“You get what you get, and you don’t throw a fit.”
I got into cyber – Like many in the industry, my journey into cybersecurity was not a direct path. I actually began my college career as an Interior Design major! However, after a semester of C’s in art classes, I realized I wasn’t quite cut out for it. I quickly changed my major and earned my undergraduate degree in Management of Technology.
Shortly after that, I began to search for my first “real” job. Like many recent college graduates, I took the approach of throwing spaghetti against the wall—I applied for as many jobs as I could that were tangential in any way to my major. I remember driving to one interview thinking, this is the job I am least qualified for, but I’ll give it a shot. Sure enough, that was the one that stuck. A few weeks later, I began my career as an auditor for an insurance company.
I learned a lot from my time there, including the basics of internal audit, the value of log correlation, and the camaraderie that comes with hours in the “war room” with stakeholders. After a Master’s in Business Administration (MBA), a move across the country, and two children, I accepted a role leading the audit function at a credit union. This was my first exposure to security compliance and risk management. I quickly learned about the Payment Card Industry Data Security Standard (PCI-DSS) and the mechanisms needed to satisfy those requirements. But the longer I worked there, the more interested I became in the actual security controls—how to implement them and how we could improve them. I decided now was the time to make a change. On a leap of faith, I applied for an Information Security Engineer position and got the job.
The experience that helped me transition to a career in cyber – My unique experiences with auditing and compliance early in my career solidified the importance of evaluating requirements, outlining implementation details, and utilizing repeatable test steps to ensure they function properly. And these concepts carried through even after shifting to a tactical security role.
When the list of security concerns seems to grow daily, it can be hard to know where to start. It can be even harder if you don’t understand the basics of security requirements and controls. That’s why I recommend beginning by learning about international security frameworks and control sets, such as the AICPA’s System and Organizational Controls (SOC), International Standards Organization (ISO) 27001, or the Secure Controls Framework. These standards do a wonderful job of synthesizing and explaining suggested mechanisms to secure an organization. I’m not saying you must immediately comply with such a framework or become a certified information security auditor overnight. However, I do recommend you learn about their structure, their requirements, and the risk associated with not implementing the various controls.
Because of my compliance background, I am better equipped to recommend security improvements that align with risk reduction activities because I understand why they are essential and how well they could improve an organization’s security posture. Over the years, I’ve consistently applied the “auditing” approach in project management and process improvement.
For example, before starting that first Information Security Engineer role, the company underwent an external security review documenting a lengthy list of required improvements. From removing developer access in production to implementing multi-factor authentication, I had my work cut out for me. Over the 3 years that followed, I took painstaking steps to close those gaps and aligned our organization with ISO 27001. Part of that process included deploying Reciprocity ZenGRC® to monitor our growing list of requirements, assess controls, track findings, and implement a risk management program to ensure oversight of all projects and technology deployments. I’m proud to say that we passed our stage 1 and 2 audits with zero findings and obtained our ISO 27001 certification. It was one of the proudest moments of my career, and I attribute much of that success to my early exposure to security compliance.
The skills that set me up for success – When thinking about cybersecurity skillsets, many people focus on the technical aspects: network configurations, data analysis, or scripting. But in my experience, the essential qualities of a cybersecurity engineer are curiosity, creativity, and empathy.
As we all know, threats and vulnerabilities are constantly evolving. The risk associated with your organization’s security changes daily, if not every minute. That’s why one of the most critical skills for cybersecurity professionals is curiosity. Never stop asking questions! Never stop learning. One of the things I love most about working in security is that things are constantly changing. Yup, you read that correctly. I love changes! Learning new things, challenging past assumptions, and expanding my understanding and abilities are profoundly satisfying. I once heard myself referred to as a life-long learner and thought, isn’t everyone? To be successful in cybersecurity, you have to keep learning. I recommend joining professional organizations (like the Cyber Guild!) and subscribing to industry newsletters, blogs, and Reddit feeds. For example, check out the Reciprocity resource center.
Another critical trait is creativity. I may not have been great at my art and design classes, but I use my creativity daily! When you work in cybersecurity, a million things could go wrong. And no two organizations will remediate them in the same manner. As a security professional, you’ll use your creativity to develop, maintain and improve security controls tailored to your organization’s unique needs. And this creativity goes hand-in-hand with curiosity. One of my favorite parts about my job is researching different ways of approaching cybersecurity methodologies and coming up with different (and I think better) ways of accomplishing them. So, while I’m not designing buildings, I do get to design solutions that improve the cybersecurity world. And I think that’s pretty cool.
All too often, security and compliance activities are seen as a nuisance, or in some cases, as a money drain. While most understand the need for security, many don’t understand the value. I believe this is partly due to the perception that security’s role is to enforce rules for the sake of compliance without any explanation as to why. That’s why it’s critical to be empathetic.
