Originally a software developer (for 17 years), Tanya Janca, CEO of We Hack Purple, switched to security seven years ago. She founded the company to share as much knowledge as possible in hopes of moving the industry forward towards creating more secure software and systems. Janca is also the author of the acclaimed book “Alice & Bob Learn Application Security”.
In this interview for Help Net Security, she talks about her path in the industry, skill development, infosec certifications, as well as key challenges for the cybersecurity industry.
What were the pivotal career experiences that unquestionably shaped the way you are now? What lessons have you learned along the way?
When I was a software developer, I met a penetration tester. He kept trying to get me to move into security, but I was not interested. I had previously had several bad interactions with several different security teams, where they had not really helped me, and instead just thrown up roadblocks, blocking me from doing my job.
I had a rather negative perception of the security team at most of my offices at that point. To spark my interest, he showed me how he could break into one of my applications, and that made me curious. He kept showing me more and more things for about a year and a half, until I finally agreed to be his apprentice and changed careers into security.
It’s not every day that a professional mentor will spend a year and a half trying to convince you to switch careers; I was very lucky. Then I joined the OWASP community, and they taught me a lot more than he did. They were so welcoming, so open to sharing knowledge, and making me a part of the community. Before I knew it, I was giving talks, traveling, and had my own open-source project within OWASP. I feel that those were rather pivotal moments in my career.
The cybersecurity skills gap is getting bigger, which means there are plenty of opportunities for competent people to build a good career. What advice would you give to those just entering this industry? What pitfalls can they expect?
It is quite difficult to join the information security industry right now. There is no clear career path, like there are for accountants or tradespeople. I find it rather frustrating to be honest.
My suggestion for someone trying to join our industry would be manifold: find a professional mentor, join the security communities that focus on the topics that you are most passionate about, network and meet people, and learn as much as you can for free.
When people can see you are trying your best, and they’ve met you multiple times before, they are a lot more likely to recommend you for jobs or make introductions.
What’s your take on infosec certifications? Are they valuable for someone that wants to specialize in the industry?
I have a lot of thoughts on information security certifications. It is an industry that exists to make money. And in some ways, it can really help people in finding jobs. I find that hiring managers who ask for certifications are 1) hoping that the certification proves that you are trying really hard to learn things or 2) they have no idea what they’re hiring for and they don’t know what to ask you or to test you on, so they hope that by asking for a certification you will show up and be qualified. Unfortunately, not all certifications are created equal.
I personally only have the one certification and it’s the one that my company, We Hack Purple, created. I personally don’t love tests. I, however, am in a much different situation than the average person. Instead of pursuing certifications, I shared my knowledge via blog posts and conference talks, which serve as evidence of my qualifications. Not everyone can do that, and I’m not saying that’s what everyone should do. But it worked for me.
There are some certifications that people ask for, where honestly, I don’t feel the certification itself offers value. Studying for a certification and learning things is awesome. Some of the certifications cover important topics that you should know to work in our industry. Some of them don’t. It’s difficult working for a training company, because I’m tempted to trash some of them, but I know that’s not in good taste. I hope this answer helps.
What do you see as the key challenges for the information security industry over the next five years?
I feel that key challenges in information security are going to be revolving around ransomware, technology transformation (moving towards DevOps and cloud), training and education, and everyone within the security industry learning to be a lot more empathetic.
I think the industry would do better to focus on sharing knowledge with other areas of IT whenever possible, being more empathetic to what other areas of IT are trying to accomplish, and preparing for the worst (ransomware, AppSec incidents, etc.) whenever possible, well in advance.