Dinis Cruz: Hi. Welcome to the last session in Open Security Summit, April 2023. We’re going to end with a bang on actually a super massively important topic, which we’ve done a whole bunch of sessions on before. I’m very glad that Kiran and Surbhi are going to continue their thinking and give us some really great case studies on women kick off in cybersecurity, which I’m a big defender of, and I really believe we need to get a lot more talent and a lot more women in cybersecurity. So over to you.
Surbhi Gupta: Yeah. Thank you, Dinis. Today we are going to talk about women kick off in cybersecurity. Yes, before proceeding with the session, we would like to give a quick introduction of ourselves. So, I’m Surbhi Gupta and I am a cybersecurity analyst with more than three years of experience in this technology. I have worked on technologies like SIEM, security information and event management. I have worked on vulnerability assessment and endpoint protection. My skill set includes Splunk, Nessus, Symantec. I’m also a Zero certified Cloud engineer. I am currently a cybersecurity learner at Cybersecurity Academy program in OSI, Norway. Now I will hand over to Kiran to introduce herself.
Kiran Gandhi: Yeah, I am Kiran. I have done a Masters in Technology back in India and I have five years’ experience in teaching. Now presently I am going on training period in Telenor, where I am working with cloud technologies. After that, during this period, I have done some certifications, like cloud certifications. Now I am a cybersecurity learner at the Innoscience Academy. I will start now on the session. Main aim of today’s session is what is the cybersecurity challenges faced by women in cybersecurity, domains in cybersecurity, career roles and pathway in cybersecurity. So let’s discuss first what is cybersecurity? Actually, we have made this presentation in simplest form. For those who are new to cybersecurity, it is easy for them to understand what it is basically.
Kiran Gandhi: Cybersecurity is basically protecting computer systems, networks and digital information from unauthorized access, theft and damage. In other words, you can say that cybersecurity is all about ensuring the confidentiality, integrity and availability of digital information by mitigating the risk and threats posed by cybercriminals. So, for those who are new: what is confidentiality? So, CIA triad is the model that organizations use to evaluate the security capabilities and risk. So CIA is confidentiality, integrity and availability. So first discuss the confidentiality. Confidentiality is protecting information to make sure only those people who are allowed to use the information are allowed to use it. By enabling the access control policy, encrypting data and using multi-factor authentication, we can maintain the confidentiality. Next is integrity.
Kiran Gandhi: Integrity means that data or information in your system is maintained so that it is not modified or deleted by unauthorized parties. For example, if your company provides information about Senior Manager on your website, and some information needs to have integrity; if it is inaccurate, then those who are visiting the website for information may feel your organization is not trustworthy. So how can we protect the integrity? By using hashing, encryption and digital certificates we can maintain the integrity. And third one is availability. The final component of CIA triad is availability. It means that the system and the data are available to individuals when they need it under any circumstances, including power outages and natural disasters. Without availability, if you have met the other two components of CIA triad, your business can be negatively impacted. To ensure the availability, your organization can use redundant networks, servers and applications.
Kiran Gandhi: We can say that an information security system that is lacking in one of these three aspects of CIA triad is insufficient. Next is women in cybersecurity. According to various studies and reports, in the modern world also women continue to be underrepresented in the field of cybersecurity. Women in cybersecurity earn less than men. According to reports, in the United States the gender pay gap in cybersecurity is 18%, so it is higher than the average pay gap across all the industries. According to Cybersecurity Ventures magazines, women make up only 24% of the cybersecurity workforce globally. According to Cybercrime Magazine survey prediction, women will represent 30% of the global cybersecurity workforce by 2025 and that will reach 35% by 2031. These statistics highlight the need for the industry to prioritize diversity, equity and inclusion efforts in order to address the underrepresentation of women in cybersecurity and create a more welcoming and inclusive environment for all the professionals.
Kiran Gandhi: Next is challenges. There are many challenges that women face. Sorry, some of them are: lack of representation. Women are underrepresented in the leadership positions in cybersecurity, which can make it difficult for them to find role models and mentors. Next, isolation: women in cybersecurity may feel isolated, particularly if they are the only women on a team or in the department, so that may make it difficult to build relationships with the colleagues. Third is hostile work environment: women may experience a hostile work environment in which they are subjected to harassment, bullying and even threats. This can lead to high levels of stress and anxiety that may ultimately drive women out of the field. And next is gender bias. The women in cybersecurity often face gender bias, which can manifest in many forms including unequal pay, lack of promotion opportunity and discrimination in hiring. Next is stereotype. The women in cybersecurity may be subjected to negative stereotypes such as being seen as less technical or competent than their male counterparts.
Kiran Gandhi: This can lead to a lack of recognition for their skills and contributions. Next is work life balance. You can say that women in cybersecurity may face challenges in achieving work life balance, particularly if they have caregiving responsibilities. This can make it difficult to take on demanding roles and pursue advanced training and education. It is important for the industry to address these challenges and create a more inclusive and welcoming environment for the women in cybersecurity. This can include initiatives to promote diversity, equity, inclusion, as well as providing mentorship, training and networking opportunities for the women in the field. Next is why women choose cybersecurity. As the statistics say, there are very few women in cybersecurity if we compare to men. There are many reasons that should motivate a woman to choose this cybersecurity path. So in which first is growing demand. The demand for cybersecurity professionals is increasing rapidly.
