WISDOM highlights the achievements and perspective of inspirational colleagues in the field as part of a Q and A series. We’re delighted to welcome Laura Jones as our June 2021 role model and trailblazer.
Laura Jones (she/her) is a collector of strange career choices, moving into cybersecurity from a law enforcement intelligence background after her anthropology and politics degrees. She has worked cyber intelligence for Barclays in the UK, moved to Melbourne just before the world’s longest COVID lockdown, and now manages cybersecurity in public transport in New Zealand. Her biggest cyber regret is buying and quickly selling a bitcoin in 2013 out of ‘professional interest in the money laundering implications’ (she wishes this was a joke).
1. What do you think is the most challenging aspect of information security?
I think the most challenging aspect is that cybersecurity is still considered niche when in reality it is incredibly broad. Cybersecurity is just IT that isn’t bad, and IT is the absolute core function of most workplaces at this point. Most companies are now unable to provide their products or services without IT, so it is critical to realise that cybersecurity is now core operations. We should not be the basement staff from the IT Crowd.
2. What has been the proudest moment of your career to date?
Probably when I won ‘Highly Commended’ in the Security Champion category for the Australian Women in Security Network. It wasn’t so much the award as being nominated by my colleagues.
3. What are the most enjoyable parts of your work?
I’d say training people in cyber awareness and hearing that they came in expecting cybersecurity to be boring, but left energised and curious.
4. What are the most challenging parts of your work?
Probably the cybercriminals.
5. What lessons have you learnt as you progress through your career?
Soft skills are important, nobody has enough budget, and in this field if you think you’re underqualified, you probably aren’t.
6. What are your reflections on diversity and inclusion within your field?
Cybersecurity is absolutely crying out for more diversity and inclusion and struggling with a massive global talent shortage. But if you get into the field as one of the underrepresented groups, it can be exhausting being the ‘only one in the room.’ I was once the only woman at an entire conference. Just last week I ended a call with ‘thank you ladies and gentlemen…well…actually just gentlemen and me.’ It would be even more exhausting if I were a woman of colour in this field, but it cannot be solely up to us to champion change. So to everyone in this field, especially the men who make up the overwhelming majority of CISOs, I say this to you: stop gatekeeping.
As a field, we’re in no position to turn down talented people who may simply lack the right letters after their name, and doing so is keeping our field homogenous, over-certified, and yet under-experienced, especially in the higher ranks.
For example, I work in an organisation with many talented helpdesk staff - I can’t think of many better foundations for cybersecurity work than staff who work well with customers under pressure on technical issues, yet very few cybersecurity staff get recruited from these environments. If you are a leader, ask why it is that qualified staff who already exist in your environment are not considered ‘experienced’ enough for cybersecurity, despite their transferable skills - and consider if institutional racism or sexism plays a part in this. Furthermore, ask yourself how many of your certifications have actually been of use during your last incident - and which of your staff ended up doing the work to fix the problems when it happened.
7. In your view, how can we increase diversity and inclusion in information security?
Build better pipelines, rethink what you’re asking for, stop hiring people with the same qualifications as yourself, and for goodness’ sake stop with the all-male panels. The current unrealistic requirements in cybersecurity hires favour the current gender and ethnicity imbalances that are keeping these jobs unfilled or homogenous in the first place.
I did anthropology and politics degrees and can tell you from experience that cybersecurity is broad enough to include everyone. A previous employer of mine had a pipeline programme for veterans, another preferred to hire only from bootcamps filled with people who had had other careers before IT as they found them better than people with all the ‘right’ certifications. Consider also pipeline programmes for helpdesk staff, students, or ex-carers and parents returning to the workforce - there are many untapped groups for cybersecurity vacancies who are not being included.
8. What advice would you give to someone just starting their career?
If you don’t want to specialise early, don’t. Stay open and stay curious - careers are long. In a field desperate for staff, don’t let people tell you that your experience isn’t enough, tell them why it is enough: cyber is broad and it has a niche for you.
9. What advice would you give to recruiters for your field?
Cybersecurity remains among the most under-employed fields with millions of unfilled vacancies every year - yet most vacancies still ask for unrealistic qualifications. Stop asking for the moon, we need people. If you aren’t getting any applications, then look at what you’re asking for and change it. Recruit the unexpected, and give chances to people who have already proved themselves in fields with transferable skills.
Most of the best people I have worked with do not have computer science degrees or CISSPs and in any case, many degree level computer science programmes do not even cover the basics of cybersecurity as a core foundation. The best staff come from all backgrounds - technical and non-technical - and work best when given training on the job.
Thank you Laura! If you have someone you’d like to nominate for the WISDOM blog’s ‘Trailblazers and Role Models’ series, please get in touch with firstname.lastname@example.org