Infosec leader Naya Moss dropped by Twitter to answer questions about her career in cybersecurity and IT in honor of Cyber Careers Week in October. We’ve rounded up her answers in more detail below to share her professional development insights for this field.
1. How did you get started in cybersecurity?
My career started as a teenager doing odd jobs such as building desktops, freelance helpdesk, setting up home networks, and web development.
After attending a free IT support course at Per Scholas in New York City, then my professional career kicked off. The course included up to 3 free CompTia certification vouchers. Before attending the course, I applied for many jobs in IT, but many at the time required a minimum of A+ and Network+ certifications.
Having CompTia certifications opened the door to more professional, contract, full-time opportunities and an immediate salary jump.
I had my first hands-on experience and security responsibilities in a professional environment while working as a Junior System Administrator on Wall Street and a Cloud Infrastructure Engineer.
2. What advice would you give to women interested in pursuing careers in cybersecurity or other STEM industries?
I would encourage women interested in pursuing a career in cybersecurity or other STEM industries to do it–go for it! Don’t let negative experiences deter you or push you out of the cybersecurity field. Women receive more discouragement than encouragement. This affects their progress and learning. Find like-minded folks, communities, and support. Filter out negativity focus and on building skills. Join women-specific communities to bring balance and mutual support to your experiences.
Here are a few communities to join:
- The Diana Initiative
- Women In Cybersecurity (WiCyS)
- Women In Cybersecurity Society (Canada)
- Seidea | BME Women In Cybersecurity
3. What can cyber professionals/the cybersecurity industry do to empower and encourage women to pursue cyber careers?
To empower women, companies should aim to hire, retain, train, and promote women. Leaders need to have trust, acknowledge and address bias, and put more women in leadership roles. A first crucial step would be to lower the barrier of entry by creating realistic entry-level positions. The second would be to provide a career path for women to enter senior and executive positions. I appreciate it when hiring managers ask if a candidate would be interested in a senior position during the interview process. The direct manager follows up to ensure an appropriate career path within the company.
I’ve seen many leaders hire women in cyber, then assume all their “good deeds” are done. However, they overlook those same women when advancement opportunities arise. This requires a mindset change, as for many, their unconscious biases may make it difficult to see a woman as qualified to lead — hence why more allies in the workplace are needed.
One of the most mind-boggling experiences I saw was on a team I worked with on a compliance project.
A C-suite leader trusted a man with no experience or background in the field over a woman with over 10+ years of experience specializing in information security, data privacy, and GDPR.
The man was against implementing security controls—without a legitimate argument or reasoning.
While the woman spent months explaining why the control needed to be implemented, she was disregarded despite providing research, facts, and evidence of the effectiveness and necessity of implementing the control.
In this scenario, it’s hard to understand why someone with no experience would be trusted over someone with objectively much more, so it’s easy to conclude that bias is involved—even if the executive didn’t realize it or thought their bias was justified by some other reason that was ultimately irrelevant. In cases like this, a greater awareness of biases and better structural support for women in positions like these might have forced this C-suite leader to approach the scenario more appropriately.
4. In cybersecurity, there is something new to learn every day. What resources or best practices do you recommend to keep up with it all?
I have a very sophisticated system for keeping up with cybersecurity news, alerts, and resources. I run and co-run multiple newsletters, including the Frauvis Digest and Diversify Tech Professional and Student Edition.
In my personal and freelance work, I segment incoming resources, podcasts, alerts, newsletters, etc., by various areas such as information security, information technology, application security, robotic process automation (RPA), vendor updates and releases, Twitter status accounts, privacy, etc.
When working for an organization, I always inventory the business’s core workplace applications, sign up for the vendors’ alerts and security updates, and set up Google alerts for the vendors’ names and the words breach, attack, hack, and leak. For example, I have this Google alert for Zoom:
“Zoom” AND “breach” OR “attack” OR “hack” OR “leak.”
My top-level inbox folder prioritizes incoming emails into high, medium, low. If an email hits the high folder, I then get a sound alert. I have all sounds turned off for all applications, so if I get a sound alert, I know it’s something that needs to be addressed or reviewed immediately.
