How to build a public profile as a cybersecurity pro

Cybersecurity professionals interested in raising their profiles as subject matter experts can count on social media to become more visible. With everyone being online this may not be enough though. CSO spoke to Forrester analyst Jinan Budge and cybersecurity professionals Katie Moussouris, Troy Hunt, Rachel Tobac, and Christina Morillo about their journeys and their tips for those who want to build their public profile.

Some of these professionals have been known for their work for more than two decades while others may have become more prominent in the last decade. But they have all seen and experienced the good and the bad.

Step 1: Define your cybersecurity area of expertise and what success mean to you

Professionals can use many channels to share their knowledge: blogs, video content, tweets, etc. How a professional decides to share knowledge will vary and it may not work in the first attempt, but one thing is key: Be yourself and discuss a topic you are comfortable with and understand.

Budge says that it is important to understand who you are to be able to go speak of things that matter to you. “Sometimes you need to remove that pressure of building a high profile, and it sounds counterintuitive, but I think once you do that and get to know who you are, that’s it.”

Jinan Budge, Forrester

Choosing your area of expertise is important. At some point, you may find that you will need to make decisions when opportunities are presented to you. Taking every opportunity may help increase visibility but it may also confuse those looking for a certain type of content. If you have that clearly defined, it will make it easier to decide which opportunities to turn down.

Define what visibility and success mean to you. “You may not necessarily want those same things that everybody else has, and that’s OK. Just be very clear on what you want, what you are and what you’re not willing to sacrifice and make a plan for yourself,” Morillo tells CSO. “There is no playbook. Define what it is that you’re good at. Figure that out, what makes you feel good.” Find your own formula is Morillo’s lesson.

Some key points from Tobac include building it in public to show people what you are working on and what you are doing so you can get feedback and know what works or doesn’t. Also do UX research; know your audience. More importantly get used to giving stuff for free. “You can’t give everything away for free. That’s important. But you have to give a lot of your thoughts and tips and tricks away for free. And I think that’s what really helps people understand how to stay safe. I think Katie [Moussouris] and Troy [Hunt] do that really well, where they talk about what they’ve learned, how you can implement it at your work and how to stay safe. And Troy created a completely free product for the general public,” she says, referring to Troy Hunt’s Have I Been Pwned, where anyone can search across multiple data breaches to check if their email address or phone number has been compromised.

Step 2: Start creating content

Once you know what you feel comfortable talking about, start talking about it. When Budge started at Forrester, the managing director said she should write blogs. She thought she had nothing to say and didn’t know how to do it but, “Once you start you can’t stop,” she tells CSO. This can work as practice for discussing topics, it can raise questions from readers, things you may not have initially considered, etc.

Troy Hunt

Writing blogs was how Hunt started. He tells CSO that 13 years ago when he was hiring at Pfizer, he was looking at resumes and wondering how he could tell if this or that person knew the things they said they knew. He’d search candidates in Stack Overflow or GitHub but would not find them there. That was where his first blog idea, Why online identities are smart career moves, came from. He says technology professionals in general should have something to show to prospect employers—something a lot of techies have been doing—other than references, which are people chosen by the candidate and likely to be someone who will say good things about them. This was part of how Hunt started his online presence, too: following his own advice and writing about things he was interested in.

Looking back now, he can see how things were “all over the place” as he was speaking broadly about technology. Eventually he landed in infosec, which is what he is most known for. “I think you just got to figure out your path in online life…. It probably took me a good year or two before I found the groove,” he says.

Step 3: Buckle up against criticism

These experts make it seem easy to be in the public eye today, but it is not. They have shared some of the obstacles they faced.

Hunt has seen others cope with appalling and more relentless behavior than he has, “particularly if it’s based on sexuality or gender or religious beliefs or things that are very, very personal and very, very targeted and amount to someone just simply disagreeing with your freedom of choice in life.” He has suffered online abuse, usually in the form of people questioning his right to discuss a topic. He believes this happens because he wasn’t a penetration tester by background, so discussing the topic made people question him. There were more serious issues such as a death threat, but the person was not living in Australia, so could not physically harm him.

Katie Moussouris

For Moussouris this wasn’t the case until social media platforms allowed people easy access to anyone. With her career already established before Twitter was launched, she found herself dealing with different behavior on social media. “I would say the obstacles there [Twitter] have been that because it’s a public medium, and Twitter especially tends to have a lot of people who think they can spend about two seconds considering a complex topic and rattling off their opinions. I think it’s been challenging for me having been a pioneer in several spaces basically being mansplained a lot on Twitter where people are explaining to me how vulnerability disclosure works when I wrote the international standards for it,” she tells CSO.

