Editor’s note: #WeCyberToo Talent Spotlights cover women of color in cyber so our daughters can see women who look like them thriving in the field.
Meet our new #WeCyberToo Talent Spotlight: Meet Dr. Stephanie Carter, Independent Security Consultant, Public Speaker, Professor, Information Systems Security Officer, and CEO
How did you end up in cyber security?
I served in the military for 20 years as an Information Technology Specialist but I decided to stay in IT once I saw how technology was being used to hurt people and this country. I started focusing in cyber so that I could use my skills to help further security.
What formal education, skill sets, and/certifications do you recommend that people start with to stand out among other candidates in the cyber security field?
As far as education, I started a movement called R.E.V.I.V.E. (Rejuvenating the Education of Value – Igniting Virtuous Equality) where I point out the character traits of Dr. Martin Luther King. The correlation I make is that if Dr. King was not educated, he would not have been able to do all the things he did.
His education put him in a position to achieve great things and to be able to have audiences with the people he needed to accomplish what he set out to do. So I believe the same is true for us today.
Not everyone has to be a doctor, but everyone needs education. Not so that you can compete with the men, not so that you can compete with the races, but so that you can put yourself in a position to make a difference in the world.
Education ignites equality.
Dr. King was in an era where no one listened to a Negro. But they listened to him! And should we believe this was because he talked so eloquent? Well, he did talk eloquent but I believe the people that would normally not listen to Negros listened to him because he was an educated man.
Being a black woman in a field predominantly held by men, if you are not educated, it will be harder to be heard as it is very hard for me even with a doctorate. However, I am only given respect due to my credentials which I believe if I did not have, I would not be heard either.
With the push for certifications in this field, most do not get educated. Education of a Masters Degree or higher will definitely set you apart.
It is hard to say a specific certification will set you a part in this field. Of course, the Certified Information System Security Professional (CISSP) is a certification that currently sets you a part and is needed as a requirement for most senior positions.
I do take my students and other professionals wanting to come into this field through a questionnaire to determine where their passion is.
For the sake of not being able to explain that process in depth, I would say that if you are wanting to be an cybersecurity engineer and you have some experience in IT, you would start with a certification such as Security +.
If you have little to no experience in IT, you should start with A+, then Network+ and then Security+.
I do also want to let junior professionals know or those just starting out that although you have to have a certain amount of years’ experience to get the CISSP, they also have a program called Associate CISSP and I do recommend that! The Associate opens doors until you earn the experience requirement to be endorsed as a CISSP.
If you want to be a cybersecurity analyst, you should start with System Security Certified Practitioner (SSCP) or CompTIA Advanced Security Practitioner (CASP).
If you are a senior cybersecurity professional, you should be seeking CISSP, Certified Information Security Manager (CISM), and Certified Chief Information Security Officer (C|CISO) from EC-Council; and especially if you are a minority woman. You must set yourself apart in order to bridge the diversity gap in this field.
Editor’s note: CompTIA also has a new Cybersecurity Analyst certification to bridge the gap between the Security+ and CASP. Note that the CASP recommends at least 10 years of experience and for very good reason. It is very technical and requires advanced skills using enterprise level tools.
Here are tips for passing the Security+ exam.
If you want to attempt the CASP, I published a post for passing the CASP exam too.
If you want to attempt the CISSP or Associate, I shared tips for passing CISSP too.
What advice would you give someone looking to enter the information security field?
For any professional looking to enter this field, I would tell you that if you are a minority and thinking it is a good field to earn more money, you might as well choose something else.
Unless there is a true desire for cybersecurity, the things you will experience as a minority in this field, the money will not be enough to make you stay. If you do not have the credentials needed to get the higher paying positions, you might find that it will be harder to make the move than it seems.
I have given webinars on cybersecurity and how it is truly broken down. The most effective advice I can give anyone who’s wanting to enter this field is keep yourself from being a jack of all trades and a master of none (JOATMAN)!
When you are a JOATMON, you do nothing well but do everything good enough. The cybersecurity field is so big (meaning so many types of positions) that you really need to stay focus on what you want to do.
You want to decide what it is that you would like to do and become the subject matter expert in that focal area. This is an effective way to be respected as a minority in the field and to climb the professional ladder.
The hashtag #BlackWomenAtWork is trending on Twitter with professional black women sharing their stories of micro-aggressions, indignities, being silenced, paid less, and a myriad of other challenges we face in the workplace. Do you have any experiences you would like to share?
I have so many stories to share that it would not fit into this interview but just to share a few that stand out.
One, women do not get paid equal to their counterparts and it has been this way for years. I know this may be in part to the great sexist divide between men and women but I do want women to know, this is largely in part because we do not demand our worth.
We take the worth given to us by our employers and think if we demand what we are worth, we won’t get the position or we might be looked at differently.
