Feb. 28, 2021

Betsy Bevilacqua - From Almost Lawyer to CISO and Security Leader

Betsy Bevilacqua - From Almost Lawyer to CISO and Security Leader

Betsy Bevilacqua is the current VP of Information Security at Chainalysis. Initially, she had her mind set on law school until she did a self-audit and realized that she enjoyed computers and tech much more. Her journey into infosec led her to move from Kenya to the US to obtain a degree in Security and explore various companies involved in academia, food and facilities, healthcare, telephone communications, and finance to more traditional tech. Her interview is full of advice for those looking to break in and those already in infosec.


Betsy Bevilacqua is the current VP of Information Security at Chainalysis. Initially, she had her mind set on law school until she did a self-audit and realized that she enjoyed computers and tech much more. Her journey into infosec led her to move from Kenya to the US to obtain a degree in Security and explore various companies involved in academia, food and facilities, healthcare, telephone communications, and finance to more traditional tech. Her interview is full of advice for those looking to break in and those already in infosec.

Notes

  • Started off pursuing a computer science degree, then made the switch to infosec midway
  • Her first official job in security was as a security incident handler
  • Believes that willingness to up-level the team and connect to the organization is important in a new hire
  • Has helped start a lot of outreach and mentorship programs, such as Code Path

Quotes

  •  "What's really important is EQ... it's really important to have empathy for the teams that you're working with and supporting."
  • "You want someone who's going to connect to your organization and not just focus on one particular thing and not have influence or even have a negative influence."
  • "I'll never forget... my colleague was a security engineer... he'd been in the industry for a while, but he came out of networking and then got into security and he basically took me under his wing and he taught me."
  • "I've always taken the point of if somebody has [passion for infosec] and they have transferable skills, you can very easily solve a lot of these problems with people who think differently from you."

Links

  • Betsy's LinkedIn: https://www.linkedin.com/in/betsybevilacqua/
  • Intro Music: https://trash80.com/#/content/133/weeklybeats-2012-week5
  • Chainalysis: https://www.chainalysis.com/

See omnystudio.com/listener for privacy information.

Follow Ayman on Twitter

Breaking IN: A Practical Guide to Starting a Career in Information Security

Transcript
Betsy Bevilacqua
So, I realized that I had a knack and I was always the kid who wanted to learn a lot more. [I] learned how to hack our phone system and go right to the PBX exchange outside. And it was just, I realized that that's where my passion was.
 
Ayman
Welcome to Getting Into InfoSec. I'm your host, Ayman Elsawah. My guest this week is Betsy Bevilacqua. Betsy's a CSO and amazing security leader who shares her story on how she got into security.
 
Betsy Bevilacqua
When you take these large national exams, you have about three months to wait for your results to come out. And it was during that time I really started pondering, you know, what does it really mean to be a lawyer? What does it mean to be in the legal profession? And the more I dug into it, the more I realized, you know what? Actually, I love computers. I love video games. It's almost like I did a self-audit very early on and I realized I had made a mistake.
 
Ayman
Betsy shares with us some of what she looks for when hiring in information security and how the industry still needs to adapt.
 
Betsy Bevilacqua
And so the idea is: always looking for their passion. Is there an interest? Because security is not something you get into lightly, as you know, right? Basically, we take on a lot of risks.
That's very stressful at times, but it's also very rewarding. And so, I've always taken the point of if somebody has these qualities and they have transferable skills, you can very easily solve a lot of these problems with people who think differently.
 
Ayman
As an African-American woman and someone well-versed in emotional intelligence, Betsy understands diversity and inclusion issues well. [Keeping in mind topics and] those affecting African-Americans and blacks.
 
Betsy Bevilacqua
What does this language do to your psyche? You know, because I remember the first time somebody said master/slave and they were referring, I think was a database or something, and I remember being taken aback. And then, all of a sudden, they just became so commonplace that I started using [them].
 
Ayman
Betsy's an amazing human being and we had a wonderful conversation. So check it out. Hey, sorry about my audio in this interview. It looks like I had the wrong microphone recording. Oops. Sorry about that.
 
All right. Onto the show.
 
Hi, Betsy. Thanks for coming on the show.
 
Betsy Bevilacqua
Thanks for having me, Ayman.
 
Ayman
Yeah, I've been waiting to have this interview for quite some time so I'm very excited about this. For those out there that may not know you, can you tell us a little about what you do today and some of your previous roles?
 
