Female role models and mentors have long been recognized as vital in encouraging more women to pursue careers in the cybersecurity sector. Ning Wang, CEO at Offensive Security, is one such woman who has taken it upon herself to fulfil this function. In addition to her day-to-day role as an executive, Wang is using her profile to help make the industry a more diverse place, in particular by providing inspiration and advice to help other women reach leadership roles. Infosecurity recently caught up with her ahead of this year’s International Women’s Day to discuss advice and practical measures that can help more women enter and achieve high profile positions in the industry.
What are the biggest challenges you have personally faced as a woman building your career in the cybersecurity industry?
At each step of my career, I’ve always been one of the few women in male-dominated fields. While I’ve always been more focused on surviving and thriving in my role, having few relatable role models made the journey more difficult. I always believed in myself; I learned to be tough, not letting others define who I am and what I can do, and I sought out the few role models there were and was fortunate to have found some good and supportive mentors. I got to where I am today through having confidence in myself, years of hard work, perseverance and with the support of my mentors and a few women role models.
When I first entered the cybersecurity world over five years ago, I had experience as a business executive building companies and products. However, I didn’t know much about the industry. Similar to how I learn about any new industry, I read a lot of industry reports, I went to conferences, I went out of my way to meet ethical hackers, to learn what they do, how they work, what’s important to them, what skills they are developing, and the cybersecurity problems they want to solve. I spoke with customers and other domain experts. I took every chance to learn specific things such as what a SQL injection is, to understanding the bigger picture of what we are trying to solve in cybersecurity at large. I was not afraid to admit when I did not know something, and I would ask questions. Through this process, I became more comfortable being an executive in a cybersecurity company. I continue to learn today in my role as Offensive Security (OffSec) CEO. It’s important we continue to learn, think critically and ask good questions.
I believe that if we can introduce and celebrate more relatable role models, if more leaders can practice being vulnerable, sharing their trying career journeys, especially the failures and the obstacles they have experienced, we can make cybersecurity a field that appeals more to women, and other people who aspire to enter and make a career in the industry, but may not think they have what it takes to succeed. If we can make cybersecurity appeal to more people, it will be one of the few realistic solutions to the skills gap problem – drawing from new talent pools, women, minorities and people with other backgrounds. As such, I’m working to break the boundaries in this industry, so that people can see that anyone is capable of starting a career in cybersecurity, thereby growing and advancing the space.
In your experience, how important is mentoring in helping women to rise to leadership positions in cybersecurity?
As cybersecurity is such a male-dominated field, virtually everything to do with it is seen through a male lens. Success as defined by men, leadership as defined by men, etc. The female role models out there have worked hard to carve out their own space, but there is still an unconscious groundswell to create only what men would define as a role model.
It is thus critical for the women out there to find mentors who can relate to the challenges that they actually experience, not just the challenges men think exist. While I’ve had the opportunity to work with and learn from some of the premier voices in the technology industry, and this was very valuable, it was also hard for me to find mentors who could specifically relate to the challenges I faced as a woman in a male-dominated field, a working mom, a dual-career marriage, someone who grew up in another culture and country, etc.
The good news is this has given me a unique perspective and ability to relate to my employees, which has had a very positive impact on the OffSec company culture. For example, as I was rising through the ranks of the technology industry, I always fiercely defended my personal time and refused to ever compromise on the issues that I thought would impact my ability to be a good working mother. I requested a minimum of four weeks of vacation in most of my jobs because I wanted to make sure I could have a good summer vacation with my kids. I have skipped board meetings or other important business trips because of my kids’ special events. I share my journey and my struggles with my team. I’ve encouraged my female employees to do the same – take the time you need, define and set your own boundaries that allow you to strike the right balance, accept the trade-offs and don’t apologize.
