A Conversation with Marie Garcia, Armor’s IT Compliance and Audit Manager

Did you know that many of computer technology’s earliest innovators were women? In the 1840s, Ada Lovelace devised the first algorithm for Charles Babbage’s analytic machine, an early computer prototype. About three-quarters of the Bletchley Park team that broke the Nazis’ ENIGMA code during World War II were women. In the United States, during the same period, the team that developed the ENIAC, another early computer, was comprised of 6 women. In the late 1950s, Navy Rear Admiral Grace Hopper laid the groundwork for the COBOL language with her pioneering work in computer programming. And when astronaut John Glenn circled the earth in 1962, his safe trip was largely due to the computational work of 3 African-American women—Katherine Johnson, Dorothy Vaughan, and Mary Jackson—whose work was memorialized in the film Hidden Figures.

Yet, despite these early successes, women’s participation in the computer technology industry plunged in the mid-1980s. Women made up 37% of computer science graduates in 1984 but less than 20% by 2014. Today, organizations such as Girls Who Code strive to reverse this slide by empowering women in technology through scholarships and outreach to young people, networking opportunities, advocacy and research.

In this series we’re highlighting some of the amazing women in senior technology roles at Armor. This time, we chatted with Marie Garcia, a leader in our cybersecurity compliance group, about her life, career, and advice to young women hoping to work in the cybersecurity field. Garcia gained a passion for coding by watching her mother work hard to complete a bachelor’s degree in computer science while raising 3 children, and Garcia is committed to welcoming the next generation of young women into her industry.

What is your specific area of focus in cybersecurity? Can you expand on what that means and what you do?

My area of focus is cybersecurity compliance, which means I collaborate with seemingly disparate groups across the enterprise to ensure compliance with our internal policies, laws (e.g. HIPAA), and regulations (e.g. PCI).

What kind of training or schooling did you have? Any certifications you’d like to note?

My training started back in the early 1980s when I was in middle school. My mom was enrolled in the Computer Science program at New Mexico State University. In addition to raising 3 kids, she commuted a little over 140 miles to campus 5 days a week to attend classes. This was at a time when you had to schedule and reserve time in the computer lab to enter your code (think punch cards and then Fortran). She didn’t want to waste time debugging code while in the lab, so she would do code walkthroughs with me. She’d walk me through each line of code, explaining what it did, and how it handled errors. Occasionally, I’d catch syntax errors! I followed in her footsteps, and got my Bachelor of Science in computer science from NMSU as well. As for certifications, I’m a Certified Information Systems Auditor (CISA) and I’ve also held the PCI-QSA (Quality Security Assessor) designation.

How did you get into cybersecurity?

When I started my career, cybersecurity wasn’t even a field, it was just IT. I was a programmer, and terms such as developer, software engineer or software architect didn’t exist yet. But, as a programmer I was never a big fan of having access to a production environment. I didn’t realize it, but I was saying things like: “Who has access to the production environment and at what level? Should they?” “Production is down? What changed?” or “Hmm, that doesn’t look quite right, let’s take a look at the logs.”

It was a former coworker who called me up one day and asked me if I’d ever given any thought to IT auditing. I had no idea what he was talking about. He said I was “wired for this stuff,” and that I was “always trying to find holes in processes and technology to help fill the gaps.” He offered me a job and I never looked back.

What do you enjoy most about the industry?

What I most enjoy about the industry is the people and working through a challenge or challenges with them. Cybersecurity compliance is really very logical. Pretty much everyone will agree with the need for an inventory and control of hardware and software assets, continuous vulnerability management, controlled use of admin privileges, secure configuration, etc. Think CIS Top 20 controls, but compliance is a verb. It’s something we have to do on a continuous basis in a highly dynamic environment that supports the business. So, if you’re going to level up and actually do cybersecurity compliance, it’s hard. But when, not if, you’ve matured your controls environment and your control owners (both technical and business) understand the benefits, it’s a “drop the mic” kind of feeling when the external audits come! I can’t tell you the nerdy joy I feel when I see the faces of my teammates experiencing a “we got this!” moment. It’s priceless!

What advice do you have for women entering the industry?

What does networking really mean? I’m sure it means something a little different for everyone. To me, networking is multifaceted. It includes volunteering, friendship, and building partnerships. Each of those is beneficial to me in different ways. I feel volunteering is good for my soul, friendship is good for my spirit and partnerships are good for my career. Find what works for you and do that.

As for learning, foster curiosity, and be a lifelong learner. Anytime you catch yourself making the “hmmm” sound, that’s a good thing. Don’t be afraid to ask, “What does that really mean?” I consider myself a technical generalist, and there have been countless times when I’m working with a subject matter expert and I ask that simple question, “What does that really mean?” and it led to finding a security gap. Give yourself permission to not know everything, because you won’t.

Have you had to overcome any challenges as a woman in cybersecurity? If so, what were they and how did you work through them?

When it comes to challenges as a woman in cybersecurity, be comfortable with the mindset “I’m not on sale.” I really believe that we discount our value, as women. At the beginning of my career, just before the salary negotiation phase of a job offer, I caught myself rationalizing a lower offer because I didn’t meet all the requirements listed in the job description. This was before the actual negotiations even began! I finally started asking myself, “Why are you negotiating on their behalf?” I recommend reading up on salary negotiations, especially Dr. Robin L. Pinkley’s book “Get Paid What You’re Worth.”

Another challenge is staying current. I am a ferocious learner, but my time is limited. To stay current, I’ve become a cybersecurity podcast and audiobook junkie. Between those two resources, I find key articles, technical segments, and resources that help me every day.

Recognizing the influence of the past

Women have broken new ground in computer science from the industry’s earliest days, but in recent years, sexism, discriminatory workplaces, and an assumption that coding is a man’s work have discouraged young girls and women from pursuing technology careers. Superstars like Marie Garcia recognize the gift that female technology pioneers have given to them, while preparing to hand it off to the next generation.

“I want to give a shout out to the women who came before me,” she says. “I’m in my 50s but I want to recognize unsung heroines who have cleared the path for us, so that we can pave the way for the ones that come after us.

“I consider the women who came before me InfoSec rock stars, and I want to say thanks to all of them, especially my mom,” she says. “She and the handful of women that she worked with are already fading away into history, but they really did clear the path for us to pave the way.”