Every month, WISDOM highlights the achievements and perspective of inspirational colleagues in the field as part of a Q and A series. Our December role model and trail blazer is Katie Paxton-Fear, a Ph.D. student in Cyber Security and Machine Learning, a bug bounty hunter, and educational YouTuber.
Katie started out hacking in June 2019 during a HackerOne mentorship program and now hopes to be a mentor to others by creating YouTube videos. In her videos, she attempts to bridge the gap between “I know what bug bounties are” and “bug bounty hunter”, giving advice specifically tailored to bug hunting. She has now produced over 40 videos on bug bounty hunting for an audience of over 20,000 subscribers. Aimed at beginners, these videos progress from finding your first bug, to how to use specific tools, to how to find specific bug classes. During her time bug hunting, Katie has been to 4 HackerOne live events and has found bugs in the systems of some of HackerOne’s biggest customers, including the US Department of Defense.
1. What do you think is the most challenging aspect of information security?
I think, as a field the most challenging part of information security is actually getting into it – finding all the possible career paths and choosing one that interests you. I think a lot of people misunderstand how wide the field is and therefore struggle to recruit the right people, specifically when it comes to the varied backgrounds of individuals.
2. What has been the proudest moment of your career to date?
My proudest moment was when I first started getting messages from people telling me how my work helped them in their career. Although it’s nice to help yourself, I think helping others is extremely rewarding.
3. What are the most enjoyable parts of your work?
The most enjoyable part of my work is simply how many people I meet and talk to. No one has the same background, everyone has done something unique and different and that really helps.
4. What are the most challenging parts of your work?
I think my biggest challenge is always getting the balance between my work and my hobbies, as my job is as a PhD student and my hobby is YouTube and Bug Bounties. To do everything well requires careful balance.
5. What lessons have you learnt as you progress through your career?
Consistency and reliability are key. Be the kind of person others can rely on, and consistently rely on. And that boundaries are important – there is nothing wrong with having them!
6. In your view, how can we increase diversity and inclusion in information security?
Hire diverse voices, and work hard to keep them. I’m not sure why this still needs to be said. Infosec puts up walls of degrees, certifications, years of experience, and claims unless you have them, you’re not delivering value. Diversity of background is value in itself. Listen to what these diverse voices need, so you can keep them.
7. What advice would you give to someone just starting their career?
Learning everything isn’t possible, but to be widely read is. You don’t need to understand everything immediately or deeply, but you should have an idea of how all the cogs work together, and know where to find out more information should you need to.
8. What advice would you give to recruiters for your field?
It can be very tempting to look for individuals that meet a certain mould, but I’d urge people to look outside of that mould and consider individuals with different backgrounds.
Thank you Katie! If you have someone you’d like to nominate for the WISDOM blog’s ‘Trailblazers and Role Models’ series, please get in touch with email@example.com
Every month, WISDOM highlights the achievements and perspective of inspirational colleagues in the field as part of a Q and A series. Our November role model and trail blazer is Celine Pypaert, an Associate Security Solution Engineer and VMinclusion UK Communications chair at VMware, and part-time mature student finishing her Bachelor’s in Computer Science with Honours at University of Derby.
Celine entered the field after teaching herself cybersecurity skills, leading to a pentesting internship for a few months at a small British cryptography software firm, after which she joined VMware. Previously not being a technical person at all, Celine is also a public speaker and tries to inspire others to go after their dreams in infosec and learn the skills to get to where they want to be! She believes that security should be accessible to all and will continue contributing to initiatives and talks to help “non-techies” become more secure.
1. What do you think is the most challenging aspect of information security?
The most challenging aspect in information security, to me, is the constant challenge of having to stay up to date and learn as much as I can – as low-level as needed, too. Thankfully, I am so interested in it that keeping up to date on the latest hacks, malware, and technology, is no chore for me. Nonetheless, balancing all the self-learning on top of my other work duties, and my university studies (as I am finishing my BSc in Computer Science part-time) can be quite a time-consuming challenge. An additional challenge, of course is having to stay or try to stay one step ahead of the attackers. But I do love a fast-paced job and environment, and if you are a curious person, then staying on top of things and continuous learning can often be a passion and hobby, and not just a job or a chore.
