Half the chairs are empty. Out-of-office messages are pinging in.
You’ve got a budget review at 11, a stakeholder update by Friday, and a project milestone that can’t slip.
Here’s the question:
Does your team barely notice the absences – because people step up, cover gaps, and keep everything moving?
Or does it feel like dragging a three-legged chair – slow, wobbly, and exhausting?
Why August shows you the truth
When resources are stretched, culture becomes visible. In a high-performing team:
Everyone knows the shared goal – and works toward it, even if it’s not “their” task.
Asking for help feels safe, offering help is second nature.
Trust and respect are built into daily behaviour.
When that’s missing:
Silos harden.
Work slows.
Stress rises.
People quietly start looking elsewhere.
If August is exposing cracks, now’s the time to act
Ask yourself:
Is turnover eroding relationships?
Is your vision clear – and repeated often enough to stick?
Are individual priorities outweighing shared team goals?
Two ways to reset before the autumn push
Team Walkshop – Get your people moving, talking, and reconnecting in a fresh environment that sparks ideas.
Away Day Design – A targeted, high-impact day to rebuild trust, reignite collaboration, and set your team up for high performance.
The evidence is clear
Team off-sites aren’t “just a jolly”. Done well, they build trust and psychological safety – both strongly linked to higher collaboration, productivity, and retention. Face to face connection sparks a deeper, faster impact than any email thread or Teams meeting ever will.
Let’s make sure your September team is stronger than your July team.
Today, an impressive thunderstorm rolled through London. The air had been heavy – hot, humid, oppressive. We knew a storm was coming, but we didn’t know when. And then, suddenly, it broke. Loud, dramatic, and unavoidable. But once it passed? The air felt clearer. Lighter. Easier to breathe.
There’s a leadership lesson in this.
We can’t control the weather, but we can influence the climate in our teams. And sometimes, we sense that something’s off – tension in the room, silence that speaks volumes, short answers, overreactions, withdrawal. We know a storm is brewing. We just don’t know when it’ll break.
So what do we do?
We don’t wait for lightning to strike. We lean in.
We stay present.
We notice tone, body language, and what isn’t being said.
We ask questions that invite honesty, not just agreement.
And most importantly, when people give us feedback, we do something with it – even if that’s simply acknowledging it and explaining a decision, rather than brushing it aside.
Clear air doesn’t come from pretending everything’s fine. It comes from surfacing what’s hard, listening fully, and navigating the storm before it catches us by surprise.
What are you noticing in your team right now? Are there signs a storm is brewing?
If you’re sensing tension, uncertainty, or just that something isn’t quite right – don’t wait for the storm to break. I work with leaders and teams to create space for honest conversations, clear the air, and move forward with purpose.
Get in touch if you’d like to chat – no pressure, just a conversation.
Yesterday I ran a walkshop through the heart of Spitalfields. It was hot. It was crowded. It was loud. The kind of day that tests your patience, your focus, your tolerance.
And yet, in that messiness, something powerful happened.
We found quiet side streets with no traffic. Bursts of colour from flower stalls. A peaceful pond with pigeons and lilies, hidden in plain sight. Bronze elephants quietly observing the mayhem. A slogan on a passing bus landed like a powerful message. A flower seller gifted one of our group a bunch of blooms – just because.
Despite the noise, each participant found a moment of peace.
A pause.
A shift.
A new perspective.
That’s the power of the walkshop.
It doesn’t need silence to work – just presence, permission, and a willingness to tune in.
Imagine what might shift if your whole team experienced this together.
Curious?
Get in touch to find out more about how a Team Walkshop can boost engagement, creativity and productivity.
They started the Tour with fire in their legs and a dream stitched into their jerseys.
Alpecin–Deceuninck came to the 2025 Tour de France with a clear plan: get Jasper Philipsen into green and keep him there. With Mathieu van der Poel as his leadout engine, they had precision, power, and belief.
Stage 1 made it all look easy – Jasper flying over the line, yellow on his shoulders, green within reach.
The energy was electric. The plan was working.
But cycling, like life, doesn’t always stick to the plan.
Stage 3 hit like a thunderclap. Jasper, favourite once again, pushing hard for intermediate sprint points, went down – hard. A controversial crash that shattered more than bones. A broken collarbone, two ribs, and a brutal silence in the team bus afterward.
Just like that, the man they’d built the strategy around was out.
The green dream gone in an instant.
It was a crossroads. And every rider, mechanic, and staff member knew it.
The easy move would have been to lower expectations. Play it safe. Drift into the rest of the Tour and just survive. But instead, they did what true teams do when tested: they gathered. Talked. Opened up. No egos. No blame. Just honesty.
What now? What’s our purpose if the green jersey is no longer the goal?
It wasn’t a loud conversation, but it was a brave one.
They talked about identity – not just results. About showing up. For each other. About continuing to ride with intent.
Mathieu van der Poel, never one to back down from a challenge, took the weight of yellow on his back into Stage 4. It wasn’t his original mission, but it was the mission now. His legs screamed on that final climb.
Pogacar was coming, relentless as always.
Van der Poel didn’t win the stage. But he fought. Gritted. Held on. Second on the stage. We held our breath as the commissaires did the countback.
YES! Still in yellow. Still standing.
And that, more than any sprint, was the moment the team found itself again.
Not built around one leader, but bound together by trust. Not chasing jerseys, but riding with purpose. They didn’t fracture. They reformed.
They became more than a sprint train – they became a unit. Every bottle handed up, every pull on the front, every painful turn on the pedals meant something more.
They belonged. Together. Even when plans fall apart. Especially then.
The cybersecurity career path appeals to women because it is purpose-driven. But most of technological innovation is driven by profit. Dr. Jacqui Taylor believes that the best of both worlds can be combined in what she calls a profit-for-purpose model. As the co-founder and CEO of Flying Binary, Jacqui is on a mission to create an inclusive technological future for everyone, and she believes the profit-for-purpose is the way to do it. In this conversation with Sherry, she explains how she made her way to a cybersecurity career and the massive role she’s now playing in detecting and fighting bad actors, including in what’s widely-considered to be the world’s first cyber-warfare history, which is currently underway in Ukraine. She also explains why the cybersecurity space is especially conducive to inclusion initiatives and how women and other underrepresented sectors can start their career path in the industry.
—
Listen to the podcast here
National Cybersecurity Awareness Month Special: The Profit For Purpose Mission In Cybersecurity With Dr. Jacqui Taylor Of Flying Binary
In this mini-series to celebrate National Cyber Security Awareness Month, I’m talking to a range of women about their careers in cybersecurity. I’m delighted to be talking to Dr. Jacqui Taylor. A very warm welcome to you, Jacqui. Thank you so much for joining me.
It’s great to be here with you, Sherry.
I feel very honored to have Jacqui as a guest and there’s so much I could say about her. She’s been voted one of the most influential women in UK technology. One of the most inspiring women in cyber. She’s been awarded an honorary Doctorate of Science and recognition for her international science work. There’s so much I could say.
In 2016, she pivoted her company FlyingBinary to meet the challenges of Web3, metaverse, and the industrial internet of things with spectacular results. Let’s jump right in to find out more about Jacqui’s career journey in the cyber world. Jacqui, I know you’ve been involved in technology in cybersecurity for a long time, but how did you get started?
I was due to take a management role in the UK’s post office and my mother took very serious ill and ultimately died in a few months. My whole career was upended because I had done an internship at a local aerospace engineering company. They came to me and said, “We can support you. We can support the family.” That was helped by the fact that my father was one of the directors, but they saw what I’d done as an intern and were keen to keep me.
I went into that and that was my start in aerospace engineering. It all went swimmingly well until I qualified. My dissertation was at a new jet engine technology to reduce the noise pollution in our cities and the first aircraft off the production were for a Middle East client. As a female engineer, I was not somebody suitable to run that.
My managing director said, “I wonder what will happen if I put an aerospace engineer into the technology department.” Then the answer was nothing because I was horrified by what I found. The long story short was, effectively, that was the beginning of software engineering for the aerospace industry because we needed to put engineering at the core of what we did because otherwise, planes would fall out of the skies, and it wouldn’t be a good thing. That’s a subtle piece that I did in terms of an industry intervention to solve the noise pollution of our aircraft. It’s something that has been a thread throughout my career.
How did you get started specifically in Cybersecurity then?
As a technologist, it’s something I have been interested in because it’s out there. It’s that societal piece. I have been a white hat for some time and I have worked with many people to do many different things. FlyingBinary’s mission is inclusion, leave no one behind. We firmly believe the future’s female and that the GDP growth that an inclusion agenda drives because I have done the assessment for 60% of the world’s GDP, so it’s a very powerful agenda.
Everything we do for the government across the world has a cyber component. We are a cyber essentials company using the national cybersecurity center accreditation, but that wasn’t our focus. Our focus was building technology for Generation Z or until I spoke at Davos in 2019 Generation Alpha and to unlock their talents for the world. We knew that technology could be leveraged and be an enabler and we were building that deep technology.
The websites that we pioneered that I got the honorary Doctorate for was the foundation of our engineering background because my cofounders are electrical engineers. The combination of that science, pioneering science and the engineering background gave us an offering that hadn’t been seen before and it’s still unique across the industry.
I created the blueprint for Europe. I started my work in 2014 as an independent advisor to Minister Calvin’s office. I had the opportunity to create the blueprint for the future of Europe and for the industrial internet of things. That’s when we are all connected up and humans and robots. The day I did that was a major day in my life. I’d written my second book. I was there to present that work. It was the day that I had to come home to the UK.
I had to be on the last Eurostar train from Brussels and they guaranteed that for me. At 5:00, the doors opened. The men with guns arrived and said, “Which one of you is going to London?” That was the day that Paris was attacked. The reality of it was the technology we’d been building to create that societal intervention was also technology that the criminals didn’t have access to that allowed us to see what they brought to.
I came home on that Eurostar. I did my intervention with the high commissioner of Bangladesh on Saturday in London. We got back on that Eurostar on Sunday. Having pivoted the company to be accounts terrorism company and deploy that technology to safeguard us all against the terrorists, drug traffickers, and people traffickers. The reality of it was we had unlocked the societal piece, but there were those within society that were determined to destroy it.
800 people, 16 companies of what we built up far, down to 200 people, 6 companies that moved in to cancel terrorism agenda. Now up to seven companies because we have added something. That was around changing the way other people looked at technology, which was profit-driven. How do you make money out of this tag? To something that for us was purpose-driven, but it was with profit. It was a profit-for-purpose agenda, and that was the day that began and that caused me to look at everything in the world very differently.
Particularly what cyber was going to mean to us in the future, given the criminal activity that we had uncovered and why that was a key change in our whole industry, and then what we were going to do about it. We have been in that domain ever since. I have been in working in Ukraine since 10th of February, 2022 and we are in our seventh month now and the first ever cyber warfare that the world’s ever known. We will stay here. Our world has gotten more dangerous since that day on the 13th of November, 2015. FlyingBinary’s mission is inclusion but in a cyber safe way.
