There’s always something to learn. You don’t have to know everything, but you should look for innovative ways to acquire new knowledge every day to achieve the success you are meant to have. This interview is one of a series of interviews with women in cybersecurity. The series is published in October 2022 to celebrate National Cybersecurity Awareness Month. Our guest, Dora Ross, shares her knowledge of the barriers and challenges of cybersecurity. Dora is a security culture transformation specialist. She works with organizations to define and implement risk-based, human-centered security culture and training strategies enabling positive behavioral change. In this episode, she emphasizes that there are so many different areas in Security, and the landscape is constantly changing. Tune in to learn more about what people do daily in cybersecurity, the importance of communication skills, and shaping cultural change.
Listen to the podcast here
Cultural Change, Continuous Learning, And Cybersecurity With Dora Ross For National Cybersecurity Awareness Month
In this mini-series to celebrate National Cybersecurity Awareness Month, I’m talking to a range of women about their careers in cybersecurity. I’m delighted to be talking to Dora Ross. Welcome, Dora. Thank you so much for joining me.
Thank you so much for having me.
She is a security culture transformation specialist. We’re going to find out what that involves and hear about Dora’s career journey. Perhaps you could start off by telling us how you got started in IT and how you made that move over into the role you do now.
My first several years weren’t in IT or cybersecurity at all. I was working in marketing, communications, and business change management. I transitioned into IT unintentionally. When I was a business change manager working for a social and housing organization, I needed to understand work processes and ways of working for different departments. That is in compatible systems in IT as of products used. That was my way into the world of IT.
It’s quite a different career, but you got those transferable skills. What do you find is different about working in IT compared to the roles you had before?
It is different compared to what I have done before. I feel like I need to understand a bit more because IT is a wide spectrum of topics and systems that are used. I constantly feel like I need to understand more and learn more, and it can be technical. Sometimes, I feel like I need to research a lot more to be able to understand what people do and how they do it, especially with engineering teams. They are so different and technologically advanced people that I feel sometimes I get a little bit of impostor syndrome with them because I might not be able to understand as much as they are.
To be applying for something that’s completely out of your comfort zone is a really big thing.
However, in my world and in business change management, it’s number one to be able to ask questions. It doesn’t matter, even if I don’t understand something. It is being able to ask questions. There might be some complex topics that I need to translate into an easily digestible format for the rest of the organization. Although I used to have impostor syndrome, and sometimes I still have that, I have to be okay with knowing that it’s okay not to know everything.
That is one of the traps that some women tend to fall into wanting to know everything, needing to be the expert, and having all the detail on everything. The more you move up in an organization, the less feasible that is practically to have the time in the day to know the detail about everything. I’m glad you have talked about that. That is positive that you have taken that learning on board. Tell us a bit more about what you do because your job title is a bit different than some of the other women in this area. You’re a security cultural change specialist. What does that mean? What is it that you do on a day-to-day basis?
As the title said, it is not heavily technically involved at all. It’s more of a softer side, people side, and psychology and behavioral side of elements. I am responsible for embedding secular behaviors into that corporate culture. That means I work with all different parts of the business, different functions, and departments to understand what they do and how they do it. I help them during the workforce in more secular ways.
They’re able to protect the company data, but besides that, it’s not just the company, customer data, and employee data that are important. What I enjoy about this is that people can learn tips and techniques and best practices on how to protect themselves in their own personal lives, their families, when they do banking, or even on social media, and how much they share.
It’s an interesting role to be able to help the organization build up cyber resilience and also help people on a personal level. My role could be different on another day. I could be writing blogs or user guides, preparing for some training or workshops, working on creating cyber secretary training and culture strategies, or some incident communications that could happen any day. It’s varied in terms of the role.
What about the skills that you need for that particular role?
My career started doing marketing communication and business change, especially for this work, this cultural change. Change management is important to know how people go through change cycles and how to influence behaviors. Also, the marketing side is quite good to have so that you know how to write communication and business training materials. It captures people’s attention. You can help them learn new skills in an easily digestible format.
