Epic Women in Cyber — Uma Rajagopal

Sonya Moisset
Epic Women in Cyber
12 min read · Sep 13, 2021

For more than two decades, I’ve worked across multiple industries to become the cybersecurity leader that I am now. Before I came to Amazon, I served as Information Security Officer at Capital One, where I helped transform our cyber program and improved our response preparedness as well as our governance, risk, and compliance. I also specialize in technology auditing and analysis, threat modeling, and security architecture. I have extensive experience in product security and governance and supply chain-vendor security. In a nutshell, I bring people, processes, and technology together around proactive cyber defense.

What makes me unique is my ability to be results-driven but also empathetic. I believe that cybersecurity isn’t just about policies or responding to threats. Cybersecurity and creating a culture of security can be a business’s key competitive advantage. The COVID-19 pandemic has accelerated the way we use technology and the way we work. Some businesses made three years’ worth of technology changes in three months. The winners in this new world will be the ones who enable people to connect securely, and their businesses will thrive.

To do that, I believe it’s critical to understand the business and build partnerships within it through trust and authenticity. My goal is to inspire and empower the stakeholders that I serve. That inspiration and empowerment is key to creating a culture of security, where everyone understands why it’s important to protect our data, our business, and each other.

A lot of business leaders want to be able to invest in one technology that solves all of their security problems forever, but it takes more than that. When you think about it, security is everyone’s job. As a cybersecurity leader, I set up my teams to lead by example, to educate others, and to create an environment where people feel empowered to increase their knowledge and collaborate with us.

Building that culture isn’t possible without building strong relationships with people. As a leader, I believe that a big part of my job is reminding my team of the big picture that we’re working towards. Reminding them why we work so hard on our projects, spend those long hours, and constantly evolve and change our strategy. It’s about connecting the dots for them and supporting them, even when they’re tired, to never forget that what drives us is solving problems to keep each other and our organization safe and connected.

Cybersecurity is about building resilience for the business. It’s about being reactive as well as proactive in a constantly changing environment. I believe that, in this field, we can’t rely on what’s worked for us in the past. We have to evolve and get better all the time, and that’s what I try to inspire my teams to do. We have to stay multiple steps ahead, even if we’re using legacy technology, or a blend of new and legacy technology. Or maybe we’re facing familiar security threats, but they’re fought in new places. It’s like trying to fly a plane, but the technology in the plane is constantly changing on you, and the destination and weather conditions keep shifting. The problems are changing, and the solutions are changing, but the goal of getting all the passengers there safely is still the same.

How did you get into the cybersecurity field?

Be Curious: Prior to the internet boom, I worked as a programmer building applications in mainframe for the finance and health care industries. I also owned supply chain modules for the manufacturing industry. As the internet and technology grew and evolved, I evolved along with it and realized how important it is to safeguard what matters most and what we can do about it. I learned how to conserve energy, aka budget, to where it mattered. I came into the cybersecurity field because I’ve always been incredibly curious about why things are the way they are. I’m constantly learning, I love to solve puzzles, and I try to redefine failure as a learning opportunity to move forward. All of these traits make working in cybersecurity a great fit for me.

As my career has developed over the past two decades, I’ve moved from individual contributor to team lead to manager. I’ve been a coach, mentor, and executive. Currently I work in leadership roles, where I help organizations stay safe and keep people connected by driving their cybersecurity strategy and creating a culture of security where people feel empowered to keep each other and their business safe.

What are the main challenges in this field?

Challenge is constant: Cybersecurity faces many of the challenges that other high-tech industries do but with an added challenge of an “arms race” between us and constantly evolving threats. In this field, there is so much emphasis on technology, but not enough emphasis on people, aka human firewalls.

Technology evolves so quickly, and threats do too. Hackers are smart. It’s a constant challenge to remain up to date and stay ahead of threats and threat actors, but it’s exciting.

Like much of the technology industry, the cybersecurity field has highly paid jobs, flexible working schedules and rewarding growth. So it’s an immense and constant challenge to retain the best talent. There are more jobs available than there are people with the skills to take them. The market is extremely competitive, and the pandemic has only made that more complicated. Almost half of Americans are rethinking their career path post-pandemic. Plus, the stigma of quick job-switching has almost disappeared in the tech field; it’s much more common for candidates to stay with an employer for shorter periods of time than it was just ten years ago. Employees want to feel that their work is engaging and has purpose and that their company has a clear mission and values that align with their own.

Also like many of the high-tech fields, there are not enough women in this industry. We have a major need for diverse backgrounds and voices in cybersecurity. Risk assessment is in women’s DNA compared to men. We are naturally security-minded. We have an affinity for considering “what if” scenarios, which is critical in designing any product for customers.

What are the things you’ve learned being a woman in cybersecurity?

Own it: Female representation and inclusion in the cybersecurity field has come a long way, but we still have more progress that needs to be made. As far as representation, we’re doing much better than we were previously, but we’re still not there yet. Women now make up 24% of the cybersecurity field. So we still have a long way to go, especially for women in leadership roles.

Consider this: Sometime, somewhere, we have trusted AI more than we have trusted security professionals who come from non-traditional backgrounds. That means that we have trusted the decision-making abilities of machines — programmed by people with natural biases — more than the decision-making abilities of people sitting at the tables with us, simply because they look different from us. Let’s let that sink in.

