Arguably one of the most powerful women in cybersecurity today, McAfee’s vice president and chief technical strategist Candace Worley has been paving the way for the company and women in security for more than 17 years. And in her words, she’s loving her job.
As part of Worley’s recent visit to Sydney for McAfee MPOWER, we discussed the company’s priorities, risk, the cyber skills shortage and of course, women in security.
Worley started as a product manager and worked her way up to vice president of product management before becoming SVP and general manager of the company’s corporate endpoint business for five years.
After a year and a half of product marketing, she moved into the chief technical strategist role. Her team is an extension of the executive management team and part of that is driving thought leadership.
At MPOWER Worley discussed the issue of changing security thinking from a threat perspective to a risk perspective. She believes that in order to engage boards, CEOs and CFOs, people must use the language of risk rather than the language of operations.
“It’s a very different dialogue, and often times when security and operations teams have the security conversation with the CEO and the board, they’re talking operations and the board is worried about something else, about risk,” she explains.
MPOWER Sydney also recognised outstanding women in security this year. Worley says that any opportunity to highlight achievements in the security space is a good thing.
“I think they’re good things because we need more people in security in general, we also need more women. Diversity is important in that with diversity comes greater creativity and greater diversity of thought.”
“Let’s face it, solving the security problem is a significant challenge so more creativity and more diversity is all goodness if it leads to delivering better security solutions.”
“If women in industry or college knew that cyber is an industry that is acknowledging and recognising the unique contribution of women I think that more women would seriously think about it. I’m hoping that we will see more women seriously considering cyber as their career path.”
At MPOWER Las Vegas, McAfee CEO Chris Young described the ongoing ‘skills shortage’ as a ‘talent efficiency opportunity’. I asked Worley what factors contribute to this shortage.
“We have a pipeline issue when it comes to women in cyber security. The number of women choosing a STEM degree (science, technology, engineering and mathematics) is pretty low compared to their male counterparts.”
“It’s an issue because there are not enough young women in high school and university choosing a technical path that would put them in a position to consider cyber security as an option.”
She also says cyber is a specialised skill set. Employees need not only to write code but also to understand IT infrastructure, the architecture associated with it, how it works and the co-dependencies.
There is also a need for understanding adversaries and their predicted behaviour.
“This is not a machine to machine thing. This is people protecting machines and data against people attacking machines for data. The attackers are highly creative.”
“What makes cyber security extremely challenging but also outrageously exciting is the fact that what might work today in cyber security may very well fail tomorrow because the adversary figured out what you were doing and they’ve modified their behaviour.”
For some, that is an exciting prospect and part of their journey.
“We need to do more to help people understand that it’s not just about the excitement or the grind. It’s also about the fact that every single day of your life in cyber security you get to come to work and make the world a better place.”
We are seeing partnerships between industry and training institutions in order to encourage people into cybersecurity and Worley says there is an inherent need for that collaboration, which has improved in the last couple of years.
“In working together they can also help students understand the pros and cons of entering the cyber security space.”
She says educational institutions don’t typically have that real-world experience, which is why partnerships with industry are important.
“The industry practitioners are the ones that have real world examples of a company that got hacked and how that hack was perpetrated and what happened as a result of that hack and how did they identify the hack and how did they get it cleaned up and what were the downstream implications of that hack.”
There may be a need to show students that the ‘bro-culture’ of Silicon Valley is nothing to aspire to.
Worley says she knows some women who have felt like they are at a disadvantage in the industry, a testament to lingering pockets of stigma against women.
“I also think that there’s two sides to that coin. I think bad on the people who behave that way but also bad on the women who tolerate behaviour that dismisses them as less capable, intelligent, worthy - pick your adjective.”
She believes that it’s important to be a change agent within that workplace culture, or find another organisation that doesn’t treat women as less than their male counterparts.
Luckily, that doesn’t seem to happen very often and men are appalled when there is inequality.
“I think the way we fix it, is not just within the female community, it’s within the professional community whether those professionals are male or female,” she explains.
As for those who are steadily working away in cybersecurity, Worley is more than supportive.
“You have identified an incredibly exciting industry that pays well, that has incredibly bright, capable people that you get to work with every day. It’s an industry that changes on a regular basis, so what you deal with today will be very different from what you deal with tomorrow. Boredom is the last problem you’re going to have,” she says.
For those not in security, Worley has a similar message:
1. You don’t necessarily need a technical degree so if you don’t have one don’t rule cyber security out.
“I don’t have a technical degree. I have a management degree, a behavioural science degree and an MBA.”
“I don’t have a technical degree but I’ve performed well in numerous technical roles. You can enter this world and be part of marketing or finance or HR or sales or any number of other functional areas where you’re contributing at an equal level to anyone who can write code.”
2. If you have a technical degree then cyber security is going to offer you challenges that you will never see in developing software for other industries.
“Unlike in other industries where a failure to operate correctly is likely a code or hardware error, in cyber security it could be the same thing or it could be that the hacking community figured out your code and is writing malware to circumvent it.”
“Your number one job is to figure out how to write code that is either unhackable or really hard to hack. Whether you are in the industry already or you are contemplating jumping into the cybersecurity world, it’s an industry that is very hard to beat.”