
I never expected to work in this industry. Yet here I am. A woman working in infosec.

I did not go to school for IT and I had no interest in pursuing a security related career. Yet here I am.

Somehow, completely by accident, I have spent the last ten years of my life preaching infosec ideals and becoming an information security professional. How did this even happen?

I blame it on my dad, really.

My dad got me started young.

He has been in this industry and run his business out of the house for my entire life, so my childhood was full of security software, and consulting calls with clients, and swag brought back from security conferences. I even learned the alphabet on a keyboard at 18 months old. He started taking me to DefCon when I was 16 and one of my ‘chores’ in high school was compiling a list of security relevant news to be used in a weekly newsletter sent out to clients. (I got paid and it sure beat scrubbing the toilet like my friends were doing for spending money!) Concepts like social engineering, white hat hacking, wifi sniffing and the importance of backup were commonplace for me, and it was not until high school that I realized maybe not everyone knew Kevin Mitnick’s name or was as paranoid about downloading a virus on Napster as I was.

While my dad gave me odd jobs to do for the company here and there, and I learned from my mom as she did design work in CorelDraw, neither of them ever pushed me to join the family business. They urged me to pursue my dreams, which ranged from becoming the Art Director of an entertainment magazine in New York to editing movie trailers in Los Angeles.

I transferred colleges a few times, my major switching from Multimedia (with a fine arts focus) to Digital Media (a combination of comp sci, web development and graphic design). I interned at the college TV station and in my fifth (and final) year of school, set out to create a documentary in order to teach myself how to edit video. What was the documentary about, you ask. Hackers. I filmed Hackers Are People Too at a few conferences and premiered it at DefCon 16 on 08/08/08. Even for a personal project, I could not get away from infosec. I may not have known it then, but making that movie only cemented my future in this industry.

Releasing my documentary at DefCon

After graduating college, I moved home to get my bearings and figure out where I was going. Would I really venture to the City of Angels to pursue film, or head into the Big Apple to join the failing publishing industry? After working a lame retail job, and not finding any other leads, I felt lost. But then my dad offered me something I had never seen as an option: join his company full time. They were ready to expand their services and jump into e-learning, and I knew enough about the subject matter to develop content and enough savvy with software to figure out how to do what he needed.

I took the job willingly but with every intention of finding something better down the line. Then our client base expanded, I started coming up with new ideas for teaching the same old security lessons, and I found myself in a full-time position in an industry I had spent most of my life trying to avoid. And I was actually having fun! Pretty soon we needed more help and we hired my first assistant. Not long after that we needed to hire another team member and another and another and another. Here we are in 2015, the company with an entire production staff and me, fully invested in an industry I now have no intention of leaving.

As the Creative Director of The Security Awareness Company, I work hands-on with all of our clients building and launching information security awareness campaigns. I develop training materials to teach users how to protect company data and the importance of following security policy. I have seen security initiatives of all shapes and sizes both succeed and fail, and have learned what the security teams must do in order to get buy-in from users and C-levels.

By widening my focus from graphic design and video editing to include elearning, I’ve discovered a whole world of fascinating research and development that I had no idea existed.

On the surface, to many of my friends, my job may not seem like an obvious “infosec” career. I run the creative department, after all. But the work my team and I produce is entrenched in security, focused on reimagining & teaching age-old problems such as passwords, compliance, data breaches and phishing. It is impossible to work on awareness materials without becoming somewhat of a subject matter expert yourself. So while my skills might serve me in other industries – marketing, advertising, publishing – my knowledge base and vast experience with clients’ awareness programs make me an infosec professional.

So what advice would I give to future infosec professionals?

Throw away preconceptions about what infosec is.

The infosec industry calls on a wide variety of people with myriad skills, everything from sysadmins and pentesters to the people who design simulated phishing attacks. Look around the vendor floor of any conference and you will see the kind of variety I am talking about. Software developers, phishing companies, awareness training, cloud services, MDM, VPNs, hardware developers… and each of those companies has a need for programmers, designers, marketers, administrators… A range of people with a range of skills that are not all deeply technical. Infosec is not just a technical field, and you can thrive in this industry as long as you have a base understanding of the issues and passion for the subject matter.

In college, I entered the Airborne Germy Shortfilm contest and won in the amateur category, so I got to receive the Germy Award at the 2007 Sundance Film Festival. (Very technically, I have won a Sundance Award! Ha!) Be bold, take risks, don’t be afraid to try things that scare you.

Widen your focus.

One of the mistakes I see students make in all industries is choosing a career path and never veering off road. Many of the people I went to school with wanted to be graphic designers so they took graphic design classes and scoffed at those of us who ventured into other areas – computer networking, film editing, PHP, creative writing, theme park design, interactive performance. They saw no need for any skills that were not in the basic job description of a designer. But as someone who now leads a production department, having an understanding of all those other areas has only made me better at my job. And the same goes for any job in the infosec field. You should know more than just what your dream job expects of you. You should understand the roles of the people you work with and for. Learn everything you can about everything – networking, programming, designing, managing. Coding was never my forte but I understand it enough to talk to our programmers and web development team with confidence and savvy. And while I am not a CISO myself, I understand the problems they face on a daily basis and constantly educate myself about new threats so that I can better serve the people I work for. You will be an asset to your team if you can expand your knowledge base beyond the limited scope of your specific job title.

Be open to opportunities.

