Editor’s note: #WeCyberToo Talent Spotlights cover women of color in cyber so our daughters can see women who look like them thriving in the field.
Meet our 10th #WeCyberToo Talent Spotlight, Nicole Fagin!
How did you end up in cyber security?
By accident and on purpose.
I was a business student in undergrad, doing my time in the Army Reserve while working my way through college.
The original plan was to graduate in 4 yrs and go to law school to become the next Johnnie Cochran. But 9/11 happened a month after I graduated basic training and I was deployed to Kuwait the following year during my 2nd year of school.
I was fresh out of military training as an IT Analyst. I had some foundational help desk and networking knowledge from the training, yet I had no clue what information security really was.
While in Kuwait, I worked in a Network Operations and Security Center (NOSC) alongside the information assurance contractors. I took an interest in what they were doing and began learning from them.
After my deployment I went back home to a devastated post-9/11 economy and couldn’t find a job anywhere. I finally found one working part-time in the Sears shoe dept (straight commission) but was lucky if I worked 10 hrs a week.
No one wanted to buy shoes in that economy and most days I was sent home early.
To make ends meet, I signed up for extra duty at my reserve unit which consisted of me patching phone calls through for the soldiers that were calling home from Kuwait. One of those soldiers was my commanding officer when I was deployed. He wanted me to transfer him to his mom.
But in our brief discussion about the economy, he also told me about a new Information Assurance contract in Kuwait and said they needed people fast.
I was very hesitant to go back, but life in the states was grim and he assured me that once I took this first infosec job, I would never have to look for another job again—the jobs would find me.
So 2 weeks later, I was back in Kuwait in the same building as before, but as a contractor. Therein began my love affair with information security.
I didn’t have much experience but I learned how to monitor IDS traffic on the job from the contractors and IBM (then ISS) came on site to train us on their Real Secure SIEM.
I also literally read the Network+ and Security+ books from cover to cover to fill in the knowledge gaps and obtained the certifications. I then began studying for the CCNA, although I failed that exam miserably–probably because I was only in year one of my cyber security career.
However, in studying for that exam, I learned a lot about the networking side of security and continued soaking up as much knowledge as I could. I took inter-networking technology classes online at Strayer while overseas, because in 2003 there were really no cybersecurity curriculums in college.
As it turned out, the officer was right and infosec was such a lucrative and in-demand field that I decided to stay in it for a while.
Since ISS had trained me on their products, my next position was back home in Atlanta working in their Global Security Operations Center. Many other roles followed as I was lured away from job to job by recruiters holding carrot sticks lol.
I was still in school throughout this time and fast forward 10 yrs after I began undergrad, I finally graduated and decided to go to law school. Fast forward again 2 years after graduating law school and I am back in InfoSec—on purpose this time.
Editor’s note: so to recap, Nicole went from the military to shoe saleswoman to cyber. The resilience of a sista on a mission!
What is the most difficult challenge you have faced as a woman in a male dominated field?
Trying to maintain my femininity while being assertive and commanding respect.
Oftentimes in male-dominated roles, the traits that are most commonly associated with men prevail and it’s hard for me to take on those traits.
I am naturally introverted. I wouldn’t describe myself as dominant, aggressive, or commanding. I am more of the quiet observant type, at least initially, and that is oftentimes mistaken for me being meek, less knowledgeable and weak.
In general (not that I’m biased or anything), I think that women are more thoughtful and deliberate in how we communicate in male-dominated environments, as we constantly walk a thin line between wanting to assert ourselves, but not wanting to be coined as confrontational, bossy, or the other b-word that we get labeled with when exhibiting the same behaviors that are associated with male success.
Editor’s note: This is soooo true! Not only do we walk that thin line, but it seems that the line is a constantly moving target that gets thinner by the day. It can be exhausting trying to strike the right balance ALL THE TIME!
How did you overcome said challenge?
It’s an ongoing challenge that I am constantly learning to deal with, but I have made a lot of progress over the years.
I have become more comfortable dealing with individuals that I feel may have dominating or overbearing personalities, because I no longer hold things in for the sake of avoiding conflict or for fear of being labeled.
I have learned that it is possible to command respect as a woman in a male-dominated field without resorting to dominance and aggression. I do so by being assertive and making sure that I speak up when I feel the need to say something, in a polite, yet matter-of-fact way.
If I feel that I am being over talked then I will oftentimes allow the interrupter to finish what they are saying (when they go low, I try (but sometimes fail) to go high), after which point I have no problem steering the conversation back to my point until I am satisfied that I have been heard.
It sounds like baby steps, but it goes a long way in getting your point across.
Another challenge I have had is self-promotion of my achievements. I’m generally low-key when it comes to these things and feel that my work should speak for itself.
However, in male-dominated fields, self-promotion is often the norm and closed mouths don’t get fed.
I haven’t quite figured out how to do this without feeling like I’m being annoyingly boastful, so this is a challenge that I have yet to overcome. Stay tuned…
A reader of Danyetta’s profile suggested asking future interviewees to share failures because those have a bigger impact than just feel good stories. Do you have a failure that you would like to share?
I’ve learned to view all failures as alternate opportunities, because that is exactly what they have turned out to be for me.
I initially saw my not graduating college in 4 yrs and immediately going to law school as a failure, because it had been my dream since I could talk.
Yet the delay gave me an opportunity to explore a new field that I was able to further explore from a legal perspective in law school. And I had the chance to experience life and travel around the world.
I also initially saw joining the military as a failure when I realized that I would be deployed to Kuwait (I never saw a war coming, I just wanted money for school), yet the only reason I am featured in this spotlight is because of all of the opportunities that followed from joining.