Kiran Gandhi: With the rise of cyber attacks and cyber threats and the increasing importance of protecting digital assets, this means that there are plenty of job opportunities in the field. Next is job security. Security is a rapidly growing industry and there is a high demand for skilled professionals. This means that jobs in the field tend to be relatively secure and stable. Third is good pay. Cybersecurity professionals tend to earn competitive salaries and can be quite well paid. According to report, average cybersecurity salary in the US is around $90,000 to $103,000 per year. This is more than double the national median earning of workers across all the industries. Next is intellectual challenge. Cybersecurity is a complex and constantly evolving field, which means that it can be intellectually challenging and stimulating. There is always something new to learn and the work can be highly rewarding. Next is opportunity for the impact.
Kiran Gandhi: Cybersecurity professionals play a crucial role in protecting organizations, governments and individuals from cyber threats. This means that the work is meaningful and has a real impact on the world. Next is opportunities for the growth. Cybersecurity is a field that is constantly evolving, which means that there are plenty of opportunities for growth and advancement. This can include taking on leadership roles, pursuing advanced training or education, and branching out into related fields. Next is diversity of roles. Cybersecurity is a field that encompasses a wide range of roles and responsibilities, from technical positions such as penetration tester and security analyst, to nontechnical roles such as policy analyst and compliance specialist. This means that there is something for everyone, regardless of their background or skill set. Now, Surbhi will take you further. Over to you.
Surbhi Gupta: Thank you, Kiran. Now as we know that to protect cybersecurity, we need to know about the confidentiality, integrity and availability triad. When I started learning cybersecurity, what I had in mind was like a figure, a person who is sitting in a dark room and as you used writing some codes and trying to intrude the organization network. I thought that the job of a cybersecurity professional was to stop that person from intruding a particular network. Okay, then I thought, okay, I should be an ethical hacker, I should start learning coding and I should start learning how to exploit vulnerabilities in an organization and how I can fix them. So I thought that this is one of the most important roles one person can take in cybersecurity. There are many roles, like from protecting an organization from a cyber attack to the procedure, what happens after a cyber attack has taken place?
Surbhi Gupta: I would be covering some of the domains which are in cybersecurity. First is the network security. The network security basically deals with the implementation of procedures and technologies which are used to protect your network against intrusion, unauthorized access or modification or destruction of your network resources, and also protection of your data which is being transmitted from one network to a different network. What are the implementations that we can do? Like using a firewall which can filter the incoming and outgoing traffic, using an intrusion detection system or intrusion prevention system which can identify and block malicious traffic. We can use virtual private networks, so we can also use network segmentation to segment the networks so that if an attack takes place in one network, it does not spread to the other networks. This is basically what is done in network security. Incident response and forensics: the name itself is that when there is a security incident, suppose there is a data breach or there is a malware incident, how should we respond to that security incident?
Surbhi Gupta: This is what is covered in incident response. And forensics? Forensics is basically: once the attack has happened, what evidence do we have? How do we collect that evidence? How do we preserve that evidence? What analysis can we do on that evidence? How can we gather our analysis in a particular report and present it to the organization? What security recommendations can we implement so that this attack doesn’t happen in the future? Or we can protect our organization at the maximum limit? The third domain I would like to talk about is governance, risk and compliance, which basically deals with the management and the rules and procedures which an organization follows in decision making or in daily operations, at the same time being compliant with industry standards, rules and regulations like ISO and PCI DSS, for example. Cloud security: what is cloud security?
Surbhi Gupta: Mostly in earlier times the infrastructure was always on premise. Now the infrastructure is either shared or is entirely on cloud. Our resources, our application, our user accounts, everything is on cloud. So how can we protect them? All about cloud security, for example, like implementing multifactor authentication maybe. How can we protect our resources in cloud? That deals with cloud security, like IaaS, PaaS, SaaS, the cloud services. Everything is covered in cloud security. Identity and access management: as the name itself says, we are managing the identities from the identification to management to the deletion of identity, the user roles, the groups, the devices, everything. That is identity and access management; authorization, authentication, auditing, reporting, everything is covered in identity and access management. Application security: application security is basically protecting our application from the security threats and vulnerabilities by running scans on our application, identifying the vulnerabilities and fixing them, also protecting them against attacks like cross-site scripting, SQL injection. So these are some of the domains which I wanted to talk about in cybersecurity.
Surbhi Gupta: Now we can discuss about the roles in cybersecurity. Career roles in cybersecurity: so now we have a fair idea about what actually happens in cybersecurity, what are the different domains. So we can talk about compliance auditor. These are some of the career roles, because there are various career roles in cybersecurity. I would like to cover some, like compliance auditor. What does a compliance auditor do? Anyone who loves to follow rules and who wants that the organization should be compliant with all the rules and regulations should opt for this role, which is compliance auditor. The function of compliance auditor is to run audits, to check if the resources are non-compliant, which field is non-compliant, and to provide recommendation. Security analyst: so I started my journey as a SOC analyst and my function was to analyze the logs and gather information, data analysis and mitigate the risk to any extent.
Surbhi Gupta: Okay, so that would be security analyst. Penetration tester works like, you can connect ethical hacker and penetration tester. It exploits vulnerabilities which are in organization networks and resources and then reports those vulnerabilities to the organization and suggests the recommendation, that how we can fix them. Incident responder: as the name says, it responds to the security incident. Basically, they define a strategy that if a security incident takes place in the organization, how can we respond to it and what will be the roles and responsibility of the team? Security consultant: basically, if you have expertise enough to guide your team in case of a security incident and to give security awareness trainings to everyone in the organization, you should go for security consultant. Security architect: now, this role requires a large amount of expertise in network architecture, system design, and this is a person who basically knows how to design and implement security solutions in the organization.
