A research study by The National Center for Women & Information Technology showed that “gender diversity has specific benefits in technology settings,” which could explain why tech companies have started to invest in initiatives that aim to boost the number of female applicants, recruit them in a more effective way, retain them for longer, and give them the opportunity to advance. But is it enough? Three years ago, we launched a diversity series aimed at bringing the most inspirational and powerful women in the tech scene to your attention.
Today, we’d like you to meet Rayna Stamboliyska, VP for Governance and Public Affairs at YesWeHack.

Today’s Woman in Tech: Rayna Stamboliyska, VP for Governance and Public Affairs at YesWeHack

As Vice President of Governance & Public Affairs, she will expand strategic cooperation between ethical hackers and political organizations. In her new position, Rayna Stamboliyska will focus on raising awareness of digital security risks among political actors and advising them on how to proactively counter these risks. The cybersecurity expert worked for many years in risk and crisis management, including for international organizations such as the World Bank, OECD, and UNESCO. Rayna Stamboliyska’s main task will be to build a bridge between the YesWeHack community, consisting of 15,000 ethical hackers, and the needs of an increasingly networked, digital society.
To this end, she intends to focus on strategic issues of cybersecurity and digital governance. An important part of this is the responsible handling of security vulnerability disclosures, governed by a Vulnerability Disclosure Policy. A further aim of the security expert is to become more involved in the EU project SPARTA, a pilot research project on Ethical Hacking Certifications. Before YesWeHack, Rayna Stamboliyska was Chief Information Security Officer and Data Protection Officer at the Oodrive Group, a solution provider for virtual data rooms. She has also worked as an expert and consultant in risk and crisis management for international organizations such as the World Bank, OECD, and UNESCO. She studied political science in Paris and holds a Master’s degree in International Relations. Rayna Stamboliyska writes the column “50 Nuances of the Internet” on ZDNet.fr and speaks regularly at conferences and workshops in Europe. She is the author of “La face cachée d’Internet” (“The Dark Side of the Internet”), which won the “General Public” cyber-book award in 2018. She has recently published a white paper on coordinated vulnerability disclosure with YesWeHack.

How did you end up in your career path?

I went into the tech industry through a rather natural approach, although it was not an orthodox one. Indeed, I was majoring in genetics and evolution when bioinformatics made its way into the curriculum. I understood the importance of being able to leverage technology to address scientific and social questions alike, all while being conscious of the uses. This is what brought me into the Free and Open Source Software community when I was still a Master’s student. Doing a Ph.D. instilled in me the crucial matter of making research data, publications, and code open and accessible to anyone. After graduating with my Ph.D., I went into an innovation-in-education oriented post-doc where I applied those learnings and endeavored to bring technology to the classroom. So when international organizations such as the World Bank and UNESCO invited me to become an international expert focusing on open knowledge (data + code) as a way to improve public service and people’s lives, I became a full-time technology advocate.
What are you most proud of in your career?

There are a lot of things I am proud of: graduating with two Master’s degrees and a Ph.D., writing two books, many articles, and chapters, etc. Yet, the most exceptional pride of mine is having been able to nourish interactions with people who helped me grow, who let me learn how to learn, and who trust me in impacting real change.

Did someone ever try to stop you from learning and advancing in your professional life?

It is not that clear-cut.
Although blunt conflict-prone situations may have arisen, they pale in comparison to a much more toxic gate-keeping attitude. There is an immensely prevalent culture in STEM with some people deciding upfront that their criteria for inclusion must define who can be part of the community. There is a lot of navigating to do between disgruntled meritocracy-motivated guys and silent democracy-driven ones, so it is no surprise that many just find it harsh. (Note: Here’s a long read about the whole meritocracy concept https://www.theguardian.com/news/2018/oct/19/the-myth-of-meritocracy-who-really-gets-what-they-deserve ; as for democracy, the term has arisen from hackerspaces and communities to indicate that responsibilities—thus, power—are for the individuals who do rather than for those who have a diploma/a social status/etc. but little actual contribution.) Even without getting into some Facebookish-level psychoanalysis, there is a clear dynamic of singling out newcomers. This is not new. What is new—and potentially harmful to minorities in STEM—is for them to be seen as people who have to be included just because they are a member of a given minority. That is the reason I am always careful about being singled out as a “woman in STEM”: my skills matter, not my gender, so I’d always aim at being acknowledged for my contribution. Gender-neutral is hard to achieve, though. Lastly, since women are humans, too, they may fully participate in that gate-keeping approach. This aspect is rarely addressed, though.

