Information security really needs female professionals. There aren’t a lot of us, but all the women in infosec I’ve met so far have been fascinating. In my first interview, I spoke with Tiberius Hefflin, a Security Assurance Analyst.The second woman I spoke to was Tracy Z. Maleeff, who is well known on Twitter as @InfoSecSherpa.Kim Crawley: How would you describe your current job and title?Tracy Maleeff: Technically, I am the Principal of Sherpa Intelligence LLC. I am an independent information professional providing research and social media management services to clients. I created the business to help my transition from the law firm library world into infosec.KC: I have a vague memory about how you went from library sciences to infosec.TM: I joked recently on a podcast that all my past careers were just preparing me for infosec. I spent most of my twenties as a travel agent. I went back to school and earned three college diplomas in six years.I set off on a librarian path. I worked in corporations and academia before landing in private law firms, where I stayed for about ten years. I have a Master of Library and Information Science degree, and I very much enjoy librarian work. It’s just that I feel like I can do more and found myself remembering how much I liked tech aspects of every job I’ve had.That led me about two years ago to start dipping a toe into the tech waters to see if that excitement was still there for me. I attended every tech meet-up in Philadelphia and beyond. I signed up for Girl Develop It classes and events. I was a sponge and tried to absorb everything.I pretty quickly realized that the programmer, developer, front-end tech world just wasn’t my cup of tea. I kept feeling myself drawn towards the tech articles about security and signed up for a Cybersecurity Fundamentals class. It had everything that I wanted and I felt that I truly had transferrable skills for this industry based on my past work and life experiences.KC: Was there ever friction in your transition to IT due to sexism?TM: I don’t feel like I’m completely in IT or security yet, so I don’t know if I can answer that accurately or fairly.I can tell you that I attended a WordPress conference last year, and that was my first experience being at a mostly male professional event. The librarian world is mostly female, so that was a big culture shock for me. I witnessed and experienced some terrible behavior at that WordPress conference that was eye opening. But I do have to truly say that thus far, my experience in security has been positive.Plenty of my male colleagues have been very helpful in educating me and encouraging me. I’m also being strategic and making sure that I am involved with the female-centric security groups and associations out there, so that I can meet other women to learn from their experiences, as well.KC: That sounds like a good, balanced approach. How did you get the attention of those podcasters?TM: You mean PVCSec?KC: Exactly.TM: Through my involvement on Twitter, basically. I got to know Edgar Rojas via Twitter and his promotion of the Tactical Edge conference. I started doing some work with him on Tactical Edge, plus I think the PVCSec co-hosts interacted with me on Twitter.One day, I was asked to be a guest on a podcast episode. Next thing I know, they asked me to be a co-host. I’ve also done some other guest podcast recordings, and I have to say that those all came out me being active on Twitter as @InfoSecSherpa and being a contributing member of the infosec community.KC: That is some fortunate networking.TM: I don’t think everyone understands the power of social media when it comes to professional development and professional networking within an industry or professional community.KC: How has PVCSec benefitted you?TM: I do a lot of speaking engagements in the librarian world about professional networking, in person and online.So far, I believe that PVCSec has benefited me through getting my name out there more. More Twitter followers, more LinkedIn views, plus more invitations to write and speak. I was surprised how many people knew who I was at Hacker Summer Camp in Las Vegas. Plus, I just learn a lot from my co-hosts. I learn more about infosec from my co-hosts, and that is a great experience!KC: Has that overlapped with the infosec stuff? What have you learned so far?TM: Oh, how has my speaking engagements overlapped with infosec? I think I see a way that I can also do those same presentations to the infosec community in order to help them. Speaking engagements are a great way to meet people. I’ve learned better ways to educate non-tech types about infosec. I’ve learned some management philosophies and techniques. We had a podcast episode recently where each host gave book recommendations. It was fascinating to hear which books they selected and why and how that fits into infosec.I’d say the biggest thing I’ve learned from the podcast is how there are many different skills, not just tech, that go into being a good