I started coding at 17 years old, and it was love at first sight.
I got great marks in all of my classes in high school, but loved computer science because in every class, I could “make something out of nothing”. Computer science runs deep in my family as almost all of my aunts and uncles are computer scientists, and my cousins are engineers, scientists and programmers. When I announced that I wanted to go to college for computer science my family responded with “what else would you take?” It wasn’t until years after working in tech that I realized that this is not an experience that most young women share.
I landed my first job in tech at age 18, and haven’t stopped since, despite several career setbacks, harassment and toxic work environments. I realize this might not seem very encouraging, but I have to tell you; things in tech have really improved. I’ve had the fortune of work experience in a variety of different situations both in computer science and in my other passion, music. Both careers taught me the value of collaborating with others, confronting differences, and taking constructive criticism well. It’s also given me the benefit of becoming more resilient when it comes to unpleasant situations or less-than-constructive comments made in the workplace.
For many years, I was a programmer by day and a musician at night. My successful music career allowed me to play in countless venues and bars around town, and it taught me many lessons that have since turned out to be very helpful in tech such as how to handle hecklers, how to capture the attention of a drunk and belligerent crowd, and what the best way to throw someone off a stage is. As you can imagine, there were challenges to being a young 20 something woman in a hardcore punk band.
Later in my career I met an ethical hacker who was also in a band and we became friends. He spent the next 1.5 years convincing me to join him as his apprentice and learn how to hack. I became fascinated with the security of software; I wanted to know everything. I joined my local OWASP chapter and almost immediately became a chapter leader, which helped me greatly since I had the chance to invite experts on topics that I was interested in to come speak for us. I also met my next 3 professional mentors through OWASP, who taught me even more. OWASP is an incredibly supportive and amazing community; I strongly recommend that everyone joins their local chapter...
At this point in my career I felt like I had a thirst for knowledge that could not be quenched. Although I managed to switch over from software development to a full time security job, I was frustrated that there was no budget for me to go on the types of advanced training that I was interested in. Then one of my professional mentors convinced me to speak at a conference, and they let me in FOR FREE.
For the next 2 years, I spoke at meetups and local events, taught myself as much as I could, and worked in application security helping developers make more secure apps. I loved it, but I kept striving for more. I wanted to do more modern types of application security, and I realized that the organizations I worked for were not very modern, and resistant to change. I found that my drive and ambition were difficult for certain managers, and it became a point of friction for me in the workplace.
Then I broke through from meetups into speaking at conferences. I honestly couldn’t believe it when I received the email saying that I had been accepted to speak at AppSec EU, the international OWASP conference. I discovered that all of my musical stage performance skills transferred over and that, with all of my practice at meetups, I had become good at public speaking. After AppSec EU I had invitations to speak all over the world. As conferences started sending me plane tickets, I took time off work and went off to learn for free. I realized that a career shift was necessary. I knew that I had something to offer to the right employer, but I wasn’t quite sure what that would be... Then Microsoft reached out to me.
A Microsoft representative said that he had heard about me, and wanted to interview me for a “Developer Advocate” position. I had no idea at that point that “developer relations” was a job, and when he described what the job would be I said “I already do that, for free”. It took him about 20 minutes to convince me that he was not kidding, this was a real job, and he was actually from Microsoft. Before I knew it I was travelling the planet, learning about cloud security, working with absolutely brilliant people and so much more. All the while I was getting paid to do it! Talk about a dream!
During my many years travelling and talking to the community, I learned a lot about my industry, both good and bad. I learned that software developers had a lot of aches and pains in regards to security that I had also felt when I was a developer, and especially during my work in incident response and AppSec. My goal in being a developer and cloud advocate was to help push the industry forward, and to help people create more secure software, everywhere. During this time I founded the #CyberMentoringMonday online initiative and the WoSEC (Women of Security) organization, released countless articles, videos and podcasts, and spoke regularly at security events. Although I definitely felt I was helping many people in my industry, I felt like I could do even more. I also felt the constant travel was extremely exciting, but also exhausting and perhaps not the most efficient way to help the most people. I wanted to figure out how to make a bigger difference, and ’scale’ myself in a more effective manner.
With that in mind, I started to devise a plan; focus my efforts in a more concise way in order to deliver more impact. Do fewer things, but do those things in a very big way. I decided to choose two big goals; to write a book and start my own company. And I decided I would just go for it, even if it was scary.