Who was your most important mentor – and why?

Someone who really unblocked a frequent challenge for women in tech was a guy acting as a director at a big Paris-based global tech consultancy: salary negotiation. Back in 2015-2016, I was looking for a career change.
After spending nearly three years traveling the world, I was willing to settle and have a more sedentary, perhaps less strategic, and more operational job in technology. The issue was twofold: ‘coming home’, getting to develop a Paris-based professional network, and whenever I had job offers, being able to self-appreciate adequately throughout the salary negotiation phase. So, this guy was someone who was able to understand how a trained researcher would approach private-sector jobs in Paris and then helped me ‘trivialize’ the whole salary negotiation thing, which was really scary and uncomfortable for me. For anyone with a multidisciplinary background who has to fight their way into an industry, impostor syndrome is a reality. Thus, putting myself in a situation where I had to argue about money while my self-worth was unclear, even diminished, to myself, was a true block to growing up and moving forward in my career.

A day in Rayna’s life

I am the VP for Governance and Public Affairs at YesWeHack, directly reporting to the CEO. The position is unambiguously strategic and was created for me. It is a recognition of two ideas. The first is that YesWeHack has reached maturity in its ambitions, so that the company makes enough room for someone to work full-time on research and public affairs. This is no small deed for a European startup. What makes it possible is that YesWeHack sticks to its European values of integrity, collaboration, and ethics.
The second idea is that my skillset is recognized as an enabler. We are aligned in terms of values, ambitions—and of means. I am opinionated, which may not always be easy to handle. 😊 In creating my position, I see the immense trust my colleagues invest me with. There is also a very gender-neutral aspect here: everyone is respected and recognized for what they do, effortlessly and fluidly. So far, we walk the talk, which is why, I guess, we have a near-strict parity within YesWeHack! As for a typical day… There is no such thing 😊

What fascinates you about IT security?

Information security transcends every human activity since said activity has a digital existence of its own. So, how security and privacy (a partially overlapping but not entirely substitutable domain of activity) impact our lives and societies is what most fascinates me.
Why aren’t there more women in the tech industry?

There are many reasons for this, although I believe there are more than we think. In other words, there are women stuck below the glass ceiling of a too self-centered manager, or unwilling to be more involved since they value their ‘me-time’ more, feeling insecure about their expertise, etc. If we look at more global proportions, there are a lot of other obstacles: leaky pipeline due to family pressure, salary negotiation issues, a harassment-prone workplace, etc. Furthermore, there are still a lot of clichés associated with this field, from its allegedly awfully difficult-to-acquire skillset to toxic “ol’ boys’ club” culture. We need to do better at informing the wider public about why technology should matter to them, to the point where they decide they want to impact its development by working in the field.
What can politics/society do to change that?

I don’t have THE solution; otherwise, things would be different now. Yet, I can see what does not work. We have seen different initiatives come and go through the years, and they have not borne great results. Overall, we need to stop tokenizing people. We all think with our heads, not with our genitals, so why should we frame and articulate an employment pipeline problem essentially through the gender prism? We do have a diversity problem in STEM; gender is one of the issues, but not necessarily the main one. I started feeling diminished because of my gender when I set foot in Western Europe.
Indeed, in Eastern Europe, the way I was treated was through the lens of my capabilities: how well I understand something, how well I can structure an argument, an experiment, etc. I had never expected to be seen as a lesser human because I was born with ovaries. Thus, in my humble opinion, when addressing a minority problem through the only angle of gender, we also single out women. What we do is say “look, we need to hire more women because they need help, they need saving from their biological condition”. This is not true. We need equal pay, comparable durations of parental leaves, comparable career opportunities, etc.; we need to be treated like regular human beings, not included in quotas.
Those are a sort of positive discrimination and can be toxic. Am I hired because of my expertise or because I am a woman and the company needed to increase female presence? Telling women that they don’t need advanced knowledge or expertise the same way men do is not acceptable either: we should not promote lower quality professional requirements just to get a given gender on board.

