Podcast | 04th Aug 2022 / 09:00

Cybersecurity Sessions #10: Mentoring in Cybersecurity

Narrowing the cyber skills gap by mentoring underrepresented communities
Alex McConnell Cybersecurity Content Specialist

Listen across podcasting platforms

Mentoring is essential to closing the cybersecurity skills gap, especially in realizing the potential of people from underrepresented communities. In recent years many newcomers to cyber have been mentored by Gabrielle Botbol. Since teaching herself how to be a pentester, she has become recognized as one of Canada’s top 20 women in cybersecurity.

Andy Still finds out how Gabrielle entered the world of cybersecurity after leaving another vocation, and how she is helping the next generation of women and underrepresented communities follow her ‘six steps to becoming a pentester’.

Gabrielle Botbol, Offensive Security Consultant at Desjardins

Gabrielle Botbol is a penetration tester, cyber security blogger, and podcaster who created a self-study program to become a pentester. She focuses her efforts on democratizing information security for all by offering her time to various communities. Gabrielle has won multiple awards such as Educator of the Year at the Ally of the Year Awards 2022, Top 20 Women in Cybersecurity in Canada in 2020, and Pentest Ninja by Women’s Society of Cyberjutsu in 2021.

Key points

  • Gabrielle’s journey from actress to penetration tester
  • Her motivation to mentor and help others interested in cybersecurity
  • How organizations can encourage underrepresented people to pursue cyber
  • Six steps to becoming a pentester
Loader image

[00:00:00] Andy Still: Hello. Hello and welcome back to the Cybersecurity Sessions, our regular podcast talking about all things cybersecurity with myself, Andy Still, CTO and co-founder of Netacea, the world's first fully agentless bot management product. In this episode, we're going to discuss whether the cybersecurity industry is as accessible as it could be.

Anyone who's involved in hiring will know it's usually a struggle to find talented people, with there being more jobs than there are available applicants. So it's easy to assume that it's an industry that's easy to get into and to progress in. Today, we're going to be discussing whether there is still problems within the cybersecurity industry, addressing things like the skills gaps, and ensuring that all communities are represented. To discuss this topic, we're lucky to be joined by Gabrielle Botbol, who has been helping find the next generation of security professionals. Welcome Gabrielle. Great pleasure to talk to you today. Before we start, could you quickly introduce yourself for our listeners?

[00:00:54] Gabrielle Botbol: Yeah, sure. So I am an offensive security consultant at Desjardins, which is the biggest financial cooperative in North America. And four years ago I switched from developer to pen tester. But, before that I was an actress and I was passionate about technology. So, my curiosity and my love to always learn new things, brought me where I am today.

[00:01:20] Andy Still: Thanks Gabrielle. Can we start by just looking a little bit at your journey in the industry? So I believe you are completely self-taught and have progressed to be one of the top 20 women in cybersecurity in Canada. Can you just talk us through what that journey was like?

[00:01:34] Gabrielle Botbol: So, in high school I studied arts and literature to become an actress but, at home I really loved to program websites about theater. And at that time I did not dare to go in computer science. And I was not really sure what I wanted to do. And also my parents and my school teachers, they saw me more in literature studies.

So that that's how I became an actress. And on the side I was a hotel receptionist, but my passion about programming became bigger. And, on working holiday design Canada, 12 years ago, I had the opportunity to work in IT. And so when I came back in France, I decided to pass a bachelor degree in computer science.

But after this, I got hired in a big company. And when I was working there as a developer, I found myself, you know, questioning the security of the apps I delivered. So I began to do my research to find training, to become a pen tester, but unfortunately, no training fitted my profile or they were too expensive.

So I decided to make my own program and, well, that's how I got hired as a pen tester because I documented all this program in the blog. And now I have been working as a pen tester for around three years.

[00:02:59] Andy Still: Yeah. And I think that's probably a familiar story for many developers. So coming from developer background, there was often not a lot of consideration given to security. and there was a lot of challenges trying to get, certainly some developers, to take that seriously. Is that kind of what you were seeing?

