BREAKING INTO CYBERSECURITY WITH NANCY HUNTER

Kip Boyle:
Hi, welcome to Your Cyber Path. I’m Kip Boyle, and I’m here with Jason Dion. Hi, Jason.

Jason Dion:
Hey, Kip. How’s it going?

Kip Boyle:
I’m doing really well today. In fact, in my head, what I’m thinking about right now is how cool it is that you and I now have a course up on Udemy. It’s called Implementing the NIST Cybersecurity Framework. It’s been up there for about a month, and I keep getting these emails from them, telling us what our student count is. And the last one I saw yesterday, it says something like, 1,100 students. And it’s only been up there for what? A month? Something like that?

Jason Dion:
Oh, yeah. Yeah. It’s been going fast. People are really loving the course. The reviews are great on it. And what I like about the course is it’s really different than a lot of the other courses I do, and a lot of the other courses I do, it’s very tied to a certification and it’s very theory-based of, “Hey, here’s what the CIA triad is,” and things like that. But when you and I partnered up on this, in this course, we wanted to make sure it was very practical and hands on, and it’s almost kind of the guide of running your business, right? It’s how you do these NIST cybersecurity assessments on organizations every day, and we walk people right through that. And I really like how that turned out. It becomes very practical and very usable in the real world.

Kip Boyle:
Yeah. Yeah. Especially how do you find your top risks, and then what do you do to mitigate them, and then what’s your priority scheme, right? Because you’ve got limited budget, unlimited risks, how do you reconcile that? And we tackle all that in the course. Anyway, I just… Sorry, I couldn’t help it. It’s front of mind for me right now. I’m so excited. I just had to talk about it.

But listen, our guest today is Nancy Hunter, and she’s an experienced hiring manager. She agreed to be on the show to help the folks in our audience. Again, just what’s our theme here? Our theme is you really need to understand what’s in the mind of the hiring manager, how do they see candidates, and the better you can do at getting into that headspace, I think the more irresistible you will be as a candidate, right? So Nancy’s here.

Let me tell you about Nancy. So she is a vice president. She’s the chief information security officer and the data privacy officer at, wait for it, the Federal Reserve Bank of Philadelphia. Wow. Hi, Nancy. Thanks for being here. How are you?

Nancy Hunter:
Hi, Kip. Hi, Jason. Thank you so much for having me. Before I begin any presentations or talks, I need to say, yes, I work for the Federal Reserve, but everything I say today are my thoughts, my ideas. They are not reflected upon by my employer or the Federal Reserve System, or anything like that. So happy to be here, and thank you for the opportunity.

Kip Boyle:
Well, that’s fantastic, Nancy. I appreciate the caveat. And people who have listened to other episodes that we’ve done know that you pretty much said the same thing Jason says all the time. You’re in good company.

Nancy Hunter:
That’s great. That’s great. [crosstalk]

Kip Boyle:
Because I don’t think you’re out of your other position yet. Are you, Jason? You’re close, aren’t you?

Jason Dion:
Friday. Friday. Yeah. Retirement’s Friday. So it’s exciting. It’s coming up, by the time people listen to this.

Nancy Hunter:
Retirement. Oh my, that’s wonderful.

Kip Boyle:
Congratulations. That’s wonderful. Yeah. Well, and so then once you’re retired, maybe in hindsight with a little bit of self-editing, maybe we can talk a little bit more about some of the things you’ve done in the past.

So anyway, well, listen, everybody, Nancy has so much great information to share with us. Let’s get right into it. The first thing that I want to know, Nancy, and a lot of people will probably ask you this, because they ask me and Jason, how did you get into cybersecurity? I mean, well, I’d tell you, when I was a little boy, I was not running around telling everybody that I was going to be a cybersecurity person when I grew up. What happened? How did it happen for you?

Nancy Hunter:
I fell into cyber. So I have a math degree, and I was already geeky. So I was in technology. I was an application development manager in the middleware space. And somebody said to me, “I’d like to build a third-party risk program. Would you want to lead that group?” Knew nothing about it. Actually, the job title was OSP manager, and I didn’t know what OSP meant. It meant outside service provider. I had to look it up before I interviewed.

So it gave me an opportunity for a very large bank to build their third-party risk program for a credit card division, and it just did really well. I was invited to become the governance lead for the whole bank, and it took me into cybersecurity. And I’ve never looked back, but it came from me saying yes to an opportunity that I didn’t know anything about, but was willing to try.