Furthermore, it is critical that our mentors be authentic – be vulnerable with your mentees and open about the challenges you struggle with. This creates an atmosphere of trust and makes it easier for other women to discuss their struggles. I have shared my struggles as a mom with a newborn, how to learn to be a mom and to complete a project which required me to be away for a week while I was breastfeeding. Sharing these tangible struggles with young mothers helps them feel okay with their journey. If we clearly communicate the challenges that exist, and get everything out in the open, we can do a better job as an industry of addressing said challenges and making cybersecurity more inclusive.
What remain the biggest barriers to women in the sector, particularly in taking leadership positions?
In a way, one could call the lack of women in cybersecurity a self-fulfilling prophecy – one of the things that discourages more women from getting into the sector is the lack of women in the sector. What is more, many women simply assume that they cannot rise to leadership roles because so few other women have.
There isn’t a silver bullet solution here, but one way we can address this is by celebrating the success stories that we have. Where cybersecurity is missing the mark today is by overlooking anyone who doesn’t fit the mold, and this has a two-pronged effect – it causes us to overlook qualified candidates, and it discourages otherwise great candidates from applying for cybersecurity roles. However, if we amplify and celebrate the success stories that we have, that will alter the narrative and people will hopefully stop seeing cybersecurity careers as only available to certain people.
Women need to know that success in cybersecurity can happen for them. They can do it regardless of their background. They can do it and have a great family life too. They can do it their way. It seems hard to believe now, but with a different communication strategy and a different way to amplify successful women in cybersecurity as role models, we can change the narrative around cybersecurity and make the industry attractive to a different set of applicants.
What are the most effective policies/approaches organizations can put in place to provide women with greater opportunities to develop in this industry?
We need to be very intentional about identifying, attracting and nurturing diverse candidates into security. This is a big picture issue, we need to change how we recruit, promote and most importantly, how we lead. We need to be more inclusive, not only by getting more women into cybersecurity, but also by accepting a diversified way of thinking, problem solving and communicating so more diversified people and styles can succeed in cybersecurity.
We are in the midst of a massive cybersecurity talent crisis, yet organizations are still placing more emphasis on technical experience than on mindset. Even though everyone knows there aren’t nearly enough qualified professionals out there to fill all those empty security seats, organizations are still only looking for recruits who ‘fit the mold’ and are turning away anyone who doesn’t have all the experiences. Having the right mindset is far more indicative of success in security than any amount of technical experience. If we want to access new talent pools and bring new voices to the industry, we need to stop focusing primarily on experience and instead hire for mindset and the potential to succeed in the long run.
Our leaders also need to do more to create inclusive, open company cultures. Many of the issues that women face in the workplace today exist simply because other people don’t realize that they’re there. However, if leadership embraces the concept of leading with vulnerability and proactively share their own struggles, employees will begin feeling more comfortable sharing theirs. Once we establish transparent cultures, we can more easily address the issues that hold women back today.
How can more school/college-aged girls be inspired to pursue a career in cyber?
In my first year as CEO, I was approached by a 16-year-old high school student who expressed interest in taking OffSec’s OSCP certification course. Since he wasn’t of legal age, we had to learn more about him, and after we learned how interested and serious he was about starting a career in information security, we waived the age-requirement. He then went on to obtain the OSCP and OSWE certifications while still in high school. I do believe more school/college-aged individuals are becoming more interested in the tech field – and organizations like OffSec can help get them there.
This goes back to the need for more people – especially women – to share their experiences. The younger generation is incredibly smart, they are growing up with so much technology at their fingertips. By providing them with examples of female leaders in the space, who share their success stories, I believe we can continue drawing female prospects to the tech field and help them succeed and climb the ranks. I have intentionally reached out to women OSCP holders, to learn their stories and amplify them to share with the world, with the goal to inspire other young women to consider cyber as a possible career choice. Several of these stories have led to a blog on OffSec’s website.
Finally, what advice do you have for women just starting their career in the cybersecurity industry?
Be yourself, pursue your dreams, and work hard – don’t let anyone stop you. Try Harder, as we say at OffSec!