Moussouris also says that Wikipedia has a gender problem as there have been at least two attempts to create a page for her with both being taken down until around 2017 when the final attempt stuck.

It isn’t just plain abuse that can affect individuals or become tiring. Tobac has faced a different issue: She has been often overlooked not only for being a woman but also due to her stature. She says that in meetings she would often get the, “We’ll just wait for the CEO to arrive and we can start,” and she’d have to say, “I am here, we can start.”

She also thinks that people expect those in charge to have certain characteristics. “They don’t expect somebody to have decision making power or to be a CEO and to be able to make those choices. They just might think, ‘Oh, that’s a small person over there in the corner. I don’t think that’s the CEO.’ I do think that I am routinely underestimated because of my stature or what people expect a hacker or a CEO to look like.”

Christina Morillo

Morillo talks about being gaslit a lot. Sharing those experiences attracted another kind of attention from management at companies she worked where leaders “addressed” that people seeing or listening to what she was sharing may perceive she was being abused by her employer. That made her become more intentional about what she shared and what the repercussions may be.

It is no surprise and all the professionals agreed that there is more criticism online against women than men and that increases when other factors are added such as race or religion.

Other profile-building tips from cybersecurity experts

Moussouris brings up a similar topic: how women tend to edit themselves and aren’t good at self-promotion. “I think that, rather than cautioning people against what is too far in terms of promoting yourself and your accomplishments, we should be thinking about how can you advocate and remind people of your accomplishments. Because as far as I have experienced, especially on Twitter, even people who have been following me for a while don’t know exactly what it is that I do or I’m known for…. You should advocate and make sure people know what it is that that you like to do,” she says.

That impacts women even when applying for jobs. According to Gartner analyst Neha Kumar, women are reluctant about applying to a job when they see they meet between 60% and 70% of the criteria. “That is something that’s a given for men that they don’t see the need to meet all criteria on day 1, whereas women feel like they need to meet at least 80% of the criteria. This is a reality.”

One way to overcome that, not only for women but all, is to listen to experts, Budge suggests. There are experts that help people build brands, there are executive coaches, there are executive coaches specifically who help women build their brands, and workshops. In fact, Hunt has done this exact job of helping others build their brand.

When it comes to the perception Morillo had of other visible infosec professionals, she says, “There are no unicorns.” She used to believe that some people were untouchable, and that they were doing “Einstein genius-level” things, and she learned that is not always true. “We can all accomplish the same things. It is just that we have different journeys, and paths and getting there may look a little different.”

Job opportunities that (not always) come from being well-known

The results of being well known can be quite different. Moussouris, who’s been running her own company Luta Security for more than six years, says not a single contract came because of her social media presence even though her company does not advertise. “You know, you would think so, but absolutely no jobs or contracts…. No work has ever come because of my social media presence,” she says. However, because she was already well known and highly regarded, her company does attract clients by word-of-mouth from other customers or because of the work she has done in the past.

Rachel Tobac

Tobac, who does not employ a sales team in her organization, SocialProof Security, tells CSO that she gets more than a hundred of clients every year. “I found that building my company in public has been really effective. People get a chance to see how my clients react to the work that I do because they’re posting about it, because I’m so public about what it is that I do,” she says.

Hunt is no different and he counts on the help of his wife, who has a lot of knowledge about the industry especially around events and what is an acceptable price to charge for speaking at a conference. He is also a tutor for PluralSight.

Morillo had opportunities to speak at conferences, to be featured in magazines. She was part of a book before she wrote a couple of books. Thinking back, she believes that a combination of things made her become more visible, such as being featured in Cosmopolitan magazine earlier in her career. She says she has also been invited to be part of organizations such as Women in Security and Privacy and #ShareTheMicInCyber. Her current job was also the result of her online presence. She became acquainted with a professional online. They later met in person and one day he came to her with a job opportunity.

Different ways for cybersecurity pros to stand out

Each of these professionals CSO spoke to have done great work for the industry. They have done so sometimes in unexpectedly, creative ways but also, and perhaps more importantly, with diversity and inclusion at the heart of it.