It’s very interesting that you mention this societal mission, this profit with purpose, because for lots of women, that appeals having a career with purpose. It seems to me that cyber security fits that brief. If you are working in cyber security, in very simplistic terms, it’s the goodies versus the baddies. If you are on the goodies side, then it fits that career with purpose that a lot of women want. I wondered how you feel about that.
It’s very interesting. It’s why I say the future’s female because we are able to look in a wider perspective as females. I want to stress one thing. I might be an engineer and I can spin you up some tech of whatever you need out of the top fifteen influential women in tech. Both Poppy and I can still do that. The rest of the women are guarding that agenda and are moving it forward.
It’s not a technical agenda cyber. It’s a multifaceted industry. Since the 13th of November of 2015, we have changed the way we look at it. When I stood on stage at Davos in January 2019, I articulated that all we needed was one event that we call a Zero-day Exploit in our cyber world. One event that would transform everybody’s view of what our industry was.
At the time, when I was speaking on stage, I was imagining because I knew they were under million children not vaccinated for measles in the US. I was imagining a measles epidemic. That would sweep across America and we would lose our children because we didn’t have a holistic view of what was happening, and that measles, once it’s ripe, as we find in other countries, just sweeps across the country.
I didn’t know that was going to be a Coronavirus. I was using that example because one of my colleagues from NATO in the audience challenged me. It’s so like, “What, Jacqui? What’s this Zero-day you imagine?” That’s what I said. That’s what happened and 1 billion more people came online, which gave us in our industry a new perspective on what cyber looked like.
We could no longer deal with a threat. The threat was there and it was omnipresent, and now we had to look at risk. That was where the delivery of the Empathy Economy technology. Profit-for-purpose is a new business model, but the overarching agenda is the Empathy Economy, which literally takes that original cyber view of saying technology is in the sharing economy. You get a premium model. You get this for free. You got to pay for that.
That has created the leaky bucket that I was talking about at Davos and the Empathy Economy is reimagine technology using deep tech to change the way we look at how we leverage technology. That profit for purpose and I find for many men, it’s not a female agenda, but the fact that what you are doing creates impact. What you do every day, what I do every day and what we all do in our industry is we do the work we do in order to create the world we all want to live in.
We do the work we do in order to create the world we all want to live in.
I’m talking to Sherry now when we are literally talking nuclear war or we are not talking any of that. Let’s say the chief protagonist is talking about that. We are all in our industry working towards a world we want to live in. That profit-for-purpose model has resonated hugely in the sense of that has to be the way technology is leveraged.
It’s not for its own rights. It’s not because it’s geeky. It’s not because it’s technically interesting. It’s all of those things, but what purpose does it have? What does it enable? What can we create with it? That’s where the profit-for-purpose sweet spot is. That’s unusual in our industry. Lots of great debates on it, but the societal approach is the underpinning piece of that, and the fact that we can all create the world we all want to live in. Its impact and purpose-driven.
What I find so fascinating about cybersecurity is when you are talking about Coronavirus, for example, and the way that pandemic spread. What I find quite fascinating about the cybersecurity in industry is that the biggest challenges it’s faced or the biggest is it’s overcome that we don’t hear about them because we’d be too scared if we knew everything that people who are working in information security and cyber security. If we heard everything that you’d tackled and dealt with and shut down. I’m sure we’d all be feeling a bit more anxious and nervous. I find that aspect of it. You are doing something with purpose, but it’s not something you can necessarily go and publicize.
One of the things that we say to our engineers is very much, “You’ll be zero to hero. You’ll be the most famous person that nobody ever knows.” If we are successful at what we do, you won’t hear from us. It’s very interesting. I was running an event about 25 minutes after I’d received the Russian translation about what Vladimir Putin had said. I said to them, “Who’s panicked here?” Everybody said, “No, because we are with you. You are not panicked. We are not panicked.”
Profit For Purpose: As a cybersecurity engineer, you’ll be zero to hero. You’ll be the most famous person that nobody ever knows because if you’re successful at what you do, no one will ever hear from you.
The thing about it is we are susceptible to what we hear. We don’t question the providence of what we hear very much because in the sharing economy. It’s a free resource. I always say the thing about that is that anything that’s free is an opinion and opinion is the lowest form of knowledge, but we consume that on a daily basis. Most of us.
The reality of it is because of that, we are affected by it. That’s because, from a neuroscience point of view, that’s how we work. Our input determines our experience and, therefore, what we create. It’s deliberate that we don’t say that. Not because we are trying to keep secrets from you, but because we want to make sure everybody else can get on with what only they can do.
We do this as cyber specialists, but then we know that enables you all to do what you are doing. For those that join our industry, that’s one of the biggest motivators. We unlock a society that allows people to imagine a completely new future. We are quite happy with that agenda because, in our own world, we are not in it for the ego.
That for-profit approach to this is where perhaps that ego piece has come in. Once you attach purpose to it, then effectively, we are all contributing the key differences. It’s competitive in the sharing economy. In the Empathy Economy, it’s collaborative. We all contribute and between us, we envisage and we build that new future.
To be honest with you, it’s a fascinating place to be and there’s absolutely room for everybody. I’m visually disabled. I’m also neuro-diverse. The world’s a hostile place to me before I start, but then that’s the perfect place to me to be in a hostile world. Dealing with other people who don’t have my learning differences and don’t have my approach in the world. They can’t outrun me because I don’t think the way they do.
I think that’s the thing. Everybody has talents. There’s a place for them in our industry. The first ever cyber warfare since 24th February 2022 means that those opportunities got bigger and interesting because so many people are now saying, “Even if I’m not in the industry, I need to take account of that.” I have got something to give to Sherry as a download because you’ve met me by Sherry. I will give you a download of what we have done in the World Economic Forum. I will tell you about being cyber safe and even if you don’t join our industry, how we are looking after you and also how to keep your home safe. What’s the most attacked device in your home and it’s not what you think?
There is a place for everybody’s talents in the cybersecurity space.
Thank you so much, Jacqui. That’s much appreciated. There is so much that we could talk about in cyber security. It’s one of those all-pervasive topics. It’s everywhere, isn’t it? Cybersecurity now in the same way as technology is everywhere now. We were talking earlier, before we started, how manufacturing companies, for example, are so much more technology-driven than they were decades ago. What do you see as being the real opportunities for people joining the sector, but in particular for women joining the sector is what I’m most interested in?
As an industry, certainly in the UK, we have repositioned during the pandemic because so many people came to join the efforts of what we were doing and we were given advice and were bringing people into our world that caused us to think again about career paths. We are looking for something that we are always going to use technology. That’s only going to be on the increase, but how do we use that inclusively? We need to perhaps take the biases of what we do now and make it a more inclusive agenda.
The thing that I love about it, the young people, I was advising a young lady who’s getting ready to do internships on this. She was saying, “How did you choose?” I said, “Don’t choose. Just start because it’s all laid out for us as women.” As we are purpose-driven and because we have a more holistic view of the world. I would argue more of a societal view because of the roles that we play.
The hardest thing is how to choose, and I always say, “Just start. Just pick the piece.” Perhaps aligns with what you are doing now, and then take it from there. The one thing that’s perhaps different about our cyber world that perhaps you wouldn’t find in any other career path is non-ecstatic. The criminals never tell us what they are going to do tomorrow. What we have to do tomorrow is always different.
Profit For Purpose: The cybersecurity career path is non-static. The criminals never tell us what they’re going to do tomorrow. So what we have to do tomorrow is always going to be different. And that means you get to make your own career pathway.
For that, that means you make your own career pathway. You pretty much can choose and tomorrow is always going to be more interesting than today. Every time we shut something down, understand what they are using, make it inaccessible, they will find something else. Then that means we are the real problem solvers to say, “Now I’m going to evolve what I do.”
The fact that there are no days the same means that any part you fancy doing has a role for you, whether it’s within our sector directly like in FlyingBinary or within like we were talking about manufacturing. The cyber piece is because we move to the industrial internet of things where everything’s connected. The cyber response becomes very different.
There’s unlikely several years from now that anybody reading this won’t be in some way involved. Whether you are in the midst of what we are doing and helping pioneer the next steps, that’s a choice. If you wanted to tell people about what we are thinking about and you wanted to share what’s going forward, then this show is great because effectively, you can share this show and say, “It’s going to be all of us, so do we want to know more?”
We are curious as females. We love the idea what’s that about. I want to understand that a bit better and it’s not scary because everything we all do makes the world a safer place. That’s why I turned that on its head and was interested to hear the pioneers I was talking to. We are not scared because you are here and you are quite calm.
Given the news we have had, I’m quite calm because I know that as a group, community, or as a collaborative force, we won’t be outsmarted. All of you reading may welcome to join us and enhance that purpose. I’m so confident it will be where I am and how exciting that we can design the world we want to live in because the technology allows us to do that, and the cyber response is a wrapper around it all.
Profit For Purpose: It’s exciting how we can design the world we want to live in because of technology. And the cyber-response is a wrapper around it all.
I love that expression. Don’t choose. Just start. That’s perfect for anybody trying to break into the technology or into the cyber security sector. Into any sector that you are trying to break into, just start because then paths will open up for you. Getting started is something I often say to people. Just do it. Just get started. Don’t dither. It’s never too soon. Never too late. Before we finish, Jacqui, I love talking to you and find it fascinating, but what’s your top tip for anybody who wants to know more about cyber security?
There are lots of resources out there, but it’s the people. You’ve got other cyber specialists. I count myself and that around this show. Find out more about what we are all doing. You’ve got, however many people you’ve got in this series. You’ve got immediate connections. We are all very open to talking about what we do. We put resources out. I predominantly put cyber resources out on LinkedIn because that’s where my community of businesses look to consume that, but we are all very approachable. We are all of us quite enthusiastic about what we do and why creating impact with the work we do is so rewarding.
Ping us, interact on a post, ask some questions because we know that effectively, it’s all of our responses that collective. The one thing we can guarantee is community defeats terrorists, drug traffickers, and people traffickers. Being part of that community, connecting with us all, asking questions, and reading the rest of the talks on this series. You are part of us because you are reading this and then you are part of the change we will make across the world. That’s my top tip. We are very approachable and very enthusiastic and just ask.
Community defeats terrorists, drugs traffickers, and people traffickers. And so being part of the community, connecting with cybersecurity professionals, asking questions, and listening to talks makes you part of the change that cybersecurity makes across the world.
Thank you so much to you, Jacqui. I have enjoyed talking to you about your career and your purpose mission. That is absolutely fascinating. I could go on talking for hours, but we won’t. For those of you who’ve been reading, I hope you’ve enjoyed this episode. More episodes on the show at SherryBevan.co.uk. If it sparked a thought in your mind, please do connect and let’s talk and book an exploratory call with me to give you the opportunity to ask any questions you have about the work I do with cybersecurity companies on attracting, developing, and retaining your female talent. Email me at SherryBevan.co.uk to book your call. Thank you so much, Jacqui, for joining me.
It’s been a real pleasure. Thanks for reading, everybody.
As #15 Most Influential Woman in UK Technology and 21 Most Inspiring Women in Cyber Dr Jacqui Taylor was awarded an Honorary Doctorate of Science in recognition of her international web science work. One of the 250 Founders of the UK’s Digital Economy, in 2016 she pivoted her company FlyingBinary to meet the challenges of Web 3.0, the Metaverse and the Industrial Internet of Things (IIoT) with spectacular results.