Surbhi Gupta: Now we have a fair idea about the career roles in cybersecurity along with ethical hacker. Let’s move to the next, pathway. So, as I said in the beginning, we will be sharing a very simple pathway for a person who is a beginner in cybersecurity. Now, the very first thing you should do is to learn the IT fundamentals. You should know what you are protecting. What is a computer, what is hardware, what is networking, what is an IP address? Then what is, like, yes, basic knowledge. What is the OS? Right? What kind of languages are being used in a web application, how does an application work? That is all covered in IT fundamentals, and there are various platforms which provide training on these IT fundamentals. Like Google itself provides a certification program, then we have Codecademy, we have Coursera, we have W3Schools, which is entirely for learning different code languages.
Surbhi Gupta: After you have learned the IT fundamentals, even the basics, you can proceed to basics of cybersecurity. Meaning, you should know what is cybersecurity? What is ransomware? What is malware? What is a Trojan? What is cryptography? What is encryption? What is authentication? What is authorization? Basics of cybersecurity, so that you can implement them in the future. There are various platforms where you learn them, some of them being the common ones like Coursera. Now I also know about TechTarget, which writes about these topics in a very simple manner. You can also refer to YouTube, you can refer to LinkedIn where these trainings are provided. The third step according to me should be gain practical experience. Why haven’t I mentioned certification before practical experience? Because it is very important to have hands-on experience to understand what you studied well, should connect to you the terms in mind. Like, we can achieve that through Capture the Flag.
Surbhi Gupta: If you guys have heard about Capture the Flag, it is basically a cybersecurity competition where the individuals compete in teams or single-handed, and there are certain vulnerabilities which the organizers plan, and we need to exploit them in order to gain a flag. That flag is in the form of code. When we submit that code to the organization, then we get some points and we win. It is basically like a gaming experience. There is also a platform like TryHackMe. I have used it and personally I would say it is very good because it covers all the knowledge from basic to advanced. They have virtual machines where you can practice, they also have certain rooms where they mention information about certain skills and then they test you on that, so you gain practical experience on it, and then there’s also Hack the Box. After having certain practical experience you can also go for internships, and you can also try going for these internships with various organizations.
Surbhi Gupta: Symantec offers such internships and there are many more; IBM also offers internships. After having a certain amount of practical experience you can decide your cybersecurity career, which role suits you the most, and maybe after gaining some practical experience you can go for certain certifications like CompTIA Security+, and then you would have a fair idea which domain of cybersecurity interests you more. You can choose a cybersecurity career according to your interest. This was a simple pathway from our side. In the next slide we would like to share some resources, like some online learning assets. Like I mentioned earlier, Codecademy, Coursera, W3Schools. I think YouTube is the best source, but there is, I would say, a little demerit with YouTube because it is a vast platform. It is a platform with a large number of videos and you might get confused about which video you should follow and which video you should not.
Surbhi Gupta: I think you should be specific in what you want to learn. Then, as I mentioned, TechTarget, because as a beginner in cybersecurity I usually used to read the articles from TechTarget to understand what a technology is, what does it mean, what resource it is. I would highly recommend Techtarget.com. Then LinkedIn. We have so many free learnings in LinkedIn related to any field. So you should try LinkedIn also. My suggestion is, like, you should subscribe to cybersecurity news, like The Hacker News, SecurityWeek, CyberScoop. It is very important to remain updated in cybersecurity about maybe the vulnerabilities which are being discovered or maybe the attacks, or maybe the new security technologies which are coming in place. Yeah, I would recommend these learning assets. Let’s move to the next slide. Quick tips: as we discussed earlier, learn fundamentals. You should be very clear with your fundamentals.
Surbhi Gupta: You should get certified. Now, whenever I sit looking for a job, I usually see there are so many job postings which require certain certifications. Most common I see is like CISSP. CISSP requires five years of cybersecurity experience before going for it. I think for a beginner level you should start with CompTIA Security+. And then you should advance further. If you want to go for ethical hacking, you should go for Certified Ethical Hacker or Junior Pen Tester. First you should know what field you want to go in. Then again, gain practical experience. Stay up to date. You should stay up to date. I mean, you should know what technology is recent. Then develop soft skills. Having technical knowledge is important, but if you are not able to convey it, then it’s not so useful, because you are working in cybersecurity but your vendors, your organization, it is not necessary that everyone is aware of the technical jargon you might be using.
Surbhi Gupta: You should know how to convey your message in simple language. And also I would also say networking. Grow your network as much as you can. Communicate with people. Join cybersecurity groups online, on LinkedIn, on various other platforms, on Facebook, so that you can connect with other people, you can learn from them. So, these were some quick tips from my side and now I would like to talk about Inocai. Me and Kiran are from Innoci School of Programming. Innoci offers learning courses and works with a motive of reducing the technical skill gap and inclusion diversity. Since the courses at Inocai are intense, they also offer mentor sessions, mental mentor sessions and weekly mentor sessions. Like, they are very effective because mentors from different organizations come and guide us through their career journey and we are able to learn so much from them. At Innocera we go through effective learning programs.