Betsy Bevilacqua
Sure. So again, my name is Betsy Bevilacqua and I'm currently the VP of information security at Chainalysis. Chainalysis is a blockchain security company. Prior to Chainalysis, I've been in the security industry for probably around sixteen years, which sounds crazy for me to even say that out loud. It's been an interesting journey. I've led security teams at a medical device startup called Butterfly. I spent almost five years leading a few security programs and teams at Facebook. And before that, at eBay. Before that, health insurance, academia, and a food and facilities company. So I've seen the rainbow of all manners of security programs, starting from when security was slapped on a firewall and some antivirus and called a job well done to where we are today, which is completely different.
 
Ayman
Yeah, so lots of experience there. And which makes you the wonderful leader that you are today, so happy to bring you on. So I'd love to get into it. How did you get into InfoSec? I think from our other conversations, InfoSec was not your initial career choice, is that right?
 
Betsy Bevilacqua
That's right. It was not. So, I thought I was going to be a lawyer. I'm originally from Kenya and the law degree is actually the first degree, meaning you could go right from high school into law school, unlike here in the US. And it's also not easy to get into, right? You have to get certain grade levels and then you apply. It's kind of a rigorous process. So when I was in high school, you know, law sounded cool. Lots of interesting problems to solve. And it was either that or med school, and I couldn't deal with the idea of cadavers.
 
So anyway, I do all this hard work, pass all my exams or get accepted into law school and I realized that this was not for me.
 
Ayman
How did you come to that realization? Was law school something your parents drove or was it something you wanted and then how did you come to that realization?
 
Betsy Bevilacqua
That's a good question. My parents really didn't drive [me]. They did a good job of letting us decide what we wanted to do. And so, law was very—still is a very—prestigious occupation. And so when you think about your future, you look around you and the people who are successful around you, and for me, folks [on] the legal side were seeming to be doing well. I said, "Well, that's what I want for myself," but then we don't.
 
We have a break in Kenya. When you take these large national exams, you have about three months to wait for your results to come out. And it was during that time I really started pondering, you know, what does it really mean to be a lawyer? What does it mean to be in the legal profession? And the more I dug into it, the more I realized, you know what? Actually, I love computers. I love video games. It's almost like I did a self-audit very early on and I realize it: I had made a mistake.
 
Ayman
Okay, so this is after you took the exam to enter law school, right?
 
Betsy Bevilacqua
Well, the good thing is it's a national exam that everyone has to take. It's not based on your grades. And they say, "Yep, you qualify to go into law school."
 
So, it was during that process that as you finish the exam, you wait for the results. And then once those come out, then they tell you that almost at the same time, whether you were able to get into the schools of your choice or the programs of your choice in the public university.
 
Ayman
Ok, so you had this free time and you realize that computers [were] something [you were interested in]. Did you grow up with computers when you were little? Like, when were you first exposed? How did you come to that realization?
 
Betsy Bevilacqua
Yeah, so I went to a public-private, sort of like a charter school, in Kenya and they happened to get a grant. It was probably in like the late eighties. They got a grant and they bought a bunch of computers, and they were one of the first few schools in the city to have a computer lab so we had computer class. But really, at that point, the computer class was 45 minutes of theory, and it was our teacher doing his best to teach us the basics of programming. But the only thing we were excited about the class for was playing games because we would then get 45 minutes to play. It was on a Commodore 64 Basic, and we're playing this game called the Wizard of War.
 
We would take turns. You know, we had about five computers and so, in a class of about 40 kids, to be eight people assigned to one computer... and I always went first, but then that meant if you were in my group, you never got a chance to play because I was pretty good. I got pretty good at playing this game. And so, they would just sit there and watch me, getting increasingly annoyed or getting increasingly excited because I kept [going] from a higher level to another higher level and unlocking new ghosts.
 
Ayman
Did you have a crowd behind you at some point?
 
Betsy Bevilacqua
Oh yeah, yeah. It was like Twitch, you know, but back in the day.
 
Yeah, so I realized that I had a knack and I was always the kid who wanted to learn a lot more[about] how to hack our phone system and go right to the PBX exchange outside.
 
I realized that that's where my passion is.
 
Ayman
Okay, that's cool. That's awesome. And so now, you've taken this exam and you're waiting for the results and you realize computers is something you want to do as a career. What are some things you did after that?
 