However, if you don’t ask, you don’t receive. This is the reason that we have to set ourselves apart so that we can demand our worth and be fully justified in that demand.
I have had to file a junction against a minority male for his abusive and racist words. We were not the same race but we were both minorities.
I have been employed by a company where the CEO asked me if was I a real doctor.
He also told me that if I put Dr. Stephanie Carter in my signature block on my email I might make the clients uncomfortable with that. So he made a rule that no titles will be used in the signature block to keep me from using the title Doctor.
Most times in the security world, you have to be able to tell people no. And you have to stick with your guns especially because any compromise of your responsibilities as a security professional means a compromise of the client’s security.
So when I have to say no, I have an attitude. When I have to stand my guns, I am told I am not a team player or that I create a hostile working environment. Neither is true and they always seem to come back to my original advice but it is always them (men) taking credit for it.
If I am in a lower level meeting and say something that is accurate and effective for use, in higher level meeting those who have charge over me always take credit for my ideas and never acknowledge that it was my idea.
In meetings I am completely discounted and even rudely cut off when I am speaking, but all the men get to say their part without interruption.
I worked for an organization where as soon as the minority (black) woman learned that I had 13 IT certifications, a doctorate, and working on more certifications, she had me fired.
When most people learn that I am a doctor, they automatically think medical. Once they find out it is in Computer Science, it is worse.
There are always attempts to have everything I let come out of my mouth be scrutinized, doubted, questioned, and discounted.
This is the reason why I say again, WE MUST set ourselves apart; we MUST be educated; and we MUST be the expert in one area instead of a JOATMON!
What is the most difficult challenge you have faced as a woman in a male dominated field?
I am a very tenacious woman. I will not let anyone make me doubt myself, my intelligence, or my skills as they are gifts from God and no one will be able to move them away from me expect for Him!
So the biggest challenge in a male dominated field is the fight to keep fighting. Sometimes I get so tired (mentally) and just exhausted from having to fight for and about everything!
In a field dominated by men, you will rarely find a voice to vent to as if you talk about a male to a male, you will not get a listening ear; especially when they are the same as the one you are talking about.
You can’t turn to other females because they are tearing you down too with jealousy and if you turn to the majority female, she is completely clueless to the struggle and will often time think you are just complaining.
Another challenge in a male dominated field is that most of the women in this field are just as bad if not worse than the males in this field that discount women.
Some women think that if they are siding with the males, they are on the winning team. However, they just can’t see to make the winning team theirs and this is why we have not moved forward in the attempt to bridge the gap between males and females in the workforce because we are creating the gap for ourselves.
But I believe that if we start working together, educate ourselves, and become the subject matter experts, we can bridge this gap!
Editor’s note: I hear horror stories regularly about women not supporting each other professionally. Ladies, can we do better? Starting today? That is all.
How did you overcome said challenge?
With the first biggest challenge, I show females something different from what they would naturally expect as I am first judged by the stigma that has been placed on me by virtue of being a black woman.
I attempt to help everyone I come in contact with. Whether this is through helping them with educational, professional, or personal goals; everything I do is to strive to help everyone better. This helps them pass it on.
This helps break the stigma that all women are naturally jealous of other females. This helps to show that just because I am a doctor, I don’t think I am above anyone else. And in the end, most will do the same.
With the second biggest challenge, my philosophy is that if I can train up the next generation on how to fight (with their brains, with their education, with their credentials) then when I have completely exhausted myself and can fight no more, they can continue to the fight.
This is why I mentor young girls and junior professionals. Just as Dr. Martin Luther King has said many times that what he was fighting for, the victory might not been seen in his lifetime so he would ensure that civil rights would keep going by teaching the younger generation how to fight…
…as so I, if I teach future cybersecurity professionals how to fight, the fight will continue when I cannot.
A reader of Danyetta’s profile suggested asking future interviewees to share failures because those have a bigger impact than just feel good stories. Do you have a failure that you would like to share?
I have plenty failures and failures should be used to make you better; make you stronger.
- I failed at being a faithful Christian. I had 2 children out of wedlock.
- I failed at being a protector. I failed to protect those that I love from the treacherous grasp of sexual abuse.
- I failed at being a soldier. I was medically retired from the military and could no longer serve.
- I failed at being a provider. My kids and I were chronically homeless for 8 months after I was medically retired from the Army in 2013. I also was jobless for 1 year after I quit the job where I could no longer take the abuse in 2015.
- I failed to know my self-worth. I have been taken advantage of in my personal as well as my professional life. I have taken jobs and pay that have been way less than my value. I have let relationships take advantage of me and just took whatever was given to me as I didn’t think I deserved anything more.