Cybersecurity isn’t about ruling with an iron fist. To be successful in cybersecurity, you must take the time to understand the business, its objectives, and how you can enable its success. When you focus on the business and your shared objectives, you can recommend and deploy security controls commensurate with the level of risk the business is willing to accept. In my prior example, mobile device management (MDM) was one of the controls I needed to implement. One of the executives was concerned about the process since it required each employee to factory reset their phone to install the application. Further, some phones were very old, and many employees were remote and lacked the skill set to deploy the application independently. We both understood the need for mobile device management, but I was empathetic to his concerns about employee impact. We developed a multi-stage plan aligned with device upgrades, employee attrition, and an annual in-person meeting to achieve full deployment. The business was willing to accept the risk of waiting a bit longer to fully comply because it minimized employee impact, and in the end, we deployed MDM to all company phones. Win-win!
My tips to help a successful career transition to cybersecurity are – Like any career transition, it will be hard. There is no way to sugarcoat it. You will have to step out of your comfort zone and be willing to fail. We all fail. One time I was deploying a duplicate file storage system and accidentally overwrote the existing server with the blank image of the new server. I erased about 15% of the file server before we noticed the mistake. But you know what? I learned. I know firsthand the value of redundancy and backup testing. And those failures ultimately help you build better security controls to prevent something like that from occurring again. The phrase “could Meghan break this?” was used often on my team!
My second tip goes out to my ladies and other underrepresented groups. You will be underestimated. You just need to accept that now. I’ve been second-guessed and overlooked countless times. And when this happens, remember this: PROVE THEM WRONG! I’ve been called the “IT Department Secretary” and the “cheerleader who hangs out with the AV club”. And even worse, I’ve had other women in security try to push me down to promote themselves. When this happens, my philosophy is to prove them wrong. Focus on your goals and do what you need to do to achieve them. When people say you can’t do it, use that as fuel to keep going. And when you do achieve your goal, and I know you will, you can look back and know that they were wrong.
Believe it or not, I’m actually thankful for everyone who underestimated me. Thank you to my former boss, who thought I wasn’t technical enough. I now run the Technical Product Management team for a global software developer. Thank you to the former manager who never approved my ideas and proposed solutions. I presented a new risk management methodology at an international conference in Rome. I’m thankful for them because they pushed me to try harder, making achieving those goals even more satisfying.
Now, I know what you’re thinking: “it’s going to be hard, and people will underestimate me; maybe cyber isn’t the place for me”. Well, that brings me to my final tip: surround yourself with cyber-positivity. If you’re a fan of Christmas movies, you may know the phrase, “the best way to spread Christmas cheer is singing loud for all to hear”. The same is true when it comes to your cyber career. The best way to succeed in cyber is to talk about cyber for all to hear!
I can’t stress enough the importance of having a group of cyber-minded connections to bounce ideas off of, share research, and validate methodologies. Working together only makes cybersecurity stronger! If you need a place to start, please follow me on LinkedIn.
Something few people know about me is – I have an auditory processing disorder which limits my ability to understand speech in noisy environments, distinguish between similar sounds, and comprehend information without context clues or facial expressions. And though I’ve adapted mechanisms to offset this deficit, I realized just how impactful it was on my life when people started wearing COVID masks. I felt like I was underwater: everyone’s voices sounded muffled, and I lost my ability to read lips. It was very disorienting. I used this as fuel to spread awareness in my community, recommending see-through masks for local teachers and Girl Scout volunteers in support of the deaf and hard-of-hearing community.
The quote I live by is – “You get what you get, and you don’t throw a fit”. This quote actually comes from my youngest daughter’s kindergarten teacher, and it’s a quote my family and I live by. But it’s actually very applicable in cybersecurity as well. Things change rapidly, there will always be an emergency, and nothing will ever work the first time. But you must stay calm, assess the situation, and devise a creative solution. You can’t change “what you get,” but instead of throwing a fit, you must focus on resolving the problem. And then, once the fire is out, you can throw a fit 🙂
My recommended read – Last summer, I had the opportunity to attend the RSA Conference in San Francisco. One night I was out to eat with my coworkers when a nearby table ordered champagne and was clearly celebrating. When we inquired, we learned that this group had recently written and published a book. They just so happened to have a signed copy handy which they so generously gave to me. Reinventing Cybersecurity, published by JupiterOne Press, is a compilation of stories from successful women in the cybersecurity industry. From CISOs and CTOs to security analysts and risk managers, the authors’ shared experiences highlight the challenges and opportunities faced by those breaking into and navigating the cybersecurity world.
I immediately made this my “on the airplane book” and breezed through it in a few weeks. It’s a quick read: each author provides specific input and experience in various areas of cybersecurity. But it is also a very valuable read: hearing the struggles, successes, and advice from these trailblazers was amazing.