For those seeking an out-of-the- pre-curated solution, there are services such as the Feedly cybersecurity API that aggregates threat insights, vulnerabilities, and security news into an all-in-one dashboard or feed.
5. How are you contributing to “demystifying” the cybersecurity field?
In a professional setting, I work genuinely hard on improving technical explanations to non-technical folks and leaders. I invite folks interested in cybersecurity to learn more, share resources, and always offer opportunities to shadow my work. Coffee chats are great as well. I worked very closely with business teams such as marketing, legal, and sales in many of my roles. I consistently offer folks on these teams the opportunity to learn more about my background, experience, how I learned x technology, and what a day looks like in my current role. I’ve also seen a rise in sales engineer positions. There is much opportunity for folks in sales to transition to a position at a tech or security company where they have to have deep knowledge about the technical aspect of the product.
In my personal life, I am very open about my career path. I am very transparent with friends, family, and interested folks about my career. It surprises folks when I tell them one of the ways I upskilled quickly was trading TV and social apps time for continuous learning. Cybersecurity is a field that is forever evolving, and the best way to keep up is to learn new technologies, perhaps not always in-depth, but to the extent that you can explain to someone else.
6. While technical skills are vital in cybersecurity, can you name some non-technical skills that are vital in cybersecurity roles that can help improve the performance of companies and encourage innovation?
The top five non-technical skills vital in cybersecurity are humility, communication, empathy, creativity, and efficient research.
Typically folks in tech, in general, have the reputation of always needing to be right, exhibiting “god-like behavior,” not listening, and displaying a lack of care for and understanding others. There almost seems to be a badge of honor for exhibiting these qualities. Yet, these specific qualities make it difficult to collaborate with other teams, executives, and employees who need the most training and assistance. Humility, communication, and empathy are key to collaboration—creating a better work environment. It increases the company’s security posture when the individuals in IT and security are approachable and willing to have essential conversations.
Creativity and efficient research are skills needed when resources and personnel are limited and in “war-like” circumstances. One of my favorite quotes is, “Imagination is more important than knowledge.” Folks in cybersecurity often are over-reliant on textbook knowledge and lack the ability to combine creativity and efficient research and experiment with unconventional methods.
7. What other women in the informational technology/cybersecurity field inspire you?
8. @VivalaViveNL asked: What would you tell your younger self?
I would tell my younger self to keep going when feeling discouraged! Take more breaks, take your vacation days, work strictly within business hours for jobs that don’t offer flexibility. Don’t sacrifice your early 20s to build someone else’s dream. Say no often and set boundaries.
9. What can you learn from solving open-source intelligence (OSINT) challenges?
OSINT challenges improve your critical thinking, attention to detail, search, reconnaissance, and investigation skills. It also helps you to understand how you should protect yourself and your family.
10. Why does building a security culture at your company matter, and what are three steps to get started?
Building a security culture at your company is important to protect information, data, people, and privacy through processes, procedures, policies, and systems.
11. Any big shifts you have seen this year that show people are taking cybersecurity much more seriously?
I’ve seen a rise in security roles across all sectors. In the past 3-6 months, I’ve noticed a surge in roles such as DevSecOps, Security Engineer, Application Security Engineer, Director of Information Security, and Data Protection Officer. Cybersecurity job descriptions are typically unrealistic, inaccurate, and intimidating.
In the past six months, I’ve noticed gradual improvements in job descriptions for mid-senior roles. Many had unrealistic requirements such as 15-20+ years of experience for non-executive roles, a degree in Cybersecurity, and CISSP. While these previously may have been written as hard requirements or must-haves, they have now moved to “nice to have” and “or equivalent experience.”
Entry-level job postings have much work to do; many jobs, particularly on LinkedIn, require certifications such as CISSP and CIPP rather than entry-level certifications such as Security+.
Altogether, companies seeking to hire dedicated folks in cybersecurity positions are an indication that cybersecurity responsibilities are not being ignored or split between multiple individuals.