- I failed to love myself. I have allowed myself to be used and abused. I have allowed people to dump on me because I was willing to take it. I have sought the worse because at that time, it seemed to be the best. I have let others dictate my worth and the amount of love I deserve.
- I have failed many college classes. I was not focused when in school in my early years and did not take it serious.
- I have failed at my first doctorate program. Although I have a spirit of never giving up, once I found out my loved ones were being abused, I just couldn’t make it through.
- I have failed many certification exams. I am a pretty smart lady but have had my share of butt-kickings when it comes to certification tests.
- I have failed many interviews. Sometimes if you seem to smart you don’t get hired as well as if you don’t seem smart enough you won’t get hired. Knowing the balance, especially when you do not have the credentials to back it up, had proven to be detrimental for me.
- As a leader, I fail to show emotional intelligence sometimes. Sometimes I get so wrapped up in “the fight” that I forget to show the emotional intelligence needed in order to keep the peace.
There are so many other failures that are not here but enough to show that failure will always come. But failure is a temporary state and up to you to make victory permanent by using the failure as a stepping stone to improve the factors needed to gain the victory!
How did you turn that failure into an opportunity?
I have not taken all of those failures one by one to turn them into opportunities, but I use all of them to take the opportunity to show my kids, to show young people, to show junior professionals, and to show minority women alike that in addition to the situations that you will encounter in the workplace, there is sometimes a lot of stuff underneath that no one would ever know that someone is going through.
When I take students and junior professionals through a psych profile, I go through everything they are comfortable with sharing. And from that, I am able to touch them on a deeper level.
When they look at my education, certifications, and other credentials, most think I have had it easy. Everyone has “struggles” but mine go a little farther than that.
And to this day, I have never given up and will never give up! Although no one knows my story, I know the day I am able to tell it, it will ignite a fire in the hearts it will touch to tackle the world!
If you have your CISSP, what was your motivation for pursuing it? If you have other certs, would you like to share the certs you’ve earned and why you pursued those vs. the CISSP? Diversity of thought around credentials is important for women coming into the field.
I truly ONLY pursued the CISSP because it was a job requirement.
Before the CISSP, I had earned the certifications MSCA, MCITP, MSCE, CCNA, Network+, Security+, CISA, CISM. The CISSP is a very technical cert although some employers count it as a management cert.
My philosophy is that you must make goals for where you want to go, not for where you are at the present time. I knew upon retiring from the military that I was at the level of a CISO from 20 years in the field, so I pursued what I thought were management certs.
Of course, military time does not translate well as everyone tends to think that the only thing we do is shoot guns and fight wars. Most CISOs I meet do not even touch the amount of years or credentials that I have.
For women coming into the field, I would say that the CISSP will definitely boost you above those that do not have it. Keep in mind that depending on what focal area you are attempting in the cybersecurity field, some of them the CISSP does not matter.
For example, if you want to be a pen-tester, getting the certs from EC-Council would be of greater benefit than CISSP. These certifications are too expensive to just be getting them to be “getting” them.
Editor’s note: the OSCP certification is also in high demand and has more street cred if you want to go the PEN tester route.
Can you give a brief “day in the life of” description of your role to help women that are coming into the field behind you understand what that kind of work entails?
In my role as CEO: I have an IT business, an event planning business and a 501 (c) (3) organization that helps people with cancer. I have not gotten into the government contracting world as I would like with my IT business and that is why I do more consulting work for now.
I do have some clients with my event planning business so on top of everything else, I create custom decorations. My non-profit has not gotten a lot of traction as it is hard to get donations for this cause. I guess this is due to the competing market for donations for this cause.
In my role as Professor: In the Masters program, there is a lot of writing. I always have papers to grade or recommendation letters to write for students pursuing scholarships or helping students with certification study.
In my role as Senior ISSO: I lead a team of 4 ISSOs. It is actually hard to go through a normal day but just the highlights of the day I would say that I am always proofing policies, reviewing policies for comment/feedback, continuous monitoring activities for 5 infrastructures myself and about oversight of 20 for my team.
I have to put my tasks on hold to deal with team issues, client issues, and issues from my company. I attend a lot of meetings, sometimes that get in the way of me completing my tasks but that are necessary.
When running the team, I want to make the junior professionals feel like they are important and that I am truly invested in their professional development so a lot of time is given to coaching and advising my team. I run out of time at the end of the day, every day!
In my role as Independent Consultant: I help companies with implementing Risk Management Frameworks as well as ISO 17020 and 27001. I write a lot of policies and attend a lot of meetings and have strict deadlines for deliverables.
In my role as a Public Speaker: Constantly developing abstracts and creating presentations. Traveling sometimes get in the way when it is during the school year for my son but during the summer is always great! Also spend a lot of time creating webinars to give to students and junior professionals.
What project(s) are you most proud of?
