Hacker, Researcher, and Security Advocate

Category: Inclusion


A Promotions Gap

Are expectations in promotion helping fuel the “Skills Gap”?

Search job postings and you’ll find there are plenty of companies bragging about how they invest in their people. Internally, organizations like to boast about having a culture of promoting from within. Indeed, there is no shortage of articles touting the value of internal promotion processes. Yet I must wonder if these words translate into action. While I’m still gathering the data in my surveys, some respondents have also reached out to me directly to share their stories. Quite a few tell me about how difficult it is to transition internally into security-related roles.

Initially, this might seem anecdotal. Without analyzing objective data, it can be dangerous to draw conclusions. However, the stories I hear are numerous, and I have also witnessed and experienced similar situations. How many of these companies that claim to prioritize developing and promoting their own people actually walk that walk? I’m beginning to believe the percentages aren’t that good.

What it means to promote from within

Establishing a culture of promoting from within requires more than mere words. In fact, failing to credibly back up such claims with actions can be detrimental to employee engagement. It’s more than simply having a process for employees to internally search and apply for jobs. It requires a commitment to your people. This commitment requires a few things:

  • Truly investing in the skills development of your people
  • Changing the way you evaluate candidates for available opportunities
  • Shedding the idea of “critical” roles that lead to external hiring

Over my 25 years in professional roles, I’ve seen the good and the bad. I’ve watched companies provide training with no clearly defined path for career advancement. I’ve experienced hiring searches that failed to accurately assess the potential of internal candidates. I’ve even been witness to hiring practices that deemed a role too “critical” to take a chance on elevating an internal employee. These are mistakes and they lead to long timelines to fill crucial positions while also devaluing existing employees.

Investing in employee development

I’ll start with the concept I believe is probably most easily understood. I also believe, again based only on experience and hearsay, that it is the one that gets the most effort. Employee development is a concept that’s gotten increased attention in the last decade or so. More and more, organizations are coming to understand the business value of developing their employees.

Training seems to be one of the key areas that gets the focus when we talk about employee development. Many organizations have formal training programs, invest in e-learning technologies, and some even set aside specific per-employee training budgets. This is great; however, it only scratches the surface of what is necessary. To truly develop your employees means preparing them for their next role and providing a clear vision of what that next role can be and how they can get there.

This requires active leadership participation. It requires the organization first and foremost to have mature job descriptions and provide clear expectations. Human Resources professionals can often tell you stories of struggling to get support for this foundational element. Taking the next step of succession planning is also crucial. How will a role be filled when it becomes vacant? Leaders should constantly be working to identify “who’s next”. Ultimately, that succession planning then has to lead to action. Leaders need to be grooming those planned successors, empowering employees through challenging assignments that provide visibility into key aspects of what that next role entails. Sadly, these last two steps are often neglected or avoided altogether.

So succession planning and development require us to identify candidates by potential. That leads into the second point: we need to think about our people and how they fit open roles in a different way.

Evaluate talent differently

This is a concept that, from my experience, needs a lot of attention in most organizations. If a company is looking to fill a role, how it assesses the internal candidates needs a unique approach. Far too often the same experience- and skills-based lens is used for both internal and external candidates, but that just doesn’t work. When evaluating external candidates, a reasonable mix of experience that matches the job role is expected. For instance, the expectation that a candidate for a senior manager or director role has previous “managing managers” experience. However, the same bar cannot be used for internal candidates if you’re invested in developing your people.

Internal candidates are often direct reports of the role being filled or are moving into that role from another area of the business. So it can’t be expected that they’ll have the experience of someone who’s worked that role before. Organizations need to assess internal candidates based on potential. But how does the leadership team assess potential? The Harvard Business Review published a terrific article on this in 2017. The basic premise is that leaders need to be constantly aware of those employees whose performance consistently elevates that of those around them. It’s a combination of ability, drive, and social skills that should be prioritized above past experience or demonstrated role-specific skills.

Unfortunately, from the stories I’ve heard, my own experiences, and indeed the glut of open security-related leadership roles currently on job boards, companies are failing in this crucial aspect. And it also leads to the third point.