What advice (and tips) would you give to women who want a tech career?

Do your job with transparency and modesty, and hold your ground.
Ideas matter; introducing positive and constructive change matters. So, be faithful to yourself and strive to learn evermore.

If you had three wishes to make the world a better/fairer place for women, what would they be?

Equal pay; less gendering, more mentoring.

How would our world be different if more women were working in STEM?

We do need diversity because it enables us to learn better, to get an always evolving and more complete view of the world and of the people around us. Inclusivity, equal opportunities, and equal pay are what make a thriving, innovative, and viable work environment. We need talents to grow as a society, too; so why not embrace all the talents our society has to offer?
Job alert! Demand for cybersecurity professionals doubles in two months; these are the top skills needed
Cybersecurity is one of the few areas where hiring has more than doubled, even though many other sectors have seen a freeze on recruitment because of the COVID-19 disruption. According to industry experts, the demand for cybersecurity specialists has more than doubled in the last couple of months. "Earlier, if there were 100 jobs per month, 10 would be for cybersecurity. Now 20 jobs are for such professionals," Sunil C, head of specialized staffing, TeamLease Digital, said. This demand, he said, would continue to go up in the near future. The increased demand has come on the back of a rise in remote working, which in turn has resulted in rising cyberattacks. Experts Moneycontrol spoke to said there has been a 6X increase in cyberattacks targeting Indian firms.
However, there is a huge talent crunch in this space, with a large number of firms fighting for a limited talent pool. That is why, hiring experts pointed out, this is one of the few spaces that could guarantee jobs. With the risk of cyberattacks increasing, it is not only IT firms but also various other industries that are looking for security professionals.

How do you become a cybersecurity professional?

Jobs in cybersecurity could be broadly classified into four, said Anand Narayanan, Chief Product Officer, Simplilearn, an e-learning platform. These include an auditor, manager, architect, ethical hackers, and chief information security officer.

Systems auditor

The primary role of a systems auditor includes maintaining systems such as firewalls, routers, switches and virtual private networks. They should also be able to identify vulnerabilities.
Narayanan pointed out that the demand for auditors increased 120 percent in the last four months, since COVID-19. Currently, there are about 13,000 openings for this role, according to job search portals.

What is the qualification needed? To become a systems auditor, one needs to be a Certified Information Systems Auditor (CISA), certified by ISACA, an international professional association focused on IT governance. Completing CISA could cost between Rs 30,000 and Rs 40,000.

Payscale: Certified professionals can earn anywhere from Rs 4 lakh per annum to Rs 8 lakh per annum, Narayanan said.

Cybersecurity manager

Managers oversee the information security of organizations.
They are also involved in designing and developing security practices and policies for the company.

What is the qualification needed? One needs to be a Certified Information Security Manager (CISM), certified by ISACA. Candidates will have to spend Rs 30,000 to Rs 40,000 to earn the certificate.

Payscale: A certified professional’s remuneration starts at Rs 12 lakh per annum and increases as you accumulate more experience.

Security architect

Architects are those who set up the security architecture for a company, without whom the company would be vulnerable to attacks, pointed out Narayanan.
These professionals design and implement the infrastructure for the company. Though the roles of managers and architects are similar, the former’s role is purely management-focused. An architect needs to have both managerial and technical skills to design, engineer, implement and manage information security systems. There are close to 18,000 openings for this role, according to job search portals.