Kip Boyle:
Boy, that’s a common story, right? That’s kind of my story. Conceptually, I was just doing a technology job, but I was doing it in a classified computing context. And so I kind of, I backed into it, right? And I kind of liked it. And so I volunteered to do more, and that was easy because everybody else was like, “Computer security, blah. This stuff stinks. You want to do it? Here. Do it all.” Right? So just, I think being open to opportunities, right?

Nancy Hunter:
Exactly. Being open to opportunities and being open to learning, because I didn’t know anything about this area. And going into it from the third-party perspective, it meant that I got to look at all of the controls related to cybersecurity because when you outsource a service, you do not outsource the risk.

So I was very fortunate that I got thrown into the pool and said, go swim. And I swam as fast as I could, and I learned from everybody I could possibly learn from. I remember a guy sitting with me teaching me about encryption. I had no idea, but the people who were kind enough to give me their time and their energy, and I was soaking it in and trying to learn everything I could.

Kip Boyle:
And you had a math background, so that was helpful.

Nancy Hunter:
Yeah. Math and chemistry, and I started out as an actuarial student, and I still think learning how to solve problems is what’s been helpful throughout my entire career. I’m still solving problems. They’re not specifically math problems, but I’m still solving problems.

Jason Dion:
I want to point something out that Nancy just said. She said, “You can outsource the service, but you can’t outsource the risk or the responsibility.” Nowhere is that more true than cloud computing. Everyone, these days, wants to move to the cloud. They think it’s going to solve all their problems. And really, all you’re doing is moving your servers to somebody else’s servers, right? You’re still responsible for the data. You’re still responsible for the governance of it and the oversight of it. They may do all the technical back end, but you’re still got the responsibility for that.

And I see a lot of CIOs who miss that key distinction, and I just think it’s important for our audience to remember that because when you’re in an interview and somebody talks about you’re outsourcing a service or you’re outsourcing to the cloud, you still own that. You still have the responsibility for that.

And so it’s one of those things that in a lot of organizations, while the tech roles may be getting outsourced to these third-party providers and cloud providers where a lot of those roles are happening, the actual governance and the GRC part is still staying with the organization because it has to. So as you’re thinking about which jobs you want, GRC is one of those job. It’s really hard to outsource. In fact, I don’t think you really can outsource it because you still have to own that responsibility.

Nancy Hunter:
Great point. Exactly right. You own it. Accept it, and take it from there.

Kip Boyle:
Yeah. There’s a little saying that I like about cloud computing, and it’s this. “The cloud is just somebody else’s computer.”

Jason Dion:
Yep.

Nancy Hunter:
Exactly.

Kip Boyle:
It sounds magical, but it’s not.

Nancy Hunter:
Right.

Jason Dion:
And I personally love the cloud. My company, everything we do, we run on the cloud. We try to do everything… We’re cloud-first. We’re actually serverless-first as well. We try to do everything without servers, right, which means we’ve then taken that layer of extraction even further and let Amazon deal with all the underlying servers for us. We don’t have to worry about it. But we still own the responsibility to make sure our stuff is secure and those services from end-to-end are secure.

Kip Boyle:
So if you’re listening to this episode and you’re thinking, “I need to build a home lab,” right, because everybody says you need to build a home lab so you can practice on this stuff, don’t do it in a garage. Don’t do it in your basement. Do it in the cloud. That’s the best place for people to build a home lab these days. It’s just, that’s the future. The future is here. So I think that’s a way you can… If you don’t know what cloud is yet, that’s a great way to get in there and figure it out.

Hey Nancy, when we were doing show prep, we were talking about different things that were important to you, that you wanted to make sure that you shared with our audience, and the one thing that you talked about was how important it is to promote from within and to hire true entry-level folks. And the last time we had a guest on it was Naomi Buckwalter, and she talked a lot about gatekeeping and how employers are just doing too much of that these days. So what are your thoughts?

Nancy Hunter:
I know Naomi, and we are kindred spirits in wanting to make sure that there’s a space for people to enter cybersecurity. I believe that there are some transferable skills and some personality traits that just make you a great cybersecurity employee. One is that you’re hungry, that you want to learn. And so that ability, I can’t teach that. I can’t pay for that.