Betsy Bevilacqua
I love computers, but I [didn't] know what I [could] do.
 
And, at the time, looking around the courses that were available were the certifications for Microsoft. So those MCFC solutions, engineer and CSD solutions developer, they were very expensive. I mean, the books themselves were. At that time in my life, something that I would probably have to work for a year before I could even afford that book.
 
And so, I started doing some research on what programs were available in Kenya. At the time, not as many for computers or computer science or information systems. And so, I would spend a lot of time in internet cafes because we didn't have internet at home. I would just look at various courses and I realized that the US had a number of interesting paths for people who were interested in computer science or just information systems in general. And so, I sat in working on the campaign with my parents that I wanted to one day go to the US and take a computer course. They were always very supportive. Yeah. I mean, they didn't get it, but they were supportive.
 
So my dad, through his work—he was, for a long time, in the medical device business—and he had some contacts in Buffalo, New York. He said, "I have a friend in Buffalo, New York." All I heard was the "in New York" part, by the way. I didn't really pay much attention to geography at the time. He says, "I think we can afford to send you there for a month, and then you can figure out how you're going to pay for your schooling. Well, number one: if you can get in and then pay for your schooling."
 
And I said, "Fine."
 
And so he talked to his friend and his wife and they said, "Yep, we're home for a month. And she can do some tourism and all that good stuff."
 
That was really the path that opened a door for me because I ended up in Buffalo and the folks who know Buffalo up there, it's a wonderful place to go to school because it's extremely cold. And coming from a warm climate to a cold climate being indoors, I could focus a lot on my studies and I ended up getting an undergrad. I started off in CS, but then changed my mind midway because I was interested in information systems because it offered a broader set of courses that I was interested in. So, it was a little bit of programming, a little bit of database work. And then, the business courses [because] I was also interested in how you can apply technology to solve business problems. That's really where my mind was going.
 
Ayman
Okay, so [comparing a] information systems to a computer science degree, what are the trade-offs today versus back then? Or, what are the trade-offs today for those in college and looking for college as a career path to technology?
 
Betsy Bevilacqua
Yeah, so I think today follows inviting someone. And I do advise people trying to get into the fields that I still think that CS will give you a better base because if you look at where we are today and the problems we're solving, if you have a good understanding of data structures and algorithms, CS teaches you how to think. Also, it gives you a good base for even if it's just very simple programming. So, you know, I find having to do [information security] a little bit more extra work than if I had already a CS degree, but at the same time, from a business perspective, if somebody gives me a financial statement, I know exactly what's going on there. It really depends on the path that you want to take. But I still always say if you can, even do two years of CS before you branch out. If you were really interested in security, it gives you a good context into solving a lot of the issues we see today.
 
Ayman
Okay. That's helpful. So you did information systems or management information systems as an undergrad. And then, did you go straight to the private industry or did you continue with like grad school or anything like that?
 
Betsy Bevilacqua
Right after undergrad, I went to work at a cable company. So, if you're an international student to the US, back then, you got a year after graduation to work in your field. I opted to find some work just so you can see what the real world was like, and I found myself going to banking at the time or healthcare. These [were] the major industries. And then, there was this company called Adelphia Communications. I was able to get a job at Adelphia as a technical support representative. Basically, what that meant [was] I got to learn a lot about internet infrastructure because I'm the person you called when your cable went down. [I] got to spend a lot of time talking to people. But we also had opportunities to work with the field techs and do ride alongs. I really got a good education there on what it takes to provide internet and to bring that into people's homes.
 
Ayman
That gave you a lot of real experience. What was your role like? Were you technical? Were you in security at that time? Were you just kind of just doing basic IT at the time?
 
Betsy Bevilacqua
Oh yeah, this was basic IT and I should mention that when I was in college, I also worked in the IT department. So, I was help desk. I was building labs. So, I always had a computer job. That was pretty much how I paid for my meals.
 
Ayman
That's really good. That's a good base. Like, from an experience perspective, [a] really good base. Wouldn't you say?
 
Betsy Bevilacqua
Yeah, it was a lot of fun. I mean, I used to push carts with the all-in-one max. I don't know if you remember those. I got the chance to replace them: silicon graphics machines in the CS lab. I learned how to ghost a machine. I also learned what viruses can do in a university once they hit the network. Lots of interesting times there.
 
