SANS – Security Review Magazine
https://securityreviewmag.com

“We Can All Do Better By Treating Women in Tech as Equals”
https://securityreviewmag.com/?p=27849
Wed, 05 Mar 2025 09:56:31 +0000

Heather Mahalik Barnhart, SANS Fellow and DFIR Curriculum Lead, says being heard in a room is something that many struggle with.

Can you share your journey into the security world? What inspired you to pursue a career in this field?
I was in the right place at the right time. On the back of a C-130 as a young Staff Sergeant, I was offered an interview for a computer forensic admin position. I didn’t even know what it meant, but I applied and took the job. I was assigned to write SOPs, go on search warrants, and collect and process evidence.

I worked hard and earned an analyst position within a year, and the ball kept rolling. I found my niche in the world and became enamored with digital forensics. This was 23 years ago now, and it’s crazy to think that I am still learning as much today as the day I walked into my first lab. That is why I stay! The ability to learn something new every day and do work that makes a difference and helps make our world a safer place.

What were some of the biggest challenges you faced as a woman, and how did you overcome them?
The first problem that has been around since day 1 of my career (over 23 years ago) is fair pay. As a woman in tech, it’s been increasingly difficult to know if I am paid fairly for someone with my caliber of experience. As much as I try to pretend it’s not a real problem, unfair salaries have plagued and still plague me. As a woman, I know I am paid less than male co-workers. Finding ways around this has been tricky, and while some groups I have worked for and currently work for seem supportive, I feel like I have to fight for what I deserve. We can all do better here by treating women in tech as equals. I will continue to speak up about this and ask for what I believe I deserve.

Being heard in a room is something that many struggle with. As a woman, finding the right room where people want to hear you is key to gaining confidence and finding your voice. I am lucky that I have found a home at SANS and Cellebrite where my voice is not only heard, but is also valued. I strongly encourage any woman out there to find the room that will listen. Don’t be afraid to use your voice, but always back what you are saying.

How do you describe your leadership style, and how has it evolved over time?
I lead by doing. I pride myself on leading by example and not creating high expectations for others to meet that I am not willing to meet myself. I stand up for my team, and I try to organically create teams of people based upon skills and personalities that feed into morale and increase work effort. I have formed teams over the last decade of people who are “dotted line” to me at best, and we have accomplished so many amazing things. These teams have helped me grow into an even better leader and into the woman I am today.

What strategies do you use to motivate and empower your team?
I hold people accountable, and it helps show that I trust them to do their job, but I will be behind them asking questions when they don’t. A team cannot function when someone is unreliable. Mistakes are made and we learn from them, but you must be willing to do your job and stand behind your work and your word.

Have you had any mentors or role models who have significantly influenced your career? How did they impact your journey?
I have worked for so many great men over the years. Many of them have naturally paved the way for me. I feel the need to state that I said men, yes men. Men do support women. Often, women believe they must find another woman to mentor them, and that isn’t the case. Finding the right person to inspire you during that specific time or while you are on a certain path is what matters.

My first mentor was Shawn Howell. He taught me forensics and believed that I could do something I had zero training for. He took the time to teach me, and I credit him for my stance on the importance of validation. Rob Lee was and still is a great mentor to those in DFIR in whom he sees something. Rob introduced me to SANS. For that I am forever grateful. He also helped me find my voice in the room and encouraged me to speak up. Since then, I’ve had many great bosses, mentors, and smart friends who guide me along the way and help me stay focused.

What advice would you give to young women aspiring to enter the security world?
Stand up for yourself. From salary, to how you are treated, to assigned responsibilities – make sure it’s for your skill and not because you are a woman. Do not let anyone knock your crown off your head. You deserve a chance as much as anyone else. In a male-dominated field, it’s important that we encourage one another and not compete. There is plenty of work for everyone. Sometimes we are our own worst enemy.

Can you highlight some of your proudest achievements in your career so far?
I worked on Osama Bin Laden’s media and was given several awards for my work. Working in a classified environment is mentally challenging when you can’t share your work with anyone outside of the office. This case was something that my family could celebrate with me. It took huge efforts, which made a big difference in making the world safer. I have been awarded for many things over the last two decades, but hearing that someone uses my SANS courseware, blogs, books, or advice to solve cases makes my day. Every single time! I put in the work, and I share it. Hearing that it helps makes it worth it.

How do you manage work-life balance, and what tips do you have for other women striving to achieve this balance?
Terribly, but I am getting better! I listened to a podcast recently about single tasking. It’s when you do one single thing at a time. Not doing a puzzle and listening to a podcast at the same time. It’s doing one of those things for 15 mins a day. It relaxes your brain. As women, we brag about doing a hundred things at the same time. We need to slow down so we don’t burn out.