2. What has been the proudest moment of your career to date?
I have a tie between my proudest moments: helping secure a small software company’s web app; giving security training to non-security colleagues in my company; and getting to do my first public talk at Women Driven Development 2020 – highlights in my life and career!
I am happy to help others become more secure, whether that is a client/customer, regular users or friends, companies, or my friends and family – as I believe security should be more accessible to all.
3. What are the most enjoyable parts of your work?
The most enjoyable moments so far have been testing and analysing Linux malware and non-malware attacks (yes, that exists! For Mac, too) and being given permission to “hack” a company or app. It is fun and enthralling trying to find ways in, find vulnerabilities and help secure those holes. I also enjoy talking to customers, learning what their challenges are and how we can help them. The nice thing about being a Solution/Systems Engineer is that it’s often a mixed role of technological focus and customer interaction. I am not just using command-line all day every workday (although I sure enjoy that, too).
4. What are the most challenging parts of your work?
The most challenging parts of working as a Solution Engineer in cybersecurity, is to balance between the technical priorities and the business requirements/needs. It is trying to find what the business needs and how we can help them. It is also realising that sometimes, budgets can get in the way of what is technically and architecturally more secure. Echoing my answer in question one, another challenge is having to continuously learn and keep up with all the latest in infosec and learn the latest tech. In my role, I will forever be learning even as I become an expert, but that is fine by me, as I am a firm believer in lifelong learning!
5. What lessons have you learnt as you progress through your career?
I’ve learned that being honest and saying “I don’t know” is better than trying to ‘BS’ my way around; for example when a customer (or colleague) asks me if I know something technically, but sometimes I don’t. This can sometimes be hard to admit, especially as I still face impostor syndrome and fear fulfilling the stereotype that “women aren’t as good as men in engineering/cyber/tech.” But now, I’ve learned that it doesn’t matter: no one comes out of the womb knowing everything, and it’s honest of me to tell the truth and say I will find out and get back to them, rather than try to get away with lying! Authenticity, integrity, and honesty are really important.
I have also learned that even in technical roles, improving communications and people skills, part of “soft skills”, is equally as valuable as technical skills. What use would it be for me to become the best technically if I cannot work in a team, or speak kindly to a customer or work well with?
I have also, technically, learnt a lot about systems administration, hacking attacks/techniques, command line, and networking as well as programming skills too. All things that really help in infosec – getting those strong IT, sysadmin, web development, and networking foundations which enable you to go further in infosec. I am still continuously learning and improving on these.
6. What are your reflections on diversity and inclusion within your field?
Women in infosec are still largely underrepresented: I think the latest numbers I saw were around 11%, which is (in some statistics) less than the average of women in game development, also a field notorious for being male-dominant. But I can attest to the fact that, increasingly, large companies especially are making concrete efforts to hire more from underrepresented groups (more than just gender). VMware, for example, are improving in this, as are others. And at the same time, it isn’t based on quota or just for the sake of it. I mean, practically speaking and thinking of the “bottom line”, why would a company hire someone just for their “group” if they don’t have the experience or skill set needed? Overall, you will still get hired based on perceived merit, skills and/or experience. But more companies are trying to reach out to underrepresented groups and making efforts to train managers and talent acquisition teams, how to reduce unconscious bias. I believe we are making improvements and will continue to do so. But overall, it isn’t so much a hiring issue as it is more of a systemic societal problem: it comes down to the fact that most of us women and girls are not encouraged to pursue STEM fields. I can recall for myself, as an example, how I was even discouraged from pursuing university and a career in favour of marrying young and raising a family! These are still issues that plague our society in 2020, and will take significant effort to improve. And it is more than gender. Discrimination is taught. Unlearning it and discouraging it starts in the families and schools – parents/guardians and teachers, as well as media and social media. But we are making some progress.