Ayman
Yeah. Lack of segmentation back then.
 
Betsy Bevilacqua
Oh yeah. Or even a NAC, right? Like what is network access?
 
Ayman
Yeah, the dorm network connected to the lab networks. And so how did you actually transition into security?
 
Betsy Bevilacqua
Yeah, so as part of this MIS program, I got to meet—and, by the way, I should add I worked for a year at this cable company, and then I went back and got my master's. I got an MBA—within that time, I met a professor who was working part-time for the FBI, working on cybercrime. And she was also writing a book on security. And the more I got to know her, I took a few of her classes and I was really interested in what is this security thing? And it's almost as if I'm sitting in class one day and it just clicked. She started to talk [to] me about trust and confidentiality. And these are things that I had thought of, but never really applied them or even thought about how they would apply to people who are building companies or building systems. And I remember almost getting goosebumps going, "Wow, all this sounds amazing," and just the idea of being a defender really attracted me to this field. And that's basically all it took was getting my eyes opened by this professor.
 
Ayman
That's amazing. This is during your MBA, is that right?
 
Betsy Bevilacqua
I met her towards the end of my undergrad and because it's a small school and I was always living in that community. So we can say it was between undergrad and grad time.
 
Ayman
And was she an actual professor? Like, how did you end up in that class or was it a guest speaker?
 
Betsy Bevilacqua
Apparently, she's no longer with us. She passed. She was a full professor. In fact, she was, at one point, the head of the department.
 
Ayman
Was the whole class security-related or?
 
Betsy Bevilacqua
She's done courses like Intro to Security.
 
Ayman
Was it an optional class or required?
 
Betsy Bevilacqua
It was optional.
 
Ayman
So you just happened to have taken that class?
 
Betsy Bevilacqua
I just happened to have taken it. And back then, nobody was really working on security classes.
 
Ayman
Yeah, that's amazing. I mean, the goosebumps story and being a defender is like something I hear constantly where someone is just opened up and like, "Oh, I didn't know that this is possible or how it applies to the real world. [That applies to] many of my previous guests and just folks out there. So, that's really exciting. I'm actually getting goosebumps right now, just thinking about it. And so, you got this opening into this world of security, and you kind of went like, "Okay, how do I get into it?" I'm assuming.
 
Betsy Bevilacqua
It was at that point [I was wondering], "How do I do this for the rest of my life?" Again, back then, nobody was really hiring for security folks. So I get this MBA and then I'm like, "Okay, what do I do now?" And I started applying. I was very close actually to getting a gig at a bank. [It was at] one of the large banks doing AML (anti-money laundering)— which I find it hilarious because [of the] industry I'm in now—but I had two choices: go work in the mail industry or go and work at another university, so the University of Buffalo as an incident handler. And I said, well, the anti-money laundering thing is cool and all, but I'm going to learn so much more going to this university. And also, just the fact that there was room for growth in different parts of security—which, by then, I started gobbling up all this information about the field—when I looked at the path, I said, "I had probably learned more working on incidents." So my first official job in security was a security incident.
 
Ayman
Oh, okay. So you went that route. How did interviews go then? I was interviewed for that position and other positions at that time for security. Did you get any rejections? Maybe walk us through some of those wins and losses?
 
Betsy Bevilacqua
Yeah, so for the bank, I would say [it was an] easy interview because they were looking for people they could train. You might know a little bit about anti-money laundering controls. But for them, it was, "We'll get a bunch of grads. We'll walk them through this path," and the work was very structured on the security incident handling.
And, by the way, it's not like there [were] a plethora of jobs that I had interviews for. It was a pretty tight market at the time.
 
Ayman
You were staying in Buffalo. I dunno if the job market in Buffalo is where you applying locally or nationally or locally.
 
Betsy Bevilacqua
So at the time, I wasn't thinking about leaving Buffalo. My search was very much focused [there]. And in Buffalo, there's academia, there's healthcare, biotech, there's, of course, banking. I think [it] maybe still does have a bunch of data centers, but we're talking, you know, this is a long time ago. I would apply to a lot of jobs, like help desk jobs. So there's a lot of IT jobs. If I want it to be a sysadmin, this would probably have been much easier if I wanted to go and work in insurance. That would have been much easier. But I was very focused on getting a security role: a security role [that was] in Buffalo.
 