I am also trying to “log out” at the end of the workday. Don’t open your email all evening. Don’t be on group chats. Put your phone down and disconnect. I joke with my kids that I lose my phone, and they love it. They can tell when I am still working. I don’t want to send a message to them that mom works round the clock. They help me find my balance.

Zero Trust: SANS Unveils Critical Challenges and Solutions
https://securityreviewmag.com/?p=27083
Mon, 26 Aug 2024 06:27:10 +0000

As organizations continue to fortify their cybersecurity strategies in response to an ever-evolving threat landscape, many are turning to Zero Trust architectures to safeguard their data. However, implementing Zero Trust is not without its challenges. According to a new strategy guide from the SANS Institute, “Navigating the Path to a State of Zero Trust in 2024,” businesses often stumble over key obstacles in their journey towards Zero Trust adoption.

“The path to achieving a true state of Zero Trust isn’t straightforward. Organizations often encounter several fundamental challenges when attempting to implement end-to-end Zero Trust principles across their environment,” said Ismael Valenzuela, SANS Senior Instructor and author of the Cyber Defense and Blue Team Operations course, SANS SEC530: Defensible Security Architecture and Engineering. “By understanding and addressing these common mistakes, businesses can make better strategic and tactical decisions and increase their resiliency in the face of evolving threats.”

SANS Institute identified the top five mistakes made when implementing Zero Trust:

  1. Overlooking the Importance of Organizational Culture: Zero Trust is more than just a technological shift; it requires a fundamental change in organizational culture. Chief Information Security Officers (CISOs) must align security with strategic, operational, and financial priorities. As the strategy guide states, “Effective security is driven by people, processes, and technology.” Failure to secure stakeholder buy-in from the outset can doom Zero Trust initiatives from the start.
  2. Underestimating Human Risk: Employee error and negligence account for over 80% of data breaches. Hybrid work environments blur the lines between personal and professional spaces, increasing the complexity of monitoring user activity. “A Zero Trust architecture is an important line of defence against human risk,” the strategy guide emphasizes. Organizations must implement continuous monitoring and real-time assessment of user behaviour to mitigate these risks.
  3. Neglecting the Supply Chain: Recent high-profile supply chain attacks have underscored the vulnerabilities within interconnected systems. According to Gartner, by 2025, 45% of organizations worldwide will have experienced attacks on their supply chains. Zero Trust principles help limit the impact of these breaches by ensuring continuous verification and deeper visibility into user activity.
  4. Failing to Plan for Sustainable Success: Implementing Zero Trust is a long-term commitment that requires continuous improvement and adaptation. The SANS strategy guide highlights the importance of effective change management practices: “Effective change management ensures stakeholder buy-in, facilitates user adoption, minimizes disruption, promotes continuous improvement, and enhances collaboration.”
  5. Inadequate Measurement of Success: Measuring the effectiveness of a Zero Trust framework is crucial for maintaining stakeholder support. The guide suggests several metrics, including authentication success rates, policy compliance rates, and the time to detect and respond to incidents. These metrics provide a clear picture of the framework’s impact and highlight areas for improvement.

“Adopting the Zero Trust ‘never trust, always verify’ mindset is essential for modern cybersecurity,” said Valenzuela. “However, the real challenge lies in having a realistic understanding of what a Zero Trust architecture looks like and avoiding common pitfalls during implementation. From cultural shifts to technical deployments, this offers vital guidance to help organizations successfully navigate the complexities of Zero Trust and enhance their cybersecurity resilience.”

Human Risk Remains the Biggest Threat to Your Organization’s Cybersecurity: SANS 2022 Security Awareness Report
https://securityreviewmag.com/?p=24466
Tue, 05 Jul 2022 06:01:51 +0000

With an unprecedented number of employees now working in hybrid or fully remote environments, compounded by an increase in cyber threats and a more overwhelmed, COVID-19 information-fatigued workforce, there has never been a more critical time to effectively create and maintain a cyber-secure workforce and an engaged security culture.

“People have become the primary attack vector for cyber-attackers around the world,” said Lance Spitzner, SANS Security Awareness Director and co-author of the report. “Humans rather than technology represent the greatest risk to organizations and the professionals who oversee security awareness programs are the key to effectively managing that risk.”

After analysing the data of more than 1,000 security awareness professionals worldwide, SANS Security Awareness, the global leader in providing security awareness training, has released its seventh annual SANS Security Awareness Report. The 2022 report establishes updated global benchmarks for how organizations manage their human risk and provides actionable steps to make improvements, with key metrics in the Security Awareness Maturity Model Indicators Matrix to measure progress.

“Awareness programs enable security teams to effectively manage their human risk by changing how people think about cybersecurity and help them exhibit secure behaviors, from the Board of Directors on down,” said Spitzner. “This report enables security awareness professionals to make data-driven decisions on how to best secure their workforce and speak to leadership about risk in a compelling way that demonstrates value and support for their strategic priorities.”

