Interview of the Week - Mari Galloway
During Cybersecurity Awareness Month, Security in Color plans to highlight different women in the field of Cybersecurity / Information Security, in an effort to give voice to an underrepresented yet talented and diverse group.
Mari Galloway is the CEO and a founding board member for the Women's Society of Cyberjutsu. With over 9 years in Information Technology, 8 of which are in cybersecurity, her experience spans network design, risk assessments, vulnerability assessments, incident response and policy development across government and commercial industries. She currently works as a Sr. Security Architect for a large casino in Las Vegas.
I connected with Mari Galloway and Lisa Jiggetts, founder of the Women's Society of Cyberjutsu, on LinkedIn during my quest to connect with inspiring women in the field of Cybersecurity. Their mission, to advance women in their cybersecurity careers, is one that is dear to my heart and the foundation of this blog, so getting a chance to speak with Mari was a no-brainer for me. I am happy to have had this chance to share her story with you:
Can you give us a quick scan of your resume to introduce yourself?
My resume spans many different sectors. Before getting into Cyber and IT, I worked as an Assistant Manager at a clothing store, worked at Cingular Wireless (now AT&T), and did Armed Security for the State Department. I eventually landed my first role as a Network Engineer for Accenture. This is where my love for hacking and infosec was sparked. After seeing a teacher (Joe McCray) pull up a router config on the internet in plaintext, I was hooked. I spent the majority of my career working as a government contractor doing Network Traffic Analysis, Detection, requirements gathering for cyber projects, certification and accreditation, testing, developing training and audit products and more. 3 years ago I transitioned to the private sector to do Vulnerability Management and Pentesting before finally settling into a Sr. Security Architect role for a large casino in Las Vegas.
How did you get started in the field of Cybersecurity?
I actually got started in Information Assurance. I was responsible for securing the Army's top secret network and had to learn all about DISA STIGs. I learned SO much about network security and routers and switches it was nuts. I lived and breathed that stuff. On top of that, I was responsible for developing the testing guide that the auditors would use to certify the equipment. This role opened up a world of security for me.
You are the CEO and founding member of the Women’s Society of Cyberjutsu - what need did you recognize that started the organization and how did you plan to tackle it?
I met Lisa Jiggetts, Founder, President and original CEO, through a study group for CISSP in March 2013. I had failed the first time by 4 points so it was a much-needed group to pass the 2nd time. She created the organization as a way to get women together that wanted to learn to hack and wanted to get the hands-on experience. WSC came out of a lack of options to feel comfortable in learning and asking questions. There were plenty of groups out there but they lacked diversity and for Lisa, she wanted more. In summer 2013, Lisa asked me to be on her board. I didn't really know what that meant but I did it because I saw the potential in what she was trying to accomplish. I saw the need for a community for women to network, engage, ask questions, and make a real difference in the industry. In the beginning, things were crazy. We are technical people trying to run a non-profit. From the outside, everything worked according to plan. Behind the scenes, we were just learning what it meant to have an organization, what it meant to run the organization, and what it looked like to drive the organization forward. There were tons of grand ideas, including Cyberjutsu Girls Academy. Some stuck, others didn't, but through each idea the goal was to empower women to network and lead in cybersecurity and that part starts with us.
There is an influx of incoming potential security professionals via non-traditional methods (boot camps) but not many opportunities for them to gain the real-world experience necessary to advance. Any advice on how they can navigate this hurdle?
Until hiring practices change, this will always be a hurdle. This is where creativity comes into play. There are so many ways to get hands-on experience that can translate to words on a resume and potentially in the door. Building a home lab to research and understand vulnerabilities and network traffic works. Tinkering with tools of the trade that companies are using such as Wireshark or SIEMs. Working on Open Source Projects that are available. Participate in cyber competitions. A lot are free, some are attached to a company. Take the initiative. Volunteer. Churches, schools, small businesses all need assistance in some way. Find out what they need and reach out. There may also be people there that can help you along your journey.
Look for local groups hosting events where you can practice skills. Women's Society of Cyberjutsu offers various types of hands-on activities to get women prepped for a role in cyber. Find a mentor or someone you can trust to help you navigate the industry. This last one can be a little more difficult if you aren't comfortable reaching out for advice. So attending local networking events can help ease that.
As a Senior Architect, what advice do you have for mid-career professionals that can help them be successful in securing a senior role?
What's your roadmap? Have you ever thought about it? This applies to all levels - entry, mid, senior. Once you figure out 1 or 2 paths to where you want to be, it makes it easier to go after roles that you will enjoy as well as help you progress. I wasn't really looking to be an Architect. It's a little less technical hands-on and more about strategy. Don't get me wrong, you should have a technical background if you want to be in this role, but you aren't necessarily going to be installing routers and switches or writing code to automate something. But because I work for a company and team that is actually interested in career advancement, my boss and my boss's boss thought it would be a great way for me to get an understanding of the strategy side as an Architect. (I had expressed interest to them both about being a CISO somewhere.)
Security in Color’s mission is to increase the visibility of diversity in Cybersecurity and do away with the traditional norms of being seen as a boring field. What steps do you think are necessary to not only increase but retain the diverse talent we have in Cybersecurity?
The industry as a whole has to become more inclusive. We have to celebrate minorities doing great things, like Security in Color is trying to do. There are 11 - 20% women in cyber and even fewer are minority women. It is our job to share our accomplishments and reach back into the communities that need to see us. We can't expect little brown children to go into cyber if they don't see brown adults in it or don't even know about it. The industry also needs to be more flexible in the workspace. Don't just say we have diverse hiring and the diverse candidates are brought on and completely alienated or left out of the conversations. Diversity isn't just a catchphrase. You actually have to implement it throughout ALL the processes. This could mean allowing telework days for moms with small children, onsite daycare options, flexibility to leave early to handle the family business, paternal leave for new dads (they need love too). Offer training programs to help new employees. Establish an advancement program. Some people don't want to stay in the role they are in, they also want to advance and continue to be challenged. Invest in your workforce and they will invest in you!
Want to be featured on our site, or know of someone who deserves to be heard? Submit your interview nominations at SecinColor@gmail.com