I don’t necessarily look for this whole group of, “I’ve been doing this, that,” specifically with cybersecurity. I’ll give you an example. I just hired a librarian. Great skill set, and she wants to learn. And in that really brief period, she’s only been with me a couple of months, she’s already gotten a whole bunch of certifications and done some self-learning. I can’t teach you that.

So yes, I encourage people to hire entry-level and make it truly entry-level, not five years worth of experience, but be open to other backgrounds. And you will find that those people, one, are loyal because they’re so happy to get into the field, that they are learners, that they want to learn. You can give them almost any task and they’ll take it to the next level because they’re trying to learn and they don’t know where that boundary is. It’s not, “Oh, that’s not my job.” They don’t know what their job is. They’re just trying to do the best they can. And to do that, you can promote from within.

So whenever I lose somebody in my organization, and this was certainly radical when I first started, whenever I lose somebody in my organization, I demote the position to an entry-level position and then try to move somebody up to take on the role that the other person had had, opens up a door for somebody new and opens up a door for somebody who’s already been with you by standing the scope of their role. So it’s a win-win on both fronts.

I know it’s not always possible to do with startup companies because they need expertise when they first come in, but for many, many other organizations, there are opportunities out there for entry-level positions to just try it. And you might not have a hundred percent of the qualifications, but if you have most of the qualifications, there aren’t unicorns out there with a hundred percent of the qualifications for what most people can afford to pay for. So apply, just apply for the job, do it. Interviewing is a skill. So if you get that interview, you’re building on a skill. Just apply. And so managers, give people a chance. Bring in those fresh, bring in that fresh blood.

Kip Boyle:
We talk about this very item in the hiring handbook, the Cybersecurity Hiring Manager’s Handbook, which is an open source project. You can find it on GitHub. And in there, this is one of the themes, and Naomi Buckwalter is actually contributing an entire section to the handbook that focuses on this very topic. And so while, today, we don’t see as much of this as, I think, we need between yourself and Naomi and me and Jason and other people continuing to advocate for this, I think hopefully we’re going to see more of this.

But these days, I think if you want to get a truly entry-level job, Jason and I have been telling people that if it’s possible, the military or Federal Service is a great place because they will take you off the street, if you have the aptitude and a couple of other qualifications, right, Jason?

Jason Dion:
Yeah, exactly. I know on the military side especially, if you’re going to go either active duty or reserves, they don’t expect you to have any background in cyber whatsoever. Even if you’re going to go be a fighter jet pilot for the Navy or the Air Force, right, you don’t already have to have a pilot’s license to get picked up and do that. Instead, they hire you based on your aptitude for that. They train you. They put you in the cockpit. They teach you all that over a two- or three-year period, and then you become a fighter pilot.

Well, the same thing happens in cybersecurity. When I worked with the DoD, the way they do it is they pick up people who have the aptitude. They put them through about an 18- to 24-month schooling program, all that while they are on active duty and they’re getting paid for that job. And when they come out of that, they have all their certifications. They know how to program in Python. They know how to do instant response. They know how to do penetration testing. And then they work for the government for four years as a payback, as a military member. And then they can decide to stay in for 20 years and retire, or they can get out and go civilian, or go into the commercial sector. And it’s a great way to get experience if you’re young enough and fit enough to pass the entrance exams and you have a good fit based on your skill set and your aptitude for that.

Kip Boyle:
Yeah. I mean, that’s really what happened to me, right, is I got in the military and I didn’t stay for a full retirement. I left after about six years and then went into the private sector. What were you going to say, Nancy?

Nancy Hunter:
I was to say that I have heard our FBI recruiter in my region, [Serena Coghlan], speak to this as well, that you don’t have to have every one of this tick-off-the-box for the specific roles that such a small percentage of the people going into the FBI are actually agents. But apply for those jobs. They have openings. They don’t leave them open very long, so you have to be vigilant about looking, but they are willing to train you, and you can get exposure and really work on some interesting things by applying for those types of jobs.

Kip Boyle:
Yeah. And you can meet some really amazing people. The reason why I got the job that I did coming out of the military, I left and I went to work for Stanford Research. Now, the reason why I was able to make that leap is because while I was working on the F-22 Raptor as their director of wide area network security is we were doing a whole bunch of network penetration testings and vulnerability assessments and the stuff that we normally did, and we actually ended up hiring different experts from all kinds of different organizations. Many of them worked for defense contractors, and I encountered some people who worked for Stanford Research. And so I got to know them.