Joining us for another episode of our special National Cybersecurity Awareness Month series is Ashley Baich. Ashley is the Readiness and Crisis Management Security Consultant at Accenture in their Cyber Investigation, Forensics, and Response (CIFR) practice, responsible for helping organizations flex their crisis response capabilities. She chats with host Sherry Bevan about her journey into cybersecurity and why she had her sights set on the field before even graduating. Ashley also speaks on the challenges and possible turnoffs going into such a male-dominated industry, the strides being made to close the gaps, and the opportunities for more women entering the field. Tune into this episode to learn more.
—
Listen to the podcast here
Interview With Ashley Baich Of Accenture To Celebrate National Cybersecurity Awareness Month
In this mini-series, to celebrate National Cybersecurity Awareness Month, I’m talking to several women about their careers in cybersecurity. In this episode, I’m delighted to be talking to Ashley Baich. Welcome, Ashley. Thank you so much for joining me.
Thanks for having me, Sherry.
Ashley is a readiness and crisis management security consultant and has been working for Accenture for the past two years. Let’s jump right in to find out more about Ashley’s career in cybersecurity. Ashley, I know you’re a fairly recent graduate. What did you study before you got started in your consultancy career?
I graduated from the University of North Carolina, Chapel Hill, which is on the East Coast of the United States. I graduated with a BS in Information Science and a BA in Journalism.
Information Science and Journalism are quite an interesting mix. Was there a lot of overlap between the two?
Not overlap, but they complemented each other pretty well. I always knew I wanted to go into cybersecurity in some capacity and use those four years of undergrad to decide what aspect of security I wanted to be a part of. My Journalism degree came from the desire to bridge the communication gap between IT and business. Unfortunately, my university didn’t have a degree in Cybersecurity. Information Science was the closest thing that I could major in that gave me a little glimpse into the cybersecurity world, but I still had a lot to know when I graduated in 2020.
I’m curious because I don’t know many people who go to university thinking they want to get a career in cybersecurity. What is it about cybersecurity that piqued your interest so young?
My father has been in cybersecurity for the past 30 years. It was definitely a topic at the dinner table. That’s definitely where I initially found a spark, but then I was gifted the very unique opportunity in my senior year of high school to write a white paper for a startup. I’ve always been very passionate about writing. I didn’t know what type of writing I necessarily would want to do long-term.
The startup approached me and asked if I would be interested in writing a white paper. That white paper turned into five wonderful years being on their marketing team as an independent contractor as I went through my university years. By the end, I was the longest-standing member of their marketing team. They were acquired by Symantec, which had turned into Broadcom.
It was a great experience, but that was my first exposure to cybersecurity personally, besides hearing about it. I saw the wide variety of opportunities within the field. Even if at the end of the day, I only wanted to write, it was a cool thing to write about. That passion shifted more to the incident response crisis management side of the house, but that’s how I started. It was in my senior year of high school. I was eighteen years old trying to make a little extra money and here I am now.
There’s a wide variety of opportunities within the field.
My father worked for IBM so it was almost a given that I was going to end up in technology in some shape or form, but it certainly wasn’t the career that I had planned on doing. Often, it’s those conversations around the dinner table that spark or ignite a thought of what you might want to do later in life. How did you make the move into the role that you are doing now? Tell us about what you do now.
In between my junior and senior years of college, I realized I probably should get myself an internship. I had a lot of Business major friends who were applying to consulting. I was like, “Interesting.” I didn’t know that much about it. I started looking and saw that cybersecurity is an aspect of consulting. You can consult for cybersecurity. As someone who didn’t have a lot of experience in cybersecurity besides my marketing experience and then my Information Science degree, I was like, “We can do that.”
I had the opportunity to intern for Accenture between my junior and senior years. I worked for Accenture Labs. It was internally facing. I was helping them bridge the communication gap between all the awesome research that our researchers were doing and their ability to communicate that with the consultants to then be able to share with our clients. I still got to use my journalism degree and do that, but get to touch on different aspects of cybersecurity that I didn’t have the opportunity to do on the marketing team.
I then received my return offer going into my senior year of college, which was great. I got to enjoy that senior year knowing that I had a full-time job waiting for me at the end. I joined our technology development program as a security analyst. It’s a soft line to financial services. What was great about that start was I got to touch on a wide variety of cybersecurity projects. I did policy writing, a merger of two large financial institutions, and picking and choosing the best of each security program. I got asked to be part of surge support for nine days for a client who needed more hands and more help. Nine days turned into four months. I enjoyed the crisis management and response work that I had the opportunity to do for that client.
Slowly but surely, I found my way to the CIFR team and officially joined in November of 2021. That was my journey to my current role. As part of the Cyber Investigation, Forensics and Response team, I have the opportunity to help organizations prepare for crises as a readiness consultant, but then I also have the opportunity to go in as part of the crisis management team during actual incident response to help the C-Suite manage the crisis.
That sounds like you’ve crafted your journey into cybersecurity and it sounds like you’ve landed on your feet. I can tell from your enthusiasm that you love what you do, which is always good when you’ve got work that you enjoy. Ashley, clearly you love what you do and you’re very passionate about it. What’s been your biggest challenge working in the cybersecurity world?
I think the biggest challenge that I’ve had to deal with is something that a lot of people have dealt with working through the reality of a huge organization. With Accenture, I think we are at 750,000 employees now. It’s a huge organization and what comes with that is a set of rules and procedures that must be followed. The largest challenge I have seen as it relates to that is when it comes to the promotion cycle. While I wish at the end of the day, it was solely based on performance and what you’re bringing to the cap table and what you’re capable of and the experiences that you’ve had, at the end of the day, there are rules around how long you have to stay at a level before you can be promoted.
Crisis Management: At the end of the day, there are rules around how long you have to stay at level before you can be promoted.
That can be a frustrating challenge to endure because as part of the crisis management team, I’ve had experiences where I am sitting next to the global CISO of a Fortune 100 company, working with them directly day-to-day, and have made considerable impacts on their crisis response. While that might fall under the roles and responsibilities of someone at a much higher level than myself, I am still under the pay band and roles and responsibilities of a consultant.
It’s a challenge I deal with daily, but one thing that makes it enjoyable still is the team that I work for. Having the opportunity to sit next to the CISO, even with the title of consultant is quite an honor. We run a relatively flat team, which makes me have those opportunities. While it’s still a challenge, I’m able to overcome it by thinking about it that way. At the end of the day, if I’m still able to perform the responsibilities that let’s say a manager would perform, I’m still fulfilled.
What about your proudest achievement?
I would say my proudest achievement to date was the opportunity to set foot on a client site during a major cyber crisis. I walked into their war room and see the absolute dread on some of these C-Suite faces not knowing what the week was going to hold and how they were going to recover from this incident. Sitting beside them for three months over the Christmas holiday and not leaving that project until there were smiles on their faces. We had overcome all of the challenges.
They were in recovery. They were transforming their security posture and had the buy-in from the rest of the C-Suite to do so. They were getting the money they needed from the board of directors to continue to make this transformation into a stronger security team. I can’t put into words how that makes you feel. You go in when they’re at their absolute worst and you don’t leave until they’re in a much better situation.
It gives you that warm fuzzy feeling to know that you’ve gone in when they’re in a crisis and you’ve left when they’ve got those smiles on their faces again.
You can see the impact that you’ve made. I truly feel like I’m making a difference and that’s very rewarding.
What do you see as being the most valuable skills working in this sector?
In my role, I would say that the most valuable skills are oftentimes soft skills. I have a wonderful incident response team that goes in and does the more technical responsibilities when it comes to responding to a crisis like doing the forensics, eDiscovery, and all of that. My role specifically is more soft skill driven. It’s the ability to understand what the incident response team is doing, what the findings are, and drive the business value from that. Also, be able to communicate that with my key stakeholders, but then also help my key stakeholders communicate that to the rest of the organization.
The most valuable skills are oftentimes the soft skills.
In the meantime also, the organization is a huge one. During a crisis, there are a lot of different workstreams going on. There are a lot of cooks in the kitchen and third parties that need to be considered and things of that nature. Helping the C-Suite be able to organize themselves and develop relevant tasks, prioritize those tasks, and assign them to the right individual is extremely valuable. In a high-stress “what’s going on” situation, it takes a lot of organization and the ability to step back, remove yourself from the stress, have an open mind, and think through the strategy of how you’re going to tackle the day, the hour, the next ten minutes, and things of that nature.
Those are the two key skills that have helped me be extremely successful in the crisis setting. In the readiness setting, since I don’t just do crises, those are very high intense and long day situations. When I have the opportunity to take a step back and do readiness work, go into a client and help them enhance their incident response plan or run a crisis simulation and things of that nature, communication is still important. Also, being able to think outside the box and think through the crisis situations that I’ve been a part of. Helping organizations proactively continue to improve their incident response capabilities so that they can respond the best when they do fall victim is another skill that is important in the incident response crisis management world.
Opportunities for women in the sector, I know that there seems to be a skills shortage generally, but what are the opportunities for women in the sector?
They’re endless. I’ve talked to marketing. I’ve talked to communications and the business side of things. There’s a huge technical shortage as well. For me, being a part of that technology development program to start helping me identify what niche I wanted to be a part of, and there are endless niches. You can create your own.
I don’t necessarily think that my career path is going to be just crisis management, but even crisis management as a workstream is something that is still so new. There are not many organizations that have invested in that workstream yet. The beauty of the opportunities is endless. You can have an open mind and create your own. At the end of the day, there are a lot of organizations that would love to invest in women who are interested in developing a skillset, and finding what they want their niche to be.
It’s identifying a current gap in the security program where you can use the skillset you have to provide unparalleled value. That’s a hard question to answer because there are so many different ways that I think you could. For anyone that’s interested in getting involved and doesn’t think that they have the background to make a decision on what niche they want to be a part of, to begin with, I know most organizations these days have that development program. They have the opportunity for you to start and look at cybersecurity as a whole. Pick what aspects you want to be a part of and try them out. That is extremely beneficial and a great approach to getting your feet wet.
Crisis Management: There’s a lot of organizations that would love to invest in women who are interested in developing a skill set, finding what they want their niche to be, and identifying a current gap in the security program where you can use the skill set you have to provide unparalleled value.
Ashley, you’ve talked about some of the skills that you use, but what do you think puts women off applying to work in cybersecurity?
There are two things and they go hand in hand. I’ll start with the first and that’s job postings being daunting in and of themselves. You look at the skills required or even what the description of the job is. This is not only in the cybersecurity field. Oftentimes, someone may not be super confident in the fact that they are the right fit. Typically, if I look at a job posting and I’m not sure if I’m the right fit, I would still apply and go through the interview process. That’s the whole point. You’re interviewing the company as much as they’re interviewing you so you can see if there is a good fit.
When it comes to cybersecurity and the gender gap that we already see within the field, it can be a turnoff for women. They look at the job posting. They’re unsure. Maybe they do still have the courage to apply, but then every interview that they have from that point on is by a very successful senior male figure. It’s hard for them to imagine themselves in that role as a female, knowing that they’re going into a very male-dominated environment.