No role is THAT critical

I’ve watched numerous internal security candidates get rejected or ignored and jobs posted externally because the role was deemed “too crucial”. In particular within security, there seems to be a belief that certain roles are so important that the organization must find a “step-in” candidate (someone who’s done it before and can step in and run with things day one). The problem is this prolongs the candidate search in two ways. First, it eliminates the majority of high-performing internal candidates who could be very successful in the role. Second, it shrinks the available pool of external candidates since, as studies show, the majority of job seekers are looking for new challenges. Few are going to be attracted to a job doing what they’ve already been doing.

Promoting from within requires the understanding that high-performing candidates thrive in critical roles that stretch their skills or demand them to develop new skills. Pushing back on or ignoring internal candidates because a role is “too critical” to fill internally tells your teams a lot about how much you value their skills and abilities. It says you don’t trust them, you don’t believe in them, and that the only jobs they’re qualified to fill are somehow less crucial. This is not how you create a culture of committed high performance.

About that skills gap…

When I see security roles open for long periods of time, it causes me to question the organization. Sure, many jobs need to be filled externally, especially with growing companies that are seeking to add resources. But when there’s a role that sits open for 6 months, a year, or longer, especially if it’s a senior or leadership role, one has to ask “are there no internal high-performers who could step into that role?” The broader question becomes, once again: are we experiencing a skills gap, or are we just looking for the wrong skills or in the wrong places?

Footnote: Some may take issue with certain aspects above in the context of equal employment opportunity requirements and such. Nothing I’m suggesting above is in conflict with those requirements; I simply didn’t go the extra mile of explaining how, as that is a lengthy discussion on its own.


Talent Shortage, Really?

Examining the disconnect between employers and job seekers in security

There is a lot of talk among business leaders about a critical shortage of cyber security talent. Many cite studies and surveys that provide context for just how big the problem has become. In fact, Cybersecurity Ventures predicted in 2017 that by 2021 nearly 3.5 million security jobs will go unfilled. While this discussion is seemingly ubiquitous in the business world, there is another side to the story.

Interacting with the security community through social media, one quickly discovers that there are significant numbers of job seekers unable to find security jobs. In fact, I recently tweeted about a job opening that I have coming up. With roughly 4,200 followers, I had over 200 people send me direct messages expressing interest. After weeding out those who were clearly not fits, I still have a list of over 50 potential candidates. With that much interest from one tweet about one position, it seems odd that organizations are having a hard time finding candidates. This dissonance is so powerful that I personally call BS on the talent shortage. What we have is a talent disconnect, but why?

Job descriptions and unrealistic expectations

Browse the listings of security jobs and you’ll quickly see just how poor and unrealistic many of them are. In my own less-than-scientific research, I’ve noted a few of the more common issues:

  • Requirements for an overly broad range of expert-level skills beyond what any single human could possibly possess
  • Length of experience requirements that are not commensurate with the position (e.g., 6-8 years of security experience for a security analyst role)
  • Unrealistic salary ranges for a given title (e.g., a Senior Security Architect role with a salary range of $50,000-65,000)
  • Seeking impossible levels of experience in emerging technologies (e.g., 10 years experience with block chain technology)

Breaking it down

Let’s tackle these one at a time. Overly broad skills requirements often stem from building job descriptions like a wish list. The approach ends up being “we can’t have it all, but whoever checks the most boxes in this list is the one we choose”. There are two problems with this methodology. First, job seekers read those lists as hard requirements. The more items on the list they can’t check, the less likely they are to apply. Second, picking a candidate with broad knowledge but little depth may leave the organization in a bad position when deep technical expertise is needed.

Security-related job descriptions are still new to many organizations. As such, they are often derived from other technical roles with similar titles. This can lead to a scenario where the length of experience being asked for does not match up to what the market would dictate for that level of position. This same scenario can often lead to seeking impossible levels of expertise. Ultimately, more time and analysis is needed from security leaders and Human Resources working together to develop market-aligned expectations.

