It will take a paradigm shift to defend our national security moving forward. Women and people of color should be at the forefront of this effort. Demystifying Cybersecurity, a #ShareTheMicInCyber and Ms. magazine monthly series, spotlights women from the #ShareTheMicInCyber movement—highlighting the experiences of Black practitioners, driving a critical conversation on race in the cybersecurity industry, and shining a light on Black experts in their fields.
You may have heard news about the threat of Russian cyberattacks against the United States in retaliation for sanctions. Perhaps you are part of an organization that was a victim of a ransomware attack, or maybe you’ve had your account hacked recently. (To learn more about U.S. cyber defenders, check out CISA director Jen Easterly’s recent interview on “60 Minutes.”)
Mari Galloway helps break down these issues. Galloway is the CEO and a founding board member for the Women’s Society of Cyberjutsu (WSC), one of the fastest growing 501c3 nonprofit cybersecurity communities dedicated to bringing more women and girls to cyber. WSC provides its members with the resources and support required to enter and advance as a cybersecurity professional.
A resident of Las Vegas and a self-described security geek, Galloway has over a decade of experience in cybersecurity and information technology. Her expertise spans the design of company and government networks, advising clients on security risk, and working with clients after a breach to identify the attackers, recover data and fix the holes. She also works to help get more people interested in and prepared for a career in cybersecurity by writing in blogs, mentoring and serving as an adjunct professor at the University of Maryland. She’s also the CEO of A&M Strategies, which helps clients understand and visualize their business strategy and growth.
Lauren Zabierek and Camille Stewart: Mari, What do you do? What does a normal day look like for you?
Mari Galloway: I am what’s called a sales engineer at one of the most well-known security companies in the industry, Palo Alto Networks. There I get to help potential customers see the value in automation (sales) while still being technical and diving into technology (engineering). Automation allows you to handle routine tasks more quickly and efficiently, freeing up time for analysts to handle more complex issues such as looking for bad guys in an organization.
As part of my role, I conduct training with potential clients, host workshops on all the automation tools we offer, play Capture The Flag (CTFs) games with customers to provide them a feel of what various cybersecurity tools are capable of as it relates to automation. CTFs are a fun way to gain experience in cyber as they offer a variety of challenges to solve and provide hands-on training. You also get to work with others that are learning and can grow your network.
I also get to research the latest trends in the cyberspace, cyber threats that may affect us from an international perspective such as the Russia-Ukraine war and how our customers may be affected by this, and give back to those looking to enter and advance in cyber through my work as the CEO of Women’s Society of Cyberjutsu and individual mentoring.
What is important to note about the Russia-Ukraine cyber threat is that there is the potential for industrial control systems (ICS) to be targeted and hacked, causing a disruption in service and support to those that utilize those systems. These systems include HVAC systems, escalators, elevators, facilities and the systems that pretty much do the organization from behind the scenes.
To the everyday person, you may see an uptick in phishing and scams as it relates to assisting those in Ukraine, either monetarily or with donations such as clothing and food. If you encounter something like this, always verify that the charity or organization you are donating to is a real entity and have legit operations that support these types of situations.
My job is to make sure customers understand what their business needs are in terms of security and then help them implement a solution that protects their customer base.Mari Galloway
Zabierek and Stewart: How does your work keep people safe?
Galloway: My company provides tools to help organizations to make sure their internet traffic is secure, to keep customers safe from internet threats—so when they are conducting business, exchanging emails, offering products, for instance, we secure those transactions.
Our clients range from banks to schools and all those in between. Using technology, we work to keep their data secure. So basically, my job is to make sure customers understand what their business needs are in terms of security and then help them implement a solution that protects their customer base.
Zabierek and Stewart: How did you get into cybersecurity?
Galloway: Great question! Like many people, I got into it by chance.