It’s hard for women to imagine themselves in that role as a female, knowing that they’re going into a male-dominated environment.
I am the only female that is on the crisis management team, and one of three females on the readiness team at Accenture. I’ve had a great experience. Someone had to point out to me that I was the only female on the team, but I know everyone doesn’t have that experience. It takes a lot of courage to put yourself in those uncomfortable situations to even apply for a job you’re not fully confident in.
You add that to the mix and it can be extremely daunting and a turnoff to many. I think there’s a lot of change in the cybersecurity field these days. People are aware of the fact that it is male-dominated. I will give a shout-out to my male leaders. They pointed out and they have the conversations. They’re trying to make strides to minimize that gap. As women, we also have to apply for them to be able to minimize the gap. I don’t want to forget that part of the equation too.
Finally, what’s your top tip for anybody that wants to get into cybersecurity? What would you suggest they do?
I would go in head first. If I’m being honest, as we’ve talked a lot about here, there are so many different opportunities and skillset that you can leverage to be successful in the field. The way that I was able to find my path was going in head first trying a wide variety of things until I found my niche. I would encourage anyone who has any potential desire to be in cybersecurity to go in and give it a try. We have such a shortage. Everyone is going to be grateful that you’re there.
Crisis Management: For anyone who has any potential desire to be in cyber security, just go in and give it a try. We have such a shortage. Everyone’s going to be grateful that you’re there.
If you’re on the right team, they’re going to encourage you and teach you along the way. At the end of the day, it’ll be a great learning experience. At the very least, you might find your niche and passion, and years later, be excited to go to work every day and want to have the opportunity to be on shows like this to encourage others. I couldn’t say enough positive things about my experience thus far. I would recommend for anyone that’s potentially interested to go in head first and see how you feel a few months in.
Ashley, thank you so much. I’ve enjoyed hearing about your career, how you got started, and the skills you use. It’s fantastic to hear somebody talking about cybersecurity with such enthusiasm and passion. Thank you very much for joining me in this episode.
Thank you for the opportunity.
If this conversation has sparked or thought in your mind about how you recruit your female talent, let’s have a conversation. To give you the opportunity to ask any questions you have about the work I do with cybersecurity companies on attracting, developing, and retaining more female talent, simply email me at Sherry@SherryBevan.co.uk to book your call. Thank you and I’ll see you in the next episode.
Ashley is a security consultant whose work is focused on proactively improving organization’s resiliency to cyber threats and advising organizations through cyber crisis’. A readiness and crisis management consultant at Accenture in their Cyber Investigation, Forensics, and Response (CIFR) practice, she is responsible for helping organization’s flex their crisis response capabilities.
Cybersecurity is a mission, not a job. Today’s guest has 20+ years of experience to prove that. As part of our National Cybersecurity Awareness Month miniseries, we talk to Laura Whitt-Winyard, CISSP, CISM, CISA, CRISC, a Fellow at the Institute for Critical Infrastructure Technology and International Advisory Board Member at HMG Strategy. Laura got herself to cybersecurity through a slightly unconventional route. Now, she is one of the industry’s respected thought leaders and a role model for women in the space. Tune in as she joins Sherry Bevan to talk about her typical day as a CISO, the challenges she had to go through in her career, what she enjoys about her work, and the wisdom she can impart to women working in the sector.
—
Listen to the podcast here
National Cybersecurity Awareness Month Special: Cybersecurity Is A Mission, Not A Job With Laura Whitt-Winyard
In this mini-series, to celebrate National Cybersecurity Awareness month, I’m talking to a range of women about their careers in cybersecurity. In this episode, I’m delighted to be talking to Laura Whitt-Winyard. A very warm welcome to you, Laura.
Thanks, Sherry. Thanks for having me.
Laura has a whole string of letters after her name. She’s got a range of qualifications. She has worked for some leading companies, including Comcast and Bloomberg. Let’s jump right in and find out more about Laura’s career in the cyber world. Laura, could you start by telling us how you started in IT and cybersecurity and how your role has evolved over time?
I have been in cybersecurity for many years. I started in IT, and it was by accident that I went into cybersecurity. One of the companies that I was working for was Allstate Insurance Company. They were doing a lot of business with CNA Insurance Company in Chicago. Having talked with the CISO of a CNA insurance company, it turned out that their security architects had sabotaged their networking.
He asked me if I thought it was something I’d be interested in trying to help him fix, so I did. That’s how I got into cybersecurity. Subsequent to that, I realized that cybersecurity was my passion. It’s always changing. You never get bored. You’re constantly learning. You have the ability to affect positive change. Subsequent to that, I moved from CNA to Bloomberg, where I worked for some amazing people. I went to Comcast and worked for even more amazing people. It was a wonderful experience. It’s always an opportunity to learn.
That was quite a start in cybersecurity, being asked to pick up where somebody else has done some real damage, by the sounds of it.
National Cybersecurity Awareness Month: Typically, when you start a new company as a female, they assume you understand regulations compliance, and maybe the legal aspect, but definitely not the technical aspect.
It was crazy. I had to learn on the fly, which is probably one of the best ways to learn.
It’s interesting that you’ve got a slightly unconventional route into cybersecurity. That seems to be a common theme in this mini-series. Quite a few of the women I’ve interviewed already have not actively looked for a career in cybersecurity but landed in it by chance, almost.
Back in the day, very few people intended to go into cybersecurity. It wasn’t a career route that most people even knew about.
It’s very true. Perhaps you could tell us a bit more about what you do on a day-to-day basis in your role.
On a day-to-day basis, you spend quite a bit of time working on strategy and vision, trying to discern where the company is going, aligning the security strategy with business objectives, as well as staying on top of the latest trends, understanding a couple of years ago nobody thought too much about quantum computing. They thought it was so far off. Now it seems it’s on our doorstep. You spent a lot of time looking at what’s advancing in security and the latest trend and factors, but then taking that and marrying it with your strategy and the company objectives.
That sounds like a lot of thinking power that goes on in that type of role because you are having to look at what’s coming and predict how that might influence or affect operations for your business.
Cybersecurity is always changing. You never get bored, you’re constantly learning and you have the ability to effect positive change.
There’s quite a bit of a prediction, and I would venture to say even guessing. You look at what’s going on and try to ascertain how it could impact your company and its customers. Sometimes you get it right. Sometimes you get it wrong. Sometimes you’re too advanced for the company or are a little bit ahead of the time, and you’re not ready for it. A good example was when I was at Bloomberg. I was exploring anomalous detection back in 2005 and 2006. The cybersecurity world wasn’t ready for it, and neither was Bloomberg. Now, everybody talks about anomaly detection.
That’s one of the interesting things about working in this sector, particularly in technology, because it’s evolving quickly. There have been quite big changes as well over the last couple of years. Nowadays, the general public has more awareness and understanding of cybersecurity in general.
It’s extremely beneficial to a CISO. There’s a saying that says, “Don’t let a breach go unutilized.” The fact that it’s become more prevalent in the news, less and less executives and companies as a whole are saying, “That happens to other people. It doesn’t happen to companies like ours. We’re too small. Nobody knows who we are.” Now they’re realizing that is not accurate.
That general awareness has increased amongst the business itself rather than just being something that IT and the technical people understood. That’s a real positive in some ways.
It helps security leadership be able to explain the ramifications of not doing certain things and the benefits of doing certain things. It makes it much more applicable to the business in their everyday life when they see what can happen to other companies.
Tell me a bit about your career. What’s been the biggest challenge that you’ve had to deal with?
National Cybersecurity Awareness Month: There’s not one single person in cybersecurity who knows everything. Find your niche, find what you love to do in cybersecurity and focus on it.
I would say probably as a female being perceived as not technical. That’s the biggest challenge. Typically, you start a new company, they see you as a female, and they assume you understand regulations, compliance, and maybe the legal aspect, but not the technical aspect. It’s always, in a way, a little bit fun once they realize how extremely technical I am and the shock on their face. That’s one of the biggest challenges.
How do you get around that challenge? What do you that makes that less of a challenge?
It takes time working with the engineers, engineering leaders, and product leaders and being able to make recommendations that aren’t so along the lines of checking a box for compliance to say, “Maybe we can’t do this, but here are some opportunities and options that we could do something else.” Security coverage is typically surprised about the technical record I make, and it takes time being able to explain that to people.
That’s true in any organization, but perhaps more so for a female entering a very technical career, which is a bit frustrating at times. Hopefully, over the next few years, we’ll start to see that changing, and it would be becoming less of an issue. What about the things you’ve been most proud of in your career so far?
Becoming a CISO. I was very excited and proud. I must admit I was a little bit too excited and in disbelief that I had made it to the pinnacle of my career. Some of the other things I’m proud of is coaching some of the folks that have reported to me into other security leadership roles. I still maintain those relationships with them to this day and ensure that they pay it forward, and then also take chances on people who have never even once worked in cybersecurity but have a security mindset. Maybe they do Capture The Flag competitions and win in their free time, but they’ve never worked in cybersecurity or been educated in taking a chance on them and watching them flourish. That is also a very proud moment for me.
That must be a real fuzzy feeling moment for you to see people you have taken a risk with and to see them flourish. In some ways, it is even more rewarding than taking someone on who’s got the experience and the qualifications, and they flourished. Taking someone on where you’ve taken a risk is something extra.
Cybersecurity is not a job. It’s a mission. You’re not just there to protect the company. You’re there to protect their customers and their employees.
I hired a grocery store manager who didn’t have a degree at all, had no cybersecurity certifications, had never worked in cybersecurity, but had a massive server environment in his basement and entered Capture The Flag competitions in his free time. These are hacking competitions and had won several. He did not apply for the job. Someone that was a friend of his said, “You should look at this guy.” In talking to him, I was amazed.
It was the fact that nobody would ever pick a chance on him. He’s now flourishing. He’s doing so well. He’s paying it forward. He’s helping bring new people into the security community, which is half the battle. As you know, we have a skills shortage, and there are not enough cybersecurity people. For him to pay it forward to every person that I help pays it forward is a wonderful thing to see.
Paying it forward is so important, particularly since there is a skills shortage in cyber. The more good people, the more good talent we can bring in. Often they can be the ones who will be perhaps better at persuading others who don’t have that cyber experience. This is a field that you can work in and can flourish. That’s good. What is it that you enjoy about the work that you do? You clearly enjoy developing people, coaching, and watching them grow, but what else is it that you enjoy about the work?
It’s the ability to affect positive change to do good. When you work in cybersecurity, it’s not a job. It’s a mission. You’re not just there to protect the company. You’re there to protect their customers and their employees. It has a ripple effect. If I saved one customer from having a security incident or losing their data, that would affect their livelihood.
That also, in turn, affects their family. That ripple effect is part of why I do this. I also love speaking about cybersecurity. I’m passionate about it. You can ask my husband, who rolls his eyes every time we’re watching a show, and I’m talking about cybersecurity. In the cybersecurity community, this mission that we’re on is much bigger than the individual and the company. It’s a global issue.
What do you see as some of the potential barriers or challenges for women, in particular, starting or getting promoted in cybersecurity?
