Creating a more inclusive security research field
A glimpse into the backgrounds and day-to-day work of several GitHub employees in cybersecurity roles.
Cybersecurity has grown in importance and mainstream awareness, thanks in part to a steady stream of headline-making breaches and to Hollywood's depiction of "hackers" and their often nefarious undertakings. While many people have a general understanding of cybersecurity and a sense of its importance, few understand the range of careers available in the field, and the roles they do picture tend to be technical ones.
I previously gave a guest lecture at Cornell University’s Department of Communication to a ‘Persuasion and Influence’ class comprising 100 students across multiple disciplines including communication, information science, and engineering. When asked about their perceptions of cybersecurity, many students recognized the importance of cybersecurity and the need to take appropriate measures to protect their data through various means including two-factor authentication. While they recognized the importance of keeping their information safe and secure, they expressed either a complete disinterest in pursuing a career in this field, or were simply unaware of career opportunities available to them:
- “I do not think I would be interested in pursuing a career in the field. This may be, in part, because I’m not entirely sure what kinds of jobs there are in cybersecurity other than computer science/coding and management.”
- “I would pursue a career in cybersecurity if there was a communication aspect that interested me such as the social media or marketing part of the field since that is what I am good at.”
- “Something that would possibly motivate me towards pursuing a career in cybersecurity more would be by showing me less of the coding side of cybersecurity and explaining other perspectives of it.”
It is encouraging to see that learners understand why cybersecurity is critical, and the growth of the industry reflects that criticality as well. In 2021, the global cybersecurity market totaled $150.37 billion and is expected to roughly double to $317.02 billion over the next six years. As the industry's value increases, so will career opportunities. Currently, 3.5 million cybersecurity positions are open worldwide, and many of them remain unfilled for two reasons. First, some employees are leaving the field, citing reasons such as a lack of social recognition. Second, a skills gap in the cybersecurity workforce means there are not enough qualified candidates to fill them. Organizations such as Microsoft are launching campaigns to close this worldwide skills gap and build a more inclusive workforce.
As the industry works to retain current workers while closing the skills gap, it is imperative that it also raise awareness of the breadth of career opportunities available in the field. That awareness should cover not just technical pathways but also roles that draw on other disciplines. This will ultimately lead to a more inclusive talent pool and to interdisciplinary teams.
Here are a few GitHub employees who work in security-related roles, offering a glimpse into their backgrounds and day-to-day responsibilities:
Product Marketing, Security
“At a high level, a product marketer is, essentially, someone who takes technical concepts and distills them into content that is more digestible for the rest of the business and the market at large.
Now, you don’t have to be technical to be an impactful product marketer: you need to be curious and willing to ask questions, to learn from the feedback you’re receiving, and to apply that in all of the work you do.
My background is in journalism and enterprise tech public relations, so as I moved into product marketing, I leaned into my zones of genius–research, writing, and connecting dots–to help security organizations tell stories that sell products and shape industry narratives.
The key takeaway: if you are clear on your strengths, love to learn, and are willing to go deep into the details, product marketing just might be the career for you!”
– Laura Paine, Director, Product Marketing, GitHub Security Lab
Security Developer Advocate
“I’m extremely passionate about what I have been doing for the past 13 months as a developer advocate (also known as developer relations or DevRel) in security, and what I enjoy the most is the balance between tech and soft skills. I didn’t know a lot about the role before joining, and I often catch myself asking how and why I wasn’t aware of this career path, so that I could have pursued it earlier.
My role is to help every developer in the world maximize their capability on software security through awareness and education. While these activities can take many forms, ranging from public speaking, video content, workshops and blog posts, everything starts from interacting with our users and understanding their pain points. I enjoy this interaction and while their pain points are mostly technical, everything around this interaction needs soft skills and creativity to succeed.
The key takeaway: if you enjoy the balance between technical skills and soft skills, love to educate others and constantly experiment with the latest technology, the role of developer advocate might be one to try next!”
– Joseph Katsioloudes, Security Developer Advocate
Product Security Engineer
“I am a product security engineer on the Bug Bounty Team at GitHub. My background consists of previously working in a vulnerability management role, where I was tasked with supporting the bug bounty program, conducting root cause/variant analysis, overseeing vulnerability scans, and assisting with incident response investigations.
My day to day at GitHub is an exciting mix of several things. I help validate security vulnerability submissions from multiple sources, conduct root cause/variant analysis, and bridge the gap between the engineering teams, security teams, and security researchers by testing and coordinating fixes for our products, ensuring our users and products receive the best in-class secured products.
The skills needed for this role are an interest in application security, a willingness to engage with researchers and other security and engineering teams, and an immense curiosity, along with knowledge of common application security vulnerabilities like the OWASP Top 10, participation in Capture the Flags or hackathons, and a drive to learn.”
– Jeff Guerra, Product Security Engineer
These are just a few examples of existing roles within the industry, and, as the industry evolves, there is ample opportunity to further develop and amplify these existing roles while expanding to new ones. This expansion can lead to the creation of new opportunities, which will attract new talent and ultimately lead to an inclusive and healthy software ecosystem. For example, within the GitHub Security Lab, we are a multidisciplinary team that accommodates a range of backgrounds and experiences that reflect expertise in both technical and non-technical roles from traditional security research to socio-technical research, developer advocacy, and advisory curation. Having this variety of backgrounds is paramount to fulfilling our mission of bridging the gap between open source maintainer and security research communities to help secure open source software. And, we hope to see the industry continuing to evolve in this way.