Surbhi Gupta: There are also programs, real time real world programs which are set by industry experts. Now they make us ready with the skills so that we are up to date when we join a certain job. So I would like to thank NSI for this opportunity. My journey at NSI: if I talk about it, I came to know about NSI from LinkedIn, and personally if I speak, I have worked on premises and I wanted to learn cloud technology, and also I was so enthusiastic to know how cybersecurity is helping and protecting resources on cloud. I looked up at NSI and there I got a program which had both the things, where I could learn both the things, the cloud computing as well as how cybersecurity is helping secure the resources in cloud computing. It was a boon for me and I had to go for it, and frankly speaking this was a very good experience.
Surbhi Gupta: This is actually a very good experience for me because the course is intense but the course is designed in such a way that you learn very efficiently. You are at pace and mentor sessions that I spoke about earlier. We get a lot of guidance. My networking has also improved after joining inocyte, so I would highly recommend you guys also, if you are thinking of a career in IT, go for it. And Kiran, would you like to share your experience with Innocence?
Kiran Gandhi: Yes, thank you. Actually I also want to share my experience, how I started my journey with Enoscience. As I have discussed in the starting of the presentation, I have five years of teaching experience, so I do not have any IT experience. Last year I started an internship at Telenor as Cloud Engineer, where I have learned a lot about cloud technology. During this time I have attended many seminars where I came to know about cybersecurity. I am a person who always tries my hands in learning new things and I challenge myself to learn more about cybersecurity. Inoscience came to my life, which was entirely a game changer for me, which combined both my cloud experience and my cybersecurity learnings. Today I am with quite a good exposure in cybersecurity. This is my experience, how I have started my journey with Inoscience. If you want to try your hands with learning something new and want to make a career in cybersecurity, then come and join us at Inoscience and be a part of cybersecurity society.
Kiran Gandhi: For any question regarding innoscience, please contact and follow the given information. You can also follow Surbhi and me on LinkedIn. If you have any further queries regarding how to start a career in cybersecurity, we are happy to help you. Thank you. We are also open to any questions.
Dinis Cruz: Yeah I have a couple really cool. I really like the way you’re explaining the different paths and the different ways to get into cybersecurity, which is really cool. Do you have any thoughts about people with quite a lot of experience? I think we talked before we started. I think a big source of talent, of course, is the new generation, right? It’s making them excited about it, saying it’s a great career, right. I would say for anybody that’s new joining, you should still reassure that you have individuals on the older side. I would put myself on that side now that we’ve been doing this for 30 years, but we’re still super passionate. We love it and it’s a great career, right? And there’s some amazing problems to solve. I think that path is in, but I feel that in the kind of diversity side of things, I feel that we’re missing a little trick by not finding good ways to bring talent that is quite experienced and for example, is really great at engineering, really great at medicine, really great at other very complex careers.
Dinis Cruz: Somebody with a PhD really knows how to process data, right? Somebody that works on any or works for managing a lot of people in certain situations. They know a lot about the core, almost. They have a lot of the core skills that we need in cybersecurity, but they might not have cybersecurity experience. What’s your thoughts on how do we can help them to come into kind of our world where although they don’t have a couple of little things that they need to learn, almost the hard capabilities that we all want to hire for, they already have?
Surbhi Gupta: So Kiran, should I answer this? Okay, so as Dinis, you said that there are people who have skills and they are highly qualified in them, but they do not know cybersecurity so much. I personally think that we should give everyone a chance if you think that they have that potential, that they will be able to combat any type of attack with the skills that they have learned from their past profession. What we can do from myself, if I say from the outsider, we can specify certain basic skills, just as I said, for a beginner to have certain basic certifications. Right? Because I think that if they are so much qualified in the profession that they are doing, I think experience is more important than skills. If they are able to learn a skill which is quite good in their profession, I personally believe that they will be able to pop up quickly in this profession.
Surbhi Gupta: The only thing required is the support from our side. And the clarity. The clarity that what exactly do we expect from us? Do we require a certain basic level of expectation certification, right, or do we require we are actually judging them on the basis of their knowledge, like providing trainings. I think for me, the solution would be like to provide them trainings and then for a certain period of time and then invite them for an interview like we do with our employees in the organization. I personally feel like this because giving them not a chance. I don’t think this is going to solve the problem just because we have the fear that they won’t be able to whether they will be able to do it or not.
Dinis Cruz: When you say we provide them trainings, but there’s lots of training online already, right? There’s lots of really good open source training stuff. If you want to learn how to hack, there’s online platforms even for free, right. You can set up Juice Shop, you can fire up a bunch of things, right, so you mean those to see almost like hey, if you can find, try that and if you really like it, then we just want to see the delta where they were and now and see their excitement about it.
Surbhi Gupta: Yes. Because if they are passionate about entering them, suppose if there is a job for an ethical hacker in your organization and you are searching for someone who has at least a hand on experience on CTF, I think you should interview that guy. Right. To have that knowledge. Or you can provide them with a specification just like before interviewing. You can come up with these courses, just prepare these courses and then you are eligible to sit for an interview so they will have a clean perspective.
Dinis Cruz: Yeah, which is interesting. We kind of talk about it. It’s almost you’re saying we can even create a curriculum for non security experts and saying look, here’s the kind of path if you think about that curriculum should be the same one that they follow internally, right. We should say, look, if you’re going into the cybersecurity, this is the path we would like you or recommend you to take.
Dinis Cruz: Right? Here are the actions and here are the things, right?