National Cybersecurity Awareness Month: Get as much knowledge as you can. Anytime you read something that is not resonating, Google it, research it, YouTube it, learn as much as you can.
One of the barriers is that they’re afraid of not knowing something and looking like a fool. One thing I’ve always said is there’s not one single person in cybersecurity who knows everything. It’s impossible. Find your niche. Find what you love to do in cybersecurity and focus on it. Don’t let anyone tell you that you don’t have enough skills or knowledge because you will get it. Not everyone has all of it.
What do you see as being the most important skills for anybody working in cybersecurity?
It’s the ability to translate technical into business. Being bilingual is one of the hardest skills to learn to be able to explain to the business something extremely technical but in a manner in which it relates to them and their business.
It’s that communication piece. That’s true no matter what part of technology you go into, particularly cybersecurity because it has a potential impact on the business itself. You need to be able to explain things in a way that others can understand so that it makes sense to them and that they know what decisions they’re making and what the ramifications are.
I still struggle with that. Many people in cybersecurity are of a different mindset. We’re very technical, logical, literal, and to be able to go into a conversation with varying personalities, if you’re speaking to the board or someone in risk, or development even, and to be able to set aside your technical knowledge and put it into language they understand. I have trouble with it even still to this day.
That’s true, no matter what field you work in. When you’re an expert in what you do and that knowledge is part of who you are, then it’s easy enough to take for granted what other people’s knowledge and understanding are. It’s such a common thing. What are the tips that you might have for women who are thinking about getting into cybersecurity? What would you suggest they do if it’s getting into the sector or want to make progress in the sector?
It’s really important to find out what your passion is within cybersecurity – what interests you, what really drives you. Hone in on that and learn as much as you can.
Read as much as you can. By read, I don’t mean books. By the time a book is released, some of that technology is already legacy. Read cybersecurity news. Set up alerts on your phone about anything cybersecurity. If you read a news article and you’re wondering, “What does this mean?” google it. Learn it. Try and research it. There’s free cybersecurity training out there all over the place. Go to security conferences. The security community nowadays is very different from what it was several years ago.
The security community nowadays is very much a community. Whereas several years ago, it was the most knowledge wins. I’m not sharing my information with you because you’ll be as smart as I am. There are things called BSides. There are tons of security conferences. The one I go to every year is DEF CON. It’s an annual hackers convention where anywhere from 20,000 to 30,000 hackers from around the world attend. It’s a very inexpensive conference compared to the others. Get as much knowledge as you can. Anytime you read something that is not resonating, google it. Research it. YouTube it. Learn as much as you can.
I was talking to somebody on a completely different subject the other day. We’re talking about bike mechanics. I cycle. I remember her saying, “You can learn whatever you need to learn nowadays. You can just YouTube it, and you’ll find out whatever it is you need to know.” The same is true for cybersecurity because so many people now are sharing their knowledge so much more openly on the podcast, YouTube, blogs, and things like that.
How many times have you had something going on at home, like your dishwasher or something, and you go to YouTube for a video on how to fix it? The same is true with cybersecurity. There’s so much to learn. There are so many different aspects of cybersecurity as well. Like I said, it’s important for you to find out, “What is your passion within the cybersecurity arena? What interests you? What drives you?” Hone in on that and learn as much as you can.
Thank you so much for sharing those tips. That knowledge piece is helpful. Often, women tend to have a tendency to think if they don’t know all the answers, therefore, they’re not good enough, expert enough, or don’t have the relevant experience. As you say, you can research so much nowadays online that there’s no reason to feel like that.
That happened to me early on in my career. I would not speak up. I would not say much in meetings for fear of looking like I didn’t know what I was talking about. It’s that insecurity. If I could say something to myself back then, it would be, “Don’t worry about being insecure. Almost everyone at the table is as insecure as you are. Not everybody knows everything.”
National Cybersecurity Awareness Month: Don’t worry about being insecure. Almost everyone at the table is just as insecure as you are and not everybody knows everything.
It’s such a good thing to remember. Thank you so much for your time, Laura. If people want to get in touch with you, is LinkedIn the best place to do that?
Thank you so much for joining us. I’ve enjoyed hearing about your career in cybersecurity. I love the fact that your start in cybersecurity was less than conventional, but being asked to go in and fix something that had gotten broken. That’s good to hear from that point of view how you got into cybersecurity. It’s clearly an industry that you’re passionate about and love.
Thank you so much for having me. Anyone who would like some free tips, coaching, or any websites I recommend for following the news or free cybersecurity training, can always reach out to me on LinkedIn or Twitter.
Thank you so much. If you’ve enjoyed reading about Laura’s career as a woman in cybersecurity, you can find more episodes at SherryBevan.co.uk. If this has sparked a thought in your mind about how to develop and retain your female talent in cybersecurity, please do get in touch with me, and let’s arrange an exploratory call. Thank you so much, Laura. Thank you to everyone who’s reading. See you next episode.
Laura Whitt-Winyard is a Fellow at the Institute for Critical Infrastructure Technology and an International Advisory Board Member and Women in Technology board member at HMG Strategy. Previously, she was the CISO of Malwarebytes, Global CISO for DLL Group, Director of Security for Billtrust, and held senior leadership positions in security at Comcast and Bloomberg, LP.
This episode offers you the senior consultant of Crowdstrike, Emma Jones, to celebrate National Cybersecurity Awareness Month. Emma shares the unintentional move of her career in cybersecurity. Given that she has no background in the role, the transferable core skills she possessed allowed her to fare pretty well in the space. She enjoyed each moment of her journey and never looked back on her previous career. Like everyone else, Emma faced some challenges along the way in her career, but how did she deal with them? What insights could she offer to anyone thinking of taking the cybersecurity route? Tune in to this episode and learn more.
—
Listen to the podcast here
National Cybersecurity Awareness Month Special: Navigating The Unconventional Route A Cybersecurity Career With Emma Jones
In this mini-series, to celebrate National Cybersecurity Awareness month, I’m talking to women about their careers in cybersecurity. I’m delighted to be talking to Emma Jones from CrowdStrike. Welcome, Emma. Thank you so much for joining me.
Thanks for having me. It’s a pleasure to be on the show. Thank you.
Emma is a Senior Consultant at CrowdStrike. She’s going to tell us a bit more what that involves. Let’s get started and find out about her career journey. To set it into context, could you start by telling us a little bit more about CrowdStrike and what they do?
CrowdStrike, for those who haven’t heard of them, we are a global cybersecurity technology company. Our mission is ultimately to stop breaches. Essentially, they work with a whole range of products and services and strategies to protect customers and clients from the cyber threat and from the adversity that we face in that space. That’s a little bit about CrowdStrike. My role with them is based in the services part of the business. Essentially, I work with organizations across the UK, Europe, Middle East and Africa on a huge range of cyber incident response and readiness activities to help them prepare for the threat and increase their security posture and readiness.
Tell me how you got started in your IT career.
Overcome the imposter syndrome because otherwise, it would impact you personally and professionally.
Completely unintentional move into IT/cybersecurity. Actually, I went straight into cybersecurity. My previous occupation was in UK Law Enforcement. I was in a National Law Enforcement Organization working on a whole range of crime types, different threats, different teams, non-related to technology or cyber.
What happened was I went through a promotion process and they’re quite huge campaigns, I should say, where you apply for the rank or for the grade or the position rather than a specific role. You go through a campaign, they will assess and determine who’s suitable for that particular level, then at that point they will appoint individuals into the role across the organization and across the UK.
I went through a campaign and was successful in that campaign and was really pleased to hear that. It was at that point, I found out which role I was being posted into. Honestly, I expected it would be a role that I had done before with EMA, or had exposure to a crime type I was more familiar with. No one was as surprised as me to find out that I was posted to the National Cyber Crime Unit. I had a moment where I thought, “What on earth has happened here? There must have been a mistake. Why am I going into cyber? That’s not my background. I don’t have an IT skillset.”
I wondered what had happened in the process, but actually people had recognized transferable skills as being incredibly important in cybersecurity, not least of course because the industry is still fairly new compared to many of the areas of work and disciplines, but actually very fortunately the panel who decided recognized that I had some experience that would benefit the cyber side of the team. I found myself in a position there, which entailed creating and delivering and establishing a brand new unit for all UK Law Enforcement. It was all focused on prepared activities.
I had to start from scratch, learn about the threat, and then develop a team which would do a range of different projects from exercise and through operational learning all focused on cyber incidents. It was completely unexpected, but I’ve never looked back. I enjoy every moment of it. Here I am now in CrowdStrike in the private sector.
National Cybersecurity Awareness Month: Familiarity and awareness increase the effectiveness and the speed of your ability to respond.
I love hearing stories of people who have had an unconventional route into cybersecurity. I think it’s a very positive and powerful message to hear. You mentioned there that your campaign is you’re applying for a rank rather than for a specific role, and that somebody had obviously spotted specific transferable skills that you had. Would you mind sharing a bit more about what you believe those transferable skills were or are?
I would describe them best as core skills. Some people say soft skills, I’m not a huge fan of that. I think it can really imply that you are lesser than or it’s not as important. I like to say core skills. Essentially, I would say there are probably three areas. The first is communication. With that, obviously running a team that had a national unit, you would need to work with people in many different sectors, many different organizations, both public sector and private sector, and at different levels, operational levels, all the way through to senior leaders and strategic forum.
Communication absolutely was the top skill that mattered most in this space, so that you could essentially translate a conversation or a topic and achieve what you needed to achieve in that role. The second skill I would say is probably the leadership skills and strategic thinking. Many conversations I’ve had throughout my career, people have said, “Leaders and leadership skills are saved for the senior roles.” I think anyone can be a leader in your space. If you are developing something, if you were doing something novel or creative, or you have simply taken a step forward to help bring people together, then that absolutely means you are a leader, regardless of your role.
Whilst I was in a management and leadership position, I think those skills were deemed pivotal to be able to take an idea and a vision forward, and get people to understand why you were doing some and what the outcome and benefit for everybody would be in that space. Definitely communication and leadership. Finally, and I suppose it’s an element of communication, but it’s about listening skills and the ability to understand the situation that’s presented to you, and tailor and flex your style and ability and approach.
Obviously, there are many different views and ideas that you can take forward in your space that you need to be tuned in to what the actual requirement may be. Attention to detail and that listening ability, and then translating it into the next project. I certainly think those are some top skills I had to draw upon to my journey in that role specifically.
Comparison is the thief of joy.
As you described, they are definitely core skills that anybody needs in any industry and sector, but I think particularly so in the way that cybersecurity space is evolving at the moment, then those skills are in high demand. Tell us a bit more about what you do on a day-to-day basis in your role at CrowdStrike.
No two days are the same, as cliché as it may be. There are themes and similarities but lots of different conversations. There are a few paths on my role. The first is around working with our organization to enhance the incident response readiness. What I mean by that is getting prepared ahead of an incident to be able to deal and respond to that particular situation that they face. There’s a whole range of benefits in doing that. Not least familiarity and awareness, increase in the effectiveness and the speed of your ability to respond, given that time is always of the essence in these circumstances. That’s a huge focus for me is that preparedness initiative drilling down on some key aspects, whether that’s how you seek support in responding to an incident, what barriers you may potentially face, and how can we overcome them proactively.