I was a network engineer—which means that I help clients set up their internal networks and how they connect to the rest of the internet. I went to a training session where one of the instructors showed us how often routers—which are computers that literally route traffic to and from other computers across the internet—are configured to receive and transmit data in plain text. This is a huge problem because that means things like your searches or purchases could be seen by anyone monitoring your traffic. Given that I worked on similar devices, right then I decided that I wanted to go the security route to make sure sensitive data wasn’t being leaked on the internet. Protecting this type of data is important because it helps prevent data breaches that could lead to stolen personal information or intellectual property.
Zabierek and Stewart: What do you wish people knew about working in cybersecurity?
Galloway: Cybersecurity is a challenging, but interesting field. You don’t have to be super technical to succeed, which I think is a common misperception. I often hear that you need to be a coder to be in cyber or you need to be able to hack systems. But this simply isn’t true. What I tell people trying to get into the field is that you have to understand how things work and be able to identify the right resources if you don’t know.
Zabierek and Stewart: Why is cybersecurity important for women?
Galloway: Women belong in cyber, no matter what people may say differently. We think differently because most of the time we are brought up differently, which allows us to often see things from a different perspective and can make critical decisions that others may not see. Most of us are able to take many pieces of the puzzle and see the big picture.
We are also mothers, daughters, wives and friends and those experiences also play into why women are important in the space. We can help reduce the bias in technology, thus making the world a safer place. Reducing this bias is important because it helps create a more equitable society and allows technology to reflect the diversity of thought that we actually see.
Zabierek and Stewart: What is your cybersecurity or privacy tip?
Galloway: Only share the information that is needed to get the job done. Think of social media. We typically like to share photos, family updates, names of our loved ones and more without realizing the information being shared could be used to scam you.
Oversharing of information can inadvertently cause more harm, such as monetary loss or destruction of data, than we realize.
Women belong in cyber. We can help reduce the bias in technology, thus making the world a safer place.Mari Galloway
Zabierek and Stewart: What do you wish you knew when you were trying to get into cybersecurity?
Galloway: When I was entering the field, I wish I knew to network more with my peers and those throughout the industry. After several years in my career, I’ve found that networking has been super helpful in my career growth and advancement. I have been able to move into more senior roles and increase my salary through my network. I love that I can provide that to those coming up after me—so for those who are newer, don’t be afraid to reach out.
Zabierek and Stewart: Self-care is so important in the security world. What do you do to unwind or relax?
Galloway: It is—burnout for the industry is real. We deal with a lot of security threats that never seem to go away.
To relax, I like to have a glass of wine and build Legos. Currently I am working on the Titanic which is the largest Lego set to date. I also enjoy hanging out with friends, which is something I truly missed throughout the pandemic.
Zabierek and Stewart: What advice would you give a young person reading this with interest in the field? How can they break into it?
Galloway: There are so many different areas of cybersecurity that one can get into—from making sure software vulnerabilities are patched to developing incident response plans or designing networks.
I advise people who are interested to do their research on all those areas, and then take the initiative to learn, through training courses, videos or online programs. Fortunately or unfortunately, nobody is going to hold your hand, but there are resources out there to help you figure it out. But that just means that you have the power to create the career you want—so just do it!
Zabierek and Stewart: If you could wave a magic wand to change anything about the cybersecurity industry, the law or technology ecosystem, what would you change and how would you do it?
Galloway: I would change the barrier to entry. There are so many talented people out there, but they can’t bring their talents to cyber because they have been rejected so much due to human bias, people thinking certain groups are either not interested in cyber or don’t have the skills to do the job.
The people in cyber who are successful do not all have a degree or a gazillion certifications, so why should the folks coming in be expected to have those things? I would love to see the industry shift to bring people in based on their core traits and then provide opportunities to learn once they’re in. Several folks can’t afford a fancy education or the latest certification, and they shouldn’t be penalized for that.
Once we start looking beyond the degrees and certifications and looking at the individual’s potential, we can begin to make a change.