7. In your view, how can we increase effective diversity and inclusion in information security?
I believe we can increase D&I in infosec by reducing some of the “gatekeeping” that I have seen in job posts: not asking for a CISSP for entry-level jobs in the UK; increasing apprenticeships and paid internships leading to permanent roles; and making infosec friendlier to all. I recall that the thing that scared me the most in the beginning was my lack of technical knowledge and fear of being ridiculed, as well as fear of fulfilling a stereotype: at my first infosec conference, Steelcon in Sheffield, I didn’t even know what those hexadecimal numbers meant (now I know, and I use them in x86 Assembly, doing reverse engineering of malware at CTFs and systems programming at uni). We can increase diversity and inclusion effectiveness by making the field more welcoming to “newbies” – being open to those who are honestly curious and willing and seeing the potential in people, even if they lack the degree, experience, or certification. To quote one of my role models, Heath Adams (@thecybermentor): “I’d hire motivation and passion over education every single time”, “Give me someone who hustles, loves what they do, and is motivated – I’ll educate them myself”.
My degree has helped me a lot, in terms of gaining an internship then a sandwich-year placement, but the cybersecurity and pentesting was almost all stuff I taught myself outside of university, which eventually landed me that first internship. I went from non-techie person to security engineer in two years. Infosec is a field where people who are hard workers, motivated, and passionate can thrive, and so things like class/poverty, gender, ethnic minority, etc., should not be allowed to hold someone back. Grit and determination are more important. I say, give people a chance, just as I was given a chance before even finishing my degree.
So I think making some exceptions and looking past conventions can really help increase effective D&I. We also need to make the field more enticing to entrants, letting girls at school know that tech and infosec is for them!!!
8. What advice would you give to someone just starting their career?
I would tell you: don’t ever give up and know that this can be for you too. I know how scary it is to start out, especially if you stand out as ‘different’ in any way to the average or norm. Do not let fear of fulfilling stereotypes hold you back and try to ignore the naysayers. Try to find mentors and sponsors who will help you and push you up. Keep working at it and you can get to where you want to be. Do not give up. Keep going!
9. What advice would you give to recruiters for your field?
I would tell recruiters to consider not only the degree, but the self-taught technical skills the candidate or potential candidate has taken the initiative to develop. Lots of people in infosec are autodidacts, like in tech in general, and having the passion or willingness and determination to teach oneself says a lot about that person – willingness to learn, improve, and building discipline. I would say do not only look at the current technical skills or experience the person has, but also their soft skills and their attitude. Be willing to make a few exceptions and give people a chance – you never know, you could get someone incredibly skilled and well-matched for the role and team!
You can read more about Celine’s story and motivation in ‘The Rise of the Cyber Women: Volume One: Inspirational Accounts From Women who are Taking the Cyber Security Industry by Storm’ available on Amazon.
Every month, WISDOM highlights the achievements and perspective of inspirational colleagues in the field as part of a Q and A series. Our very first nominated role model and trail blazer is Fatimah Adelodun, the Cyber Security Engineer at Nigerian Bulk Electricity Trading Plc.
Fatimah has a bachelor’s degree in computer science from the University of Ilorin, Nigeria and graduated from Edhec Business School where she earned an MBA degree. Fatimah started her career as an intern in IT in the year 2012 and over the years she has worked and evolved to become a well-rounded IT professional with immense passion for cyber security. She has worked on numerous projects and applications and has acquired various certifications including CISA, CISM, CEH, ITIL. Fatimah is also well-versed in cloud computing and data analytics. She is a regular speaker at the annual “Girls in ICT Day” where she sensitizes young girls about IT security and careers in IT.
What do you think is the most challenging aspect of information security? Fatimah: Information Security is a constantly evolving ecosystem. Earlier security incidents were often contained to individual user’s systems, resulting in little downtimes. However, the complexity of security attacks has increased over the years. With the increasingly interconnected environment, information is exposed to a growing variety of risks such as computer hacking, malware, denial of services, etc. and the resulting effects range from causing billions of dollars of damage to businesses and completely shutting down others. Even with the proliferation of security solutions in the market, threats have continued to grow in severity making remediation even more challenging. This makes implementing and maintaining information security arduous for any organization.