The other aspect of my work is more strategic in the sense of supporting organizations in their broader security programs. Working with them to understand what keeps them up at night, what’s the biggest concern, what’s the priority, and how we can help them address those concerns and priorities. Security programs are always changing. They’re always evolving, very dynamic, and you can never do everything all at once.
It’s about having conversations with our clients across this region about what matters to them, and how best we support their effort so that they increase their resilience and readiness in that space. That’s broadly speaking of the day job. I’m really fortunate to have a couple of extra pieces of work that I can do in CrowdStrike relating to inclusion and thought leadership as well, which is fantastic. I’m very fortunate to have the time and opportunity in that perspective.
It sounds like you really enjoy the work that you do, which is brilliant. When you enjoy your work, it makes it so much easier. Since you’ve moved into the IT or the cybersecurity sector, what has been your biggest challenge in your career so far?
National Cybersecurity Awareness Month: To be inclusive with others, we can have thematic and strategic conversations around diversity and inclusion.
I would certainly say it’s around building confidence. We talked about how many people find themselves in cyber in unconventional ways, different routes and paths. I think that contributes to things like Imposter syndrome. Many people, if not everyone, suffer that, and it comes in peaks and troughs, but that was an area that I struggled with to begin with.
What comes hand-in-hand with that is building confidence and having faith and belief in my skillset and my abilities. That was quite difficult to begin with because when you would look around in cyber, it’s still fairly male-dominated. There’s still quite a technical focus rather than a core skill focused certainly at the time that I came into the industry. That sometimes can make you feel like, “I’m not quite like person X, I don’t have that knowledge of person Y, and I wouldn’t take that approach.”
Sometimes, you can then doubt your abilities and whether you’re in the right space and doing the right thing. For me, I had to overcome that because otherwise, you would be impacted both personally and professionally, and suffer in terms of not being able to really do and be who you wanted to be. I had to take the time to reflect and realize that I was in a position I was because of the skills and experience I had. They may have been different for other people, a different perspective, a different mindset or a different approach. I had to remind myself of that on a regular basis.
There’s a quote, “Comparison is the thief of joy.” That’s absolutely true. Remember the skills that you do have, and it’s not necessarily all about certifications. I came into the industry without anything like that. It was about lived experience and ability to apply knowledge. Realizing that position was fundamental to overcome that challenge. Don’t get me wrong, it can still be a challenge now, but it’s much more in check. I also have a wonderful mentor who I met through a Women in Technology program, who supports me create the safe space and has honest conversations, and helps me understand more about my potential and current value as well. That’s certainly been the biggest barrier that I’ve had to overcome.
It’s interesting you talked about a mentor because one of the other women in this mini-series talked about having a mentor as well, and how helpful that had been for her to believe in herself and to apply for the next role and to develop her career. It’s good to hear you talking about that as well. What about your proudest achievement? What’s that been?
If you wait until you feel ready, it’s usually too late.
This is always difficult to talk about. It’s not a question people ask one another so often. For me, I was nominated for a Global Women In Tech Award. That means a lot to me because it focused not just on my work in cyber incident response, but also predominantly about the work I’ve done for inclusion and inclusive practices with incidents.
I would say I’m probably most proud of it because it was the results of the work that I did a few months ago with the forum of incident response and security team. I was selected to speak at their conference. I thought about what we can do to be inclusive with them. For me, a lot of conversations and a lot of narrative, quite rightly, is always about thematic and strategic conversations around diversity and inclusion. Sometimes, those in teams and every individual every day might not feel that relates to them directly.
I wanted to take a moment to speak to those individuals within teams within the global forum to say, “This is what we can do as individuals and actually make it specific real examples, bringing it back and relate for their daily work. That was a fabulous opportunity for me to bring two topics I love together, and a wonderful moment to hear about the nomination as well. That’s where I’m at in terms of proudest achievements.
You’ve done a lot of work around inclusion and representation. What do you see are some of the potential barriers for women working in this sector?
The most prominent barrier at the moment is a lack of representation of women in two areas. The first in senior leadership roles and the second in technical roles. The industry is very vocal and passionate and supportive of having diverse representation, having women in the workforce. There are conversations about how cyber is not just technical, so women in roles that are non-technical and that are outside of the day-to-day hands-on keyboard activity, and they intersect with cyber, was certainly getting there and recognizing that and bringing women into the sector in that regard.
National Cybersecurity Awareness Month: Choose opportunities that you think will be best for you to support your interests in that area.
When it does come to senior leadership and technical hands-on keyboard positions, that is where we lack the visibility and representation. It’s important for me because we want to feel like we can have a career path and that we can do something. Everyone likes to see someone role model that opportunity. Without that can make it quite a challenge to showcase and explain to individuals and to women what a great path this career can take you on.
You’re right. There are a lot of organizations that are actively wanting to improve diversity and increase inclusion, but it’s not having those role models at the senior levels and in the technical areas. There’s that quote, “You can’t be what you can’t see.” The more we have those role models, then the more it becomes a snowball effect. Any top tips for anybody who wants to get into cybersecurity via a conventional or an unconventional route?
There are many, and I’m sure you’ll hear some fabulous tips from all of the guests on this mini-series, but I think there are two. The first is to leverage what’s out there to support women. There are amazing networks, free training programs, and I mentioned the Women In Technology mentoring program that I joined a number of years ago. There’s so much out there, so just have a look, make the most of it, choose opportunities that you think will be best for you to support your interests in that area. You don’t need to be in a cyber role to join any of those. You could just be thinking about IT and tech position. Definitely leverage those opportunities. There’s more now than there’s ever been before.
The second tip I would have is there’s no better time than doing it now. Both for those reasons around the opportunities, but also because someone once said to me that if you wait until you feel ready, it’s usually too late. I completely agree with that. Taking a moment to leap into a new opportunity or just signing up to a program or a training course. Even if it doesn’t fully fit with what you’ve got going on right now or if you think, “I need another six months and then I’ll be ready,” just do it because something will always come in the way. That’s my main tip and something which stayed with me for my entire career so far.
I love that piece of advice. I think it’s so true because so often we put off doing things because, “I’m not quite ready or I don’t quite have the right experience yet,” then you can look back later and think, “If only I had done it sooner, if only I’d just taken up that plunge.” Emma, thank you so much for joining me. It has been interesting to hear about your slightly unconventional route into cybersecurity, but I think that’s a very positive thing to hear. I’ve loved the tips that you’ve shared as well. If people want to get in touch with you, I guess LinkedIn is the best place to do that, correct?
Yes, absolutely. Please reach out. I’m always happy to provide pointers and advice on joining the sector and where to leverage those opportunities.
Thank you so much, Emma, for joining me. We’ve been reading about Emma Jones talking about her career as a woman in cybersecurity. If there’s a spot of thought in your mind, let’s talk. Let’s talk about any questions you might have about the work I do in cybersecurity companies on attracting, developing, and retaining your female talent. Just email me at Sherry@SherryBevan.co.uk to book your free consultation call. Thank you, Emma.
Emma is a Senior Consultant with CrowdStrike, who works with organisations across the UK, Europe, Middle East and Africa on a range of cybersecurity incident response and readiness initiatives. Alongside her day job, she is passionate about fostering inclusion and championing diversity, and is involved in multiple associated projects.
There’s always something to learn. You don’t have to know everything, but you should look for innovative ways to acquire new knowledge every day to achieve the success you are meant to have. This interview is one of a series of interviews with women in cybersecurity. The series is published in October 2022 to celebrate National Cybersecurity Awareness Month. Our guest, Dora Ross, shares her knowledge of the barriers and challenges of cybersecurity. Dora is a security culture transformation specialist. She works with organizations to define and implement risk-based, human-centered security culture and training strategies enabling positive behavioral change. In this episode, she emphasizes that there are so many different areas in Security, and the landscape is constantly changing. Tune in to learn more about what people do daily in cybersecurity, the importance of communication skills, and shaping cultural change.
—
Listen to the podcast here
Cultural Change, Continuous Learning, And Cybersecurity With Dora Ross For National Cybersecurity Awareness Month
In this mini-series to celebrate National Cybersecurity Awareness Month, I’m talking to a range of women about their careers in cybersecurity. I’m delighted to be talking to Dora Ross. Welcome, Dora. Thank you so much for joining me.
Thank you so much for having me.
She is a security culture transformation specialist. We’re going to find out what that involves and hear about Dora’s career journey. Perhaps you could start off by telling us how you got started in IT and how you made that move over into the role you do now.
My first several years weren’t in IT or cybersecurity at all. I was working in marketing, communications, and business change management. I transitioned into IT unintentionally. When I was a business change manager working for a social and housing organization, I needed to understand work processes and ways of working for different departments. That is in compatible systems in IT as of products used. That was my way into the world of IT.
It’s quite a different career, but you got those transferable skills. What do you find is different about working in IT compared to the roles you had before?
It is different compared to what I have done before. I feel like I need to understand a bit more because IT is a wide spectrum of topics and systems that are used. I constantly feel like I need to understand more and learn more, and it can be technical. Sometimes, I feel like I need to research a lot more to be able to understand what people do and how they do it, especially with engineering teams. They are so different and technologically advanced people that I feel sometimes I get a little bit of impostor syndrome with them because I might not be able to understand as much as they are.
To be applying for something that’s completely out of your comfort zone is a really big thing.
However, in my world and in business change management, it’s number one to be able to ask questions. It doesn’t matter, even if I don’t understand something. It is being able to ask questions. There might be some complex topics that I need to translate into an easily digestible format for the rest of the organization. Although I used to have impostor syndrome, and sometimes I still have that, I have to be okay with knowing that it’s okay not to know everything.
That is one of the traps that some women tend to fall into wanting to know everything, needing to be the expert, and having all the detail on everything. The more you move up in an organization, the less feasible that is practically to have the time in the day to know the detail about everything. I’m glad you have talked about that. That is positive that you have taken that learning on board. Tell us a bit more about what you do because your job title is a bit different than some of the other women in this area. You’re a security cultural change specialist. What does that mean? What is it that you do on a day-to-day basis?
As the title said, it is not heavily technically involved at all. It’s more of a softer side, people side, and psychology and behavioral side of elements. I am responsible for embedding secular behaviors into that corporate culture. That means I work with all different parts of the business, different functions, and departments to understand what they do and how they do it. I help them during the workforce in more secular ways.
They’re able to protect the company data, but besides that, it’s not just the company, customer data, and employee data that are important. What I enjoy about this is that people can learn tips and techniques and best practices on how to protect themselves in their own personal lives, their families, when they do banking, or even on social media, and how much they share.
It’s an interesting role to be able to help the organization build up cyber resilience and also help people on a personal level. My role could be different on another day. I could be writing blogs or user guides, preparing for some training or workshops, working on creating cyber secretary training and culture strategies, or some incident communications that could happen any day. It’s varied in terms of the role.
What about the skills that you need for that particular role?
Cybersecurity: Be motivated and have that hunger for knowledge, so you continuously learn and expand your horizon.
