Interview with DarkOwl’s Caryn Farino and Steph Shample
August 28, 2023
For the second year in a row, in honor of Women’s Equality Day this past Saturday, August 26th, the DarkOwl Marketing team interviews our Director of Client Engagement, Caryn Farino, and Senior Intelligence Analyst, Steph Shample. Last year, we sat down with Chief Business Officer, Alison Halland, and Director of Technology, Sarah Prime – check out that blog here. DarkOwl is very proud of our women leadership and workforce, with 45% of our staff being female and strives to continue to build a balanced workforce with the most talented and effective team possible.
Interview: Thoughts on Being a Women in Cybersecurity from Two Members of DarkOwl’s Team
To commemorate Women’s Equality Day, DarkOwl’s Director of Marketing, Dustin Smith sat down with Caryn Farino, Director of Client Engagement and Steph Shample, Senior Intelligence Analyst for a candid interview about working in the cybersecurity industry.
Editors Note: Some content has been edited for length and clarity.
The (ISC)2 2022 Cybersecurity Workforce report reported that pathways to cybersecurity are changing, “Traditional habits are being broken and diverse perspectives are entering the field, as the next generation uses new pathways to jump-start their careers.” (ISC)2 estimates the global cybersecurity workforce in 2022 at 4.7 million, an 11.1% increase over 2021, but still reports a gap of 3.4 million cybersecurity workers worldwide, a 26.2% year-over-year increase.
Tell me about your background and your journey to where you are now – did you know you always wanted to be in cyber?
Caryn: I did not. I am definitely one of those individuals that fell into cyber by accident. I was working at a small firm conducting corporate due diligence research, when our clients started asking us for assistance with investigations into individuals who were causing them problems online. I found that the skill set of identifying problems in someone’s background translated really well to uncovering someone’s digital footprint and tracking that anonymous person’s activity. Those one-off research projects blossomed into a full career tracking threat communities and helping clients mitigate the biggest risks to their organizations and their intellectual property.
I would say this career has provided me with a lot of exposure to the different aspects of the cyber world, which includes both open and closed source intelligence, brand protection, insider threats, anti-piracy, and even physical investigations. Now I help DarkOwl’s clients use the darknet to feed their security programs.
Steph: That’s such a great answer. I did not always want to be in cyber, but I can’t imagine not having ended up here. I was also accidental. When I started off, my entire career was based on foreign language translation, so I was a translator for the US army and then ended up at the Department of Defense. Everything was dictated by what languages I spoke, and I’d spent two years in Afghanistan fighting terrorism and narcotics and weapons smuggling. I always concentrated on physical aspects of the mission.
And then, when cyber capabilities started to emerge in the world, those of us in who could speak foreign languages were needed; What are these people saying? What are they doing online? And it was interesting for me because as a Farsi linguist with Iran, we don’t have a lot of physical interactions with them. You know, we can’t really meet up. We don’t have diplomatic representation. We knew they were in Afghanistan in certain places, but that was it, that was the extent. But in cyber, they are all over the place. They are in every chat room and stealing intellectual property and stealing weapons manuals and all of this. So that was really interesting to have the digital and physical, kind of hybrid instance, where we could finally see that. I learned even more about Iran and started understanding their cyber capabilities.
So then I left the government and I went commercial in 2019, and I have done everything from OSINT [open source intelligence] to ransomware campaigns, tracking IOCs [indicators of compromise] and now really following the space with the hybrid conflict, which is where maybe there’s a DDoS [distributed denial of service] attack over one place because they’re physically attacking everything like on the border of Syria or in Iraq, where there’s kind of sectarian violence. So, I love cyber, and it’s everywhere and it’s contributing to a lot bigger conflict space.
Has working in this field dispelled any misconceptions you had about your own abilities or interests?
Caryn: For me, it definitely has. I always joke that I do not actually consider myself a technical resource. However, I find I’m able to bridge the gap between the technology and the business side of the house based on the kind of exposure I’ve had during my career. I was an analyst with a business background. It surprised me that in a lot of meetings people are often making false assumptions about what everybody else understands in the room. And I really enjoy working cross-functionally with those teams and making sure that everyone understands the problems, the solutions, and the course of action from the security teams and though legal recourse.