What is the qualification needed? One should be a Certified Information Systems Security Professional (CISSP), provided by the International Information System Security Certification Consortium, also known as (ISC)².
Candidates will have to spend close to Rs 50,000 to earn the certificate.

Payscale: According to Simplilearn, the average pay of a security architect begins at Rs 17 lakh per annum.

Ethical hacker

Ethical hackers are almost synonymous with cybersecurity. These professionals are the ones who assess security by finding and exploiting vulnerabilities in various systems, just like a malicious hacker would. However, they do it legally and ethically. In the last few months, demand for hackers from large organizations to assess their vulnerabilities increased, and they have been paid handsomely in return.

What is the qualification needed? One needs to obtain a Certified Ethical Hacker qualification from EC-Council to be employed.

Payscale: Average pay scale for an ethical hacker is about Rs 5 lakh per annum. However, with experience, they can earn up to Rs 15 lakh per annum.
Chief Information Security Officer

This is a senior executive role within an organization, responsible for establishing and maintaining the enterprise’s security strategy to ensure that information assets and technologies are adequately protected. A CISO typically works with auditors, managers and architects to design, develop and implement security architecture so that the company is not vulnerable to cyberattacks.

What is the qualification needed? Narayanan said that a CISO should have the knowledge of a systems auditor, security manager and architect to understand and implement a robust security network.

Payscale: According to various reports, salary could range anywhere between Rs 30 lakh per annum and Rs 4 crore.
US$ 100m paid in bug bounties to white-hat hackers
Ethical hackers on the HackerOne platform are reported to have earned a cumulative US$100 million (£82 million) finding and reporting vulnerabilities through bug bounty programs for customers including Uber, Slack and Goldman Sachs. The payments are clearly accelerating, with US$40 million (£33 million) paid in 2019 alone. More than 140 hackers working via HackerOne have earned over US$100,000 (£82,000), with 50 exceeding that sum this year. Some 84 hackers join the platform every hour, now reporting an average of 24 vulnerabilities in the same time frame, with 170,000 vulnerabilities uncovered to date. HackerOne reports that it has gone from paying US$30,000 (£25,000) in its first month, October 2013, to US$5.9 million (£4.8 million) in April 2020. “We started out as a couple hackers in the Netherlands with a crazy belief that hackers like us could make organizations safer and do it more efficiently and cost-effectively than traditional approaches,” explained HackerOne co-founders Jobert Abma and Michiel Prins in their blog post about the milestone. “US$100 million (£82 million) in bounties later, maybe this idea isn’t so crazy after all.”

Highlights since launch include:

- 84: The number of new hackers that sign up to the platform every hour
- US$6,000 (£4,900): The amount of bounties paid out on the platform every hour
- 214 percent: Year-over-year hacker-powered security growth in the federal government
- 85.6 percent: The year-over-year growth in total bounty payments, with a 17.5 percent increase since February, when Covid-19 was declared a pandemic
- 343 percent: The increase in signups over the past year on Hacker101 — HackerOne’s free online classes for aspiring hackers
- 38 percent: The increase in average weekly new registrants for Hacker101 since February
- Over 170,000: The number of vulnerabilities hackers have uncovered in nearly 2,000 customer programs

Marten Mickos, CEO of HackerOne, comments: “We have arrived at the point in history where you are ignorant and negligent if you do not have a way to receive useful input from ethical hackers. In this new world of ever-evolving threats, the only way to get ahead is to get transparent. Openness, not secrecy, is the way forward.”

Mickos’ predictions for the future:

- Within the next 15 years, we expect to have produced over 500 Chief Information Security Officers (CISOs) out of our hacker ranks. These skilled and motivated people will help reduce cyber risk in key commercial enterprises and government agencies.
- Hackers will earn US$1 billion (£820 million) in bug bounties within five years on HackerOne.

Many of these ethical hackers have daytime jobs, but there are increasing numbers pursuing bug hunting as a career, and globally they earn up to 36 percent more than they would as a software engineer in their home country.