Surbhi Gupta: Yes.
Dinis Cruz: Actually to be like maybe we should do an open security summit project around it because I need it. I think there isn’t a good path out there. Ideally in this session you could actually turn that path. It’s almost like you got some good pointers. I think we can be a bit more explicit on go here, start here, do this. I like the idea that’s the path that we would promote both with the people that we hired or the people that we want to hire because at least it’s fair. Also we allow that talent to be proactive and to say look, I started here but I’m already here.
Surbhi Gupta: Yeah, okay, we’ll have that in mind to add here.
Kiran Gandhi: I totally agree with Surbhi, but I have another way also. Like if we can call a person for a general interview and let them know what we are actually looking for and on what projects we are working, what technology they are looking for, and give them some deadline, like for one month or something according to your requirement, and give them a chance at least so they can go back and learn about something. After a month you can have a session again and according to that, you can find out how eager a person is to learn and what the person can learn. This could also solve a problem of unemployed person, like directly say, no, you are not matching with our requirements, because we are also looking for a job. I think if this thing is happening, the companies maybe it will solve the problem of unemployment.
Dinis Cruz: Yeah, cool. No, I like it. I was just checking the chat. I don’t think we have... Billy, you want to ask a question? Sorry, let me make you co-host. Give me a second and... Sorry, I think that’s the other question. I’m just, sorry, I’m just making him a co-host because I don’t think.
Kiran Gandhi: I there is one person. Hanson.
Dinis Cruz: Yeah, I just need to log in quickly as the host. Okay, sorry, you can share now. Go ahead. Actually, sorry. Now you can.
Surbhi Gupta: Hi Billy.
Billy: Yeah, first, I really love what Kiran was saying there about having a list of things companies want to see in a prospective employee or like a new hire. Also what Dinis was saying about having a criteria or a curriculum, I would really love to see a curriculum of different skills for the different types of roles because I’m also just learning about cybersecurity, but I’m just kind of going with what I can see at the moment. Starting on TryHackMe, I just started learning about learning Python, just different things like that. I would really love to have a direction and that’s something that I would really love to see in the future, either from prospective employers that are looking to hire in the security field or even just from the industry professionals. Just to show if you’re looking for this type of a career in cybersecurity, you should focus on these right now.
Billy: That way I think that would really help a lot of people just getting the ball rolling on their training.
Surbhi Gupta: Yeah, Billy, I totally agree because I think that applying for jobs from being an outsider and I have worked within cybersecurity. My past experience is that learning is fine, reading theory is fine, but unless you have hands-on experience, that is not going to help. I should say thankfully that there are options right now which we can explore, which provide us hands-on experience. Like TryHackMe, to take that for an example. Now it has various courses from beginner to advanced level, right. I could literally follow the instructions and exploit a particular vulnerability to get that flag. I was eager to earn that flag and in that process I could learn about that vulnerability. I personally think that it is very important that the employers understand this point, to give a chance to the people who are eager to join cybersecurity.
Surbhi Gupta: Because when I go for a job search and I see that in an entry level, it requires three years of experience. Four years of experience, five years of experience. Right. So even I am not very clear. Why is this experience required? Because I join as with a zero level, zero experience, right. I learn everything on the ground in the organization. I would learn much faster in that way. I think everybody can learn much faster if they are given a chance. Basically, what Kevin said, even I agree with that. My thinking is that there should be specifically clarity what is exactly expected from us? How should we proceed? Yeah, absolutely.
Kiran Gandhi: The main is to give a chance first and let employees explore. Maybe it will, because it works.
Dinis Cruz: Right.
Dinis Cruz: I had a lot of success, right, of bringing people that didn’t have a lot of experience in cybersecurity. What they had was the passion. Right. The challenge, I find, is how to do that in a fair way, doing the job interview process, right. There’s a school of thought that we shouldn’t be giving a lot of homework or a lot of tasks to the candidates. My thinking is actually the more tasks we do and there’s a little difference between tasks and paid work.
Dinis Cruz: Right.
Dinis Cruz: I’m not saying we should give them unpaid work, but I think that the more tasks and the more paths we can give to the candidates, the more we can distinguish between the ones that really want to do it and the ones that think it’s a good idea. Because actually we now have an interesting curse where because the salary margin is so good now in cybersecurity, the premium is so good there’s, people say, oh, cool, I’ll go into that.
Dinis Cruz: Right?
Dinis Cruz: I think almost I would argue that’s not who we want. Who we want is the people that want to do that because they have a passion. They found a place that it’s really interesting. There’s something in cybersecurity and the world is so big. In cybersecurity, you can always find an area. You can go from compliance to testing, to planning, to architecture, development, engineering.
Dinis Cruz: Finding problems, fixing problems like literature, you name it, right? What we need to do is find something that you’re very passionate about and also have the confidence that you will add a lot of value by just having experiences that most people in our industry don’t have. That’s why we need the diversity of thinking. We need diversity of thoughts. That comes from individuals that have different experience, they have different life experience, have different thinkings. Right? A mom actually has the type of experiences that others don’t have. Hiring moms that have raised kids, maybe now they pass the age where the kids don’t kill themselves if you don’t keep an eye on them every day, right? Then they are amazing talent, right. They haven’t worked for five years, for example, or they haven’t worked in the industry. So how do we get them in? Some of it is actually impostor syndrome.
