the sort of near and far future? Where do you see the platform going?
[00:40:30] CI: Yeah. So our biggest focus right now is really on just delivering excellence and growing our customer base. I feel like there is so much opportunity for growth in this space. Like if you’ve seen, like there is so much data around like the demand for cybersecurity services especially. And so I feel like it’s really just focusing on building in that space.
The other piece is we’re a bootstrapped tech company and very intentional about that. And so you don’t see many of those especially a black-owned tech business. And so we’ve got a few challenges there. But we’re funded solely on sales, right? And so that’s, again, our biggest focus, is ramping up in those areas. I would say one big project that we’re working on that people can expect though is building the second version of our platform. So as a startup, we launched with an MVP, or a minimum viable product, and did that to really, one, get it out there and then also start to grow with our customers and really learn how this is being used and all of that. So it’s been great, and we’ve worked a ton. And I feel like we now have enough insight and enough data and enough information to build that next iteration. And so you’ll probably start to hear some buzz around that early next year. That’s something that we’re definitely really excited about.
[00:41:57] CS: Okay. Sort of speaking as the sort of head of Cyber Pop-up. Sort of what can you sort of offer to – Like if there are any companies listening to this who are thinking of this. I guess, also, I want to sort of ask about like – Obviously, the freelancers that you’re providing aren’t sort of replacing an existing IT department. These are short-term assignments, right? These are sort of – So give me an example of that. You have like a specific problem that needs to be solved and you’re a mom and pop business, or something like that. What are some examples of things that you’ve done?
[00:42:30] CI: Yeah. Yeah. Sure. So, I’ll give maybe two quick ones. One is probably the more kind of time-pressing one. We had a client who had recently failed an audit or like had done really poorly on a security audit and really needed help to understand what they need to prioritize. Where the biggest risks were in that remediation process and then getting some support to actually remediate.
And so we had a freelancer complete that project for them. Again, to your point there, short-term project. So anything that can be some projects take an hour or two if it’s something really quick. Some can take up to a week. I would say the cutoff point is probably about a month. And so we’ve done that. We’ve had another company who wanted a risk assessment to just understand kind of where am I exposed? We had another company who needed a security program and policy developed. And so we had a freelancer who worked on that. So the scope of projects, again, like there is a certain timeline or lane. But the topics in the areas, there are so many different places where people need help, and we’re really flexible and adapt to that.
[00:43:45] CS: Cool. All right. So finally, if people want to know more about Christine Izuakor or Cyber Pop-up, where can they go online?
[00:43:51] CI: Sure. Of course. Cyber Pop-up’s website is cyberpopup.com. And if you go there, all of the social media links are included there as well. We’re on Instagram, Facebook, LinkedIn, Twitter, all of that. For me, my personal website is christineizuakor.com, and all of my social media platforms are on there too. I’m very active on social media.
[00:44:12] CS: Cool. Okay.
[00:44:14] CI: So yeah, feel free to reach out.
[00:44:14] CS: Your one-stop-shop. All right. Well, Dr. Christine Izuakor, thank you so much for coming on the show today. It was a real pleasure to talk to you.
[00:44:22] CI: Thank you so much for having me. This has been an awesome conversation. I appreciate it.
[00:44:26] CS: And I would also like to thank three-time Cyber Work guest and Infosec Resources author, Susan Morrow, for introducing the two of us. She’s an old buddy of mine, and I’m so glad that we got to meet each other this way.
[00:44:37] CI: Yeah. She’s amazing.
[00:44:39] CS: So thank you all once again, as always for listening and watching. If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. And if you’re on one of the big podcast platforms, like iTunes, or Stitcher or whatever, we would love a five-star rating and review if you don’t mind. Every bit helps to get us put to the top of the cybersecurity podcast ecosystem.
As mentioned in a video at the top of the show, we want to hear from you, our listeners, about what you want to see more of on the show. So if you can go to www.infosecinstitute.com/survey, you’ll find a short set of questions. Take you about 5 minutes about your listening habits and interests. If you take the survey, you’ll be eligible to win a $100 Amazon gift card. That’s www.infosecinstitute.com/survey.
Thank you once again to Dr. Christine Izuakor, and thank you all again for watching and listening. We will speak to you next week.