 And so when the time came for me to depart, they were one of the people that I called up and I said, “Hey, do you think that there’d be room for me on your team? I really enjoyed working with you, folks.” And so that’s how I made the leap, and it was a wonderful, wonderful experiences, one of the best jobs I’ve ever had.

But that brings up another point, which is this idea of considering nonprofit companies and companies with lower profiles, as you are somebody who wants to get into cybersecurity or grow your career. And I know, Nancy, when we talked about this, this was a big deal for you. Why don’t you say some more about that?

Nancy Hunter:
Absolutely. I always chose to work for these companies that were these very big, well-known organizations, and I, one day, decided that I wanted to look past that. And I started to look at companies that were based upon a mission and that mission not related to making money for shareholders, but truly just trying to do the right thing for the right reasons.

I thought I’d have to take a significant cut, and I thought all sorts of things, which really just ended up not happening. I had this very small list of companies that I started to apply for. And as I interviewed, I realized, I love this. I love this. I love this. I want to work here. And I actually went home and talked to my husband about a cut that I could take in my salary, and it didn’t happen. I ended up not having to take a cut. And I just got to work on interesting things. So it opened up a whole new level and a whole new group of opportunities to apply for. I encourage people to stop not only think about the big companies, like the Googles or the Salesforces or the JP Morgans, but think about the little companies or the little things like the Federal Reserve Bank, which is a fabulous place to work, or the DoD or [inaudible]-

Kip Boyle:
I love how you call the Fed system a little place. That’s so cute. It is the opposite of a little place. There’s 12 regional banks in the country, and it is a massive system, but you’re on the inside, and I know. I know things look different when you’re on the inside.

Nancy Hunter:
And what I will say coming from… I worked for JP Morgan, which was gigantic, before I worked for the Fed, and each one of the little Federal Reserve Banks is their own little bank. We really partner very well together. We have a whole system IT function, but it feels like I’m coming into this very small bank of about a thousand people when I go to work in Philadelphia and everybody knows everybody, and [crosstalk]-

Kip Boyle:
And people take care of each other. I remember you told me what a stark contrast there was culturally, coming from a big commercial bank to the Fed, and how stunned you were, but in a good way. Right?

Nancy Hunter:
Exactly. And I tell this story that my first week, we were looking at eliminating a position, which doesn’t happen very often in my bank. And I sat with HR that first week in this meeting where they just talked about the person and how they could bridge that person to retirement, and what were the things the person would be interested in. And I said, “Is this something that you do for this person?” And they’re like, “For everybody. We really try to kind of look at the individual on our human resource decisions.” And I was just stunned that, where am I? Is this an alternate universe? But it [crosstalk].

Kip Boyle:
Because where you came from, right, it would’ve been, “Here’s a severance package. Best of luck to you. We love you, but it’s time for you to go.”

Nancy Hunter:
And a great severance package, but this really approaches us very differently. And we actually took and trained that person into another role and all sorts of other great things that happened. I can’t say it can happen across the board for every role, but they really do try to look at the individual because they are small. It’s a thousand people that you’re trying to manage versus a hundred thousand people that you’re trying to.

Kip Boyle:
Right, right, right, right. And so they have the bandwidth to be able to do that. Jason and I run small companies, right? I’m a small business owner. Jason’s a small business owner, and I love making opportunities for people. And so, yeah, I think it’s a great idea to encourage our audience to look at nonprofits, or just, there’s a lot of B2B companies that, as a consumer, you just never hear about. So go on LinkedIn jobs, go other places. Jason, what’s your take on this idea of nonprofit companies or overlooked companies in the job search?

Jason Dion:
Yeah. I think especially the small and medium-sized businesses are ones that you might want to target, especially as somebody trying to get somebody to take a chance on you at the entry-level roles. Earlier, we talked about the fact that if you’re a small startup, you need somebody who has all the exquisite skill sets to be able to do the job.

That has not been my experience in my company. We’re a small company. We’re 15 people as of this recording, and we’re continuing to grow. But for us, we hire a lot more for aptitude and knowledge and the ability for them to gain that knowledge. Right? So I may not hire somebody who has a hundred percent of the skills, like you were talking about. For me, if they have 50 or 60%, that’s good enough for us because we can train the knowledge. I mean, we’re a training company. That’s what we do. I can help you learn how to do pen test and I can help you learn how to do a cybersecurity scan and those kind of things. But I can’t teach you how to be a good person who cares and actually wants to do the work and that kind of stuff.

