Dispelling the stereotypes about cyber security

In this exclusive interview, Michelle Garcia, director of IT security and compliance at Carnival Cruises, shares her thoughts on holistic automation solutions, why gender disparity exists within cyber security and how to encourage more women to enter the field.  

Cyber Security Hub: How can cybersecurity professionals best discover opportunities for automation?

Michelle Garcia: It starts with being aware of the work going on around you and listening to your teams. You will hear opportunities for processes that are repeatable. The biggest pain points are usually time-consuming repeatable processes. If there is a body of work your team seems to do over and over, it is possibly a good candidate for automation. 

CSH: What tips would you give to pitch to those teams who are looking to deploy these kinds of holistic automation solutions?

MG: The path to automation is a journey. Be pragmatic, because the last thing you want to do is automate something that ends up causing alert fatigue. You also don’t want to create holes in your environment where you end up missing an actionable alert. Alternatively, you may try to automate something that was never a good candidate to begin with. 

I would recommend that before you start automating, create a process flow. While performing the process manually, follow the flow you’ve documented. If you can consistently stick to that flow, it’s a good candidate for automation. Once the automation is complete, monitor the process to confirm the requirements are being met. It is also important to set up alerting for exceptions to the process or when the automation has a decision point which is outside the standard flow. 

CSH: Data has shown that the majority of those in cyber security positions are men. Why do you think that women are underrepresented in cyber security?

MG: For my generation, we were not steered toward STEM programs but toward areas which were less technical, even if you wanted something that was technical. For those like me who were technical, we were guided toward roles which were more creative like website development or user interface design. Women are often associated with more ‘artsy’ areas which leads to missed opportunities. 

Specific to cyber security, most of those in cyber security were network engineers or developers, the roles that women were steered away from. Only recently has the importance of diversity of thought come into the conversations of cyber security. Being able to protect against a malicious actor requires more than knowing how to code or knowing how to read a network diagram. There is a requirement to think creatively or think differently because a hacker is not going to attack where it is obvious. It is not that we are artsy, women are creative thinkers and being able to think creatively is a required skill.

The story of how I got into cyber security is very interesting. I was recruited in a hallway because I knew of a recent cyber event that was notable but did not get much media attention. My first foray into cyber security was not IT security, it was operational technology (OT) security, which is even more underrepresented than IT security. OT security tends to be more technical and very industrial.

The attack vectors are different and the risk to life safety is real. There is a very small niche of women who have experience in this area. Traditional cyber security approaches to hardening these systems do not always apply. When it comes to OT security, women are several steps behind where you would expect us to be. 

CSH: What do you think could be done to encourage more women and girls to go into cyber security or pursue cyber security type, roles and education? 

MG: There are many great organizations such as Women in Cyber Security (WiCyS), Black Girls Code and Girls Who Code and supporting those is key. Personally, I look for opportunities where I can mentor, simply because if I share what I know, I can show them that what I get to do is fascinating. I truly love what I do, and I welcome every opportunity to share the excitement I have about my profession.

When you think about the bigger picture, that a line of code can do so much damage, that is absolutely fascinating. 

I am never bored. I keep bad people out of systems and networks. I also work to ensure those same systems are in compliance with PCI, GDPR and SOX! There are some things which are not very fun to have to work on, but that comes with every job.  I focus on the exciting parts of Security and Compliance which you can only do in this field. I try to share that excitement with other women and younger people. 

I also try to share that there is much more to cyber security than just the stereotype of a person you see on TV. Television and movies have painted a picture of exactly what we are not. We are more than a person sitting in the shadows in front of a computer with lines of green code on a black screen. There are many different careers within cyber security like awareness and training, governance, risk and compliance, forensics, incident response, threat hunting, digital and data analysis and data integrity monitoring, to name a few. Cyber security is a huge field and many people do not realize its scope.  

Anyone can do something within cyber security that contributes to creating safer infrastructure, ensuring compliance, creating safer organizations, and protecting data, because every single one of those roles plays a part. Sharing knowledge about what they are is huge.