In that myriad of possibilities, I even randomly reach out to recruiters, and they would say, "Well, it's 10 IT help desk jobs."
 
And I would say, "Nope."
 
So the interview process for this particular role, because I had already worked in the academic setting—so I went to Canisius college and then I was applying for a job at the University of Buffalo—and a lot of the challenges that I saw when I was working [at the] work-study program—you know, I told you about the labs I'm working [at] the help desk—all of that was very applicable to it, obviously.
 
And they said, "Yeah, absolutely. You know, you should come work here." So it was a very easy process, at least, for that particular role.
 
Ayman
That's good. Actually, that's a common thing for a lot of industries, actually. I've noticed even as a senior person, when going to like, say healthcare, and they're like, "Oh, you don't have any healthcare experience or health industry or medical device experience" and the same with the universities. So it seems like a lot of these positions want to see some similar background, even back then, it seemed to be the case.
 
Betsy Bevilacqua
Yeah, and again, I was entry-level. So, sometimes, when you hire an entry-level, you want to make sure that the person won't require too much handholding because when you are starting a job, there is a need to provide folks a lot of guidance. And sometimes, depending on the size of the team, if the hiring manager doesn't necessarily have the cycles to grow someone, they're probably looking for [someone] who can ramp up quicker.
 
Ayman
Let's jump around a little bit. So you, as a leader right now, what are some things you look for when hiring someone?
 
Betsy Bevilacqua
For me, what's really important is EQ: emotional quotient. Of course, IQ is important, but EQ, for me, is paramount. And part of the reason why I bring this up is in the industries we are in today, looking at where security is headed, it's really important to have empathy for the teams that you're working with and supporting. For me, I look at it as if you already come in with the correct attitude around how we coach people—I love Netflix's approach of guardrails, not Gates. I really buy into that because I think you can build a really strong program with that. That is the context—so in any of my teams, I always look for people who are willing to use the word "no" sparingly, and to help advise people, provide people that data that they need to make a good decision. But that means you have to invest a lot in teaching. You have to invest a lot in influencing, and that's not always easy; that's the hardest skill to hire for versus going and getting the top contester or U-verse or whatever technical background we're hiring for.
 
Ayman
I saw Twitter posts about hiring 10X engineers, and then people are talking about how these 10X engineers are often some of the not so favorable people in the office. And they may know, but [they're] not really nice people in general.
 
Betsy Bevilacqua
It's really hard. I mean, sometimes you can fall into the trap of looking for somebody who's just amazing at their job that nobody wants to work with them. And so then the question is: "are they up-leveling themselves or the rest of the team?" Especially if you're in a small company or a small team, you want someone who's going to connect the organization and not just focus on one particular thing and not have influenced or even have a negative influence because at that point, building up team morale can be really challenging.
 
Ayman
I think there was a phrase that you used that I love where you're dealing with humans that they're technical, but... what was it that you said?
 
Betsy Bevilacqua
Oh, I said, "We're debugging humans."
 
Ayman
Yeah, that's one of my favorite things I've heard lately.
 
Betsy Bevilacqua
Oftentimes, the problems we're dealing with, they start off as technical problems but then you dig deeper and you realize humans are going to human. So we've been [in] the business of debugging humans.
 
Ayman
So you might be saying, "This person might be smart, but I don't want to deal with debugging this person." Trading one problem for another. That's interesting. So, now you're in the incident response. This is your first real cybersecurity role. Tell us how that was like.
 
Betsy Bevilacqua
One: just shout out to the people who are living and working in IR, so all the SOC analysts, people carrying around, we don't have pagers anymore, but you got the app on your phone.
I mean, it was interesting. So, at the time, AOL was a big thing. [On] the college campus, one-time, we watch the yellow worm just take over our network. We had instances where we would have people come in and connect their machines that are living lives of crime because they were part of a botnet and they don't know, you know, people won't know, but the machines don't know that.
 
And I would have to be the person to send them a note and say, "Hey, you need to get off my network because we need to fix this infected computer." It was trial by fire because we didn't have processes built out yet. So, as an example of what some of the things we would have to do is if we identified a compromised device, we'd have to hunt down the person. But because this is a public university and—at the time, I don't know why we weren't using email, but we were actually—I was doing mail emerges of letters and then, I would have them delivered by the RAs. It was crazy.
 