[00:03:18] Gabrielle Botbol: Yes, that is it. But I feel like it's getting better. These days we see a lot of application security now, which was not that much before, so it's getting better, but, when I studied computer science, there was not a lot of security courses in my university or in my program, I did not have computer security courses, which is strange for someone who is going to develop apps, but yeah, that was the case.

[00:03:54] Andy Still: Yeah. And I think looking at universities now, I think cybersecurity degrees are becoming more common, but even then, there seems to still be a distinction. You know, you do computer science or you do cybersecurity. And the computer science may have a beginner's course to cybersecurity, but you kind of go down one or other pathway.

[00:04:19] Gabrielle Botbol: Exactly.

[00:04:19] Andy Still: Yeah. So the journey that you've been on, obviously the challenges that you face trying to address that, has that inspired you to mentor others, then?

[00:04:30] Gabrielle Botbol: Yes. You know, it's important for me to share my journey, but more importantly to share the results that helped me build my program. Because, yeah, so I think it's essential to mentor, in a field that is as big as cybersecurity because we can quickly get lost or discouraged because there is so, so much information and subfields also in cybersecurity.

So, for a few years I've been involved in several communities to mentor different people, including Women in Cyber. And I wanted to share my experience with them, but, you know, mainly help them avoid wasting time on specific questions I had during my process. So yeah, for me, mentoring is also a way to show that it is possible to succeed in cybersecurity. Even if you don't have a technical background or cannot afford university fees because, that was my case. And, well, look where I am today.

[00:05:31] Andy Still: Why do you think it is that certain communities are underrepresented in the cyber world?

[00:05:39] Gabrielle Botbol: I think we need to switch from awareness to building a cybersecurity popular culture, because it's essential for it to become a lifestyle. And this way we might be able to have more people from underrepresented communities. But, what I hear is that there are a lot of women that are willing to join the industry, but some of them don't stay because they don't have the codes. And it was an industry that was led by men for a long time. But now I feel like it's getting better. There are a lot of programs to, you know... a lot of communities also to help women get in and also, LGBTQ plus and a lot of people from underrepresented communities. So I feel like it's getting better, but I still think that we need to make it more broad. If you see what I mean.

[00:06:36] Andy Still: Yeah, I do, because I think it can be quite an intimidating industry. I think looking at it from the outside can be quite a reputation of, you know, if you're not hitting certain levels, if you've not got all certain level of knowledge that you would not be made to feel welcome. And I don't know whether that kind of reflects your experience at all.

[00:06:58] Gabrielle Botbol: Yeah, totally. I mean, I also often hear that when a woman is going to see a job posting, she's not always going to apply unless she has all the requirements, but on the contrary, you know, men are going to apply anyway, even they have not half of the requirements. So, you know, I think this is, this goes. in how we, women were educated and how men were educated, there is this bias he's getting, you know, later. So yeah, I, feel like, it can be intimidating also because this is a field that has a lot of technical aspects and everything. And so for everybody, a lot of the education we had, it seems like woman were not allowed to be technical, in a way, by society.

Thankfully, it's starting to change now, but yeah, I feel like it might be intimidating. And that's why also we need more role models and more woman who made it to showcase that they were able to do it. And that it's completely possible for any woman who wants to be technical or who wants to go in cybersecurity and work there. There are plenty of successful women and that's why we have awards or things like this.

This is a way to make them visible. So I'm really happy that we see more and more awards and more and more women who are mentoring other woman. And a lot of these communities I mentioned, that's great that that's getting better, but we have to continue this hard work.

[00:08:40] Andy Still: Yeah. And it sounds like, it needs addressing at all levels. And I'm thinking of obviously there's the side that you are talking about. So there's mentoring and I think, for example, education, do you think this is something we should be addressing much earlier in the education journey of, you know, right from kind of young school age and things like that?

[00:09:01] Gabrielle Botbol: Yeah, totally. As I just mentioned, you know, we need to switch from awareness to building this as a cyber culture. Because it's essential for it to become a lifestyle. I mean, cyber, it needs to be a habit and for this to happen, we need, for example, the cyber community to double itself, to popularize cyber security.