infosec professional. You need communication skills, empathy, problem-solving, time management, organization, and more. It’s not just a straight-up tech job, and that’s also what drew me to it.KC: Do you think the need for soft skills is a benefit of women in infosec?TM: I think soft skills are things that everyone in infosec needs to have. I don’t see that as gender-specific. Not all women have good soft skills. It’s an everybody skill!KC: So, you think ability in soft skills is pretty gender-balanced.TM: I don’t think it’s fair to put a gender on soft skills. Sometimes they are abilities that people have naturally, like empathy and communication. But, the bottom line, in my opinion, that they are skills that everyone can learn. Some may be better at them than others, but they can be learned. That’s how I teach people about professional networking. It’s a skill that can be learned, some may just have to work harder or adapt differently to it.KC: What would you say to a little girl who’s interested in computing, assuming she was taught that computer tech is “for boys”?TM: Question authority. In my very first computer science class in middle school, the teacher was female. I didn’t realize at the time how big of a deal that was. So, I never thought that a woman couldn’t teach computers or be in comp sci. Role models are very important. Women need to be visible to young girls to show them what’s possible.I think actions and visibility have more of an impact than words. I was (and still am) pretty terrible at math. I had my own personal hangups about doing more in comp sci. It had nothing to do with me being female. It had to do with me struggling with math. However, there was a time in college when being one of the only females online and in the computer lab did create some uncomfortable moments that may have impacted me moving away from computers. But, in my earlier years, gender wasn’t a factor.The digital divide concerns me and it’s not just a gender issue. I’m concerned about the lack of POC in tech, and that’s something we should all care about. Tech needs to be more diverse. Diversity of thought helps to solve problems.KC: I agree completely. Do you think some of the lack of diversity in infosec comes from the top? Like when Silicon Valley talks about candidates being a “culture fit?”TM: I feel like I don’t know enough about Silicon Valley culture to make an educated statement about this. I feel like companies could do more to help with creating a more diverse tech workforce. However, and this came up at a BlackHat luncheon, do you want to be hired just to be trotted out by the company to show how diverse they are?KC: I can understand that. So, what do you think is the biggest problem in infosec at the moment?TM: Lack of respect and value. It feels like people treat security as a nuisance and inconvenience. Companies are interested in protecting themselves but then give more responsibility to already overworked IT people or don’t fully support the message of security awareness. A culture of security needs to be embraced by a company, but from stories that I hear and read, it feels like they want to be protected just as long as it doesn’t interfere with anything they do.KC: I think often the CEO, and especially the CFO, messes with the CTO.TM: So, that leaves infosec people feeling like they are constantly herding cats and being Sisyphus in regards to security matters. Honestly, it’s not much different than how a library feels within an organization. Another reason why I feel like I fit in.KC: I heard that often infosec gets cut because the shareholders don’t think we generate profit. Sometimes, even a super expensive POS system attack won’t change their minds.TM: Same thing with libraries. They are overhead. But yet, when people need research or materials, they need the library. I know all about proving value within an organization.KC: You’re practical, then?TM: I like to think so. I also think that I see big picture things better than some. I like to think a few steps ahead. I had a coworker once who used to implement change without thinking through scenarios, and it used to drive me nuts. I think I work well as a hub with a lot of spokes.KC: Do you have any last words about women in infosec?TM: Don’t be afraid to be a trailblazer. Look to persons of any gender identity and POC for advice and feedback. Diversity strengthens us all. Pay it forward and help others by welcoming them into infosec and giving your own tips or wisdom. I like that there are some all-female infosec groups, but make sure that your professional network is inclusive of everyone in the industry. Make your voice heard and be a beacon for others.Tracy Z. Maleeff is one of PVCSec’s hosts. Check out PVCSec.com. Tracy also blogs at librarysherpa.com.ConclusionTune in next time for my next interview with Isly, another woman in information security.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related.By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.