This is post 3 of a 3 part series profiling several women in GitLab’s security organization. See part one and two.
Breaking into technology, and security, can be difficult for anyone. At GitLab 31% of our workforce identifies as women. In our security department we have ten team members who are women out of a total of 48 team members; that’s 21%. Global women in tech numbers are around 21.4% according to CNET and this recent study, “Resetting Tech Culture” indicates that young women who go into tech drop out by the age of 35. How do we change this? GitLab is looking to help there through our outbound hiring model, tracking and working toward key metrics, inclusion training, team member resource groups, Engineering department-based developmental and networking groups (like our Women in Security group), building and fostering an inclusive remote culture and mentorship programs.
Through this series, we’ve discussed the different paths our team members have taken to get into security and tech, the actual projects and initiatives they’ve developed, managed and/or implemented at GitLab, as part of our security team, and their advice to others looking to break into security and take on similar roles.
In this last blog in our three part series, our team members talk about how they stay motivated and engaged to take on that next challenge, and each one offers up a bit of advice or learnings across different areas like:
- How to embrace risk taking
- Starting your career off right in security
- Learning from the past
- Whether (or not) you should apply to roles where you may not meet 100% of the qualifications (we’ll cut to the chase on this one ⇒ YES, do it!)
Julia Lake - Director, Security Risk and Compliance
Joined GitLab April 2020 / Connect with Julia on LinkedIn
What is the most interesting thing you’ve learned about security thus far? That security, and specifically security compliance, is a business enabler and not a business inhibitor. This is true across the board, but especially true for SaaS providers where customers are trusting us with their highly sensitive data. Implementing strong security practices enables all other aspects of the business to grow. The biggest opportunity security leaders have is making this value proposition clear to the rest of the organization.
What advice do you have to embrace risk-taking? From a business perspective, it's important to determine the risk appetite and risk tolerance of the organizational leaders and align your operations accordingly. Risk appetite and tolerance can change as organizations grow and mature, so I recommend measuring both on a minimum of an annual basis.
From a personal perspective, I always try to operate with a higher risk appetite, which to me means saying yes to new projects and opportunities - especially those I’m uncomfortable with. This allows me to continue to grow my professional skill set. You never have to be a perfect fit for a new role, but you do have to have the capability and experience to be able to execute on the strategic objectives of that role. I highly recommend this TEDtalk about taking small risks to increase your luck.
Jennifer Blanco - Sr. Risk and Field Security Engineer
Joined GitLab June 2019 / Connect with Jennifer on LinkedIn
What is the most interesting thing you’ve learned about security and tech thus far? Understanding the power (and danger) of data. I had exposure to aspects of consumer law during my days as a paralegal, but working in security has put data security, and my understanding of it, in a whole new light. Data can easily be collected through our everyday smart devices, and many companies are harvesting this information. The best advice I share with people who want to increase their awareness is to employ a general and healthy skepticism of companies; specifically around ways they can impose on privacy. Once you have the details, you can make an informed decision by looking at the costs and benefits carefully so that you can feel confident about your choices.
Was there ever a role you applied for and landed, but weren't 100% qualified to do? My first job in Security Compliance was the largest leap for me because I had to learn about software models in addition to the technology industry as a whole. It was exciting but also overwhelming because there was so much to understand and the information was not always easy to glean. I invested a lot of study time and immersion into compliance frameworks, as well as in-person training courses, including a hands-on penetration workshop. It took two years before I was confident that I had the whole picture; though this changes with the industry landscape as there are so many aspects that can affect our line of work. Learning how to work with git and remote repositories at GitLab was the next biggest challenge and the one I’m most proud of! I never imagined having ‘Engineer’ in my title, so I’m motivated to continue pushing myself to see what I can do next.
Juliet Wanjohi - Security Engineer, Security Automation
Joined Joined GitLab May 2020 / Connect with Juliet on LinkedIn and Twitter
What is the most interesting thing you’ve learned about security thus far? Security is a team effort and a shared responsibility. We are now connected more than ever before, therefore we need to approach security with a proactive mindset, starting individually by making sure that each one of us is taking the necessary precautions and following best practices to avoid risk. At an organizational level, no security team carries the entire burden of security alone and this is quite evident here at GitLab where we collaboratively work across our respective security teams to enhance the overall security posture of the company and the product. As we build in the necessary tooling and processes to be secure, we must remember that security is a never-ending journey, not a destination!