Steph: I also was floored with the opportunities in cyber for people who are not “on the wire”, don’t program, don’t code. It really requires every kind of thinking and every kind of background, especially analytical. And, you know, Caryn’s exactly right. I think what we might share there is we have to take what we witness and see in our day to day and translate that to every entity of a business, right? Cyber actors are going to target HR [human resources] and finance with personal information all the way up to the C-suite. So, you’ve got to be able to explain and make your case for why we need tools, resources, analysis and how we can protect ourselves as well as our industry, starting with every level employee of every company. It really does require every kind of background and every kind of personality and every kind of skill set. And it’s wonderful to see them all meld together, especially now that AI has come into the picture. That’s going to require even more creativity and divergent thinking. It’s really exciting to be in the space at this time.
The (ISC)2 2022 Cybersecurity Workforce report reported that 43% of organizations reporting a shortage of cybersecurity staff reported the reason being that they can’t find enough qualified talent. Other main reasons included: not prioritizing cybersecurity and not training staff sufficiently.
Can you talk about your professional development? What courses or certifications would you recommend? What advice would you give to a woman who is at the entry-level in the cybersecurity industry?
Steph: There are a lot of groups being established. For women especially, I would join a WiCys, a women in cybersecurity group – there are chapters all over the country. There’s also a national chapter. I would be happy to be that point of contact – feel free to contact me on LinkedIn, I’d love to get people set up. And then there’s also Women in Security and Privacy [WISP]. Two different groups with national chapters and they sponsor conferences. There are scholarships for SANS courses or certificates as well. It’s really wonderful to have those resources.
And then I would say, just put yourself out there. There’s always going to be naysayers. There’s always going to be people who tell you that you don’t belong in any industry… ignore it. And I know that’s hard. But as you get used to ignoring it and as you build yourself up, lean on your crew, right? Lean on your coworkers. Lean on those women’s groups. Lean on any group that wants to support you. And for entry-level, you just have to be curious. If you are somebody who needs routine and does the same thing every day, cyber might not be your calling. You’ve got to be curious. You’ve got to be constantly wanting to learn.
Also, start off with, CompTIA Network+ and Security+ – they’re easy courses that you can do on your own time. They provide guides and visuals and manuals. It really is a good way to introduce yourself by fire hose to basic security concepts to see if cybersecurity is for you. And those ones are not as expensive. If you decide to stay in the space and in the industry, it is worth going after a SANs course. They are pricey, but they are very hands-on, and you will apply them to your job. Those are some of the courses that you can do. And for the SANs courses, use those websites or the women in cybersecurity scholarships or opportunities.
Caryn: I definitely don’t want to undervalue certificates, but I’m a big believer in more of that hands-on experience as the best method for learning. Those cybersecurity courses, especially the ones that Steph mentioned, are so important to build the foundation in this space. And I’m sure, we’ve all read the Michael Bazzell’s books and done his courses. However, the tactics used by these criminal organizations are constantly changing, so it’s really important to embed yourself in those real life situations and investigations and learn as much as possible from them. I encourage everyone to get involved in as many different types of cases as possible within your organization and really embed yourself in the start to finish of working a case.
The other thing I do outside of that is I regularly listen to a variety of cyber podcasts so I can hear what others in the industry are experiencing and make sure I understand those different issues. So when we’re working with our clients, I know what they might be going through that may be unique to their space.
As for the advice portion of what I would give to somebody entering into the cybersecurity industry – find a mentor, somebody who can help guide you through your career. And don’t be afraid to fail. I know for me, personally, most of the biggest wins I’ve had in my career have come out of my biggest fails. They were incredible opportunities for me to learn. Lastly, we want to make sure that we are getting different viewpoints and looking at things from different angles. So the other advice I have is to listen just as much as you contribute during these conversations.
Steph: She brings up amazing points on that. In cyber, you’re going to be wrong, right? I know in medicine and science and other fields, they’re very unforgiving and the preciseness is there because it has to be. But in cyber, the actors and the people you’re working against to keep yourself safe, they’re setting you up for failure. They want you to be wrong and they’re trying to mislead you. And she’s exactly right. You’ve got to be resilient and bounce back from that. That’s a great point.