Dinis Cruz: You haven’t really talked a lot of it, but I have also seen a lot of impostor syndrome, which is very frustrating because I believe in the individuals. I just want the individuals to believe more in themselves. Right. To know that you might not have the exact technical skills, but the skills that you have, the common sense and the experience is what we really need in the industry.
Surbhi Gupta: Yeah, I agree with you, Dinis. The thing is, I think the only way is giving them a chance through internships, maybe, and proving themselves. I think this is the best goal.
Dinis Cruz: Yeah, but internships are tough when for somebody more senior, right? Let’s say somebody works as a doctor on an emergency hospital, right? An E, right? That person knows how to deal with pressure.
Surbhi Gupta: Correct.
Dinis Cruz: Talk about somebody who knows how to deal with crazy situations. Everything is flying around. What do you focus on? That’s who you want as an incident responder, right? Like, that person will be amazing in cybersecurity, right? You can’t give them an intern job, right? Because that person might be quite senior already. I think there’s a lot of talent that fits into it. Talent that could be great at cybersecurity, especially in the mid to senior roles. That kind of we need to find a way to give them simpler roles without having seniority, that they can use their skills, but then give them the time to basically be able to hold their own in cybersecurity.
Surbhi Gupta: Okay, so if I say in this way, like taking your example, a doctor who is doing an operation or delivery and he wants to become a part of cybersecurity, but you are saying that he is much experienced to give an internship, right? Still, he’s a beginner in cybersecurity, right? You are a beginner in any industry, you start from zero. I think that having a basic knowledge is very important. When you are starting, because in cybersecurity, it is very important that you learn the fundamentals. If he wants to enter himself into cybersecurity, he’s very well aware of the fact that he will be starting from beginner level. He is a beginner. Right. I don’t think according to me, there might not be a problem. But if you are trying to we.
Kiran Gandhi: Can say that it depends on your priority. Like if you can choose a salary package or you can choose your opportunity. If you go with the like, I’m a five year experience, I can’t take an entry level position. It means you are not eager to learn new things. It means you are more focused on surgery. So I think. So you have to prioritize your things. What is more important for your experience or you want to learn something new? I think it is a personal level who can think in what way. Like if I talk about myself, I have five years teaching experience. Now I move to IT and I’m totally new to this, IT background and all. If I expect I have five years’ experience, I can’t do entry level job, then I don’t think I can ever go into IT and get a job.
Kiran Gandhi: So it depends upon me how I.
Surbhi Gupta: Take this, how you approach certain specifications. Because ultimately you are a beginner, you enter into any field or if I.
Kiran Gandhi: Say I am an engineer, I want to doctor. I even don’t know how to do stitches for that I have also go to entry level for every area or every industry. If you are new, you have to start from zero and it is nothing wrong in that, I guess.
Dinis Cruz: Yeah, I get that, but I think that, I feel that’s the bit that I don’t think we have good examples or good paths like you said, right? Because I feel that’s what’s available today. But that doesn’t work in practice. It doesn’t work in practice for somebody who already has career responsibilities basically, right? If you’re just out of university, right, you can afford to do an internship, right?
Kiran Gandhi: Because probably or another way we can do in this way like we don’t left our job first and side by we are giving extra time to learn more technology. You think that you are capable of that then you should move to next job and asking for like I have this experience so I should go for this. So this is another way we can.
Surbhi Gupta: Say, and I think most of the people do like this only, right? They continue learning new skills with the job they are already doing.
Dinis Cruz: We’re saying that maybe we should have these part time openings to give people the ability to do it part time in extra bits, so they can learn, get the experience, have real world experience in these activities and then do the move. That could be an interesting offering, right?
Surbhi Gupta: If we can, because we all know that every profession requires certain amount of dedication and cybersecurity requires continuous learning, right? It’s like one needs to be very sure that he or she has to be a part of cybersecurity and for that, according to me, they should have some experience to decide.
Dinis Cruz: Like that phrase you said cybersecurity does require dedication, right? Maybe that’s what we should be already pushing early on to say look, if you don’t have dedication to jump these initial hoops, right, then it’s not going to work for you because this is just the beginning of that path.
Kiran Gandhi: I think it’s high time for the industry to address these challenges and create a more inclusive and welcoming environment for.
Dinis Cruz: The.
Billy: I was just thinking for technical roles we have ways of testing that such as TryHackMe, Hack The Box, things like that, GitHub if you’re a coder, that kind of stuff. What if people who are looking to hire people for entry level cybersecurity roles in a more technical field, what if they set up their own mini TryHackMe thing, for people that are just looking to so that way they could have it so that you could log into a virtual machine, try to hack it, or do whatever their assignment is. If you’re for coding, maybe they could ask you to supply a script that would do a specific function, something like that, just for various technical things that they’re looking for. Maybe set up Docker containers or something on Amazon Web Services in like a virtual environment kind of a thing, just so they can see that people have those abilities.
Billy: Once if someone can complete those abilities, at least to some degree, then that would allow that company or that company would then allow that person to submit a resume or they could get their information to further speak to them about a potential role. I think a lot of them they’re asking for resumes and from my understanding, most of the time they don’t even look at most of the resumes, just toss them aside and that’s someone’s chance right there just getting thrown out. This way as well, if they do it like this, they could make it anonymous so that they don’t know who is completing all the challenges, they just know that they’ve done them and that way it removes any bias from the decision right off the get go. I think that would really help with getting them a diverse set of applicants right then and there just because it’s strictly by what they can do, what they can prove that they can do.