Professional:
I was an analyst that was chosen to inspect the 3rd party companies that were used by OPM at the time of their OPM breach a couple of years ago.
With the documentation I was given and the known vulnerabilities at that time, it could not be determined where the weakness was that led to the breach. However, I was determined to figure out how it happened.
Due to previous technical knowledge, I was able to ask the right questions and was able to understand the infrastructure better than those who used it every day.
The security infrastructure was very chaotic, not documented well, and very ad-hoc. I was able to help the company develop policies as well as leveraged all of their existing documentation to meet policy requirements.
I have created my own templates for a System Security Report (SSP), Security Assessment Report (SAR), Risk Assessment Report (RAR), Business Impact Analysis (BIA), FIPS 199 Study and a comprehensive list of security policies and procedures. Because of this, I was able to empower the company to meet the government’s deadline in reporting security assessment results and implementing the government’s requirements.
After the government reviewed the policies, procedures and reports created from my templates, they sanctioned the company’s security infrastructure as the standard of what the other 3rd party company’s infrastructure should look like.
Because of my extensive knowledge of security, the 3rd party company often consulted with me before they changed or implemented anything in their security infrastructure and to seek my advice on IT and security matters.
Wisdom for young girls, college students, and women considering the field:
I am proud of the fact that I have never given up no matter what racism, sexism, abuse, or failures I have faced. This is not a reflection that something was wrong with me, but something wrong with that person.
My failures made me press harder. After each failure I had to do a self-reflection to evaluate the factors leading to the failure to ensure I do not do it again. Some things I have failed at more than once, but it is okay. Just never give up.
Coming into any field, you will have the male/female divide, but cybersecurity is a male dominated field so you will have more situations than of other fields. But no matter, we have to keep fighting for equality and that will not happen if we always run away from the first sight of struggle or challenge.
When I was in a unit with over 5,000 soldiers I saw how my leadership was struggling with providing higher headquarters with reports and with status checks on the soldiers. So I created a program that would capture all of the information needed to produce reports needed to report to higher headquarters.
It took about 2 months to build and I built it from MS Access. Afterwards, the processing of the soldiers became easier and more efficient; I also created web training to meet training requirements.
Personal:
Outside of work I have started a program where I provide webinars to students and junior professionals to get them prepared for the cybersecurity field. Some of the things cyber professionals should know is not always taught in a certification or classroom.
It is not effective for the cause to prepare a generation that cannot understand the basic elements and concepts of the cybersecurity field. These are concepts that span across all cybersecurity positions.
Is there anything other info you’d like to share that you feel would benefit our readers?
Ensure that you make goals for yourself. A goal has to have 2 elements in order to be a goal: Sacrifice and it has to take you out of your comfort zone.
Every goal you have, something must be sacrificed to get it. Your comfort zone is “safe” and it is hard to step out of it as we are always afraid to fail.
If your goals do not contain sacrifice AND if it does not take you out of your comfort zone, you simply have a to-do list. And all to-do lists never get done!
When you are making your goals, first you have to count the cost. This would be mapping out all areas that will be affected by you pursuing this goal and what specific sacrifices that must be made.
Then you must do an analysis of everything that would make you afraid or make you uncomfortable about pursuing the goal. This can be captured from the sacrifices as the sacrifices would feed right into the things that would take you out of your comfort zone.
Thank you for your service to this country. We appreciate you taking the time to share your insights and for being so candid in your answers. Our stories connect us, especially the parts that we bury as a coping mechanism. I am in awe of your strength and determination. How would you like readers to contact you?
LinkedIn: https://www.linkedin.com/in/dr-stephanie-carter-cism-cissp-cisa-5703b151/
Twitter: @StepCarter75
Email: [email protected]
About Dr. Stephanie Carter
Dr. Stephanie Carter started her cyber career in the US Army in 1994. During her military career she has been relocated to several states and countries around the world.
She has served in many capacities all captured under the umbrella of cybersecurity disciplines such as network/system engineering, network/system administration, and security analyst/officer.
She currently works as a contractor for the Department of Justice (DOJ) managing a team of Information System Security Officers (ISSOs).
She takes great pride in the mentorship and development of future cybersecurity professionals in her role as a professor with the University of Maryland University College (UMUC) teaching courses in the Cybersecurity Graduate School programs.
With the unmeasurable desire she has for cybersecurity, she even continues to mentor cybersecurity professionals one on one, outside of the busy schedule detailed above, exemplifying a passion that is truly unmatched. She has her own cybersecurity business, an event planning business, and a 501(c)(3) organization to help cancer patients.
She holds a Bachelors of Science in Information Technology, Bachelors of Science in Software Engineering, Masters of Science in Information Systems Security and a Doctorate of Computer Science in Enterprise Information Systems.
She also holds the certifications: Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Certified Information Security Auditor (CISA), Security+ and Network+.