Once I started being interested more in security, I went on a couple of courses at Open University. There are free courses out there that can be taken. You can go on a different learning journey. I have qualified by SANS, which is a paid five-year course. You need to learn about how to manage and measure secondary awareness practices and interventions. There are different ways you can go about it, and you can learn on the job. I do find some qualifications help you to be better at this role.
That qualification gives you a certain level of authority and credibility in what you do.
Exactly. However, there are some rules. Sometimes, there are too many qualifications that may be asked. People are not going to apply for those because they don’t have them. They might have the skills and experience but not the qualification for various reasons. Qualification might not always be the most important thing. However, there are certain ones that are worthwhile to see.
I remember years ago, I was hiring a network administrator. We interviewed some people who had the qualification, and some of them didn’t have the qualification that we were looking for. Some of those people without certificates were fantastic, knowledgeable, and experienced. Some of the ones with the certificate didn’t know what they were doing. There is an element of that. It’s a mixture of having the qualification and the experience, but those qualifications certainly give you that credibility. In your career, what’s been your proudest achievement?
I can mention a couple. I will bring down the two main ones. When I was working at a social housing association back in 2012, I was still in my marketing role. PWC came in to look at our target operating model or the stigma that we can get some savings. I applied for a role, besides my marketing role, to help PWC with this big piece of work and be marvelous for six months.
To be able to collaborate with people, having good communication and social skills are the keys.
I was fortunate enough to be accepted for this program. That completely changed the course of my career life. That’s where I learned about business change management, organizations, and different departments and got to know the business and how they operate. That was mind-blowing to learn all of these things. That was one of my proudest moments because I was in marketing. To be applying for something that’s completely out of my comfort zone was a big thing for me. It changed the course of my life.
The other one I would mention was before COVID hit. It was in February 2020. We had the ties in International Security Summit. I was one of the speakers, and that was the last live event before we stopped the live conferences. I was able to speak about security culture and education among many credible and amazing speakers. That was one of my biggest highlights. To be able to be on stage with those people, commenting and giving advice on best practices, and imparting my knowledge around security culture was an incredible moment.
The opportunity to work alongside PWC, what better organization to learn from a big consultancy firm like that? I can imagine that’s given you a strong foundation in business change. I’m thinking about getting more women into cybersecurity. What do you think are the barriers or challenges to doing that?
When I transitioned from the business change adamant into more of the technological side, I mentioned impostor syndrome. You might feel you don’t have enough knowledge to get into a certain industry or tech industry. That could be a barrier. People believe in themselves, move forward, and go for those interviews or look at those opportunities. You know there was a way in.
I would encourage women to have mentors because they can be a great help to get into cybersecurity or IT. Find communities and networks that support each other in the area of interests and performance people, and they will be able to show them opportunities, skills festivals, or something like that. There are opportunities to meet future employees. You can ask them, “What do you need, or what requirements do you have?” Start the initial conversation. You will get a better chance of getting into this industry.
You sound like you love your work. Your enthusiasm and passion for it come across when you’re talking. What do you see as being the key skills that are required not just for women but for people to be successful in this industry?
Social skills are important. To be able to collaborate with people, you have to have good communication skills. Sometimes that’s a little bit lacking. If someone has got a lot of technological knowledge, they are not able to translate what needs to be done about the systems in an easy and clear way to people. Collaboration is one of those keys. Be motivated and have that hunger for knowledge so that you learn more and continuously learn and expand your horizon.
What is it that you love about the work that you do?
I love our security culture. It does not just work for me. I personally love this. I’m the one who can go out with friends or family. I’m giving them best practices sometimes. They don’t even want it.
You can’t help yourself. That’s what is valuable about the work that you or the people like you do. What you’re doing is protecting companies, but that information and knowledge help individuals protect themselves. In this cyber world, that is important.
Working with people and getting to know the business, different departments, and what people do in different functions are satisfying. Creating those relationships in each department depends on their needs in providing them suitable training or whatever guidance they need. Creating those relationships is amazing and you are making a difference.