Surbhi Gupta: Yeah, I completely agree with you. Like you said that you’re applying to jobs and we are not sure whether our resumes are properly looked upon or not. I completely agree with you and we are actually focusing on just giving a chance because somebody who is an expert in this industry at once was given a chance, right? Someone has to start from somewhere for starting somewhere we want that chance. I’m saying like that because you can’t become an expert until and unless you gain experience on a particular thing and there are many things which you learn while you are in an organization in real time. Okay, so my appeal is only that, yes, we can go through a curriculum, we can go through creating virtual machines. That organization give us this chance of solving particular like capture the flag or something like that. But we should be given chance for.
Kiran Gandhi: An entry level job. They are asking for some hands on cloud technology three years experience for entry level job. How can they expect hands on now?
Surbhi Gupta: I think they will be able to answer this question.
Dinis Cruz: Well, look, I think that if somebody is asking for that, then it’s already not the right employee. I put job specs in the past where we literally would have in the job spec saying you don’t need service experience for this job, right? Like apply. And we had some great candidates, right? I think it’s also on the employees, right. I think if the employee is open to hire people without cybersecurity experience because they’re going after a certain type of talent, then they need to be explicit. And I think that’s the key. Right? It’s a bit like if somebody says you need to have three years experience with ChatGPT, right? You already know they’re clueless. Right. It’s the same thing. Right. But you have that, right? You always have these jobs where they want to I remember there was .NET, you need to have five years experience in .NET.
Dinis Cruz: We’re like, dude, .NET was released two years ago, right?
Surbhi Gupta: Yeah.
Dinis Cruz: You always have this. I think it’s up to the employee to basically put good JDs out there because, look, it’s a privilege, right. We want companies that view the talent that they’re hiring as talent, not as numbers or as quantity. Right? You want to find companies who think like that. The good news is that the cybersecurity market at the moment is so hot that it’s probably the easiest time to get into the industry, right, because you can literally hack your way into it. You can literally deliver on the job, right, because there’s such a demand. The good news is the pay is good, right. It’s not even like you have to go in a massive desert before you even get this amount of money, right? There’s a lot of great talent, there’s a lot of skill shortage. I kind of agree when you were saying that the people that want to do the job need to show a level of productivity, need to show a level of putting some skin in the game, right, to show that they are committed to do the jump.
Kiran Gandhi: Yeah.
Surbhi Gupta: And even one, please.
Kiran Gandhi: Yeah.
Surbhi Gupta: I just wanted to being clear, because I’m not the employer, I wanted to know how an employer thinks about it. Now, in a cybersecurity company, when you are hiring, right, you already have some experts who an existing SOC team or existing vulnerability assessment team who is already doing their work, right? If you hire a person who has basic knowledge or who has little bit experience, meanwhile the existing team is handling the operations, that person can learn. Right. What is the fare in hiring a person who has, I mean, basic level of experience? I just want to understand this point because there’s already a cybersecurity team which is doing their job. Maybe the beginner level can be given a chance to learn from them, because I learned in that way. I wanted to ask, what is the current scenario?
Kiran Gandhi: But why do they do charity? Why they hire internship?
Surbhi Gupta: I’m talking about internships.
Kiran Gandhi: Internship, you can say, but for a job, I think nobody can do no.
Surbhi Gupta: I’m talking about internships. Can we do this in this manner?
Dinis Cruz: Well, you can. To be honest, if you have internships and early entry jobs, and if somebody applies with that, which clearly has crazy experience right. I would argue that person has a big competitive advantage. Right. It’s a bit like you’re already hiring people that don’t have clear experience.
Dinis Cruz: Why? It’s an internship or a junior role. If somebody appears in there that says, I’ve run teams of 2030 people. I know how to work here, I’m an architect, I know how to build a house, I’m a lawyer, I have a PhD or I have a degree on psychology. Right. All those things are insane assets. Right. I don’t think that’s the gap that we have. Right. That market already kind of exists, but I don’t think there’s enough people joining the market because the ones we need to attract, especially on a diverse and women more specifically. Right. We don’t have a good funnel. If you look at the number of kids in schools, you still have 90% males in computing course. Right. You still have cybersecurity courses. It’s still very male dominated, so it’s already skewed from the start. The reality is that I think we need to be finding talents that already has graduated, that already done other careers that maybe haven’t found their calling.
Dinis Cruz: Right. And security is a great career. It’s a great industry, and we need to find paths for those individuals. The individuals that have gone a career, have spent 35, 10, 20 years, 30 years in a particular industry and now want to go to cybersecurity. Like I said, internships does not work for them. We won’t find them with internships because they will be too. Also, in a weird way, if somebody has a level of experience, you want to give them a mandate, right? You give them good challenges. You want to say, look, you might not have cybersecurity experience, but how to run a meeting. How to run a team, how to deal under pressure, how to think logic, how to read the GDPR standard and not fall asleep and be excited about it. That’s the challenge that we need to give to those individuals.
Surbhi Gupta: Okay.
Kiran Gandhi: I think now it’s time for employers to rethink the process of hiring a person and starting to give a newcomer a chance if we move the unemployment from the society.