That has pretty much been the story of my life when it comes to every “failure”. So I’ve concluded that there is essentially no such thing as a failure.
There are those who fail to recognize the alternate opportunities that are presented to them as shortcomings, but everything in life happens as it should, so by definition they can’t be failures.
What advice would you give someone looking to enter the information security field?
The most obvious path may not always be the right path.
Take on opportunities that may not be what you envisioned as you were methodically planning out the next 20 years of your life, because those opportunities could take you places you could’ve never imagined.
Also, Information Security doesn’t just exist in tech companies, it is needed everywhere—healthcare, retail, oil & gas, construction, etc.
These industries may not sound as high speed as working for Google or the NSA, but every industry comes with unique security challenges.
Before I happened upon doing security work for the healthcare sector, I had no idea about the many security concerns with medical devices and other healthcare-specific security issues. However, general security knowledge translates across all sectors and industries.
What formal education, skill sets, and/or certifications do you recommend that people start with to stand out among other candidates in the cyber security field?
That would depend on what area of security you want to be in. As a basic foundation, I think Security+ is essential, but from there you should consider what area you may want to specialize in.
For example, if security engineering, then CCNA.
If SIEM/malware analyst, then GCIA.
If ethical hacker, then CEH or GCIH.
When I am trying to determine my next direction, I read through tons of job descriptions to figure out what seems appealing and then I look at their certification requirements and aim for those certs.
Now that there are cybersecurity course curriculums, I would also get a degree in the field because it would likely give you access to relevant internships that could lead to that coveted first security job.
Can you give a brief “day in the life of” description of your role to help women that are coming into the field behind you understand what that kind of work entails?
In my current role, I get to utilize my technical, business and legal skills to approach cybersecurity from a strategic risk management perspective.
That means I try to analyze and address potential security risks (ideally) before the organization decides whether they want to accept them.
For example, I sometimes work with the attorneys to ensure that vendor contracts appropriately cover our cybersecurity concerns, or with vendors to ensure that their software or cloud environment is HIPAA or PCI compliant.
Sometimes I have to work with the software acquisitions department and IT project managers to assess potential security risks in software applications that they are considering purchasing and make recommendations on how to securely implement them.
I may need to work with the communications department to update a social media policy to continually address new security risks.
InfoSec risk management essentially touches every part of an organization and I am in meetings and conference calls with not only the CISO, but also with vendors, doctors, IT staff, compliance staff, finance staff, and others throughout the organization because they all play a role in my security risk assessments (yet most of them have no idea that they do and that’s the hardest part about me trying to save the world).
Editor’s note: Trying to save a world that does not seem to want to be saved is the story of our lives!
Why did you become a CISSP?
Because I wanted to move beyond strictly operational roles and explore more of the strategic side of cybersecurity.
Working in Security Operations Centers, CERTs and NOSCs is how I got started in the field and working in those environments is definitely a great way to learn a lot about security in a short period of time. I would recommend it to anyone wanting to get their feet wet.
However, after my first few years, I was over my security monitoring and incident response phase (mostly), and was definitely tired of 24×7 operations (the enemy works on Christmas too).
I became more interested in project-based roles and felt that the CISSP would allow me to move in that direction.
Although I obtained the CISSP very early on in my security career, having it helped to quickly mature my resume because it served as evidence that I could think about security from a strategic management, as well as an operational perspective.
What project(s) are you most proud of?
I’m most proud of the work that I’m doing now, which entails building a world-class InfoSec risk management program from (almost) scratch (and trying to save people from themselves).
Most of cybersecurity is reactionary, especially on the operations side, as security analysts and engineers are constantly trying to put out fires and actively addressing security vulnerabilities and incidents.
In the meantime, the less “sexy” things such as risk assessments, security audits, security policies and documentation, are often neglected.
That’s where I come flying in with my Captain Boring cape on.
Although the hacker types may see it as such, I actually find my work to be quite interesting and it thankfully allows me to wear multiple capes and escape the monotony of day-to-day operations.
Did I mention that in the midst of doing all of the above and more, I also meticulously engineered, securely transported, and safely downloaded the best son in the world ☺.
I know we women sometimes have it hard trying to juggle motherhood and professional life, and we often are made to feel that we must draw hard lines to separate the two identities, but I’ll gladly add my son to the top of my list of professional accomplishments (especially since he worked some very long hours with me while in the womb).
Editor’s note: I am a mom too and I love that your son is at the top of your list of professional accomplishments! We take our kids to our public speaking engagements and tech events, so I guess they are earning their paychecks too! 🙂
Is there any other info you’d like to share that you feel would benefit our readers?
Joining professional organizations can be a great way to network with security professionals, even if you are new to the field.
One that I recently joined and highly recommend is InfraGard, a partnership between the FBI and members of the private sector. They have chapters all around the country and within the chapters you can join specific interest groups. You get access to the latest cybersecurity information and you get to meet people in different cybersecurity roles and industries.
Editor’s note: speaking of the FBI, a colleague at the FBI Houston office told me that women never even apply to the open roles that he posts. Ladies, you cannot get a job if you don’t even apply!
Thank you for your service to this country and sharing your story with our readers! The talent spotlights are my favorite part of this blog. Our stories matter, and I absolutely loved yours! How would you like readers to contact you?
About Nicole Fagin
Nicole Fagin is an information security professional with 15+ years of information security experience in the federal government, military and private sector.
She is currently a Sr. Information System Risk Assessment Analyst for a large healthcare organization, where she manages all aspects of the risk assessment process.
Nicole was a former Computer Analyst in the Army Reserve and former Paralegal in the Air Force Reserve.
She has a law degree from the University of Pennsylvania, where she focused on the intersection of law and technology in the realms of intellectual property, cybercrime, data privacy, and data security.