A Conversation with Nancy Free, Armor’s Chief Compliance and Data Privacy Officer as well as Head of Governance, Risk Management and Compliance (GRC) and Privacy
It’s been estimated that more than 1 million security jobs are unfilled. Further, the international cybersecurity non-profit ISC2 reports that, of the currently employed cybersecurity professionals, women represent only 11% of the workforce—and only 1% of positions in the C-Suite.
It’s shocking, really. Research shows that, overall, women in the workforce have higher levels of education than men, with 51% holding a master’s degree or higher, compared to 45% of men. Additionally—and more importantly—a great number of cybersecurity jobs require more interpersonal skills than technical ones. They require analytical thinking, teamwork skills, communication skills, and leadership skills, all of which can be learned in fields other than technology, and all of which are skills that women tend to demonstrate with ease and expertise.
The diverse talents and perspectives that women bring to cybersecurity teams are invaluable. In the following interview with Armor’s Nancy Free, that fact is driven home in a powerful and personal way.
What is your specific area of focus in cybersecurity?
I’m responsible for many areas of cybersecurity, including governance and risk management, audit assurance and compliance, vulnerability management, business continuity management, and data security and privacy. It’s a broad range of responsibility.
Can you expand on what that means and what you do?
In the broadest sense, it’s all about managing risk, just from different viewpoints. From a governance and risk management perspective, I look at organizations holistically to identify where the risks are, why they exist, and determine strategies on how to best address them while still ensuring that we operate efficiently and effectively.
When it comes to audits and compliance, I’m responsible for confirming that we meet all regulatory requirements, including external mandates like HIPAA, industry mandates like PCI, and many others. I manage the internal control environment and ensure we are always audit-ready.
I also oversee Armor’s internal audit program to make sure our organization is achieving its objectives and acting with integrity.
Data privacy is more focused on the confidentiality and privacy of individuals’ data. It’s my job to protect the individual (or data subjects), to know where the data is, to know why we have it and what we use it for, and to ensure it is well protected in our possession and properly disposed of when no longer needed. Ensuring we align our business practices to comply with relevant privacy laws is a constant focus.
What kind of training, or schooling did you go through? Any certifications you’d like to note?
My training has been largely experience-based with a smattering of skill specific training courses. Luckily, I’m a natural problem-solver and methodical thinker, so as I’ve taken on different roles, I’m very comfortable with figuring things out. In terms of formal education, the University of North Texas was where I got my start, but at that time, I was focused on biochemistry and genetic research. I entered the workforce at a time when technology was growing quickly. I had the opportunity to work in a variety of capacities and assume responsibilities that expanded with each new job. It’s been a continuous education cycle just doing my day job!
What got you interested in cybersecurity?
Honestly, it fell in my lap. I was working as the assistant to an office manager whose responsibilities included certain IT functions. When she left the company, I was promoted into her job and I hit the ground running, doing everything from payroll, office management and benefits, to internal IT, including networking, equipment purchasing and troubleshooting problems. Figure it out… problem solved! Like I said, that’s kind of the way I roll.
What do you enjoy most about the industry?
I love that this industry is so fast-paced and continuously changing. There’s never a shortage of new things to learn or sort out. I love unwinding the giant bowl of spaghetti and turning it into something organized and efficient. The bigger the mess, the greater the reward! I like big challenges, and cybersecurity definitely offers that—not only because threat actors are constantly looking for ways to mess with you and your existing technology, but also because new and exciting innovations are being introduced all the time. There are so many details to consider. It’s ironic that there’s a shortage of people in the cybersecurity workforce because there’s certainly no shortage in the industry’s areas of focus and career opportunities. There are at least 50 facets of expertise in this industry that individuals could leverage to launch, or expand, their career.
What advice do you have for women entering the industry?
Cast your net wide. There are so many different paths you can follow, and unless you have that one thing that’s driving you—for example, you want to be a pen tester or you want to conduct forensic examinations, the more diverse your experience, the better. Learn as many different aspects of the industry as you can because there’s never just one way to approach a problem. The broader your knowledge, the better off you’re going to be. Don’t shy away from the projects that others don’t want. It’s within those opportunities that you differentiate yourself from the pack and gain knowledge and experience that will make you uniquely qualified for future roles.
Have you had to overcome any challenges as a woman in cybersecurity? If so, what were they and how did you work through them?
There have been, and continue to be, so many. I feel like finding my voice has been, perhaps, the biggest. In an industry that is overwhelmingly populated by smart and vocal men, it was easy to feel like I didn’t have anything to contribute. On many occasions, I would share my thoughts with male colleagues who didn’t share my introverted traits and found them more than happy to pass my ideas off as their own, allowing me to sit in silence, tongue tied and angry as I was passed over for assignments and promotions.
Among the smart women I’ve worked with over the years, it has been a common theme that we’ve all suffered (at one time or another) from “imposter syndrome.” It takes time to realize that in this industry, it will never be possible to know it all… and that’s ok! What’s more important is to join the conversation and let your knowledge, advice, and experience come through. Take your seat at the table, not just figuratively—physically find a chair at the table and sit down. Be seen. Be heard. Contribute.
My experience in overcoming imposter syndrome has required me to develop thick skin. I can tell you, in a room where I was often the only woman, my voice expressing an alternate opinion was not always welcomed and did not always make me the most well-liked person in the office. But in time, I learned that my willingness to speak up and have some uncomfortable conversations has helped me to earn respect and secure my professional footing, and that has been far more rewarding than worrying about whether or not people liked me. Learning how to be confident in my own skills and in what I bring to the table, simply being able to stand up and raise my voice, learning how to be heard; these things have made all the difference.
One of my favorite quotes by Henry Ford is “Whether you think you can or think you can’t, you’re right.” I’ll dovetail that into a Mumford and Sons lyric: “Decide what to be and go be it.” I preach this concept to my children—that it’s all up to them. We all can be anything we want to be. We must simply to make up our minds and get to work.
In one of my previous jobs at an energy company, the CIO happened to be a woman—something quite unique in an industry that still tends to be a huge boys’ club. There were about 6 women who reported up to her in various capacities, and we were able to ask her all kinds of questions about being a female leader. One of the best nuggets of wisdom she shared was that a lot of women go into roles in male-dominated industries and try to fit in with the men or be like the men. Her advice was to “be the obvious woman in the room.” It’s fine to wear bright colors or smile or have a bright personality, she said. It’s fine to be all that you are. You have the knowledge you need to do the job, and you don’t have to portray yourself in the same way that a man does in order to get ahead. I’ve definitely taken that to heart. Be yourself and own who you are.
Women with the same type of drive, smarts, and talent are out there right now waiting for the cybersecurity community to find them. Our schools are slowly finding ways to encourage girls toward technical careers, but it’s up to players in the technology and cybersecurity communities to get the word out too. There are many outlets that are working to further the cause and encourage the next generation of women in cyber. They simply need more participation.
If tangible, sustainable empowerment of an entire workforce is the goal, it’s imperative that corporate executives and hiring managers act swiftly to attract women for positions in cybersecurity, focusing on the skills and experience, if not the formal education, that get the job done.