Unconventional Women in Cyber Security — a series of origin stories.
As I was attending a women in security conference in Philly, I had someone approach me and ask me how I got started in the industry. She had just lost her job as a bookkeeper in an accounting firm. She had three kids, one in first grade, one in kindergarten and another in diapers. Someone told her that working in cyber security could provide stability and possibly a remote work environment that would give her an opportunity to be around her kids more. So here she was at her first security conference, making connections and letting her curiosity guide her.
Her story resonated with me as I came from a similar background. We chatted for a while, I gave some guidance on what to study, where to seek information and networking with other women in security and she left. Despite being a brief interaction, I came to think about it often. My origin story isn’t unique. It isn’t even especially exciting. I came to be where I am today through a series of opportunities that presented themselves and terrific mentors who believed in uplifting others in the community.
As I took this story back to my peers at the office, several people told me they didn’t graduate with a CS degree. One woman had a career in law enforcement, one worked as an EMT, another graduated with a degree in physics.
Diversity in the workplace tends to focus on the more obvious things that make us different; gender, race, physical abilities, etc. Bringing together a community of people with different backgrounds including their diverse work history sparks innovation and brings new problem-solving perspectives to the table. This series will highlight the origin stories of women with diverse backgrounds thriving in one of the most lucrative and challenging technical careers.
The first in this series is the story of Essbee Vanhoutte, known in hacker circles as SandboxEscaper. What if I told you that a simple search on how to make money online sparked the beginning of a bright young woman’s future in cyber security? It sounds fantastic, but it’s often the fantastic moments in life that ignite the greatest change.
Essbee grew up in Belgium and dropped out of high school at a young age. Being part of the LGBTQ community made it difficult to find an inclusive career path in her home country. She found work as an Emergency Medical Technician, but also had a tangential interest in computers. She had no formal training, but wanted to find a way to make more money. One day she opened a search engine and typed, “how to make money online.” This would be the beginning of a whole new world of possibilities.
After learning some self-taught code essentials, Essbee landed a job in software quality assurance testing, and quickly zeroed in on security defects. Taking apart vulnerability write-ups from other notable security researchers like James Forshaw, who were publishing their findings online, she began searching for other code repositories and online assets with security vulnerabilities.
Teaching yourself to find vulnerabilities in code without any formal training is not an easy task. It takes perseverance, patience, and a tenacity that often comes at a price. The journey can isolate you socially while you peel back layers of self-doubt and watch others around you succeed. Essbee is outspoken about her findings, and that garnered her both admiration and adversaries. After experiencing job loss, she began dropping zero-day vulnerabilities in highly visible Microsoft products. This no doubt put her in a precarious position. Coordinated vulnerability disclosure isn’t always straight forward and easy to navigate as researchers often face ambiguity, resistance, and threats of litigation.
Her activity (some would say notoriety) in dropping zero-days got the attention of a Microsoft manager who reached out to listen with empathy to her situation, offered mentoring and a sympathetic ear. It wasn’t long before he encouraged her to interview at Microsoft. As she tells it, she is fairly certain she didn’t do too well on the technical white board questions, but I would argue that wasn’t the case. Afterall, she is currently a software engineer on the Windows development team focusing on secure code development and finding existing vulnerabilities in the Windows platform.
If asked, Essbee will tell anyone seeking a career shift into cyber security to “go for it!” It won’t be easy. You will face bias, difficult situations, maybe even imposter syndrome, but persistence and tenacity will pay off. Along the way, find community in people like Essbee who are enthusiastic and willing to share their stories of perseverance. Stay connected with them, share your own learnings and spark that curiosity in others seeking the same. To quote another unconventional woman, “Alone we can do so little. Together we can do so much.” — Helen Keller.
Join me next week for the origin story of a physics enthusiast turned Vulnerability Response and Resolution Principal, Mechele Gruhn.