The other thing, I think, with smaller companies is sometimes they’re more apt to take a chance on you and allow you to move outside of your particular role. So you might get hired on as the IT person at a small, medium-sized company that has a hundred people. And you can probably go to your boss and say, “Hey, I really like the cybersecurity stuff. I noticed that we’re really not doing any Nessus scans. We probably should be doing Nessus scans once week to find out what’s vulnerable. Do you mind if I do that?” “Oh, sure. Go right ahead.” Right? If I try to do that in the DoD or the FBI, like “No. We’ve got people for that. You’re not in that role. Go away.” Right?

And so it’s a lot more strict and rigid when you go to these larger companies than in a smaller, medium-sized company. And so I think there’s a really good opportunity in small and medium-sized companies to really almost make your job and get the skill sets you want and be able to build that experience that way.

Kip Boyle:
Yeah. Jason, would you tell the story about somebody that we helped recently who had a marketing background and she was trying to cross over into cyber and she ended up getting a really, really amazing opportunity with a small company? Would you mind giving us a thumbnail sketch of what happened to her? Because I think it fits right into what you’re saying.

Jason Dion:
Yeah, definitely. Back in our January Hired course, our Hired program, we had one of our students. She came to us. She had a master’s degree in marketing. She had 10 to 15 years of experience in the marketing realm, but she really didn’t have any IT experience, but she wanted to get into cybersecurity. The closest thing she had done to IT was about 10 or 15 years ago. She worked at a cell phone store doing some tech and hands-on with cell phones. So very, very minimal background, no real background in cybersecurity.

She was able to find a small company. I think the company has less than 25 to 50 people in it. And when she interviewed to that company, they liked her so much because of her personality, her willingness to learn, her ability, that they actually kind of created a position for her. She went in to apply for an analyst-type position, a cybersecurity analyst-type position, and they said, “Well, you don’t really have the skills for that, but you have this really great marketing background and you really have this really great personality. We need somebody who can work with our B2B clients and teach them about our different offerings and teach them about cybersecurity. And at the same time, we’ll help build you into this analyst that you want to be as well,” but she ended up getting a job, doing this almost cybersecurity training, internal trainer and awareness campaign person, because they said, “Oh, we see your marketing background and we think that’s a benefit, even though you don’t have the cybersecurity background, and we’ll put those two things together and then be able to have a job that works for you.” And I believe she’s starting last week or this week, but it was a really great opportunity how they kind of created this job.

And if I went to the FBI and applied for something, they’re not going to go, “Oh, you have a great background, but we don’t have a job for you. Let’s create a job for you.” Right? But that’s what this company did because sometimes, you’re interviewing with the owner. They have that ability to make that decision. And so sometimes, these smaller companies are willing to take more of a risk on you and be able to create a position for you based on your skill set, where they see you going, how you can adapt and move up that way.

Nancy Hunter:
There’s also a million opportunities within even the larger companies where they’re looking to add additional resources free of charge, “In your free time, would you like to work on this project?”, because they need somebody volunteer. But there’s just no reason why not.

Kip Boyle:
Yeah. And also, another thing people don’t realize and at the risk of beating this subject to death, but I just want to say one more thing, I can’t tell you how many people come to us and say, “Oh I’m just a help desk technician,” or “Oh, I take care of some servers or whatever, but I really want to get into cyber.” And I’m like, “You’re already half into cybersecurity. You just don’t see it. Let me help you see it because, hey, do you ever help somebody reset their password? Do you ever create a file, share on the network and set some permissions on it or whatever? Do you ever install a patch? Guess what? That’s all cybersecurity.”

So if you’re in a position now, whatever it is, look around and ask yourself, where is the cybersecurity in the job that I already have? And just start leaning into that, I think, is another tip that we can share with you about how to move in the direction you want to move into based on where you are now.

Couple other things we wanted to talk about with you, Nancy, we really wanted to get your perspective. And let’s talk about mentors. We’ve had a lot of conversations with people about mentoring and how to get a mentor, and there’s a certain amount of confusion about, well, what exactly is a mentor and particularly about, well, how do I get a mentor? Is it a formal thing? Do I have to apply to be a mentee? Or what is it like when I get a mentor? I mean, do I get a syllabus? Are there lessons? How does it work? But what does having a mentor mean to you, Nancy?