What advice would you give to someone just starting out in the security and tech industry? There’s no shortage of problems to be solved in the security industry. Every day there’s a new type of cyber threat and with this, comes along the creation of new and innovative career opportunities to solve these problems. In order to find your place in this cog wheel, you need to be curious and willing to explore the different options within the field and see what interests you the most. The next step is to be proactive in acquainting yourself with this area and start to pick up the necessary knowledge and skills to make you an industry expert. Surround yourself with other security professionals who can contribute positively towards your career growth. It’s also important that you work towards being a T-shaped individual where you have deep expertise in your chosen area of interest but also a breadth of knowledge in other areas in the security field.
Liz Coleman - Sr. Security Compliance Engineer
Joined GitLab January 2020 / Connect with Liz on LinkedIn
What is the most interesting thing you’ve learned about security thus far? One of the most interesting things I’ve learned is that security is an all-inclusive team sport. There are so many layers to security from individuals, general governance, information system security, IT security and the list goes on. Each layer consists of networks of people and processes, all of which have some type of underlying security theme. Security is a consideration and holds a level of importance to everyone and every role in an organization, but in slightly different ways. The great thing about this is that security can be a commonality that can bring people together and be leveraged across all layers of an organization. Its strength lies in its ability to be all-inclusive and everyone’s invited to play the game.
What advice would you give to someone just starting out in the security or tech industry? Just starting out in the security or tech industry can be intimidating. There are so many certifications and paths available that it can be hard to find a place to start. One thing I found very helpful when starting out was to research where I wanted to go. I turned to my colleagues, professional network and leadership and looked at the certifications and education they had. Linkedin is an open book of information that outlines individual accomplishments. I saw my manager at the time had a Certified Information System Auditor certification. So I started there. Then came the Certified Information System Security Professional certification which I found to be a common certification held by individuals who had similar professional and career interests. Each certification takes time, effort and costs money to obtain, so being strategic is key. Investigate your options and identify a path based on your interests. See what other professionals have from a knowledge or certification standpoint and go for it!
Meghan Maneval - Manager, Risk and Field Security
Joined GitLab July 2020 / Connect with Meghan on LinkedIn
What is the most interesting thing you’ve learned about security and technology thus far? I remember when I was just graduating from college and applying for jobs in technology, thinking I was going to come in and be the hot-shot young intern who would make a huge impact. What actually happened was I realized just how little I really knew about technology and security in the real world! What I’ve learned over the years is that it doesn’t matter how much you know about technology or security in general or from a textbook, what matters is how your company applies those concepts. Security controls and methodologies can be applied in millions of different ways! I love meeting with our customers and third parties and seeing all the unique ways they apply and utilize security and technology principles.
What's a difficult situation you've had to overcome, professionally? If you ask my kids they will roll their eyes and tell you that my motto in life is “you learn more from the bad stuff than the good.” And I believe that is true in most situations. I’ve found myself in a few bad situations throughout my career and truly believe I have come out of it a better person. In a prior role, as an auditor, I had identified potentially fraudulent activity within the organization’s Human Resources department. When I reported the information to the auditee in my draft report, she decided to go to the organization’s board and have me removed from my position. While I knew that I had done the right thing, it crushed me and made me rethink my desire to stay in the compliance field. However, after taking time to reflect I realized that going through this actually made me a better auditor, a better compliance specialist, and a better employee. I also realized at that point that I wanted to focus less on organizational risk and more on security. I took a job as an auditor for a software company and my career has blossomed since. So always remember- you learn more from the bad stuff than the good and staying true to your values and instincts will ultimately keep you on the right path!
Mitra Jozenazemian - Senior Security Engineer, Security Incident Response Team
Joined GitLab July 2020 / Connect with Mitra on LinkedIn
What excites you about working in security? I love challenges and being challenged. We all know there is no network that is 100% secure and it is a matter of time, money and effort for an attacker to be able to gain access to almost any network. So, the challenges in security are ever-present. As a security engineer, you constantly need to think about how to prevent attackers from being able to access your network and if they are able to get in; how you can detect and stop them, as quickly as possible.