The data from the 2021 Cybersecurity Workforce study from (ISC)2 suggests that a reliable estimate of women in the cybersecurity workforce globally remains at 25%. The (ISC)2 2022 Cybersecurity Workforce report states that 57% of organizations are investing in diversity, equity, and inclusion initiatives, to decrease staff turnover and lower the gap.
What is it like as a woman working in the cybersecurity industry? Are there any challenges or advantages to working in a male-dominated industry?
Caryn: I feel very fortunate to work at DarkOwl as this company really empowers their female staff. It’s not like that everywhere. I have been in so many situations where I am the only female voice in the room but I don’t really want to feed into like that gender bias. I think the biggest challenge we face as women in the industry is overcoming that imposter syndrome, right? So that feeling that we don’t belong. We do belong and I want to keep stressing that different perspectives are often the key to solving these complex issues we face. And as a whole, I want to see more diversity, not only in the cybersecurity space, but also at the management level and above at companies. I think women will really be surprised how receptive anyone, not just males, are to their thoughts and ideas if they’re choosing to participate in areas outside of their comfort zone.
Steph: She’s right. It’s not just a gender thing. There’s conflict in every industry. What’s really hard in infosec and cyber is that it started off male dominated, and the interest and the push early on for math, science and stem was more for men. And it was just accepted in society that women can have careers, but cyber and networks and computers really are a man’s world. And that’s categorically false.
I will say in the military intelligence community, I really didn’t experience a ton of male versus female conflict or sentiment. In the military, you all suck it up and suffer and experience together, in Intel at least. I’m not saying women in other fields like Infantry, Artillery, and more don’t experience misogyny – they do, let me recognize my sisters in uniform for that. But intelligence is different. I did see more inappropriate behavior and open hostility towards women emerge when I came into DOD cyber and the commercial infosec world. But I do think that the message has been received, women are pushing back, stand up for themselves and one another.
I, too, would like to shout out DarkOwl. When I was looking to change jobs and looked at the org chart for this company, I was blown away at women’s leadership because I will tell you, in previous jobs, there were no women above a team lead, if that. There were no women execs, no VPs, nothing, and I would be lying to you if I said at times I had thought of leaving cyber because it just seemed like I was running myself up against a brick wall where you were just getting shot down and shut down. And that’s hard. That takes a toll on you. I know of companies where they won’t even let people acknowledge days like this, the reason we’re doing the interview, and they wouldn’t acknowledge International Women’s Day in March.
Slowly, that is changing. And how do we combat that? Nominate women for conferences, push them to present, get out there publicly. Caryn made a great point about mentorship. Male or female, have a mentor. When I first started, I had a technical person on every single project that I would go to and say, “Where am I wrong? Can you sanity check me? What writing do I need to change?” And that is how you’re going to learn, when you find that constructive criticism. We need to stick together.
Caryn: It’s definitely our responsibility as women to help bring other women up with us. We don’t want to be in the position where we’re not part of the solution. We want to empower other females in our organization and our industry.
Steph: Let me add to that, too. I was really fortunate. The very first boss that I had in cyber in the DOD was a male, and I went to him and said, “Are you sure I belong here? Like I can barely work a computer. You positive?” He sat me down and built me up and then put me on special projects to help me learn. And then when I was thinking about grad school to up my credentials because I was hooked by cyber, he had done the same program and I went to him and I said, “Do you think I can hack this program? Do you think I can do this?” And he was like, “absolutely”. And that was seconded by my husband. So I want to say, I have really great male role models. And there are men in WISP and it’s wonderful. So we’re getting there.
What do we not understand about cybersecurity as a field and its job opportunities? What does cybersecurity mean to you?
Steph: I think there is a community failure of understanding how many different perspectives it takes to make sense of cyber. That’s because you need the people who are on the network speaking only ones and zeros, you need the people who can speak mainly to computers and make them “do” and build the tools that we need. But we also need translators, etc. At a conference last year in Saudi Arabia, I was floored that the biggest topic of conversation was the cyber psychology of online actors. Why do people act the way they do behind the scenes? Why do they act one way on the computer and then differently in public? There’s a whole emerging neuroscience and psychology aspect behind the actors on cyber criminals.
Furthermore, geopolitics enters into this in a huge way. We are now seeing, of course, people take sides with Russia and then people take sides with Ukraine. And you have to understand why entities come after American or Western businesses or go after Five Eyes businesses to try to hurt them because of the geopolitics physically playing out. And then we’re also seeing that in Syria, where there’s all kinds of different interests and entities and sectarian violence. It cannot be overstated the amount of expertise, you have to have a mixture of thinking, you have to have thought groups collectively working together.