And we also need companies to apply privacy and security by designs policy, but we also need public services to train young people in computer hygiene from, yeah, really an early age. And also, launch national advertising campaigns to stay safe online. This would definitely be helpful.

[00:09:42] Andy Still: So, if you were, talking to employers, what would be your message to try and encourage more people from other communities, more women, to try and, basically, what can employers do to help this situation?

[00:09:56] Gabrielle Botbol: You know, I feel like they should first, make their job posting more accessible, it's getting better now, but before it looked addressed to men because of the pronouns that were used and things like this. They should also let beginners and people know that anyone can apply, you know, because... I have a fun story about this, actually. My first opportunity in Canada as a pen tester, I applied for posting that was for experienced... They were looking for a senior position, but I figured, okay. I'm just going to apply anyway and see if my profile is interesting to them. And they actually asked me to come and to do the interview. So maybe companies could also post a junior position postings so that they could actually attract more talents and if someone is not experienced, someone does not have all the criteria, we can still give this person a chance because everything can be learned. So it's really important to stretch that out.

[00:11:11] Andy Still: Yeah, I think that's a really good point. And I think that highlighting the fact... you mentioned it earlier, that particularly women tend to not apply for roles where they think they may not have all the necessary or specified attributes, that actually being a bit loose on that and having more things as optional and less things as required attributes, I think is a good call.

I always think from an employer point of view as well, that if you have those kind of wider adverts then, and you're willing to take a chance on people that if you look at the kind of spread of people in your team and trying to get as much variety of backgrounds etcetera within the team, then it actually makes for a better team. So not being so prescriptive, and then you get the wider range of applicants, then you can take a chance on people.

[00:12:01] Gabrielle Botbol: Yeah, completely. And I mean, a team is full of various people. So, people can learn from each other also. And so it's a good way for anyone to get better. And so we definitely need different skills and different... that's how we progress. That's where everyone progresses. That's the team dynamic.

[00:12:22] Andy Still: Yeah, and different backgrounds just bring different perspectives and different skills. So I think it's really interesting to take that into consideration when you are defining who you are looking for. Do you have any particular success stories from the mentoring work that you've done that you think is worth sharing?

[00:12:39] Gabrielle Botbol: You know, a while ago, I mentored, someone who had a different background. She was from biology, and she went to cybersecurity and today she's in cybersecurity and she's very, very happy. And, so yeah, that's the kind of thing that, makes me want to continue on this effort because I think it's important she can show that it's possible and everything. So spread the word and...

[00:13:16] Andy Still: Well, and it only takes, one success story like that, and then hopefully that will spread and we'll see more and more of those things. So if there are other people listening who want to get involved and do things like the mentoring, things that you do, how would someone go about getting involved in that?

[00:13:33] Gabrielle Botbol: So there are a lot of different communities that offer monitoring process for a lot of things. For instance, you have... something that is very good, I'm going to talk at the Diana Initiative soon and they offer the possibility to pair you up with someone who is going to help you with your talk, if you want to make it better before the day. So you have this side also, that is very, very, very great. And they also offer a mentoring opportunity. If you want to help someone make their call for paper better. So, this is a way. But also for women in cybersecurity, you have a lot of communities that will ask for people to mentor.

So there is the cyber safe foundation, with which I'm working this year, and they actually help women in Africa to get the technical skills in cybersecurity and different skills in cybersecurity. And so it's called Cyber Girls Program. It's really great.

And there's also a lot of different communities like this, the Women Society Cyber too, they also have mentoring possibilities. And also I know that, on Twitter, there is this hashtag called Mentoring Monday, and there's a post, I think it's Danielle who's posting it. And she said, if you want someone to... she actually tries to pair the people who need to be mentored, and people who are willing to mentor other people. So, that's also very nice, and very good way to get involved and mentor someone.

[00:15:16] Andy Still: Excellent. I've known a few people being involved in mentoring and found it such a rewarding experience. And I think there's probably a similar level of reticence for people to mentor as to enter the industry. And I think you will have something to give to the people who are looking for mentors and it is a very rewarding thing to do. You mentioned, Gabrielle, that you have created your six steps to become a pen tester. Do you want to share a bit more information about that?