Several years ago, Morillo noticed that there were no stock photos of women of color in tech or security. She started a small initiative called Women of Color in Tech Chat, which was meant to be a discussion. She started to pitch to organizations like Digital Ocean, Microsoft. GitHub, and Trello to sponsor a photo shoot to create these stock photos. She says the first photo shoot was such a success the company sponsored another two and these photos have now been viewed and downloaded millions of times.

Tobac, who has a degree in neuroscience and behavioral psychology, was teaching kids with disabilities before she went into cybersecurity. It was no surprise that after she entered the field and did different works in the space — she was thrice second place at DEF CON’s Social Engineering Capture the Flag contest — that she’d start sharing knowledge. That quickly evolved into cybersecurity training done in person and online. Then she took a step further: She started creating training videos in musical format and it has been a hit.

It started sometime during COVID-19 when she created a video of her singing an infosec sea shanty. Feedback was so good that she started researching the topic and found studies that said 80% of people like to learn content with song and 20% prefer spoken content. So, she set out to create training in musical format and four to six weeks after launching the first video, SocialProof had done 160 demos. Now the content is available in different languages including French, French Canadian, Mandarin, Portuguese, Spanish, and Swedish.

Moussouris is behind the Pay Equity Now Foundation, which emerged from a pursuit to inspire and support efforts to close the gender and racial pay gaps, and a desire for actions to speak louder than words. She is half Pacific Islander and she speaks about it. She understands that even though she is more privileged than other marginalized groups, she uses her voice to promote those where she can.

Diversity ensures discussions don’t become stale

Something Forrester’s Budge cautions is what she experienced 15 years ago, when she saw a few people became very high profile, but they would all speak the same things, leading to stale conversations. “Diversity of views and perspectives is so important, and it is why I love to see so many different people and so many different individuals rise in terms of their personal brands, because we can’t. We can’t afford to have the same old stale conversation,” she tells CSO.

This diversity includes many aspects. It is not only about gender or race but also people from different age groups, people who work across the different cybersecurity spaces, and so on.           

Budge says that when she started her career, conferences would be presented and attended by mostly men. It was a generation “where we [women] had to bust through [the doors].” This is changing, which benefits and helps provide role-modelling to women and other groups that are not strongly represented.

This change comes in many ways, one being the Australian Women in Security Network supporting the creation of a code of conduct for conferences. “We make sure that there are both men and women submitting to speak at conferences,” she says.

Sponsoring new talents and those to follow

Budge says that building a profile is a very privileged thing to do sometimes. What she means is that while some people may have time to work on it, others may not be so fortunate to attend drinks or coffee, or they may not be able to afford early in their careers to attend conferences. She also mentions that a lot of people will have other responsibilities that limit their time such as children, or they care for ailing parents, they may work two jobs. “And my tip there is: Sponsor people, sponsor people who are underprivileged and help promote them,” she says.

A simple example of this happened during the preparation of this story. Moussouris suggested a few names of people who have “very effectively used their personal brand to spread knowledge,” one of these names was Tobac’s. Tobac in turn suggested CSO speak to Camille Stewart. Stewart, who is the deputy national cyber director for technology and ecosystem for US federal government, was unable to take part due to other commitments, but quickly suggested Morillo.

Mossouris also says she always tries to find the original source of something she might share on social media for example. She also mentions the #ShareTheMicInCyber initiative — created by Stewart — that has non-black cybersecurity professionals who highlight people of color.

Beyond Tobac, she also talked about Tanya Janca uses social media to spread awareness about secure application development. There is Limor Fried, the founder and CEO of Adafruit, who Moussouris says, “To me she’s one of the great inspirations for the maker movement in the world.” Another presence in the ‘maker movement’ is Naomi Wu, who also leverage her presence to share useful tutorials but who has faced a lot of criticism for being based in China and also for presenting herself in a physically provocative way.

Morillo tells CSO that this was not the first time Stewart has pushed opportunities her way. She had previously put Morillo forward to replace her in the New America Share the Mic fellowship, though she did go through an interview process.

Should there be limits?

When it comes to setting limits to what one shares online, it depends. Both Hunt and Moussouris understand that the general population may not want to share a lot of personal information online, but they chose to be public. He mentioned @SwiftOnSecurity as an example of someone in infosec who has a successful anonymous Twitter profile. Like everything else, this is a choice.

Hunt will, for example, share photos of his kids while a lot of people choose not to. One thing he says he will never create, though, is a fans-only account. He has written blogs that were very personal and never published them. “And if you were to be unsure,” he says, “I would suggest just starting with the most basic minimal things of which you are certain that you’re comfortable with and then seeing where it goes over time.”