And so, this was how we were doing containment. And then, after a while of this, we ended up growing our team, and we hired a security analyst and between the security analysts, myself as the incident response. And I think there were two more people involved in the networking team.
 
We started looking at building a NAC. Like a homegrown NAC. I think about this now and now, I mean, these are products that are available on the market. But anyways, the network team built this system called NetPasss. And the idea was you would connect your device. It would put you in quarantine. You'd have to get scanned. And that would, at the time we were using Snort, and then —because we're a heavy Windows community—I would work with another Windows sysadmin and we would look at the largest phones. And then, we would pick which ones we cared about. I think we also included a botnet scanner, but anyway, so you go into this, you know, jail. [If your] devices went to this jail, you get scanned, and then you would get out of quarantine.
 
And there were times that the switch would fail. There [were] some upgrades that needed to be done. So, it didn't always work. It was really, really buggy, but we actually saw good results out of that. And at the time, I didn't realize that we could probably just have done this easier by going to purchase a solution versus spending all the time when we did to build it.
 
But I learned a whole lot through that experience. And most of what I learned was [about] how to communicate to people about what was wrong with their devices. And then, how best to fix them. So we ended up getting a partnership with the campus bookstore where people could go in and, you know, take my letter with them and they would be able to get help, which, oftentimes, just meant reimaging the boxes.
 
Ayman
Okay. The bookstore had IT people, is that what I understand?
 
Betsy Bevilacqua
The campus bookstore, but you [could] buy computers from there. You could buy yourself software.
 
Ayman
That's cool. So, your IT experience helped you with coaching people on remediating their security. And I guess you've built up some EQ in that, right?
 
Betsy Bevilacqua
Oh yeah. I mean, we're talking about college kids. Lots and lots of patients.
 
Ayman
So if we fast forward, I think you spent quite some time at Facebook. Tell us about how you helped evolve the security program from when you entered it to when you left. Or is there anything you could share in that regard?
 
Betsy Bevilacqua
So some of the things I can share, I was brought in to Facebook after—and this is public knowledge—Facebook signed what is known as a consent order from the FTC, which basically means that for the next 20 years, that Facebook would be required to undergo a number of audits, security audits, as well as provide the result of these audits to the FTC. But at the same time, Facebook [resulted] into looking to roll out its Workplace product, which is similar to Slack. And so, there were a number of activities going on that meant that for the first time, that Facebook wouldn't be under a lot of scrutiny from auditors, and regulators on the team [were] fairly small.
 
When I got there, the security team was small, but also focusing on risk and compliance and how do you translate all the controls you've put into place into a narrative that is centralized. And that also, we reduced the load on our engineering teams due to audits. Because it wasn't just auditors coming in. We also had regulators coming in from the payment side of the house because, at the time, you could send money on Messenger.
 
There was a lot of activity going on and [I was] brought in to work with the audit team and work with the engineering team and work with the privacy team. Lawyers as well, because we were also looking at privacy shield. This was right when Safe Harbor was gone, and now, this is all of these controls that we put into place that we have to build out and work with multiple groups.
 
I just loved this kind of work because it meant that I got to spend a lot of time with not just security engineers, but also our product. So people were building out very nascent versions of features. Or, even if we're working on acquisition, helping those acquisitions come in and understand how to build on top of the Facebook stack.
 
But, from a security perspective, [it] was really interesting. I got to have a hand in a number of those programs. But I think reflecting on my time there, the work that I [was the] most excited about was the work that touched people. [By] people, I mean the next generation of security professionals. So, we were really fortunate to be able to have a program outreach program, which in my last years there, I ran an amazing team of very dedicated people who worked to build out programs [in] underserved [communities]. So, as an example, we would go to the universities in rural areas. We would go to historically black universities. We partnered with a group called CodePath—these programs are still in place today—and we piloted a course, Intro to Security. [It was] mostly on application security because that's where we saw some of the gaps within the industry.
 
People would go to CodePath or CodePath would teach these courses onsite in these campuses with a high population of underrepresented minorities or even people just going into university, the first people in their families to go into the university, and we would pull from the CS programs. We worked with a few professors who offered this course as an elective. On the one hand, you got to take this course and you would get course credit, but also, we were opening your eyes to the world of security. Even today, we have people working at Facebook who went through this program, and we have people working in some of [the] larger companies that you would identify[as] graduates of this.
 
