Welcome to our Speaker Spotlight series, where we are getting to know some of our past Diana Initiative speakers.
Meet Yolonda Smith, one of our 2020 Keynote speakers. She will be presenting “What Does It Mean to be a Barrier Breaker?” on Saturday, Aug 22. Yolonda also presented “It’s Coming From Inside the House: An Inside-Out Approach to NodeJS Application Security” and “Backwards and In Heels: You Must Know the Business to Secure the Business” at our 2019 event.
Yolonda Smith is the Head of Cybersecurity for sweetgreen, as well as a Veteran of the US Air Force, where she served for 8 years as a Cyberspace Operations Officer. Yolonda holds a litany of degrees and certifications including a Bachelor of Science, Computer Science (University of Notre Dame, 2005), Master of Science, Information Technology, with a concentration in Information Assurance (University of Maryland, 2010) as well as GSEC (2008), GCIH (2011), and CISSP (2008) certifications.
How did you get started in Information/Cyber Security?
I think the common trait amongst those who are successful in Security is an unwillingness to accept the world as it is put in front of them. I was always the kid who questioned “why” and wouldn’t be satisfied until I understood the answer. That attitude DID NOT serve me well in school, but it served amazingly well in the Air Force, which really gave me the runway I needed at a time when the country was really turning the corner on its dependence on and the prevalence of networked systems. My junior year in college I earned an Air Force internship in upstate New York where I got my first real instruction in how things work so I could exploit how they break. I spent the summer wardriving and nmapping and wiresharking and buffer overflowing, and I was lucky enough to be able to take those lessons and apply them as an Air Force Officer.
Who inspired you, and why were you inspired by that person?
My Mom, who taught me that my future was my own to write. She never told me what I was *supposed* to do. Never made me feel like I wasn’t good enough or smart enough to do whatever I wanted and, when the world proved that to be false, she was the first one to knock the dust off my skinned knees and hurt pride and tell me to try again.
My Dad taught me to be inquisitive and introspective. He was the first one to put a computer in my hands and to show me the possibilities of what could be.
Can you share some challenges you’ve faced in your career?
The Black Tax + The Pink Tax = The Mauve Tax? It’s constantly being underestimated, underpaid and undervalued by virtue of being a Black Woman in Tech. It’s walking into every meeting *every meeting* as the “other” and having to fight to be heard, but at the same time not wanting to appear as the “angry Black woman”. It’s knowing everyone is waiting for you to finish a project or achieve an outcome so they can copy it and take the credit or watch you go down in flames. It’s you spending nights and weekends building up only for Monday Morning Quarterbacks to show up to tear down and criticize what they could have never done on their own. It’s learning to thrive on being doubted and dismissed. It used to really depress me when someone told me that I couldn’t do something. What they were really saying was they couldn’t do it, so it must be true for me too. Now when I hear that, I just smile and get to work.
What advice would you give other BIPoC looking to enter this field?
1. Build your portfolio: all those side projects and tinkerings and blog posts and project prep work and presentations you did? Hold on to them, keep a copy, get them organized and reusable. As a BIPOC in this field, you won’t have the luxury of OJT. You need to prove you can solve problems on Day 1.
2. There’s more than one way to get into Security: this field is ultimately about exploiting the assumptions that humans make about their world and how it works. You don’t have to be a pentester to do that. Don’t turn your nose up at “non-security” jobs; in fact, I’d encourage almost everyone to get started by working on an IT Help Desk and then (potentially) moving to a system (or cloud or network…) administrator role. You’ll learn a ton about how things work as a technologist AND you’ll get a chance to actually help solve people’s problems by getting to the root of their assumptions. I’m a big proponent of the ‘itsy-bitsy-spider’ approach to career progression–move laterally; become the subject matter expert; move up; repeat. Your career in Security may not start with poppin’ shells, but, like any attacker, keep your eye on the end goal and you’ll get there.
3. Pick something: A LOT of people tell me ‘I want to get into security’ and my immediate next question is ‘doing what?’ then I get the deer in the headlights response. Listen, “Security” is an umbrella term for a literal ocean of things. What about ‘Security’ do you find interesting? What do you see yourself doing? Who else do you know (or know of) doing the thing you want to be doing? Why do you want to be in Security? What do you want to learn? IAM? IoT? Networks? Wireless, wired, software defined or IaaS? Where do you want to work? SpaceX? Reliant Energy? Starbucks? Capital One? Sweetgreen? PNNL? It’s hard to help folks who haven’t done a modicum of independent research. Pick something. Literally anything–I promise there’s a security need wherever you want to go, but you can’t swim if you don’t get in the water.
4. It has to be about more than money: A lot of us get into Tech (and by extension Security) because we can make pretty good money in a relatively short amount of time, but then find ourselves in environments where the money is good, but the attitudes are stank. Nothing, I mean nothing, is worth dealing with toxicity, harassment or abuse. You need to get clear with yourself on what your boundaries are and be prepared to move on if/when those boundaries are violated because, trust, people will try it, especially with you. Focus on becoming a deep subject matter expert in something (skill, task, project, technology, process, regulation or policy), excelling at achieving your defined outcomes and ensuring the rest of your team can achieve their outcomes. That way, if you do have to move on, you’ll be able to take that expertise some place else with the evidence that you’re able to execute.
5. Get really, really good at writing and speaking: You may be the best pentester in the world, but if no one can understand your report, you may as well have not shown up. Whether we like it or not, success in our jobs is predicated on people in “the business” being willing to adopt our ideas and implement them, and the truth is that as a BIPOC, you’re going to have to prove yourself more than others. That starts with how you communicate. Your words need to be clear, concise, action/outcome oriented and rooted in executing business objectives. Eliminate words like ‘I think’, ‘I believe’ and ‘ah…, um…, well…’ from your speech–they diminish the power of your words. Additionally, get in the habit of making eye contact with the people you’re talking to. It goes a long way towards conveying authority and authenticity while engendering trust in your abilities. This is not easy. Start small (like with email) and keep working at it. If you really want to put yourself out there, apply to speak at next year’s Diana Initiative!
Are there any groups that have been supportive or extra helpful on your journey?
In general, I’d recommend reaching out to LOCAL chapters of folks doing what you want to be doing–you need to build your network. That includes Defcon Groups, OWASP, WISP (Women in Security & Privacy), WiCyS (Women in CyberSecurity), ISSA (Information System Security Association), Women’s Society of CyberJutsu. BiC (Blacks in Cybersecurity) and ICMCP (International Consortium for Minority Cybersecurity Professionals) are excellent. If you’re on the leadership track, I’d get hooked up with the Executive Women’s Forum (EWF). I’d LOVE to get invited to the BSides CISO track (wink, wink, nudge nudge).
Thank you, Yolonda, for sharing all of this great information.