Dinis Cruz: Yeah, but I think Billy, you mentioned right, like the impostor syndrome. Right? It’s real. Right. It’s, for me, very frustrating because I think most individuals sometimes don’t understand where they add value. I’m telling you, man, as an employee and as somebody who leads teams and I hire quite a bit and I work with other people, a lot of times the technical skills are important, but that’s not the main thing. Right. It’s how people think and how they learn, how they interact, how they respond under pressure, how they have clarity of thought, how they learn, how they’re curious about learning. Right. Those skills are way more important than whatever you happen to land or whatever you happen to be paid to do, which is on your CV.
Surbhi Gupta: Right, exactly. Yes.
Kiran Gandhi: Agreed with you.
Surbhi Gupta: Totally.
Billy: I also was listening recently to a podcast where they had a guest on who claims he had his majors, he had his Master’s degree in cybersecurity and he cannot find a job. That would be soul crushing, going through that much work and not being able to find work.
Dinis Cruz: Okay. I can have you brutal on my answer. I don’t know the individual.
Billy: I’m willing to bet I know the answer, though.
Dinis Cruz: There has to be another reason. Nothing to do with cybersecurity.
Billy: That’s a possibility. Yeah.
Dinis Cruz: Or going for roles that are crazy. Again, having a Master of Cybersecurity experience doesn’t mean you can take any jobs. Right. For me, it just means that you are able to actually do something that is very good academic. To be honest, in cybersecurity, it’s actually really good for, a reasonable, not small, but not large amount of cybersecurity roles. It depends what role he’s applying for. He or she, I don’t know. We have close to 0% unemployment in cybersecurity. Right. If he had a degree on an esoteric. Right. Kind of. Okay, I’m going to make up a degree because there’s always a crazy degree that people do. Right. If you have a degree, I don’t know of creating lamppost. Right. Because I’m actually seeing a lamppost now. Right. You can’t find a job because you took a Master’s in creating lampposts, I think. Yes. You may be struggling to find jobs.
Dinis Cruz: Right. If you have a degree in cybersecurity and you’re struggling to find a job, then there’s something else that is not working. There’s something else I play.
Dinis Cruz: Sorry. I don’t know. Not in 2023.
Billy: Yeah. I don’t know too much about the context there, but it did kind of catch me by surprise.
Dinis Cruz: Yeah, but that’s like people that take a degree and go and work on a checkout and supermarket. Right. Which, to be honest, there’s nothing wrong with it. Right. It’s a job. Right. Again, how you have your attitude on it, but at the end of the day, you have to think strategic about your career. If you take a university degree on a job that doesn’t have a lot of market opportunity, then sorry, there’s literally a market economics at play here. Yeah.
Kiran Gandhi: It also depends on like he has masters of in cybersecurity and he’s applying for a job, but we don’t know if he getting calls for interview. Like he has attended any interview and then rejected. Or in my case, I have also the same, but if I get selected for the interview, then they reject it. That is something wrong in me. Like, I couldn’t clear the interview. What if you are applying and nobody and you are not getting calls for the interview? Then where you are wrong? What is the problem?
Dinis Cruz: Well, to be honest, look, one of the things that I always ask on our jobs applicants, I asked the candidates to create a presentation about themselves. Right. We debate a lot about it. My point is that CVs are a horrible way to review people. Right. Again, you have to take into account that when people will have a job, and if you have 50 people, 100 people applying for a job, let’s say, ultimately you have to have a CV that stands out. Right. I like a presentation because it allows you to expose more about who you are and what you do. At the end of the day, it’s about, for example, having public participation. I don’t think we mentioned a lot here, but like, open source projects are a great way to get experience. Right. Look, the summit, I know a lot of people who got jobs because they did presentations at the Open City Summit during COVID. There was a couple of amazing individuals that got furloughed and they contributed a lot.
Dinis Cruz: Their career skyrocketed because they were mass involved in the summit. They helped, they met a lot of people. There’s lots of ways that you can start to hack your way into the industry. Right. Again, the fact that there’s a lot of jobs in cybersecurity doesn’t mean you get a free pass. Right. You still have to work really hard and you have to earn your spot because ultimately it’s a competition. Right?
Surbhi Gupta: You’re right, Dinis. I think maybe me and Kiran will find a way and we’ll come back to you.
Dinis Cruz: Yeah, look, but this is important, right? I think sessions like this, they make a difference. Right. Again, even from you’re building a brand, you’re creating connections, you expanding and you’re learning. That’s who you want, right? That’s who you want to hire, and that’s how you grow. Right. I think it’s about making it fair for the right candidates.
Kiran Gandhi: Thank you. I think next time we will participate in panel discussion.
Surbhi Gupta: We can do that.
Dinis Cruz: Absolutely. There are a lot of people we can bring. There’s some amazing individuals. I always mentioned Petra because she’s one of my rock stars. That, again, she was a doctor. Right now is an amazing cybersecurity manager professional, and let’s bring talent in. Let’s have a panel about, again, the evolution and thinking and good examples on career paths. Maybe what we could do is let’s work maybe together on those examples of where to start. Right? Like, if you want to start here and, collect materials from OAS, from other things so that we can basically have a nice path or almost like journeys for the individuals that want to jump into cybersecurity.
Surbhi Gupta: Yeah.
Dinis Cruz: There you go. There’s our project for the next couple of months. And you guys going to be involved?
Surbhi Gupta: Yeah? Yes, me. Sure.
Dinis Cruz: Brilliant. Okay, cool. Look, thanks for participating.
Surbhi Gupta: I hope our session was informational and people learned from it. Little bit.
Dinis Cruz: Brilliant.
Surbhi Gupta: Thank you.
Billy: Absolutely. Thank.