[00:15:45] Gabrielle Botbol: Yeah, sure. So, I base my program on a lifelong learning education science concept called apprenance, it briefly says that learning can take many different forms and it can happen in many different situations. And so I organize this program around six steps. And so the first is eLearning, you know, to learn about the fundamentals in cybersecurity.

The second is conferences to meet people, to network and to learn about different topics in cybersecurity. The third one is capture the flag competition or capture the flag platforms to practice in a fun way. And the first one is internship, to get to know the industry from the inside. And the fifth one is volunteering to meet like-minded people and to network because it's really, really important to have a good network.

And the sixth one is learning expedition to learn about research and cybersecurity. And as a resource, I can offer my blog, which is https://csbygb.github.io, and in there I explained my steps and I made also multiple libraries of resources to learn pen testing. There's actually a link to my Gitbook there.

And also if you follow me on LinkedIn, I regularly post a list of resources about different topics. It can be in pen test, but it can also be in cybersecurity more generally.

[00:17:20] Andy Still: Excellent. That sounds like a great program. I think what I like about the program you've put together there, is it does so much to de-mythologize the work that you'd be doing and make it more real. And once you get into it and actually talk to people who were doing it, you'll probably realize it's not as scary as you might have thought it was.

It's not as challenging as you might thought it was. And there's a route to get from where you are today to where you will need to be, but it's not anywhere near as scary as probably you might be thinking it is.

[00:17:55] Gabrielle Botbol: Yeah, exactly. When you start to take the steps and meet people, go to conferences, you really see that. First you discover new fields within cybersecurity that you probably... you maybe did not know existed. Like, that's what happened to me. I saw that there were so many fields.

I had not imagined how broad it was and yes, it really did dramatize the complexity of cybersecurity. And I realized that it's completely something really fascinating and really interesting and not complicated as everyone are trying to make it complex, but it's totally something anyone can do, and in different ways. And you know what I like also? It's very various and it can be law, it can be politics, it can be mathematic. It can be philosophy, psychology, you know? So different topics, in the one same area. It's really, really fascinating.

[00:19:04] Andy Still: Yeah, and it's really easy to get to something that's quite rewarding as well. You'll soon get to the point where you've genuinely made a difference and you've stopped something bad from happening to someone, which adds a lot of value to what you do when you can see that kind of real-world impact.

[00:19:21] Gabrielle Botbol: Yeah. I mean, I have this feeling when I'm doing pen test and I discover vulnerability. I'm very happy because I feel like this way I'm going... the application is going to, or the system is going to be better and more secure. And that's really a really rewarding feeling.

[00:19:40] Andy Still: Yeah, it is. You've genuinely stopped someone's data from being stolen, some system from being compromised. So just to finish up today, if there was one piece of advice that you're giving to a young person interested in getting into cybersecurity, what would it be?

[00:19:57] Gabrielle Botbol: I would say don't give up and never stop learning, aim for the moon and everything's going to be just okay. And don't be shy, ask people on LinkedIn, talk to people at conferences. This is definitely something that will help a lot.

[00:20:18] Andy Still: Excellent. That is very, very good advice. And I think that's a great way to wind up the show for today. So thank you very much, Gabrielle. It's been a great conversation today. Thanks everyone for listening. As usual, if you have any feedback, you can do that by our Twitter account, which is @cybersecpod. Or you can email us at podcast@netacea.com. Please subscribe, please leave a review and I hope you all enjoyed the conversation today. Thank you again, Gabrielle.

[00:20:49] Gabrielle Botbol: Thank you for having me.

[00:20:51] Andy Still: And goodbye everyone, we'll see you on the next episode.

Chosen for you

The Bot Management Review: How are bots skewing market...

05th Jan 2022 / 09:13 VIEW video

Gartner: Setting a Cybersecurity Budget Across your Bu...

01st Aug 2022 / 01:00 VIEW guide

Customer Loyalty: How are bots exploiting business logic?

28th Jun 2021 / 16:32 VIEW whitepaper