Nancy Hunter:
All of the above. So I have had mentoring relationships that have been grassroot, just kind of you connect with somebody. You’ve talked about leading somebody to understand that the skills that they had were, in fact, cyber skills. You were mentoring that person. And so those are just very organic, and you meet somebody, and there’s a click. And they have some experience that you’ll want to get, or you have some experience that you want to share, and you work together to make that happen for somebody.

I’ve also been in formal mentoring programs and built formal mentoring programs, where you get paired with somebody based upon some commonality. And then there might be a course that you take to get the best you can get out of that mentoring relationship. And you set goals as to, this is what I’m trying to get out of this mentoring relationship, and you go move from there.

Mentors don’t have to be formal. They can be informal. They can be… I saw my mother as a mentor for me. She was a business woman who was savvy and smart and managed to balance it all. I learned from watching that. So you don’t only have to have one mentor. You can have many at different points in your life.

Somebody I mentor today let me know that they’re applying for a job. Surprisingly enough, I’m on the committee for the panel for that job. I came back and said, “I might have to recuse myself from that panel because I mentor this person,” but you build these relationships. And I was thrilled to hear that they were taking some of the advice and suggestions and really putting themselves out there to apply for something that was outside of their wheelhouse, because you know what, they might get that job, and they would be great at that job.

The mentoring program that I helped build was one of my Women in Cyber programs. Actually, one of our targets was to help people break into cybersecurity and get jobs in cybersecurity. And so we attached people that were seasoned that were hiring managers with those that were entry-level and just either in college or having graduated or just trying to learn to break in. That’s how I got my librarian, for instance, from one of those relationships. So you can absolutely have mentors in many ways. Don’t shut the door. Learn what you can, but come to an agreement with that person around what are you trying to get out of this and how can they help you.

Kip Boyle:
Yeah, Yeah.

Nancy Hunter:
As a mentee, you are accountable for setting up those times and that relationship. [crosstalk] say too, don’t think your mentor’s going to do that setup this time with you. Take ownership for it and set up time with them.

Kip Boyle:
Right. Yes. Thank you. Those are really good insights and practical examples, right, of what a mentor can do for you and what that can be like. I know some people are very shy about asking somebody to be their mentor. And so one of the things Jason and I talk about in the course that we run is that, hey, you need a mentor. However you get a mentor, you need a mentor. And one of the options is to sign up for mentoring, and that’s kind of what we do in our Hired course, right? And we talk a lot about mentoring. And really, that’s what this podcast is about, is we’re… If you’re listening to this podcast right now, hey, guess what? You’re in a mentoring relationship. It’s a one-to-many, right? Because we don’t… It’s not interactive right now, but you are getting mentored right now.

Jason, what are you thinking about mentoring? What have we not said that’s important to say?

Jason Dion:
Yeah. So a couple things. One, you’re absolutely right. This is a form of mentorship. It is a one-to-many form of mentorship. I’ve had lots of mentors over the years. Some of them are where we actually meet and have lunch once a week, and we talk about what’s going to be happening. Some of them are just people that I respect and look up to the way they run their businesses or the way they run their certifications or the way they do things. And that’s more of the… We all have these influences on our life, and some of those are a quasi-mentoring relationship.

In the case of this program, for those who are listening, if you go to yourcyberpath.com, right on the homepage, you can sign up for Kip’s mentor notes, which are an email that he sends out every other week that gives you some mentorship in this whole hiring world and how this stuff works as somebody who’s a job seeker. So definitely recommend you do that at yourcyberpath.com.

Now, the other thing I like to talk about when you do mentoring is that, as we said, you can have multiple mentors. You also need to pick the right level of mentor, right? And this comes down to where you are and where you’re trying to go. For instance, if I was a brand new person and I’m trying to break into cybersecurity, having a mentor who is somebody like Mrs. Hunter, who is a VP level, very, very senior person, who’s been in this business for 15, 20 years, is probably not the right mentor for you. Yes, she can probably open some doors and help you get your first job, but she doesn’t really necessarily understand what you’re going through on a daily basis and the struggles you’re facing because she went through those 10, 15, 20 years ago, right?