One of the most frustrating issues isn’t always visible from the job description itself. When the salary range attached to a role is unrealistic in terms of market forces, both hiring managers and candidates are impacted. Candidates often go through multiple rounds of interviews before finding out the pay range is too low. They end up feeling like their time was wasted. In cases where initial screening interviews are used to match salary needs, the hiring manager will likely receive few qualified candidate options, resulting in further frustration on their part.

Engaging the Security Community

Another common issue that seems to hamstring many recruiters is their inability to connect with the security community. Anyone who has security experience listed on their LinkedIn profile has likely gotten messages from recruiters. Commonly, recruiters will use one or two search criteria and match highly experienced candidates with entry-level or unrelated positions. The “hot” job market in security brings many non-technical recruiters out in search of security talent. The resulting credibility problems for recruiters in the security industry in particular create a heavy divide.

Recruiters must overcome that credibility problem with a genuine understanding of the security landscape. Additionally, they must learn to engage security professionals through less traditional avenues. The best security recruiters have learned how to connect with the community via social media. They’ve learned how to have meaningful interactions on Twitter and are patient in their approach. It takes time, but recruiters who take time to learn security and develop long-term relationships with members of the security community find greater overall success in filling roles.

Breaking the mold

A side effect of interacting with the security community is that organizations will also shed their preconceptions of what security talent looks like. Sometimes there literally is a bias as far as the appearance of security professionals. Bold hair colors, visible tattoos, body piercings, and non-traditional fashions are very common among security experts. Meanwhile, the corporate world continues to shift at a glacial pace toward acceptance of such appearances.

Security and business leaders alike still carry heavy bias, albeit sometimes unconscious, against individual expression. Conformance to traditional standards is still sought, often to the degree of disqualifying otherwise highly qualified candidates. Managers hiring for security positions (or any positions, for that matter) need to understand this and move beyond their preconceived images.

Incubating talent

I find it particularly frustrating how little foresight organizations put into developing security expertise in their current staff. As digital transformation trends continue, security has to be a part of every phase of our business. So why then don’t leaders look to groom security expertise in all business functions? Imagine a world where every team from accounting to finance to development was required to have security expertise.

An approach like this has multiple benefits. First and foremost, it begins developing a culture in which security is always a consideration. No longer do we allow admin or operational groups to fly under the radar of security considerations. Second, these resources now become an internal pool of candidates from which security-focused positions can be filled. Essentially, it becomes an incubator of security talent. Third, this type of investment in employees also helps combat turnover. Employees are able to develop marketable skills that give them a clear path for advancement or new challenges.

Obviously, this type of approach requires executive level buy-in and support. Business and support functions will be reluctant to dedicate portions of their budgets to training in skills they see as unrelated to their purpose. However, at an executive level, when the cost of training is weighed against recruiting costs, turnover costs, cost-of-vacancy, and third party services expenses, the business case is easy to build. Organizations must stop relying on someone else to develop security talent and instead they must take an active role in the process.

Bridging the gap

Is the idea of a talent shortage truly false? It’s hard for anyone to say for sure. However, the way organizations search for and cultivate talent clearly contributes to the problem. We’re seeing a shifting of the tides in terms of how security talent and hiring firms come together, but there’s still a massive gap. To those of us active in the community, that disconnect is very visible every day.

Conquering Impostor Syndrome

Recognize that you bring value to the discussion and be heard

One of the things I’ve always found incredible about the security community is the commitment to openly sharing information and discoveries. We have countless conferences, discussion media, and publications devoted to sharing security-related works. However, for many, seeing the massive contributions of others invokes a level of anxiety when seeking to establish their own contributions. The infamous impostor syndrome rears its ugly head and holds people back from getting involved.

My first experience with impostor syndrome


My memories of my first experience with impostor syndrome are very clear. I was working as a Managing Consultant for a security firm and at that point had been in security as a penetration tester for eight years. I had thought about speaking at a security conference on occasion but never really considered it a realistic goal. That is, until my director and a sales person encouraged me to submit a talk to a local conference our company was sponsoring.

