Role Models and Trail Blazers: WISDOM Q&A with Celine Pypaert

Every month, WISDOM highlights the achievements and perspective of inspirational colleagues in the field as part of a Q and A series. Our November role model and trail blazer is Celine Pypaert, an Associate Security Solution Engineer and VMinclusion UK Communications chair at VMware, and part-time mature student finishing her Bachelor’s in Computer Science with Honours at University of Derby.

Celine entered the field after teaching herself cybersecurity skills, leading to a pentesting internship for a few months at a small British cryptography software firm, after which she joined VMware. Previously not being a technical person at all, Celine is also a public speaker and tries to inspire others to go after their dreams in infosec and learn the skills to get to where they want to be! She believes that security should be accessible to all and will continue contributing to initiatives and talks to help “non-techies” become more secure.

1. What do you think is the most challenging aspect of information security?

The most challenging aspect in information security, to me, is the constant challenge of having to stay up to date and learn as much as I can – as low-level as needed, too. Thankfully, I am so interested in it that keeping up to date on the latest hacks, malware, and technology, is no chore for me. Nonetheless, balancing all the self-learning on top of my other work duties, and my university studies (as I am finishing my BSc in Computer Science part-time) can be quite a time-consuming challenge. An additional challenge, of course is having to stay or try to stay one step ahead of the attackers. But I do love a fast-paced job and environment, and if you are a curious person, then staying on top of things and continuous learning can often be a passion and hobby, and not just a job or a chore.

2. What has been the proudest moment of your career to date?

I have a tie between my proudest moments: helping secure a small software company’s web app; giving security training to non-security colleagues in my company; and getting to do my first public talk at Women Driven Development 2020 – highlights in my life and career!

I am happy to help others become more secure, whether that is a client/customer, regular users or friends, companies, or my friends and family – as I believe security should be more accessible to all.

3. What are the most enjoyable parts of your work?

The most enjoyable moments so far have been testing and analysing Linux malware and non-malware attacks (yes, that exists! For Mac, too) and being given permission to “hack” a company or app. It is fun and enthralling trying to find ways in, find vulnerabilities and help secure those holes. I also enjoy talking to customers, learning what their challenges are and how we can help them. The nice thing about being a Solution/Systems Engineer is that it’s often a mixed role of technological focus and customer interaction. I am not just using command-line all day every workday (although I sure enjoy that, too).

4. What are the most challenging parts of your work?

The most challenging parts of working as a Solution Engineer in cybersecurity, is to balance between the technical priorities and the business requirements/ needs. It is trying to find what the business needs and how we can help them. It is also realising that sometimes, budgets can get in the way of what is technically and architecturally more secure. Echoing my answer in question one, another challenge having to continuously learn and keep up with all the latest in infosec and learn the latest tech. In my role, I will forever be learning even as I become an expert, but that is fine by me, as I am a firm believer in lifelong learning!

5. What lessons have you learnt as your progress through your career?

I’ve learned that being honest and saying “I don’t know” is better than trying to ‘BS’ my way around; for example when a customer (or colleague) asks me if I know something technically, but sometimes I don’t. This can sometimes can be hard to admit, especially as I still face impostor syndrome and fear fulfilling the stereotype that “women aren’t as good as men in engineering/cyber/tech.”. But now, I’ve learned that it doesn’t matter: no one comes out of the womb knowing everything, and it’s honest of me to tell the truth and say I will find out and get back to them, rather than try to get away with lying! Authenticity, integrity, and honesty are really important.

I have also learned that even in technical roles, improving communications and people skills, part of “soft skills”, is equally as valuable as technical skills. What use would it be for me to become the best technically if I cannot work in a team, or speak kindly to a customer or work well with?

I have also, technically, learnt a lot about systems administration, hacking attacks/techniques, command line, and networking as well as programming skills too. All things that really help in infosec – getting those strong IT, sysadmin, web development, and networking foundations which enable you to go further in infosec. I am still continuously learning and improving on these.