Same thing with me, I’ve been in this business for a long time. And so if you’re a brand new to a person who just got their first certification, you’re trying to break in, I’m a little more removed, at least in my personal experience. Now, I happen to be very involved in this again because Kip and I run this podcast and we work with students all the time. So I’m still very in touch with that. But in general, if you’re talking to somebody who’s at a very senior level, they don’t necessarily get it for what you’re going through right now and your struggles, because the industry changes.

I remember when I first got in the industry back in 2000, 1999, 2000, coming out of high school, nobody cared if you had a college degree. Everything was certifications, right? If you got your Microsoft Certified Systems Administrator, you could get a job. Then we went through a period where nobody would talk to you unless you had a bachelor’s degree. Then it started pushing towards master’s degrees. Now, there’s a kickback, and there’s a lot of people who don’t care about degrees again, and they just care about certifications. And so these things do go in ebbs and waves, and sometimes, if you’re with somebody who’s a very senior person, they may not understand that.

So what I like to do is find somebody who’s about two to five years ahead of where you are. It’s close enough that you could start mimicking their career path in yourself and be able to see things, and they’re not so far removed that they can’t necessarily help you, but they’re still senior enough that they can open some doors for you because they already have some connections as well. So I find that to be kind of the sweet spot.

If you do have somebody who is very senior, I know this is very popular, especially in minority communities, whether that is black, Latino, women, those different population segments, there is this people at higher levels are trying to bring in new people into that. And so you do have some senior folks with junior folks. Totally good, but I also recommend you get somebody who’s just a couple of years ahead of you because I think you’re going to get more benefit out of that on a daily basis.

And when you do mentorship, as you said, it can be very laid back. We’re just going to meet over coffee and lunch, or it can be very strict where you kind of say, “Okay, these are my goals for the next seven days,” and then in seven days, you’re going to meet back with that mentor. They’re going to verify you did those things. And it can be very structured. So it really does depend, but for me, I always find that two- to five-year point of somebody being ahead of you is kind of the sweet spot.

Kip Boyle:
Yeah. And just to kind of put a bow on this, I want to reemphasize something that’s really important. Nancy, you said this already, which is as the mentee, you really need to drive the agenda. Right? Because what you said that kind of made me want to reemphasize that, Jason, is you said if you’ve got somebody that’s really far ahead of you, they don’t really know what it’s like to be a beginner again. Right? So they don’t know what you’re struggling with. It’s difficult for them to sort of just realize what your struggles are and where you could use some help. So don’t be afraid to drive the agenda when you get into that situation.

But hey, one more thing, Nancy, we want to talk about, as we kind of get to the end of our episode here, and it comes along with mentoring, but you mentioned something just now, Women in Cyber. Tell us, please, a little bit more about what is that program, who’s it meant for, and then just how does it work?

Nancy Hunter:
Thank you. I appreciate the opportunity to do that. I belong to an organization called Women in CyberSecurity. We call ourselves WiCyS, WiCySters. And yeah, WiCyS. And it is a global organization that helps women who aspire to be in cybersecurity, helps women who are in cybersecurity remain there, and gives opportunities for those of us that are seasoned in cybersecurity to give back.

So there are many, many, many programs with WiCyS. There’s a mentoring program that’s established where you can pick somebody to get you a mentor. There’s education. There’s partnerships with some very large companies like Google and AWS to give you training, and there’s events that you can attend. But more importantly, there’s local affiliates, and I am the president of a local affiliate that supports Pennsylvania, New Jersey and Delaware. It’s called the Delaware Valley affiliate of WiCyS. And we provide free mentoring. We provide free training, free events just to encourage people to support one another. This was an outgrowth of a smaller grassroots organization that we had held in Philadelphia, and then realize that we could partner with a larger global organization WiCyS to have a bigger reach.

So we have taken those opportunities and are encouraging people to join us. Again, Pennsylvania, New Jersey and Delaware. I know that there are multiple affiliates, and we just are there. We’re listening boards. We are there. I love the idea, as Jason had said, with a two- to five-year window for mentors. Well, we encourage people to become that first mentor after two to five years. And that support helps them to have the courage to say, “Ah, I’ve been doing this for two or three years. Maybe I can help someone else.” So I encourage you to look outside. There are other types of affinity groups, as Jason had mentioned, for people that are African American or women or Latino, and there’s no reason why you can’t join multiple ones. I do. I join multiple ones, and I gain something from each one.

Kip Boyle:
And there’s different chapters of WiCyS, right?