I agreed; after all, it was my boss telling me I should do this. And yet I was scared to death. I had seen some of the biggest names in our industry on stage at conferences, I had seen 0-day exploits announced at DEFCON, and here I was with nothing of the sort to contribute. Who am I to speak at anything? If I get accepted, they’ll all see that I’m just an average person and I’ll get laughed off the stage. All these thoughts went through my head, but I had to push through and create a talk, so that’s just what I did.

I had just come off a string of three separate application assessments where I had discovered various issues in OAuth2 implementations that created some significant vulnerabilities. I decided to put together a talk to discuss the proper implementation of OAuth2 and common failures that led to exploits. The talk got accepted, I delivered it (to a surprisingly full room), and I got some great feedback afterward.

A week or so later, I received a link with the video of my talk. I provided it to my director who suggested I send it out to our entire AppSec practice. While I received a number of gracious emails, the one that stood out in my mind came from a principal consultant who had spoken at a few conferences, including as part of a group at BlackHat USA. His response read, “A lot of hand waving here, nothing new or informative being shared”.

I was crushed. This was what I feared the most. An experienced conference speaker telling me my talk wasn’t worthy. I ignored all the good feedback I got at the conference, all the great emails I got from other consultants on our team, and I allowed this one email to confirm in my mind that I was a fraud.

Thankfully my director was an amazing leader who knew how to motivate me and he helped me see the truth. He pointed out how the email I got came from a consultant who himself was insecure and felt like an impostor. He helped me see the value of my talk and encouraged me to continue speaking. And that I have. I now speak regularly at conferences, and while I still have my bouts with impostor syndrome, I don’t let it hold me back. So I wanted to share some steps I’ve learned about how to overcome these feelings.

What causes impostor syndrome?

I’ve done a lot of self reflection on this along with a lot of reading and research. What I’ve found is that impostor syndrome is ultimately the result of feeling like one doesn’t belong. It’s this feeling that we’ve somehow stepped into a world where we are not like those around us and we’re somehow inferior as a result. When we perceive that the people around us are far more experienced, talented, or qualified than we are, those feelings come to the surface. For people in under-represented groups like people-of-color, women, those with disabilities, or LGBTQ+, the problems can be compounded since we can struggle to identify with our peers.

The problem stems from how we identify ourselves. We begin to establish our identity through labels when we are very young. Age, gender, race, job titles, etc. all play into how we identify who we are. We label others and often compare our labels with them. This is how social groups form. So when we follow a course of action in which we perceive that we’re stepping outside of those labels, our anxieties kick in. We fear that someone will figure out that we don’t wear that arbitrary label we’ve given them and they’ll see us as a fraud, that they’ll look at us and point us out as not a member of their group.

This is a very natural phenomenon in human social interactions. We place labels and gravitate toward those who we perceive as sharing the same labels we give ourselves. So how do we break down the barriers we place on ourselves? The following is the process I’ve come up with through my own self-analysis and research.

Acknowledge and combat those feelings

As you might suspect, the first step in overcoming the anxieties of impostor syndrome is to simply recognize that this is what we’re experiencing and combat it. When we begin to feel those fears, it’s important to look at those feelings and identify where they come from. How does the fear you’re experiencing relate to a feeling of not belonging? Personally, I take a mental inventory of those.

The key to combating them is objectively identifying the positive accomplishments we’ve experienced. Those positive comments and emails I received were a perfect example. So find those elements, but be careful. Do this objectively. Do not assign a relative value to them, just simply acknowledge and appreciate them.

Let the feelings go

Once you’ve identified your feelings and where they come from, you can start to let them go. Sometimes what you feel will be tied to things you simply cannot control, like your gender, race, etc. Understand that those are not characteristics that impact your qualifications and so don’t allow them to make you feel inadequate.

Also recognize those feelings that result from comparing yourself to others. Humans fall into the trap of measuring our talents and skills in comparison to others. However, that’s not a valid way to measure. Instead, see your qualifications as an objective measure, you have certain skills or you don’t. When you find that feelings of inadequacy are the result of such comparisons, trust that they’re not an accurate measure of your abilities and let them go.