My career started doing marketing communication and business change, especially for this work, this cultural change. Change management is important to know how people go through change cycles and how to influence behaviors. Also, the marketing side is quite good to have so that you know how to write communication and business training materials. It captures people’s attention. You can help them learn new skills in an easily digestible format.
Once I started being interested more in security, I went on a couple of courses at Open University. There are free courses out there that can be taken. You can go on a different learning journey. I have qualified by SANS, which is a paid five-year course. You need to learn about how to manage and measure secondary awareness practices and interventions. There are different ways you can go about it, and you can learn on the job. I do find some qualifications help you to be better at this role.
That qualification gives you a certain level of authority and credibility in what you do.
Exactly. However, there are some rules. Sometimes, there are too many qualifications that may be asked. People are not going to apply for those because they don’t have them. They might have the skills and experience but not the qualification for various reasons. Qualification might not always be the most important thing. However, there are certain ones that are worthwhile to see.
I remember years ago, I was hiring a network administrator. We interviewed some people who had the qualification, and some of them didn’t have the qualification that we were looking for. Some of those people without certificates were fantastic, knowledgeable, and experienced. Some of the ones with the certificate didn’t know what they were doing. There is an element of that. It’s a mixture of having the qualification and the experience, but those qualifications certainly give you that credibility. In your career, what’s been your proudest achievement?
I can mention a couple. I will bring down the two main ones. When I was working at a social housing association back in 2012, I was still in my marketing role. PWC came in to look at our target operating model or the stigma that we can get some savings. I applied for a role, besides my marketing role, to help PWC with this big piece of work and be marvelous for six months.
To be able to collaborate with people, having good communication and social skills are the keys.
I was fortunate enough to be accepted for this program. That completely changed the course of my career life. That’s where I learned about business change management, organizations, and different departments and got to know the business and how they operate. That was mind-blowing to learn all of these things. That was one of my proudest moments because I was in marketing. To be applying for something that’s completely out of my comfort zone was a big thing for me. It changed the course of my life.
The other one I would mention was before COVID hit. It was in February 2020. We had the ties in International Security Summit. I was one of the speakers, and that was the last live event before we stopped the live conferences. I was able to speak about security culture and education among many credible and amazing speakers. That was one of my biggest highlights. To be able to be on stage with those people, commenting and giving advice on best practices, and imparting my knowledge around security culture was an incredible moment.
The opportunity to work alongside PWC, what better organization to learn from a big consultancy firm like that? I can imagine that’s given you a strong foundation in business change. I’m thinking about getting more women into cybersecurity. What do you think are the barriers or challenges to doing that?
When I transitioned from the business change adamant into more of the technological side, I mentioned impostor syndrome. You might feel you don’t have enough knowledge to get into a certain industry or tech industry. That could be a barrier. People believe in themselves, move forward, and go for those interviews or look at those opportunities. You know there was a way in.
I would encourage women to have mentors because they can be a great help to get into cybersecurity or IT. Find communities and networks that support each other in the area of interests and performance people, and they will be able to show them opportunities, skills festivals, or something like that. There are opportunities to meet future employees. You can ask them, “What do you need, or what requirements do you have?” Start the initial conversation. You will get a better chance of getting into this industry.
You sound like you love your work. Your enthusiasm and passion for it come across when you’re talking. What do you see as being the key skills that are required not just for women but for people to be successful in this industry?
Cybersecurity: Working with people and getting to know the business through the different departments and what people do in different functions is really satisfying. It’s creating those relationships and actually making a difference.
Social skills are important. To be able to collaborate with people, you have to have good communication skills. Sometimes that’s a little bit lacking. If someone has got a lot of technological knowledge, they are not able to translate what needs to be done about the systems in an easy and clear way to people. Collaboration is one of those keys. Be motivated and have that hunger for knowledge so that you learn more and continuously learn and expand your horizon.
What is it that you love about the work that you do?
I love our security culture. It does not just work for me. I personally love this. I’m the one who can go out with friends or family. I’m giving them best practices sometimes. They don’t even want it.
You can’t help yourself. That’s what is valuable about the work that you or the people like you do. What you’re doing is protecting companies, but that information and knowledge help individuals protect themselves. In this cyber world, that is important.
Working with people and getting to know the business, different departments, and what people do in different functions are satisfying. Creating those relationships in each department depends on their needs in providing them suitable training or whatever guidance they need. Creating those relationships is amazing and you are making a difference.
When you see a communication strategy come to life, people come to you, and they’re starting the conversation. It’s a two-way conversation. That’s where the magic happens. You’re not pushing out information, but the people receiving them now ask questions about the ending in the changing behaviors because of that. That unfolds the beauty of other cyber security cultures.
When you see a communication strategy come to life and people actually come to you and start the conversation that’s really where the magic happens.
What has been your biggest challenge since you have been working in cybersecurity?
I would mention learning more about the technical side. Initially, because I’m coming from business change, plans the psychology of change, and how to communicate changes to people, but to understand and be credible on a different topic is learning about the system, the threats, and the risks a little bit more.
That was a bit of a challenge for me because I knew how to communicate about certain topics, and I found that I needed to find out. I did feel like if I knew a little bit more, I don’t always have to ask those questions because I understand what people are talking about. It’s easier to impart that knowledge to other people. It’s learning a bit more about the technical side.
Having that depth of knowledge and information makes it easier for you to communicate in ordinary English that a non-technical person can then understand. One of the hardest pieces about working in technology is doing that translation from tech speak to normal person speak.
There is so much out there, and you could get lost in the knowledge because there is much information out there. I hear a word over here about technological solutions. You instantly research, but you can get into too much research and get lost because there is more information. There has never been a stop to it. There is a lot more that you can do, and you have to know where to stop. You’re not getting overwhelmed by all the information that comes in.
Understand what you need to understand and ask questions. If you ask people, “Can you explain it a bit more because I don’t know about this? Could you demonstrate it to me?” They like to help. People are naturally quite helpful. It’s good to ask for knowledge. You need to research and stop there. If you need more, get more later.
Cybersecurity: You could get lost in the knowledge of someone because there’s just so much information out there.
If there are women reading this who are looking to get into cybersecurity, what are your best tips for them?
If you can sign up for mentorship, you can do it within your own organization or somewhere externally. I have had mentors before, but one in particular, Deborah Haworth from the publishing company where I worked previously has been amazing to me. She has opened doors for me that I don’t think I could have opened myself in terms of getting to know people and introducing me to many people. From then on, I could learn more.
My number one advice if someone would like to get into the industry is to find a mentor who is in that industry that you would like to get into, and they will be able to help you. The second last tip is to find the community. There are many communities like the SANS or SASIG community that are helpful. The people there can help you with whatever career you would like to take. There are lots of advice on training or conferences on how to develop your skills.
With more women working in cybersecurity, finding a mentor and finding the right communities are getting easier than it was several years ago because there are that many more women now in the sector. We don’t yet have a gender balance. I don’t think that’s going to be anytime immediately soon, but we’re getting there, aren’t we?
We are getting there, but there’s no balance yet. In the last few places where I worked, my immediate team, the smaller team, had a high number of women working in the department. When you look at the widest perspective, the whole IT or security, there are more male-oriented than female. I have worked with incredible women.
Hopefully, there are more women who want to get into this industry because it’s amazing. There is so much variety in work, and you could progress into different roles. Mine is not too technical. Social skills are required, but I can digress in the future years to more technical elements and do something completely different. There is so much there and everyone can choose whatever system works for them.
Dora, if people want to get in touch with you, I’m guessing LinkedIn is the best place.
LinkedIn is the best space.
Thank you so much to my guest, Dora Ross. I have enjoyed hearing about Dora’s career as a woman in cybersecurity, particularly because she is doing a role a little bit differently, looking at the cultural transformation. For more episodes, go to SherryBevan.co.UK. If this has sparked a thought in your mind about how you can do more to attract, develop, and retain your female talent, please do get in touch. Email me at Sherry@SherryBevan.co.UK. Thank you so much, Dora.
Dora is a security culture transformation specialist. She works with organisations to define and implement risk-based, human-centred security culture and training strategies enabling positive behavioural change. She has a true passion for information security, demystifying security threats and policies, so that people know what to do in certain situations to better protect themselves and their organisations from cyber threats.
Going to the next level in your career means having to take on more complex projects. And our guest in this episode has done that while coaching and mentoring women in technology. Sherry Bevan interviews Chloe Acebes, the Director of Software Engineering at Sophos, with 20+ years’ experience in the cybersecurity industry. Chloe leads teams of Engineers who develop next-generation endpoint security products.
In this conversation, Chloe shares her career in cybersecurity, taking us along to both the challenging and proudest moments in her career thus far. She also talks about coping with the pandemic, the barriers for women working in the sector, and the future of her career balancing politics and technology.
—
Listen to the podcast here
Taking On More Complex Projects In The Cyber Industry With Chloe Acebes Of Sophos To Celebrate National Cybersecurity Awareness Month
In this episode, I’m talking to Chloe Acebes of Sophos about her career in cybersecurity. A very warm welcome to you, Chloe. Chloe is the Director of Software Engineering at Sophos. She’s going to be talking to us about her career in cybersecurity. Let’s get started. Perhaps you could tell me how you got started in IT or in cybersecurity.
I studied Physics and Astronomy at university. In my final project at uni, we did a little bit of C programming. I learned a little bit of C there and to say that I liked that and thought I might be interested in a career more towards IT. When I was finishing university, I applied for various different jobs in technology and in science. I applied for a job at Sophos, where they had a graduate program where they took people on from different disciplines. We got basic training on the job. We learned about coding, various aspects of technology and security. Basically, I’ve been at Sophos ever since.
That sounds amazing that you’ve been there ever since. It proves that those graduate programs, when you get them right, they do work and you get good staff. How did you get into cybersecurity more specifically?
It came to me by chance. As I said, I was interested in IT and technology. I applied for several different roles. When I came to interview at Sophos, they talked a lot about protecting customers and protecting small businesses. Sophos focused a lot on small and medium businesses, which means that we make the difference between a business doing well and a business being attacked and potentially losing money. That aspect of talking about helping people was what drove me into the industry. That’s what still gives me job satisfaction.
In thinking about your career overall, what has been your biggest challenge?
I think there are two that come to mind. The first one is starting the job. I came from a Physics and Astronomy background. I didn’t know a lot about computers. I didn’t know a lot about programming and hadn’t done computer science. There’s that foundation that you’re missing. That was a bit intimidating coming online and starting off the job, but that strong ramp up to start off with is a big challenge.
It’s a fast-moving world. You’re always trying to keep up with the bad guys, which means there’s always lots of stuff to learn.
The second one I could think of is during the pandemic. I was leading a project at Sophos to deliver a project where we had to coordinate with many different teams and many different business units, different time zones. I have led projects before, but this was the biggest and most complex one that I had ever done. That was the biggest but also more satisfying challenge I’ve had because we delivered what we were asked of on time and coordinated across many different teams, and it was a success.
At that time, you were doing it in lockdown when we were still getting used to the ways of remote working and hybrid working.
In a weird way, it was beneficial at some points because some of the teams we were working with were based in the US. We would have been on Zoom with them anyway. Sometimes when you’re in a call in the office and some people are in the office in the room and some people are on Zoom, it’s actually hard to engage both sites. Having everyone be on Zoom was a level playing field.