This year, actually just at Defcon and Black Hat, the private public partnerships are essential. Maybe back 30, 40 years ago, the military was considered perfect at conflict, no one else contributed. Doctors were doctors and that was their expertise. Cyber doesn’t silo everything like that. Cyber requires every perspective to have an informed and intelligent conversation and adequate problem solving. We need academia, we need government, and we need the commercial sector. We truly need everybody from all backgrounds.
Caryn: 100% agree with that. Cybersecurity nowadays is just a very broad term and it encompasses so many different aspects. I think a lot of people still look at cybersecurity from the vulnerability management perspective and the hacker in the basement, right? But organizations have to worry about so much more because not only do you have insider threats and external threats, but then you have these unintentional threats. And they are really your biggest weakness, in my opinion. That is going to be those non-malicious events where an employee exposes an organization by reusing a password, accidentally sharing IP [intellectual property] to a public facing system, or clicking on a malicious link. There are just thousands of human error type activities out there, and they’re really difficult for this industry to account for. So for me, cybersecurity is really more about the OPSEC [operations security]. That opens up so many different career paths.
Steph: I have to pivot off of that because she again, makes wonderful points. So you have the practitioners who are working against the malicious forces. But she’s [Caryn’s] exactly right. There are people who are just in this operating day-to-day and to them it’s benign, they don’t realize that they’re exposing themselves or their families. So kids on Facebook accidentally posting vacation pictures, opens up targets of opportunity. An employee who just wants to maybe get good press for their company and doesn’t realize that what they’re exposing is personal or sensitive information, corporate speaking. So that is a risk. These is, of course, the malicious factor, but the human factor is what everybody talks about. It takes a human to click on a spear-phishing link. It’s a human to post accidental information. So everybody, I think, sees cybersecurity and cyber and thinks of a computer and they think networks, they think “I have no part to play in this.” The human element will never, ever go away, even with AI. Cyber is so broad and I think we’re only a decade into this, but now we’re going to have specialties. People are going to step up and say, “I’m an AI expert. I’m a crypto expert. I can talk about the blockchain and smart contracts and the underlying tech. I can talk about cyber psychology compared to human psychology.” So it’s just an endless opportunity for cybersecurity. It’s going to keep broadening.
Caryn: I want to make one more point to wrap this up. It’s important for organizations to have that holistic view of their threat landscape, because as cybersecurity professionals, we not only have to consider the inside perception of what is most damaging to our organization if it’s exposed, but also the consumer perception. So what do people outside your organization perceive as the most valuable data to obtain from you? Make sure we’re looking at it from both perspectives. A lot of people just want to batten down the hatches and protect their networks, but they’re not really considering what those outsiders are looking for – you know what your organization’s crown jewels are, but that might not be what somebody else is going after. So it could be that they’re going after your financial data, not your intellectual property. No one is immune anymore. And that human error component I mentioned earlier is really evident on the darknet.
At DarkOwl, we’re regularly seeing the results of those social engineering and phishing campaigns that result from those kind of attacks. The education piece is really important here, is your operational security and training your staff and your family members at the same level? Steph mentioned earlier if somebody has sloppy OpSec [operational security] out of your organization, the chances that they’ll have sloppy OpSec inside your organization increases. And we really want to make sure that people are approaching it in both directions. So my last comment here would be to really encourage all organizations to make sure they have a comprehensive monitoring program that includes a variety of data sources, including darknet data.
Key Takeaways from Caryn and Steph’s Perspectives
There is no perfect background or one way to have a successful career in cyber. Individuals interested in a career in cybersecurity need, above all, curiosity and determination. Individuals should not underestimate their potential to contribute to the cybersecurity realm. The diverse array of skills required to tackle current and future threats necessitates a range of expertise and backgrounds.
Efforts to bridge the gender and representation gaps in the cybersecurity field are underway, but these disparities do still exist and women need to continue to raise each other up. As always, it is important to look into an organization and make sure that they align with your own beliefs, morals and goals – if these align, it will be so much easier to be a supportive, hardworking and happy employee, no matter what field or role you are in.