What has been the proudest moment of your career to date? Fatimah: That would be the moment I was confirmed as a full-time staff at my place of work. Having started as an intern with an organization in infancy, I was entrusted with a role to build the IT department from the ground up. I literally had to have a 360-degree understanding of running an IT department and as a fresh graduate then with mostly theoretical knowledge, I had a lot of challenging moments. Summarily, I enrolled in courses, broke a few things, built some, but mostly, I grew as an IT professional. I learnt and became even more passionate about IT. Getting retained as full-time staff (not a common practice in my office) based on my outstanding performance after the completion of my internship made all the hurdles even more worth it.
What are the most enjoyable parts of your work? Fatimah: As a firm believer in the advantages offered by technology and information security, I enjoy deploying robust digital protection (firewall, anti-virus, wireless security, etc.) against a cyber diverse range of issues. Ensuring that users can use computer systems and applications as and when needed while reducing the risks from potential threats to the barest minimum enhances productivity at work. I also enjoy a good challenge and working in cyber security ensures to keep me on my toes as protecting critical infrastructure is anything but boring. Besides protecting systems and data, I love learning new things and because information security is constantly evolving and new technologies emerging, jobs in the domain evolve too and so do the required skills.
What are the most challenging parts of your work? Fatimah: Every day comes with its own challenges. Some unique, others not. While security incidents are almost unavoidable, being proactive and putting necessary measures can help in reducing the risks to an organization. A rather challenging aspect of my work is convincing the management to view information security as an intrinsic part of the business.
What lessons have you learnt as you progress through your career? Fatimah:
* Enact a multi-layered defense strategy that covers the entire enterprise (endpoints, data, applications, mobile devices).
* Continuously back-up data to safeguard against incidents and attacks such as ransomware.
* Patch software regularly.
* Problems don’t finish, live a little.
What are your reflections on diversity and inclusion within your field? Fatimah: The STEM fields and particularly IT is male-dominated. There are moments of awkwardness when I walk into a meeting-room filled with men. Globally, women endure work environments where their contributions are not as valued as much as their male counterparts and so have more to prove. Some people are of the opinion that men are more built for technical roles than women and this type of reasoning discourages young girls and limits our opportunities in the workplace. It is refreshing to have discussions surrounding diversity and inclusion. Although many companies put their efforts towards both on their website, only few actually implement it.
In your view, how can we increase diversity and inclusion in information security? Fatimah: At the core of inclusion and diversity should be the deliberate creation of an enabling environment that supports all genders, religion and ethnicities. More importance should be placed on competence than gender, the color of our skin or religious beliefs.
What advice would you give to someone just starting their career? Fatimah: I would advise anyone starting their career to dare to dream. The tech industry is a huge one. Take your time in deciding your areas of interests/specialization. Also, invest in self-development; There are loads of useful resources that can help in guiding you to becoming more grounded. Finally, build a network of professionals in the industry. This is really important for future opportunities.
What advice would you give to recruiters for your field? Fatimah: I would advise recruiters to let candidates know their status in recruitment processes as soon as possible.
Do you know inspirational colleagues who could be our next WISDOM Trailblazer? If so, please get in touch with firstname.lastname@example.org and/or email@example.com.
On June 1st 2017, WISDOM’s London Universities Women in STEM Day was held at the London Mathematical Society in Russell Square, London. The event aimed to connect groups and individuals in London working towards the goal of promoting women in STEM, with interesting speakers from both academia and industry. (Speaker biographies can be seen here.) The event aimed to act as a forum to share ideas, to discuss hurdles and to network; we hoped each attendee would leave with some new ideas they could implement in their workplace and some new contacts.
Back when I was an undergraduate student of Mathematics I remember periodically receiving emails inviting me to a ‘Women in Maths’ event taking place within the department. Most of these events were targeted at early stage mathematicians (undergraduates, PhD students, and postdocs) who were women, and focused on their career. I never attended any of these events, actively selecting to ignore them instead. In this post I want to share some reasons why I avoided these events, and reflect on how I feel differently now.