When you see a communication strategy come to life, people come to you, and they’re starting the conversation. It’s a two-way conversation. That’s where the magic happens. You’re not pushing out information, but the people receiving them now ask questions about the ending in the changing behaviors because of that. That unfolds the beauty of other cyber security cultures.
When you see a communication strategy come to life and people actually come to you and start the conversation that’s really where the magic happens.
What has been your biggest challenge since you have been working in cybersecurity?
I would mention learning more about the technical side. Initially, because I’m coming from business change, plans the psychology of change, and how to communicate changes to people, but to understand and be credible on a different topic is learning about the system, the threats, and the risks a little bit more.
That was a bit of a challenge for me because I knew how to communicate about certain topics, and I found that I needed to find out. I did feel like if I knew a little bit more, I don’t always have to ask those questions because I understand what people are talking about. It’s easier to impart that knowledge to other people. It’s learning a bit more about the technical side.
Having that depth of knowledge and information makes it easier for you to communicate in ordinary English that a non-technical person can then understand. One of the hardest pieces about working in technology is doing that translation from tech speak to normal person speak.
There is so much out there, and you could get lost in the knowledge because there is much information out there. I hear a word over here about technological solutions. You instantly research, but you can get into too much research and get lost because there is more information. There has never been a stop to it. There is a lot more that you can do, and you have to know where to stop. You’re not getting overwhelmed by all the information that comes in.
Understand what you need to understand and ask questions. If you ask people, “Can you explain it a bit more because I don’t know about this? Could you demonstrate it to me?” They like to help. People are naturally quite helpful. It’s good to ask for knowledge. You need to research and stop there. If you need more, get more later.
If there are women reading this who are looking to get into cybersecurity, what are your best tips for them?
If you can sign up for mentorship, you can do it within your own organization or somewhere externally. I have had mentors before, but one in particular, Deborah Haworth from the publishing company where I worked previously has been amazing to me. She has opened doors for me that I don’t think I could have opened myself in terms of getting to know people and introducing me to many people. From then on, I could learn more.
My number one advice if someone would like to get into the industry is to find a mentor who is in that industry that you would like to get into, and they will be able to help you. The second last tip is to find the community. There are many communities like the SANS or SASIG community that are helpful. The people there can help you with whatever career you would like to take. There are lots of advice on training or conferences on how to develop your skills.
With more women working in cybersecurity, finding a mentor and finding the right communities are getting easier than it was several years ago because there are that many more women now in the sector. We don’t yet have a gender balance. I don’t think that’s going to be anytime immediately soon, but we’re getting there, aren’t we?
We are getting there, but there’s no balance yet. In the last few places where I worked, my immediate team, the smaller team, had a high number of women working in the department. When you look at the widest perspective, the whole IT or security, there are more male-oriented than female. I have worked with incredible women.
Hopefully, there are more women who want to get into this industry because it’s amazing. There is so much variety in work, and you could progress into different roles. Mine is not too technical. Social skills are required, but I can digress in the future years to more technical elements and do something completely different. There is so much there and everyone can choose whatever system works for them.
Dora, if people want to get in touch with you, I’m guessing LinkedIn is the best place.
LinkedIn is the best space.
Thank you so much to my guest, Dora Ross. I have enjoyed hearing about Dora’s career as a woman in cybersecurity, particularly because she is doing a role a little bit differently, looking at the cultural transformation. For more episodes, go to SherryBevan.co.UK. If this has sparked a thought in your mind about how you can do more to attract, develop, and retain your female talent, please do get in touch. Email me at Sherry@SherryBevan.co.UK. Thank you so much, Dora.
About Dora Ross
Dora is a security culture transformation specialist. She works with organisations to define and implement risk-based, human-centred security culture and training strategies enabling positive behavioural change. She has a true passion for information security, demystifying security threats and policies, so that people know what to do in certain situations to better protect themselves and their organisations from cyber threats.