6. What are your reflections on diversity and inclusion within your field

Women in infosec are still largely underrepresented: I think the latest numbers I saw were around 11%, which is (in some statistics) less than the average of women in game development, also a field notorious for being male-dominant. But I can attest to the fact that, increasingly, large companies especially are making concrete efforts to hire more from underrepresented groups (more than just gender). VMware, for example, are improving in this, as are others. And at the same time, it isn’t based on quota or just for the sake of it. I mean, practically speaking and thinking of the “bottom line”, why would a company hire someone just for their “group” if they don’t have the experience or skill set needed? Overall, you will still get hired based on perceived merit, skills and/or experience. But more companies are trying to reach out to underrepresented groups and making efforts to train managers and talent acquisition teams, how to reduce unconscious bias. I believe we are making improvements and will continue to do so. But overall, it isn’t so much a hiring issue as it is more of a systemic societal problem: it comes down to the fact that most of us women and girls are not encouraged to pursue STEM fields. I can recall for myself, as an example, how I was even discouraged from pursuing university and a career in favour of marrying young and raising a family! These are still issues that plague our society in 2020, and will take significant effort to improve. And it is more than gender. Discrimination is taught. Unlearning it and discouraging it starts in the families and schools – parents/guardians and teachers, as well as media and social media. But we are making some progress.

7. In your view, how can we increase effective diversity and inclusion in information security?

I believe we can increase D&I in infosec by reducing some of the “gatekeeping” that I have seen in job posts: not asking for a CISSP for entry-level jobs in the UK; increasing apprenticeships and paid internships leading to permanent roles; and making infosec friendlier to all. I recall that the thing that scared me the most in the beginning was my lack of technical knowledge and fear of being ridiculed, as well as fear of fulfilling a stereotype: at my first infosec conference, Steelcon in Sheffield, I didn’t even know what those hexadecimal numbers meant (now I know, and I use them in x86 Assembly, doing reverse engineering of malware at CTFs and systems programming at uni). We can increase diversity and inclusion effectiveness by making the field more welcoming to “newbies” – being open to those who are honestly curious and willing and seeing the potential in people, even if they lack the degree, experience, or certification. To quote one of my role models, Heath Adams (@thecybermentor): “I’d hire motivation and passion over education every single time“, “Give me someone who hustles, loves what they do, and is motivated – I’ll educate them myself”.

My degree has helped me a lot, in terms of gaining an internship then a sandwich-year placement, but the cybersecurity and pentesting was almost all stuff I taught myself outside of university, which eventually landed me that first internship. I went from non-techie person to security engineer in two years. Infosec is a field where people who are hard workers, motivated, and passionate can thrive, and so things like class/poverty, gender, ethnic minority, etc., should not be allowed to hold someone back. Grit and determination are more important. I say, give people a chance, just as I was given a chance before even finishing my degree.

So I think making some exceptions and looking past conventions can really help increase effective D&I. We also need to make the field more enticing to entrants, letting girls at school know that tech and infosec is for them!!!

8. What advice would you give to someone just starting their career?

I would tell you: don’t ever give up and know that this can be for you too. I know how scary it is to start out, especially if you stand out as ‘different’ in any way to the average or norm. Do not let fear of fulfilling stereotypes hold you back and try to ignore the naysayers. Try to find mentors and sponsors who will help you and push you up. Keep working at it and you can get to where you want to be. Do not give up. Keep going!

9. What advice would you give to recruiters for your field?

I would tell recruiters to consider not only the degree, but the self-taught technical skills the candidate or potential candidate has taken the initiative to develop. Lots of people in infosec are autodidacts, like in tech in general, and having the passion or willingness and determination to teach oneself says a lot about that person – willingness to learn, improve, and building discipline. I would say do not only look at the current technical skills or experience the person has, but also their soft skills and their attitude. Be willing to make a few exceptions and give people a chance – you never know, you could get someone incredibly skilled and well-matched for the role and team!

You can read more about Celine’s story and motivation in ‘The Rise of the Cyber Women: Volume One: Inspirational Accounts From Women who are Taking the Cyber Security Industry by Storm’ available on Amazon

Do you have someone you’d like to nominate for our next WISDOM Role Model and Trailblazer? Contact amy.ertan.2017@live.rhul.ac.uk. For any questions related to wider diversity and inclusion within the STEM fields (within and beyond Royal Holloway) please contact the WISDOM committee