This relates to my point above. Let’s say you are headed towards being a pentester, and the job market is kind of scarce in your city. But a position opens up for the help desk at a local health care company. Take it. Is it exactly what you want to do? Not at all. But being at the help desk puts you on the front lines of defense, receiving calls from users who don’t know what to do or can’t log in to the company network. You will see many weaknesses that Future Pentester You will be able to exploit. Help Desk You can keep track of the most common mistakes made by users and help the security team build targeted awareness training. Look for learning opportunities in any job, and think about how they can help you reach your dream job. Remember, I wanted to be the art director of a major magazine, and now I oversee the production department of a company that creates videos, e-learning modules and magazine-like newsletters, so in reality, I have my dream job. Or something better.

After the release of the documentary, my friend and creative partner Amanda and I were invited to speak about the movie, our process and why we made it at the University of Advanced Technology. They wanted us to showcase that you can work in a tech field without being super technical or being one of the Layer 1 people. We are very clearly Layer 7 people but still get to be part of this incredible industry.

School is important but not the most important.

It’s been a long-held misconception that a college degree is necessary to be a successful member of a workforce. Attitudes toward this are changing, and I am of the firm belief that college is not for everyone nor does it mean you know a damn thing about your field. Our company’s first intern was a graphic design college graduate with a minor in comp sci and a 4.0 GPA. He interviewed really well but when he came to work for us proved he knew zilch about anything we needed him to do. Now, when we hire people we do not even ask about college because a degree proves nothing. But work experience, and lots of it, does. Going out and taking the initiative to learn more, get certified and work hard to perfect your craft – that proves more than sitting through four (or five!) years of college and coming out with a piece of paper. Frankly, I do not even know where my piece of paper is, nor do I care. My degree did not prepare me for this job or this industry. The things that truly prepared me were attending conferences, joining the ISSA, staying up to date on security news, talking to our clients and putting in a lot of long hours working to get better. You can learn a lot in school, yes, but there are just so many things that cannot be taught in a classroom and must be learned from real experience. In my opinion, the infosec field is a prime example of one in which a degree is not entirely necessary to becoming a well-educated, knowledgeable and skilled professional.

Be willing to say “I don’t know.”

Technologies change so rapidly and new threats pop up so often, we all must be in constant learning mode. None of us can ever say, “Yup, I know everything about security!” While many of the issues and lessons have not changed over the last twenty years (passwords! breaches! malware! Oh my!) the technical specifics and speed at which bad things can happen are only ramping up. Our daily newsfeeds overflow with criminal hacks and APTs and data breaches galore, and as industry professionals we must all maintain a current knowledge of these issues and an understanding of new technologies. But there is a lot to keep up with. It can be overwhelming. So ask for help. Talk with your colleagues, join professional development groups, ask your company for additional training (even if it is not directly related to your role), subscribe to journals like this one and attend conferences. Never stop learning. This is not an industry in which you can afford to stagnate, because if you do, you will be left behind.

Some of SAC’s production team at Learning Solutions Conference, learning about elearning and corporate training.

One final piece of advice for the ladies:

Have confidence in yourself, your abilities and do not let a male-dominated industry intimidate you away from it. I wish that the stigmas surrounding STEM industries would just fade away because I think they scare off smart people who would have a lot to contribute. Like I said, infosec is not any one thing or meant only for one type of person. As a woman in this industry, which has been a boys club for a long time, you will face adversity and discrimination and eye-rolling. You will be spoken down to and many will assume that you do not know what you are talking about. As a woman, it is even more important to know your subject matter and become knowledgeable about everything that touches your area of expertise. You must develop a thick skin and confidence to keep your head raised high. Keep learning, keep pushing, keep bettering yourself. The women I meet in this field impress me on many levels, with skillsets ranging from over-my-head technical expertise to master level geek-wrangling management skills. So if you can hurdle the gender divide and the few detractors you will meet along the way, you will be rewarded with a fascinating industry full of passionate, hard-working, smart people who can teach you a lot and want to hear your ideas.

I have a degree but it’s not how I developed my skills or my passions. My passion for storytelling, in all forms (film, literary, Broadway, design), is something I’ve studied and pursued my whole life. And this passion is what led me to where I am today. This bookshelf, containing books related to my primary subjects of interest, is also home to a little doll-version of myself I made in 7th grade gifted class. She’s wearing a purple cat shirt (still my favorite color and I’m a certified cat-lady), and she’s holding a Teen People magazine, because she wanted to be the art director for a magazine. Follow your passions but be open to unexpected opportunities that might not fit the exact description of what you intend(ed) to do.

Like I said, it was never my intention to become an information security professional, but despite my best efforts, here I am. And I love it. I love this industry. Infosec is full of interesting challenges and some of the smartest people I have ever met. As we become more reliant on technology and as the internet of things becomes more ubiquitous, this industry is only going to grow and become more mainstream. Infosec is not just for the nerds. It is not just for the techies. It is an industry for anyone who is passionate about technology and making it more secure. It is for anyone who wants to make the internet a safer place and secure the information of the people who use it. So go forth, educate yourselves and do not lock yourself in a box – you never know where your career path may lead you but if it brings you to infosec, there is definitely a place for you. It just may not be the one you expected.

There is not a specific career path that lands you in the infosec industry. Everyone has a different journey and must be open to the opportunities that present themselves, especially the unexpected ones!

Now, as the Creative Director for a company that specializes in information security awareness and training content, I’ve learned a ton about adult learning, corporate training, and ways to make security awareness engaging and fun… and get to share those things at conferences, through presentations and blogs like this one.

Ashley Schwartau

Director of Production & Creative Development at SAC
After more than 15 years of working in this industry, she’s finally accepted – and embraced! – the fact that she’s a security awareness expert. She is also a book-loving, travel-blogging, French-speaking Gryffindor who is unapologetically obsessed with her cats.