Key Findings:

  • Workforce: More than 69% of security awareness professionals are spending less than half their time on security awareness. The data shows that security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.
  • US Compensation: The average salary reported was $110,309 USD for security training professionals, an increase from 2021. However, those dedicated full-time to awareness were paid on average only $86,626, while those who are part-time averaged $117,584, roughly a $30,000 difference. This difference is because people dedicated part-time to security awareness have their compensation based on their other responsibilities, which are usually more technically focused.
  • Global Compensation: Security awareness professionals in Australia/New Zealand had the highest average annual compensation ($121,236), while South America had the lowest ($56,960). In North America, the higher the maturity level of an organization’s security awareness program, the higher the salary for the awareness professionals who work there.
  • Top Reported Challenges: The three top reported challenges for building a mature awareness program were all related to a lack of time: specifically lack of time for project management, limits on training time to engage employees, and a lack of staffing.
  • Pandemic Impacts: The top two reported impacts were the challenge of a more distracted and overwhelmed workforce and a working environment where human-based cyber-attacks have become more frequent and effective.
  • Program Maturity by Region: Consistent across all global regions is that current programs’ most common maturity levels are compliance-focused and awareness/behavior change.
  • Successful Program Indicators: Strong leadership support, increased team size, and a higher training frequency topped the charts as key enablers to program success.

Key Action Items to Increase Program Success:

  • Action Items to Increase Leadership Support: One of the top ways to increase leadership support is speaking in terms of managing risk, not compliance, and explaining WHY you are doing something, not WHAT you are doing. Additionally, create a sense of urgency by utilizing data, and communicate value by demonstrating alignment with leadership’s priorities.
  • Action Items to Increase Team Size: Documenting and contrasting how many people on the security team are focused on technology versus how many on the team are focused on human risk, creating a document to explain personnel needs fully, and developing partnerships with key departments that can help develop ways to communicate the program’s value were recommended.
  • Action Items to Increase Training Frequency: It is recommended that organizations communicate to, interact with, or train their workforce at least once a month. Keeping training simple and easy to follow is the key to increasing your opportunities to engage and train your workforce.

“The most mature security awareness programs not only change their workforce’s behavior and culture but also measure and demonstrate their value to leadership via a metrics framework,” continued Spitzner. “Organizations can no longer justify an annual training to check the compliance box, and it remains critical for organizations to dedicate enough personnel, resources, and tools to manage their human risk effectively.”

SANS 2021 Security Awareness Report Benchmarks Maturity of Awareness Programs Globally
https://securityreviewmag.com/?p=21264
Thu, 01 Apr 2021 05:38:30 +0000

SANS Security Awareness, the global leader in providing security awareness training, announced today the release of the 2021 Security Awareness Report: Managing Your Human Cyber Risk. This annual report analyzes the data of over 1,500 security awareness professionals from around the world to benchmark how organizations are managing human risk and provides data-driven action items to mature awareness programs.

2021 marks the sixth release of the SANS Security Awareness Report, and through 2020-2021 the industry witnessed deep and rapid changes in how and where employees work. These changes have caused unprecedented evolution not only in the technology we use, but in how we use it, especially with so many working from home. Simply stated, it has never been more important to effectively create and maintain a cyber-secure workforce and a vibrant security culture.

“Cybersecurity is no longer just about technology but people; managing human risk. Awareness programs enable security teams to do just that by not only guiding how people think about security but how they act, from the Board of Directors on down,” said Lance Spitzner, SANS Security Awareness Director and co-author of the report. “This report enables security professionals to make data-driven decisions on how they can most effectively engage the workforce and manage human risk.”

Key Findings:

  • Workforce: Over 75% of security awareness professionals are spending less than half their time on security awareness, implying awareness is too often a part-time effort. The data shows that security awareness responsibilities are very commonly assigned to staff with highly technical backgrounds who may lack the skills needed to effectively engage their workforce in simple-to-understand terms.
  • Compensation: The average salary reported was $103,000 USD for full-time security training professionals. However, salaries were found to be higher for those with technical backgrounds and on average up to $10,000 less for those with non-technical backgrounds.
  • Top Reported Challenges: The two top reported challenges for building a mature awareness program are the lack of time to manage the program and a lack of personnel to work on and implement the program.
  • Dedicated Personnel: Awareness programs effectively changing behavior had at least 2.5 FTEs (Full-Time Equivalent) dedicated to helping manage their awareness program. Those impacting culture and having the metrics framework to prove it on average had 3.5 FTEs.

“Security awareness programs have evolved from a limited compliance focus to becoming a key part of an organization’s ability to manage human cyber risk,” said Dan deBeaubien, SANS Security Awareness Director and co-author of the report. “While security awareness programs are gaining executive support, there is still a long way to go before enough personnel, resources and tools are allocated to this effort.”