When I think back, if I ever get another chance, probably, we'll focus on this and, in a sense, opening the doors [is] similar to how that professor I told you about opened the door [for me].
 
Ayman
That's a great segue. Like, tell us more about mentorship. I think you've had some interesting mentorship experience and just tell us about mentorship in general and the security community and your some stories of successes and what you've had to do or what you've done.
 
Betsy Bevilacqua
Yeah, sure. One of the things that I noticed [from] being in security—and I got in fairly early, so we're talking 16+ years at this point—and starting out, when I think about choosing my success, yes, of course, I did the work, whether it's studying or at the time, it was CDs and buying the books.
 
Ayman
It's like the dark ages compared to now.
 
Betsy Bevilacqua
I know! My mind is so blown and like, I can just get a VM. I have my own AWS instance and I can go in there and play like, this is crazy. It was either too expensive or just not possible.
 
Ayman
I mean, [there are] even free websites. You can launch a VM and just play with [nothing] at all. No software, just a browser. Like on YouTube videos, we were literally in the dark ages, trying to find security information. It's just, just wild.
 
Betsy Bevilacqua
Yeah, it's wild. Yeah, so I did the work, but I also had lots of mentors, people who were very, very generous with their time. So, when I left the university, I went to go work at a food and facilities company. And I was a security analyst at that point, and one of my job responsibilities was [the] firewall. I was a file admin, and I had taken a few courses but getting into this stuff isn't like I can just go in and start making changes in prod without much guidance.
 
I'll never forget. My colleague was a security engineer. He'd been in the industry for a while, but he came out of networking and then got into security. He basically took me under his wing and he taught me hand to keyboard timing's checkpoint, how to change firewall rules, and how to configure switches. And when I think about that today and that sort of apprenticeship, without that, I probably wouldn't be where I am today. And I have many other examples of also learning from people when we were deploying PGP encryption to a very large organization of about 7,000 people. That was my project. I was one of the two engineers who were deployed to that program. I think back and I can attribute a lot of that to the generosity of people, and I've never forgotten that.
 
So when it comes to mentorship, I take it seriously because one: I mean, when you keep talking about this shortage of talent, and it is real because it's really hard to hire, but at the same time, we have on the other side people who are very much willing to learn if somebody gives them a chance. Or, we have people who have skills that are very useful for security. As an example, I worked with a really brilliant lady who turned from the public policy world, and she had an interest in security and, through a number of mentorship and coaching, she was able to get a role working on security awareness and knowledge, leading security awareness for a very large tech company. I also have another story of yet another lady who came from network engineering and is now a security program manager for another large tech company.
 
And so, the idea is always looking for one: is there a passion? Is there an interest because security is not something you get into lightly, as you know. We basically take on a lot of risks. It's very stressful at times. But it's also very rewarding. And so, I've always taken the point of if somebody has these qualities and they have transferable skills, you can very easily solve a lot of these problems with people who think differently from me because I think, sometimes in security, if you've been in it for a while, you become like a tribe. And then, you all think the same way. Why are we in 2020 [still] worried about password reuse, right? It's like something needs to change. I think that we're going to get there by inviting more people who think creatively about some of these challenge[s].
 
Ayman
It's like diversifying the gene pool. If you don't diversify, you're going to end up with bad results.
 
Betsy Bevilacqua
Yes, and we don't want a bad resolve. We're already suffering.
 
Ayman
Yeah, that's pretty cool. So these mentors, were they people in your workplace already that you went to seek out?
 
Betsy Bevilacqua
Those are two that [I talk] about to work people in my workplace, but I also, once in a while, when time allows, I do have people who reach out via LinkedIn or through mutual connections, especially, again, a lot of questions from folks who are in audit and are trying to figure out the best way for them to move into more technical roles. That's something I've noticed, especially [during] the past three years.
 
Ayman
And what would be your advice to them?
 
Betsy Bevilacqua
My advice to them is normally, if they're in a large organization, to make use of the training budgets that are available, and then [partner] with more technical teams or [work] with their managers to get more assignments or projects that would expose them to the more technical side of the house. And also, the folks that I'm referring to coming out of audit are looking to get into GRC roles.
 