I realized at this point that I was going to have to leave Microsoft to pursue my new career goals. I met with many security specialists in the field, and decided to start my own training Academy: We Hack Purple! We have an online community, on-demand courses, and a podcast!
I am also in the process of writing my first book! It's an intro to AppSec, "Alice and Bob Learn Application Security", and I’m excited to share it with the community at large when it’s ready. Even though I am at the very beginning of both of these adventures, you better believe I plan to knock them out of the park!
** Book is available now at book stores world-wide.
If I can offer advice to you it is this: if you want it, go get it. Don’t let anyone tell you that you can’t reach greatness; you can, you just need to be prepared to work like you’ve never worked before. The Information Security industry needs all the help it can get, and we definitely need you. Yes you, the person reading this right now. Please join us, and help us make the world a better and more-secure place.
Top comments (10)
Thanks for sharing your personal story!
As a software engineer interested in learning more about the InfoSec field, can you please elaborate on your transition from software developer to your first security job.
Specifically:
Hi Ty,
I had a professional mentor. He was a friend who was a hacker and he spent 1.5 years trying to get me to join InfoSec. He taught me quite a bit, but more importantly he advocated for me. He gave me my first contract, and then helped me get my first full-time, permanent position in InfoSec. I learned a lot on my own (I read and worked through about 1/2 of all of the following books: Shell Coder's Handbook, Web App Hacker's handbook, Hacker's Playbook), I read every book in the library, took 3 courses at Maryland university online (usable security, software security and web app hacking), recruited speakers for OWASP for things I wanted to learn, started speaking at conferences so that I could get in free and learn, spoke at every meetup that would take me, and attended meetups constantly, asked for book recommendations and read them, volunteered for every possible security task at work until the security team let me join, etc., etc., etc. I kept learning until I knew more than my teacher, then got a better teacher. Then another teacher. Then started the OWASP DevSlop project, and got even more mentors, plus created a crap-ton of proof-of-concepts. I attended a capture the flag, then decided I would run my own for the next three years. I can't remember what else. I tend to be obsessive in nature when I'm really into something. I do not think this level of dedication was necessary though. I honestly think that having a professional mentor, getting an entry level job (the hard part) and then studying anything that you don't understand at work until you know it well, is more than enough. You don't need to be world-famous or better than everyone else you know; you just need to know enough to do a good job.
Yes it was tough to get my first shot, but luckily I had a lot of wonderful humans from Ottawa that work in InfoSec that helped me along my way. I did get some flack for being a woman (once even from a woman), but mostly I just made myself indispensable at every job until I had people's respect and was given more responsibility.
I was invited to sit in on an incident and I figured out that I could read the obfuscated code during the meeting, and explained the attack to the investigators. #indispensable
If you ever don't know something or feel unconfident, ask or study it until you DO feel confident. It will beat imposter syndrome AND make you awesome.
Because I've coded most of my life I never felt like I was starting from scratch, but it was unnerving at times to feel uncertain of myself. I had previously been the "senior tech" everywhere I had worked, for about ten years; stepping down was hard on the ego. I recall a director telling me to "try sounding more confident in meetings, even if you don't feel it, then come back and check with the rest of the team. If you were wrong, correct yourself, confidently. If you were right, carry on. Eventually you will almost always be right." Smart guy.
Ty, we need more people in our industry, please join us.
Hey Tanya, thanks a lot for this reply. The small details involved in this type of career shift are often overlooked, but hearing your story is inspiring! I knew you must have put in a ton of work from a technical standpoint, but hearing the details is helpful. It’s also really interesting to see how much community and quality mentors played a role in your story. A great reminder that we are not on this journey alone!
For those who are greatly interested in CyberSecurity, Canada has a great shortage of people in this field.
The government of Canada is working with I believe Ryerson to open up a CyberSecurity school in Brampton.
So for those from India looking to migrate to Canada into the tech-field, that's both a destination and job you may be interested in seeking.
Many large Canadian companies appear to prioritize hiring internationals, and it is speculated that this is because these internationals will be loyal employees since they are working to get their PR (Permanent Residency).
Also, I believe Canada has a fast track for Visas. I don't know if this is specifically for India but it sure seems to be how some Ministers advertise it.
Thank you for sharing Andrew! :-D
Interested
SHE'S NOT LYING. PLEASE, PLEASE JOIN US. WE NEED HELP. IT'S BAD.
This is such an inspiring story! Thanks for sharing ❤️
Thank you Nafisa!
Love your story.