In the ever-evolving world of cybersecurity, the importance of diversity cannot be overstated. It not only brings fresh perspectives and ideas but also reflects the inclusivity that we strive for in society. I attended the Windows internal training course at OffensiveCon in Berlin in May. I had the opportunity to speak with Yarden Shafir, who taught the course, about her experience in cybersecurity, her thoughts on the current state of diversity in cybersecurity, and how to promote diversity and inclusion. Yarden’s candid insights shed light on the challenges and opportunities that lie ahead.
Yarden Shafir started her career not too long ago but at a time when the industry was different from now. She had just completed her mandatory army service and needed a job. She heard that the tech industry offered high-paying opportunities with minimal skill requirements. Although she did not have a strong technical background, she had some coding knowledge from high school. She began applying for support, QA, and help desk roles. Eventually, she landed a junior QA role at Sentinel One, where she was one of the manual testers.
During her time at Sentinel One, Yarden started playing around with the product and discovered bugs. Since it was a small company, the work environment was more flexible, allowing her to explore and find bugs in their newly developed product. She had direct access to the developers and researchers, sitting in the same room, which facilitated her learning process. Yarden would approach the developers directly when she found a bug, and they would explain the bug to her, wanting more information to improve their bug-finding process. This led her to ask more questions and learn from the experienced team members. She also had the opportunity to work with the automation team and gained experience in developing systems and frameworks using Python.
After a few years at Sentinel One, Yarden decided to switch roles and she joined the research team as a junior analyst. This role exposed her to different aspects of the product, such as false positives and false negatives, allowing her to gain a deeper understanding of how detection works. Over time, she started working on new research, tools, and projects. She wrote blog posts and gave talks about her work, which helped her network with others in the industry. She even began teaching classes with a renowned cybersecurity professional, Alex Ionescu.
After leaving Sentinel One, Yarden joined CrowdStrike, where she worked with experienced and highly skilled individuals who mentored her. She mentioned that initially, it was a little unnerving working with big names in the industry. Luckily, they took her under their wings and helped her grow her skills. She continued teaching classes with Alex and eventually took over when he retired. Yarden’s career progression also led her to work for Trail of Bits. Throughout her journey, she emphasized the importance of continuous learning, seeking mentors, and putting oneself out there by sharing successes and learning with the community.
During our conversation, Yarden mentioned that while having mentors is important, she does not push that as a goal because mentors might not be available for reasons beyond one’s control. She also noted that while visibility is good, some people might not be able to be public due to personal reasons or the nature of their work.
When it comes to Yarden’s experiences as a woman starting out in the field, she mentioned that initially, she had to fight against certain biases and stereotypes. Being a young woman in a non-technical role (QA engineer) presented challenges, as some technical people tended to look down on non-technical roles. However, she found support from colleagues, especially on the automation team, who became professional mentors to her. Over time, as she established herself in the industry and became more public about her work, she gained recognition and respect.
When asked about the changes in diversity since starting out in the industry, Yarden acknowledged some improvements. She noted that nowadays, it is not uncommon to see women in cybersecurity, although the representation is still limited. As you move towards more specialized and low-level roles, diversity tends to decrease, resulting in a homogeneous environment. She believes that having more representation of women and diverse backgrounds can inspire others and show them that it is possible to succeed in the field. This observation highlights the need for greater efforts to foster diversity across all levels of cybersecurity.
So how do we go about improving the diversity in cyber security? Yarden admits that there is no easy answer. Drawing from her own background in Israel, she highlighted the challenges posed by a pipeline that caters to a specific kind of person, leaving little room for individuals like herself. Unless the entire educational and professional system changes to be more inclusive, breaking the barriers might remain an uphill battle. This is the reality across the world, not just specific areas, where right from the beginning, some industries are tailored for a specific gender. It remains that unless systemic changes are made, diversity and inclusion will be hard to attain in some industries like cyber security.
Next, I asked Yarden where one seeking to join the industry could start. There are many paths one could take into cyber security. Yarden mentioned that the path one takes is not important, as long as one gets to do what they love. While she could not provide a definitive roadmap, from her own path, she acknowledges that starting at a small startup in a non-technical role worked well for her. Getting into the industry from a non-traditional path has the advantage of giving one a broader perspective and a 360-degree view of the industry. Yarden’s own journey, as well as those of her colleagues, demonstrates that success in cybersecurity can be achieved through diverse backgrounds and unconventional entry points.
When it comes to the skills needed for success in cybersecurity, Yarden emphasizes the importance of resilience and perseverance. Cybersecurity can be challenging and frustrating, requiring individuals to maintain their focus and determination even in the face of obstacles. Yarden points out that many successful professionals in the field possess a tenacity that enables them to obsessively delve into solving problems. However, she acknowledges that this path may not suit everyone, and individuals must carefully consider their own desires and aptitudes.
Contrary to what many people believe, creativity is important in cyber security. Curiosity and creativity foster innovative problem-solving and the ability to think outside the box. More often, cyber security is about solving problems using creative solutions, and one can argue that creativity is the essence of cyber security. It is what enables hackers to make systems do what they were not intended to do, and defenders must have a creative mindset to secure systems.
Yarden’s insights shed light on the significance of diversity in the cybersecurity realm. While progress has been made, there is still much work to be done to ensure a truly inclusive industry. Encouraging diversity requires systemic changes in education, professional pathways, and societal attitudes. By embracing diversity, we can unlock new possibilities, fresh perspectives, and innovative solutions in the ever-evolving field of cybersecurity.