I've noticed over the past two to three years, it's been my experience [that] we've moved away from this idea of an audit just being a checklist or GRC as being a checklist. You really have to have that context now to be able to make recommendations whether you're dealing with risks or this idea of compensating controls. It's not just so you can just throw these words out there without some guidance for a lot of the engineering teams. And so, a lot of these roles are required to have that technical context to be able to help guide these conversations on both sides. That's really where I advise them: more risk appetite or more opportunity to rebrand themselves or transform themselves. Go back and get some core courses under your belt from CS.
 
[There are] lots of bootcamps now that are not as expensive and can probably be done part-time or in an accelerated fashion to give you the boost that you need for that next role.
 
Ayman
That's cool. So how does one seek a mentor out there? Not everyone can be available. From the mentoring side, not everyone is able to be a mentor. What are some things that you would recommend? Because there's a lot of people out there that are looking for mentorship. And so, what are some suggestions for them to find mentors to help them?
 
Betsy Bevilacqua
Yeah, that's a good question. So, I think today more than ever, there's a lot of groups that people can join and you don't even have to be there in person. We're now all mostly confined to our homes, but [there are] lots of digital communities.
 
One of my favorites is WiCyS's Women in Cybersecurity. There's Blacks in Cybersecurity. There's a number of communities that you can join that don't cost money, where you can network. The idea of mentorship, it doesn't have to be something where you're building or you're investing so much time with someone. You could have the micro, I'm just calling it the micro mentorship, where if you have a specific question that you'd like to get answered that you approach someone through those networking channels. And just ask that one question, because that's the other piece they'll say when some people approach me, "When can you mentor me?"
 
And I'll say, "Well, what specifically is it that you're looking to do?"
 
And they don't know. And I say, you have to do the work first. You have to decide what it is that you want to get out of a mentorship relationship and then zero in on that because it could be that you have a number of people who can help you. It's much easier if you're coming to ask me a very specific question versus if you were coming to ask me a number of questions to work with you to identify. It maybe sounds harsh, but at the end of the day, even the people you're approaching as mentors, they probably have a number of other competing priorities and they can't always extend the energy. But, if you can at least get one or two questions answered, that will take you down a specific path that then will [lead to] more self-discovery and that's better than nothing.
 
Ayman
That's exactly right. And then [there are] groups, right? So you could try groups out there, searching if there's one particular person that you think can get then that's like the one-on-one and asking a focus question. Different escalations of right mentorship out there from crowdsourcing to the individual.
 
Betsy Bevilacqua
Yeah, and I mean, I guess it depends on the digital communities we're talking about, but I even see people on LinkedIn who will just if you share what you're doings are, then people are willing to just help.
 
Ayman
Yeah, absolutely. LinkedIn. Reddit. Twitter, 50/50. But there are a lot of communities out there that you can post a question and get a variety of answers, and just take one of those answers and run with it. Yeah, that's great. Is there anything you want to talk about? Like, diversity and inclusion or anything like that that we didn't get to talk about?
 
Betsy Bevilacqua
Yeah, one: I love that right now. We're at a fever pitch with this message of diversity and inclusion and actually something that I saw this morning that really warmed my heart was we have 17 discussions around the language we use in technology today. Um, somebody said, it was in a Slack that somebody said, "I want us to think about how we coach certain topics" and they give the example of master and slave. And this was in relation to GitHub.
Even in security, we have a lot of language that is, I'll call it "legacy language," that will attribute negative characteristics to the color black. So we have black hats and white hats and gray hats. And so, I think a lot about this. I think about [it] from a technology perspective, people coming up through the industry and what does this language do to your psyche?
 
Because I remember the first time somebody said "master/slave," and they were referring, I think, [to] a database or something. And I remember being taken aback. Then, all of a sudden, it just became so commonplace that I started using it.
 
It just was something that will take a long time to fix, but just being conscious of it, sometimes, even the words that we use in an industry can have a negative impact on people who are hearing them for the first time and might be taking them out of context. We should be thinking about how to make changes there.
 
Ayman
Like, blacklists, whitelists, right? I think just having more empathy in just what we're doing.
 
Well, Betsy, thank you so much for your time. This has been quite illuminating, and I'm so happy to get your story and share your story with the world. So, thank you for coming.
 
Betsy Bevilacqua
No, thank you. This was a lot of fun, and thank you for inviting me. I hope that this will be helpful and useful to folks who are looking to get into the industry.
 
Ayman
Oh yeah, it definitely will be.
 
So thank you so much. Yeah, this will be great.
 
Betsy Bevilacqua
Thanks.
 
Ayman
All right, thanks.