Being An Infosec Latecomer, Part 1: Education
A few things prompted me to finish this post, which has been in draft form for months: 1) My presentation “Hacking Our Way Into Hacking”, about infosec latecomers, was accepted to CypherCon in Milwaukee (I originally presented it in BSidesLV’s Underground track); 2) Infoperspectives published an excellent, very comprehensive post on the state of women in infosec, which ended with an inspiring quote from Cheryl Biswas about mid-career women coming to infosec; and 3) I keep going to conferences and coming back with ideas, and I think I finally reached a critical mass of half-baked blog post drafts after GHC -- it was time to dust off the dormant blog.
An important part of getting new people into security is showing that there are many different paths to get here. Public perceptions have the power to bring people in or drive them away, regardless of the underlying reality. And as someone who didn’t start out in security or even in tech at all, I spent a long time fearing that I’d missed my chance to work in a technical job, thanks to the narrative that all good hackers started as kids. (It wasn’t entirely inside my own head -- various folks suggested that I should be an office manager or technical writer instead.) It is telling that just searching “too late” on the learnprogramming subreddit yields so many results. We need to change the narrative: there is no “too late”, and our pre-infosec pursuits were not wasted time. I want to elaborate on how I bring knowledge from my “past life” to infosec. I’m working on additional posts about my past employment. This one focuses on my undergraduate education.
(Side note: This is not about the value of formal education vs. other educational methods. There is plenty of good discussion on that topic, and it’s certainly a discussion worth having -- it’s just not germane to this particular post.)
While my BSidesLV iteration of “Hacking Our Way into Hacking” wasn’t recorded, I’ll share part of my introduction from that talk, where I describe my undergrad experience:
“I really started to tap into my passion for trying to solve fascinating and challenging problems, deconstructing things to see why they did what they did, taking time outside of class to self-teach, questioning authority, staying up late banging my head against my laptop. Pretty typical hacker story, right?
“Wrong. I majored in gender and women’s studies.”
At first glance, the jump from gender and women’s studies to security seems like a non sequitur. However, I love finding connections in unexpected places, and while I certainly didn’t declare my major thinking “when I grow up, I want to work in infosec!”, I owe a great deal of my security brain to my gender studies education. After all, deconstruction knows many forms. Here are a few common threads that I’ve brought with me from gender studies to my security education (and, if all goes well, my eventual security career).
Critical thinking: Asking questions and being willing to seek out information carried more value than knowing all the answers (a welcome change from high school!). This definitely mirrors security -- any degree of troubleshooting or researching requires being comfortable with open-endedness and willingness to be wrong. But more specifically, gender studies taught me how to think critically about systems and power structures. Understanding the players, their dependencies, and what they could gain or lose featured prominently in gender studies, and it features prominently even in my introductory-level security classes. Analysis of power structures seems particularly important for those going into security policy, compliance, or any kind of project management.
Breadth: One of the things that attracts me to security also attracted me to gender studies: the interdisciplinary nature. I like learning about many different things -- it gives me a fuller picture of the world around me. Gender studies, more than a discipline unto itself, is a lens through which to study anything from psychology to history. Similarly, security exists in every level of computing (networks, systems, applications, etc.), and even beyond the bounds of hardware and software (social engineering, anyone?). It’s important to understand the pieces of the puzzle and how they fit together, even if not all of the pieces are our particular domain. Which brings me to...
Empathy: Gender studies programs were developed to bring in perspectives that were missing from college curricula. My own program exposed me to viewpoints that I might not have otherwise come across; it also gave me the chance to discuss them with other students, further broadening our understanding. It wasn’t always easy. There were times throughout my gender studies coursework when I was genuinely uncomfortable because I had to confront my own privilege, and other times when I was uncomfortable simply because I had to question what I had always known to be true. Empathy breaks us out of taking things for granted, and when we move beyond a singular perspective, we become better problem-solvers. Security needs empathy. Since the systems being secured are used by so many different kinds of people, it’s vital for those designing, testing, and maintaining those systems to be able to recognize the validity of other worldviews.
I’m just one person, but I’m hardly the only person in infosec with a non-STEM degree. (I’m not even the only person in my netsec cohort at school with a non-STEM degree.) We’re everywhere. We all apply aspects of our past education to our security practice in different ways, and having a variety of foundations upon which we build our technical skills is absolutely a good thing.
If technologies are a reflection of the societies in which they’re developed and implemented, then there is merit to studying societal patterns. If our machines are only as secure as the people who use, build, break, and fix them, then there is merit in studying people. If technology is integrated into every facet of our lives, then there is merit in studying many different facets -- philosophy, music, literature, art history, sociology, and yes, gender studies.
Or put another way: until the robot overlords come and humans leave the equation, all majors have a place here.