Analyze your process of success

Look back at where you’ve been. How did you get to where you are today? Did you just have one success after the next without experiencing challenges and failures? If you’re honest with yourself, the answer is no. Thomas Edison did not invent a working light bulb on his first attempt. Stop holding yourself to that standard. Those challenges and failures are how you learned and developed your skills. Accept them, be proud of them, and understand that you’ll experience more of them in your future and that is a good thing.

Set objective goals and measurements

Identify the goals you have in attempting what it is you’ve set out to do. If you’re thinking about speaking at a conference, perhaps your goal is to share information about some research you did. It may seem corny, but list those goals and how you plan to measure them. Then look back. Are they based on others’ reactions, feelings, etc.? If so, those are not objective goals because they’re based on your perception of someone else’s feelings. So re-frame them into something that focuses solely on you and something that you can objectively measure. This ensures that when you accomplish those goals, you’ll be able to recognize it and celebrate it. It prevents you from letting feelings downplay the great things you achieve.

Everyone experiences impostor syndrome

Finally, understand and accept that everyone has these feelings from time to time. I’ve talked to some of my idols who tell me often of their own experiences of feeling “out of their league”. It’s in pushing ourselves to exist beyond our labels that we grow and conquer obstacles. That’s how each of us becomes great.

Accept that it’s OK not to know all the answers and that if you did, it would mean you’re not pushing yourself hard enough. Have faith that it is not only acceptable to reach out for help, but that this is actually an effective tool. It gives you the opportunity to get others’ perspectives and challenge your own biases on the topic. It is also a chance to establish relationships with others who may actually be fascinated by the work you’re doing.

In the end, we all build off of each others’ works. Collaboration drives the continued growth of our collective community. So rather than convince yourself that asking for help makes you less, embrace it as part of the process.

These are the steps that have worked for me and that I’ve found corroborated in other research I’ve done. Hopefully some of this resonates with you and is helpful. I’d love to see some comments from others on what has worked for you that I’ve not included above.


Welcome Aboard

An Introduction of Epic Futility

OK, well, here I am, interwebs! After much encouragement from colleagues, friends, and acquaintances, I’ve launched a website and blog. As you’re likely aware, if you’ve found your way to this page, I’m very passionate about all things security- and privacy-related. It’s my career, it’s my passion, and most of all it’s something I love to share with others.

I’ve had a very atypical journey into the world of security, however. I’ll probably bore you in some other post with the full progression from my childhood interest in computers to my present-day role as a security professional. But for now let me just share that what began as a hobby of playing with computers turned into a full-time job as a programmer, which in turn led to my entry into penetration testing and assessment work.

I have no delusions of grandeur. I am not the world’s greatest hacker, I am not some super security celebrity or highly touted “thought leader”. However, what I am is a person who really loves digging into technology, exposing how it works and how it fails, and sharing what I’ve learned with others. I’ve spoken at industry conferences, as you can see on this site. I’ve delivered various security assessments, training, and strategy guidance as part of my professional work. I’ve been featured in security publications and podcasts. I’m of course active on social media as well. But this is the first time that I own a dedicated space on the web to formally share my thoughts and opinions in written form.

Related to technology, security, and privacy, I also have a very powerful drive to correct what I see as a toxic environment in the tech and security communities. Women, People of Color, LGBTQ+ and other under-represented groups often find that the tech and security space is particularly unwelcoming. In security specifically, studies using the most liberal of criteria have found only around 20% of people in security roles are women. I believe that toxic environment is partly to blame. This is something I feel needs to change. I’m involved in multiple organizations that do work in this area, I speak on this topic as well, and so you’ll probably see posts from me focused on making our industry more inclusive as well.

So I hope you’ll enjoy. I hope you’ll reach out to me and share your own thoughts. I love to hear opposing viewpoints and discuss/debate at length as long as it’s done in a respectful and productive way. Thank you for visiting and please come back over and over!