Nancy Hunter:
There are absolutely different chapters of WiCyS. I said, I’m just the Delaware Valley division, but there’s a chapter that’s specifically for students who want to come into WiCyS. So that different stages in your career, you can find an organization there. There is a small fee to join the WiCyS global organization, and that fee can be reduced if you are already doing a government-type job or if you work for a nonprofit. And we have scholarships that for those people who cannot afford to be there on their own, there are scholarships and just support network that is invaluable.

Jason Dion:
Yeah. I just want to point out there’s a couple other organizations, just like Women in Cyber, that I’ve personally worked with over the years. And I am not one of those minorities. I am the standard middle-aged white guy, but I have worked with organizations like Blacks in Tech, BIT. They’re based out of Georgia, and they are very big on helping people across the technology spectrum, not just cybersecurity.

Another organization, when I was in the DC, Maryland area that I worked with, was Women’s Cyberjutsu, WSC, and they are another great organization that does a lot of the same type of things where they are focused on training, outreach. They even have a program down to middle school and high school girls to try to get them interested in cybersecurity and start bringing that path forward, as we try to fill some of that cybersecurity gap.

So there’s lots of great organizations. And if you’re not a minority, like me, I’m not a minority, you could still be involved with all these organizations because they still have a need for people to serve as mentors, people who can help train, people who can help with fundraisers and all sorts of other things. So there’s lots of good opportunities to get involved, either as a participant or somebody who’s trying to help the organization.

Nancy Hunter:
Yep. Our board actually has men, women, people at different stages in their career from entry level to seasoned. So get in there and put your name in to help. There’s just no reason why you can’t participate.

Kip Boyle:
Yeah. That’s great. Thank you so much for talking about WiCyS. Now, I actually know how to say the acronym. I had no idea how to say it. I’ve encountered the org many times, but I was like, “That’s probably a way to say that.”

Nancy Hunter:
WiCySters. WiCyS.

Kip Boyle:
Yeah. I love that. That’s a great mnemonic. Well, thank you so much, Nancy, for being here. I think it’s about time. We need to wrap up our episode, but I wanted to give you a chance to just… Any final words for the folks in our audience who are either trying to break into cybersecurity or trying to grow their cybersecurity career? Any other thoughts for them?

Nancy Hunter:
Yeah. You’re limited by yourself. So the answer is always no, if you never ask. Ask, apply, try, reach out, because you’ll find that people are willing to talk and encourage you, and the answer could be yes. So you’re limited only by yourself.

Kip Boyle:
I love that. I love that. Jason?

Jason Dion:
Yeah. I think exactly what Nancy said – ask. And I think the other thing is when you ask somebody to be your mentor or if they’ll give you their time, you need to phrase it. A lot of things we talk about is how you phrase things, right? And I know you’ve used this before, Kip. When you ask somebody, it shouldn’t be, “Hey, what can they do for me?” But you want to ask them, “Hey, would it be okay if I bought you coffee and you tell me about how you got into cybersecurity?” Right? People love talking about themselves.

So that’s a great way to kind of introduce and broach this concept, because I’ve had a lot of people who say, “Hey, will you review my resume?” It’s like, “Well, I have a million people asking me that. I don’t have time to do everybody. So no. I’m going to say no.” Right? But if it’s like, “Oh, will you meet me for 15 minutes and talk to me about how you got into this or how you overcame this challenge?” or blah, blah, blah, blah, usually you’ll say, “Yeah, I’d love to talk about that.” Right?

So the easier you can make it for the mentor, because most of these people that you want to work with are very busy people. I’m sure Nancy is tremendously busy in her job at the Federal Reserve. And I really appreciate the fact she took 30 minutes out of her day to come and meet with us, to share with all of you. And when you’re trying to find people like that, you have to make it easy for them because their schedules are just so darn busy. That’s my two cents there, Kip.

Kip Boyle:
Appreciate it very much. Okay, Jason, well, I think that’s a wrap. Why don’t you close this out?

Jason Dion:
Yeah, definitely. I want to thank everybody again for joining us. I want to thank Nancy for joining us and spending some of her valuable time with us. If you would like to leave a review for the podcast on any of your favorite podcast players, we would really appreciate that. Your podcast reviews really help the podcast stand out and have other people find it, and so they can get the help as well. So until next time, we’ll see you on the next Your Cyber Path.

Kip Boyle:
Bye everyone.

Nancy Hunter:
Bye everyone.