It seems like every day I see a new articles and posts about how many opportunities there are in cybersecurity and how desperately this industry needs new workers with fresh perspectives. They’re correct, by the way. Certification bodies like ISC2, CompTIA, Google, and Amazon Web Services (AWS) seem to have caught on and are rolling out entry-level certification programs designed for people with no prior experience. It seems there is a boot camp promising a “job in cyber” upon completion around every corner. That said, the majority of entry-level positions for jobs in cybersecurity still require years of experience working in the industry (how does that work?), an advanced computer science or IT degree, or both.
With so much talk about “closing diversity the gap” in cybersecurity, what is actually being done? The demographics for cybersecurity professionals have barely changed over the last few years: 65% white men, 24% women, 9% minorities, and 2% LGBTQIA+. I bring some valuable soft skills to the table, but being a female, mid-career pivoter, without a technical skill set, it was understandably difficult to even get a foot in the door. So many employers just aren’t putting their money where their mouths are in terms of bringing in new and diverse cybersecurity professionals.
Knowing all this, I expected breaking into cyber to be hard. (And, full transparency, it was made a heck of a lot easier when I was accepted into Aquia’s Accelerator program.) But, what I didn’t expect, and what I want to address in this blog, was that many of the challenges I would face would come from within, and that I would have to get in touch with the power of my soft skills to combat them.
Let’s be frank, career pivots suck. I was a Track and Field coach at the NCAA and professional levels for 10+ years before I pivoted into a cybersecurity career, and while I chose to change careers because I wasn’t happy or fulfilled coaching, my confidence in the athletic subject matter was high; I knew what I was talking about and how to do the job. (You can read more about my journey in cybersecurity here)
All that changed when, suddenly, I went from being a ‘badass’ coach, to not knowing what “NIST” (National Institute of Standards and Technology) stood for, and that loss of identity was more brutal than I had anticipated. I felt like a failure for leaving a career that I had worked so hard at and sacrificed so much for. I didn’t have the career runway to break into cybersecurity slowly, and suddenly I was having to contend with a hyper-technical field with no background.
Needless to say, my imposter syndrome was in hyperdrive.
I started to think to myself, “how could I contribute?” Here I am alongside all of these incredible people who have all these intimidating technical skills, what could I possibly add to this environment that would bring any value? The real tragedy of that mindset was I was overlooking the soft skills that had already led me to success in the hyper-competitive, male-dominated, results-driven athletics industry. My imposter syndrome meant that I wasn’t even doing the things I was capable of doing. I had to eat a big slice of humble pie before I could get out of my own way.
In the first few weeks of joining the team at Aquia, while I was battling a lot of doubt and thinking that maybe I wasn’t cut out for this after all. I got some great advice that harkened back to the world of sports:
“If you can’t contribute on the field, be a great locker room woman.”
I had grown up in the world of sports and I knew what being a “great locker room woman” meant. Be someone who was a team player, maybe not a superstar, but someone who is quick to lift up the goal-scorers and the top finishers when they were down. Be the first to show up and the last to leave. Be all about attitude, effort, and commitment: all things anyone in the locker room could do, even if they didn’t have the talent or ability to shine in competition.
And that idea, that I might not know much but I could contribute with humility and enthusiasm, was a revelation for me. Once I realized that I didn’t need to be the one with all the answers, I looked around and realized that the very best security operators I knew:
Weren’t afraid to admit when they didn’t know something.
Were quick to ask for help when they needed it.
Offered help and support with grace and enthusiasm when it was asked of them.
Embracing that it was “okay not to know” was a radical perspective shift for me. How could I be expected to understand how to read a STIG (Security Technical Implementation Guide) in my first few weeks as a GRC analyst? How could I possibly be asked to apply an SRG (Security Requirements Guide) to technical policy and procedure documentation, or use Cybersecurity and Infrastructure Security Agency (CISA) guidance to write an incident response plan? I couldn’t be and that was ok because the people on that team didn’t want me to know — they wanted me to ask and then work to find the answer.
Accepting that not knowing wasn’t detracting from my value, but instead was an opportunity to upskill and ADD value suddenly freed me to look for ways to add value outside of my specific practice team. For me, that meant being active in Slack, offering to proofread blogs, volunteering on teams, and formating documents. And you know what? Something amazing happened. As I contributed and added value, my confidence began to grow, and as my confidence grew, I sought out new opportunities to add value, and the cycle just continued.
Since those early days of my new career, I have learned a lot about technical aspects of cybersecurity, but equally importantly, I have continued to explore ways that my intrinsic skills, strengths, and experiences can add real value to my teams and organization. Getting back in touch with the power of my soft skills reminded me that I had been kicking down doors my whole career as a woman in the coaching profession. I remembered that I am not afraid to challenge the status quo, that I enjoy and am good at communicating with a wide range of people, that I am good at building, leading, and supporting teams, and that I am not afraid to put in the unglamorous, hard work to level up. Additionally, my experience first as an athlete, then a coach, and even the pivot away from my first career, has taught me to view failure and loss as opportunities to gather data, make adjustments in my practice, and ultimately improve.
None of those strengths hinge on my technical ability or my credentials. In fact, it is the strengths I bring from my background that have allowed me to find success, build a small but mighty network of peers and mentors, and create a career and lifestyle on my terms that I am proud of.
Ultimately, it was my ability to take advantage of my soft skills, while I worked on my technical abilities, that helped me create my space in cybersecurity. To bring this conversation full-circle, that focus on who an employee is (character) versus what they can do right now (credentials) is what’s needed for this industry to fix it’s entry-level issues.
There are so many places for all kinds of different professionals in Cybersecurity, and it is long past time for companies to understand that technical qualifications are not all that contributes to an effective security operator. You don’t have to be a CLI (Command Line Interface) cowgirl to occupy space in this industry; so many folks can bring value to the cybersecurity world with their soft skills alone by virtue of the things so many of us take on inherently: multi-tasking, diplomacy, advocacy (especially for ourselves and our accomplishments), budgeting, planning, organization, you name it. Additionally, if this industry truly wants to address the diversity gap in cybersecurity, and welcome more women, minorities, the LGBTQIA+ community, and career pivoters like me, we are going to have to start placing more value on bringing in great team members with powerful soft skills, who can learn the technical skills in different verticals – and invest the time, energy and resources to guide those individuals through that upskilling process - at the pace technology and the threat landscape is evolving, aren’t we all doing that anyway?
If that looks and sounds like a lot of effort, time, and investment, it is, but it is the only way we are going to change the current state of cybersecurity diversity.
I fought hard for a role within Aquia as the first apprentice in their Aquia Accelerator program, and benefitted massively from the time and resources they invested in me, and they can now benefit from having a Security Architect with a GRC background who also has over a decade of experience in leadership and teambuilding, as well as my unique perspective on solutioning for our customers. Thanks for reading and stay tuned for part three of this series documenting my journey into the world of Cybersecurity!
If you have a similar unique background, and are looking to break into cyber or pivot careers, reach out to me on LinkedIn