What do you wish you had known at the start of your career that you know now? Really, I wish I knew all the things I know today back then. Wait…is that not possible?
Ok, if I have to choose just one thing I would say: I wish, at any given time in my career, that I would have all the answers to how the security team should best collaborate with colleagues in other teams so that they feel security is there to enable and protect their work, not stop them from doing their job.
Rupal Shah - Security Compliance Engineer
Joined GitLab October 2020 / Connect with Rupal on LinkedIn
What excites you about working in security? Security is ever-changing and impacts everyone! Changes in one area of the business can quickly impact another area and so, everyone must work together to maintain security. This allows me to constantly be learning about other parts of the business that I might not regularly get to be involved with. Things can change at the blink of an eye, but I always feel challenged to keep learning and never have the feeling of being bored.
Was there ever a role you applied for and landed, but weren't 100% qualified to do? I feel that way about every role I have ever had. Including this one..haha. However, I think that’s a good thing, otherwise I’d get bored, be unmotivated and leave too soon! In a previous role, I had no background in security, but my manager saw something special in me, took a chance on me and that changed my world. I’m so happy that opportunity came into my life. I think the most important thing is to feel confident in yourself, knowing others already feel that way about you and see something special in you. As long as you keep a positive, can-do attitude, you can achieve anything you set your mind to. Just remember, you have to start somewhere and what better time than now! Anytime I feel unsure, I remember how far along I have come and know how much more I have to learn and keep a positive attitude.
Heather Simpson - Senior External Communications Analyst
Joined GitLab February 2019 / Connect with Heather on LinkedIn and Twitter
What excites you about working in security or tech? The nature of the beast that is tech, is that it's ever-changing and evolving. Meaning you’ve got to continually learn new tools, sharpen your skills and freshen your approach to problems. As a marketing communications professional in the industry this means I need to continue throwing myself into new concepts and tools and pushing myself out of my comfort zone. This has meant that I’ve gotten comfortable with “trying things to see if they’ll work” and holding my breath as I type commands into my terminal 🤣; knowing that my Google skills are just as good as the next person’s.🤷♀️ Thankfully, being a “connector of dots”, as many in marketing are, means I work across the organization and know who will graciously help me dig myself out of a “command gone wrong”. Working in Tech means I’ll never know all the things (and won’t ever get close) so I’ll always have challenges to overcome and new things to learn; and that’s what keeps me going.
Was there ever a role you applied for and landed, but weren't 100% qualified to do? Yes, almost all of them. This one included. When I’d applied to GitLab I’d worked in tech for over 10 years, but had almost no experience in devops, and little experience in security (I spent 2 years as a portfolio marketing manager for a large enterprise tech integrator). However, I’m really motivated by new challenges, LOVE building new programs and have a can-do attitude. I think these are common traits of many team members here at GitLab and my hiring manager at the time saw this in me.
Early in my career, I moved into a new job and only stayed there for 2 months. I knew within the first week I’d be bored out of my mind because I wasn’t challenged. I’m not proud of having taken a job only to stay for a few months, but this goes to show that, it's better to have a role where you have to “grow into it” than one where you’ve already been there, done that. For me, the recipe for success in almost any role or project is a combination of “believe (in you/your skills/your expertise) and achieve”, mixed with heaps of research, planning and doing. Believe that you’ve got the “stuff” to get the job done, figure out the best way to do it and then knock it out of the park! 🚀
Interested in a career in security or tech? We're hiring!
You can check out the career opportunities page. Don't meet 100% of the qualifications for one of the roles listed there? Still share your information with us! We're hiring within our Security department (and beyond) and looking for unique backgrounds and expertise. You can also learn more about GitLab’s culture and values in order to get an understanding of what it might be like to work here!
Cover image by #WOCinTech Chat.
“8 security team members at @GitLab talk about what they've learned in their Tech careers and what advice they’d offer to someone considering a career in #security. #careerdevelopment #WomeninTech” – Heather Simpson
Click to tweet