Thankfully, amazing folks like Alyssa Miller are solving the tech skills gap, informing folks and companies how to break the entry-level cybersecurity barrier, and job boards such as Cybersn.com and Bettercybersecuirtyjobs.com tackling better cybersecurity job descriptions, recruiting, and more.
12. Can you share three cybersecurity trends you anticipate will be in the forefront next year?
In 2022, we are likely to see a rise in advanced ransomware. Companies will need to develop more advanced threat models and further implementation of zero trust as more transition to hybrid and remote organizations.
13. What is the most alarming statistic you have seen that should make people care more about the future of cybersecurity?
The top three alarming statistics I’ve observed this year are:
- 78% lack confidence in their company’s cybersecurity posture
- The average cost of a data breach is $3.86 million as of 2020 and rose to $4.24million in 2021
- The average ransomware payment in 2021 increased by 82% year over year to $570,000
Amid these statistics, I am interested in whether there is a rise or decrease in breaches and ransomware at distributed and hybrid companies.
While these statistics should make people and companies care more about the future of cybersecurity, companies need to know that one individual such as a Director of Security or Chief Information Security Officer (CISO) will NOT fix all of their problems, nor will buying all the latest and greatest security tools.
Hiring a security leader is a great first step, but the company will be set up for failure without security or an IT team to support them. A security leader can conduct risk assessments and document a threat model. Yet, the company will just become part of these statistics without people to support the systems and processes.
I would love to see companies in 2022 allocate part of their budget to FIDO2 hardware-security keys as part of employee onboarding and invest time and resources into a disaster recovery plan.
14. What is a unique social engineering attack you have seen?
I once intercepted an operation where a group of individuals attempted to steal a CEO’s new laptop at a financial company. My role was in cloud infrastructure and IT, but my responsibilities were a mix of IT, Security, and a bit of DevOps.
The CEO of the company had broken his computer. Shortly after, we ordered him a new one that was supposed to arrive in 1-2 business days.
I had received a notification that our package was successfully rerouted.
After calling Dell support, I found out there were a series of calls to Dell support of some folks impersonating me, asking to reroute the package, and a call from the CEO confirming and asking to upgrade to next-day shipping.
After spending some time quite confused about how this happened, I did some investigating, the package was rerouted to a new location, a FedEx office within Manhattan, but the exact details were “unavailable.”
On my lunch break, I decided to stop by a few FedEx locations nearby to investigate. In one particular area, I happened to be standing behind the guy attempting to steal the CEO’s laptop with a fake ID, along with the FedEx employee’s, and stopped the “operation.”
I want to add; I do believe the CEO’s original laptop and email were compromised. They (I’m using this pronoun to protect their identity) kept putting off letting us enroll them in, AND security policies – 2FA, SSO, MDM, a password manager, etc. Not to mention, the CEO used this laptop for work and personal, traveled often, and stayed in hotels often.
We truly had no insight into any of their hardware and a very little overview of their email. It took months, but we finally got the CEO to agree to all of the above; they were willing to as they realized it was “put off” for too long. Then this happened.
Staff, Dark Reading. “Ransomware Price Tags Skyrocket along with Extortion Techniques.” Dark Reading, 9 Aug. 2021, https://www.darkreading.com/attacks-breaches/average-ransomware-payment-hits-570000-in-h1-2021.
Scholz, Cheryl, and Jim Capalbo. “78% Lack Confidence in Their Company’s Cybersecurity Posture, Prompting 91% to Increase 2021 Budgets.” Business Wire, 24 Feb. 2021, https://www.businesswire.com/news/home/20210224005176/en/78-Lack-Confidence-in-Their-Company%E2%80%99s-Cybersecurity-Posture-Prompting-91-to-Increase-2021-Budgets
“What Is the Cost of a Data Breach in 2021?” RSS, https://www.upguard.com/blog/cost-of-data-breach#:~:text=According%20to%20the%20latest%20data,2019%20which%20was%20%243.86%20million“IBM Security: Cost of a Data Breach Report 2020 Highlights .” IBM Security, https://www.ibm.com/downloads/cas/QMXVZX6R