I think that’s been one of the advantages that we see now with more hybrid working. People are more understanding of the disadvantages of having a mixed group of people working in the office and from home. Being on Zoom and in the office all at the same time, it adds an extra layer of challenge to the way that communication works.
You have to be careful with things like drawing on the board. The meeting I was in right before this one actually, we had one person on Zoom, the rest were all in the office, and I wanted to draw on the board. We’re lucky enough that where I work, the cameras move around. You can point the camera at the board, not the people on the call, and have the person on Zoom still engaged with what’s going on in the call. You’re right, it’s an interesting challenge having people come back to hybrid, partly in the office and partly online.
I’ve seen that work well. I’ve also seen it work badly. You mentioned there about your biggest challenge and it sounded like a very complex project. I’m wondering, what about your proudest achievements in the work that you’ve done or that you do?
Sophos: We can work very hard to try and make the balances as good as we can, but if a few people are applying, it’s like fighting a lost battle.
There are a couple of things. I do some coaching and mentoring at Sophos. Some of it is around women in technology. I’m part of the Women in Technology Group at Sophos. We have a coaching scheme and a mentoring scheme as part of that. I have a mentor and I mentor other people. I also run a Women in Engineering Group where we try and get people together. We started that in the pandemic. New people would start during the pandemic, they didn’t have that natural meet the peers in the coffee area and find people around. I’m not at all saying that because there’s another female in the office, you should be friends with them because you’re females together, but you maybe have more in common with them.
Meeting people in the office is more natural. We couldn’t do that in the pandemic, so we started this Women in Engineering Group. We went out for dinner one night. We have an online teams thing where you have new starters join and realize there’s a community of other women at Sophos that they can meet up with. I’m quite working with the mentoring scheme. The project I mentioned was a big complex thing, and I’m proud of delivering that project. It set me up for more complex things in my career.
Obviously, you work in cybersecurity, and we know that the gender balance between men and women in technology as a whole is not great, but it’s even more marked in cybersecurity. What do you see as some of the potential barriers for women working in this sector?
I think part of it is fear of the unknown. I’m not seeing role models that are similar to yourself. The thing I struggled with the most is it’s quite difficult to fix having more people to apply because the pipeline isn’t big enough. It doesn’t have a strong enough pipeline of females. You have to go back to university or school, and change the attitude there so that they’re more likely to do science and technology subjects, and be more passionate about those so that when you get later on in life and you start to look for a job, there are more women looking for that. It’s almost a bit of a catch-22. We can work as hard, and we do work very hard to try and make the balance as good as we can and make cyber at Sophos more appealing to women. If there are fewer people applying, it’s like fighting a losing battle.
We know there’s a skill shortage generally in the cybersecurity sector. That does make it even harder.
There are fewer people, in general, doing degrees, never mind women.
The more diverse your workforce, the better the solutions you come to.
What about the opportunities for women in the sector? If you were to go and do a marketing piece and come and join the sector, what would you say to women?
This may sound weird, but I almost wouldn’t want to say that there’s anything specific to women that appeals to women in cyber. It’s just a good career for anyone. There isn’t anything specific to women or men. There are lots of challenges. It’s a fast-moving world. You’re always trying to keep up with the bad guys, which means there’s always lots of stuff to learn. There are always new challenges coming, and I think that should be exciting for anyone.
It sounds like that’s what you enjoy about the work that you do.
That’s part of the reason I’ve been in one company for so long. I think if I had been here and done the same thing for many years, I would be bored. I’ve moved around different teams. The challenges move on all the time. The bad guys are always doing different stuff, so the whole industry has to move along to keep up with that. There are always new things to look at, new techniques that you have to worry about. It keeps you on your toes.
In the role that you do, can you tell us a bit more about what you do on a day-to-day basis?
As a Director of Engineering, that means I basically manage multiple teams in one functional area. My role has transitioned a little bit. It was at first that I was the director of the endpoint detections for our endpoint software, which covers some Windows devices and Linux devices. I’ve shifted a little bit, and I now focus more on protecting Linux devices. I have 3 or 4 teams now that work on various aspects of our products, which protects Linux servers.
Sophos: The further up you go, the more removed you are from technology and the more of the politics game you have to play.
We help to work on strategy with product management to identify the roadmap and the areas that we want to deliver. I also work then with the teams to work on how we deliver those things, what technical choices we want to make, how we split the projects up, how we are using resources for the projects, what the timelines for those look like. How do we coordinate across the teams? How do we make sure we deliver it with quality?
A lot of your role at the level you’re at now is managing the teams to do the development and the delivery of those products.
I still have one team who reports directly. Maybe I do like day-to-day management with them and what tickets are we working on and what are we doing? I would like to hire a person to take on that role so that I can be exactly as you described, a slightly higher level. You’re worrying more about what direction the teams are going in and what direction the product itself is going and more strategic.
What do you see in the future for you and your career?
I think I would like to weigh in the scope of my responsibility and the area that I’m in. As I said, I’m responsible for taking care of the Linux product, which covers a lot of cloud workloads. A lot of customers have machines running in the cloud, AWS or Azure, and that’s a specific type of customer. That type of customer may use other tools and leverage other security tools to manage their cloud workloads. I’d like to extend my functional responsibility to cover those areas and have the responsibility within the department.
I don’t know how much further I would like to go up the ladder. The further up you go, the more removed you are from technology, the more of the politics game you have to play. I’m in the middle of that now, but I still have reasonable ideas about what technology the team is using and having a hand in the strategy. I still have to do some politics, but I’m not far enough up the ladder that that’s what I do day-to-day. That’s probably the next decision I have to make if I’m able to go farther up and do more of the politics and less of the technology, if that makes sense.
The cyber industry is looking for many passionate people who want to solve problems.
Thinking back to your original degree, I think you said it was Physics and Astronomy. Is there anything from what you studied in your degree that you’re actually using in your work?
No. I think the main thing is ability to solve problems. Anyone who does a Science degree learns how to have a logical approach and how to approach solving problems. That is invaluable. You’ve proven that you can understand the problem and that there are various ways to approach it, and that absolutely applies in software engineering. That’s one of the main things we look for when we get graduates to join.
These days, many more people will do Computer Science degrees than back when I was at university. We always look for people who have a Computer Science degree because they have that foundation that I mentioned earlier, but they also have shown that ability to solve problems. We do also sometimes consider people from other backgrounds if they’ve shown that ability to do the problem-solving.
What other skills are you looking for apart from problem-solving and that kind of foundation in Computer Science?
Definitely communication. That’s something that’s changed in the time that I’ve worked in the industry. When I first joined Sophos, there were lots of people who would be handed a little bit of work to do. They would sit in their corner. They’d write their code and then they pass it back and they almost would avoid talking to other people. The industry has gone through quite an epic change where the focus is much more on Agile programming and collaboration.
That’s important to know that when we solve problems, we often do it as a team. You have to be able to stand up in front of a whiteboard, draw a picture, explain the problem and what your approach should be, and then collect information from other people and come to some consensus about, “Let’s take a little bit from everyone’s solution.” Come to a consensus, something common. To be able to do that, you have to communicate. You have to actively listen. Those are the two other key things that we look for.
Sophos: When we solve problems, we often do it as a team. You have to be able to stand up in front of a whiteboard, draw a picture and explain the problem and your approach, and then collect information from other people to come to a consensus.
At the end of the day, that means that you’re going to end up with a better product because it’s not just one person’s thoughts or ideas on how to deliver or how to develop that product.
That’s where the diversity comes in. The more diverse your workforce, the better the solutions you come to.
Before we finish, Chloe, any tips for people thinking about working in cybersecurity or thinking about going into that as their career after university?
Just apply. The cyber industry is looking for lots of people who are passionate and want to solve problems. You don’t need previous cyber experience to do well. You just need someone who’s passionate, able to communicate well, can sell yourself and can solve problems. Those are the things we’re looking for. I’d recommend that you read up a little bit about, in general, what cyber is about, but just go for it. We’re desperate for new blood.
I hear that all the time from lots of the companies I’ve been talking to. The skill shortage is very real. I was talking to someone else who was saying, “We don’t mind whether they’re male or female. They could come from planet Mars, as long as they have got communication skills and problem-solving skills because we’re so short on good talent.” It sounds like it’s a brilliant sector to work in with the future of technology, isn’t it?
Yes. For me, the thing I mentioned earlier about the fact that you’re helping people, you don’t get that in many other technology industries. You could work in finance, doing fintech, or you could work in IT, building computers for people, but you don’t get the same satisfaction. You’re helping protect people. You’re helping keeping their assets secure. For the small businesses, you’re basically helping keeping them going. If they had a ransomware attack, they could potentially go out of business.
It’s that sense of purpose that you get working in that sector. Thank you so much for joining me. I do appreciate it. Thank you, everyone, for reading. I’ve been talking to Chloe Acebes from Sophos. She’s a Director of Engineering there. I enjoyed hearing about Chloe’s career as a woman in cybersecurity, but also her journey from coming from a Physics and Astronomy degree, and then finding out about coding and then eventually joining Sophos as a graduate.
You can find out about more episodes at SherryBevan.co.uk. If it sparked a thought in your mind about how to attract more talent to your organization, particularly if you’re looking at attracting female talent, then please do get in touch. An exploratory call with me will give you the opportunity to ask any questions you have about the work I do with cybersecurity companies on attracting, developing, and retaining your female talents. You just need to get in touch with me by email, Sherry@SherryBevan.co.uk. Thank you again, Chloe. It’s been great talking to you. Enjoy the rest of your day.
As #15 Most Influential Woman in UK Technology and 21 Most Inspiring Women in Cyber Dr Jacqui Taylor was awarded an Honorary Doctorate of Science in recognition of her international web science work. One of the 250 Founders of the UK’s Digital Economy, in 2016 she pivoted her company FlyingBinary to meet the challenges of Web 3.0, the Metaverse and the Industrial Internet of Things (IIoT) with spectacular results.
Ashley is a security consultant whose work is focused on proactively improving organization’s resiliency to cyber threats and advising organizations through cyber crisis’. A readiness and crisis management consultant at Accenture in their Cyber Investigation, Forensics, and Response (CIFR) practice, she is responsible for helping organization’s flex their crisis response capabilities.
Laura Whitt-Winyard is a Fellow at the Institute for Critical Infrastructure Technology and an International Advisory Board Member and Women in Technology board member at HMG Strategy. Previously, she was the CISO of Malwarebytes, Global CISO for DLL Group, Director of Security for Billtrust, and held senior leadership positions in security at Comcast and Bloomberg, LP.
Emma is a Senior Consultant with CrowdStrike, who works with organisations across the UK, Europe, Middle East and Africa on a range of cybersecurity incident response and readiness initiatives. Alongside her day job, she is passionate about fostering inclusion and championing diversity, and is involved in multiple associated projects.
Dora is a security culture transformation specialist. She works with organisations to define and implement risk-based, human-centred security culture and training strategies enabling positive behavioural change. She has a true passion for information security, demystifying security threats and policies, so that people know what to do in certain situations to better protect themselves and their organisations from cyber threats.