As leaders, I think if we can identify talent and train them on the security skills, that is going to be the real game changer as far as getting more women into the cybersecurity space. Employees agree with me on that too. This year 71% of employees said that offering training and on-demand courses is one of the top ways that employers can support their learning. 82% of employees said that they support governmental policy as a way to encourage employers to offer skills training to their employees. If we can build robust, company-sponsored training programs, that would be a great way to recruit and retain talent — and importantly, diverse talent. We can also help encourage young women to seek out STEM learning opportunities from an earlier age and invest in these programs. Another great outcome of doing this is that we’re also helping their male peers to collaborate and support their female colleagues in these fields as well, which helps everyone.

There is a tendency for women not to apply to jobs unless they meet 100% of the requirements, as opposed to men, who are more likely to apply to jobs if they meet 60% or more of the requirements. This has to change. Women are also less likely to apply to jobs whose posting has language like “hunter” or “ninja,” which we tend to see in the software space. Employers can increase the number of female applicants at the top of the funnel by reviewing their job postings for gender-preferential language, taking out job “requirements” that aren’t absolutely necessary or labeling them as “nice to haves.” I’ve also seen employers include a line that says, “We know candidates have diverse experience, so we encourage you to still apply even if you don’t meet 100% of the qualifications listed here.”

Lastly, don’t underestimate the importance of the men around you acting as allies. Biased behavior is often invisible to those who aren’t affected until it is pointed out to them. Creating a workplace culture where it’s safe to learn and make mistakes is conducive to helping others understand their biases and work to combat them. A few years ago, a strategy that female White House advisors had started using to get their points across at the table went viral. It came to be called “amplification.” When a woman made a point or contributed an idea and it wasn’t acknowledged, another woman would repeat it, giving credit to the original speaker. When other women nationwide heard about this technique, they started using it in their own workplaces to great effect. But why must it be only other women amplifying each other’s ideas? Men can help out with this too. Think about a discussion where diverse points of view are acknowledged and considered, so the very best ideas win.

What advice would you give to women who would like to join the industry?

Come on in! It’s a great place to work. I’ve spent my career surrounded by clever, dynamic, helpful, and enthusiastic people who are keen to learn and share their knowledge. If you’re someone who is curious, trustworthy, loves solving puzzles, and doesn’t like to get bored, it’s a fantastic field to work in.

Don’t feel like you need to follow the crowd. I find that a lot of women count themselves out because they worry that they aren’t “technical enough.” The cybersecurity industry is growing all the time. It spans so many different disciplines and domains that all require security-minded problem solvers, so don’t be afraid to explore it. Chart your own path. Many people who work in the industry now didn’t originally plan to be there. Don’t worry about being perfect at the start or having everything figured out all the time.

You will fail, stumble, and fall, but eventually you will figure it out. Failure is a part of the process. I once heard someone describe it as being a player in the game. Winning and losing is part of playing the game. If you don’t put yourself at risk of losing, not only can you not win, but you’re just a spectator. To learn, you must get into the game. Do the hard things. Study something that challenges you, ask a question, or reach out to someone new.

Seek out mentors you trust who can advise and support you. If you’re not sure how to do that, find a reason to go connect with people. Pick something that you want to learn, and go talk to someone who’s an expert at it.

Take time to pause and reflect. Think about what’s going well and what could be better. It’s not a sign of weakness to reevaluate and adjust your goals as you move along your journey; it’s a sign of wisdom.

Who are your role models?

Everyone to a certain degree: That is a very difficult one to answer! There are so many role models out there for various aspects. I think it would be impossible to pick just a few because everyone inspires on some level. I like to take inspiration from every small or big individual who comes my way.

I think the biggest one is my family, especially my mother. She believed in education, especially women’s education. I wouldn’t be here if not for her. My spouse and my twin boys have been incredibly supportive, which has helped me to excel. At home, I seek motivation from how curious my kids are when it comes to exploring new things. They ask questions constantly. They have a “never give up” kind of attitude. They can stumble and get up and just keep going.

In the professional world, I’m blessed to have had many mentors who have supported me and helped me learn and grow. What’s special and unique about a mentor is that you might not realize what you’re learning at the moment, but you can look back and realize that it had a significant impact on your career trajectory and the type of leader that you are. It was a mentor who taught me to view problems and situations from a high level rather than going into a deep dive. In other words, seeing the forest for the trees. Without that ability, I would not have been able to lead large-scale cyber transformations with multiple stakeholders and lots of moving parts. I’ve also had a mentor who coached me on the importance of authenticity. Having the confidence to truly be yourself and even showing vulnerability at times can be scary, but it ultimately makes you a stronger leader that people want to follow.

If you could go back in time to your first days in the industry, what would you do differently or tell yourself?

Wouldn’t change a thing: Honestly, I have no regrets because this is my journey. Despite making some mistakes along the way, if I could go back, I would still make the decisions that I made. If I had to pick, I would warn myself about Imposter Syndrome, which is when someone doubts themselves and their abilities, incorrectly thinking that they lucked into their successes and/or do not deserve their achievements. If I were able to start out again, I’d tell myself to ignore the voice in my head that tells me I’m not as good as the other people in the room. When you think about it, there’s a good chance that the other people in the room, to a greater or lesser extent, have the same voice sometimes.

Along with that, I’d remind myself that it’s okay to be yourself. It’s okay to tackle a problem the way you want to tackle it. Create a strategy that might not look the same as someone else’s. There are a lot of successful cybersecurity professionals and leaders out there who aren’t all the same. You don’t have to change yourself into something that you’re not because you think it’s what you’re supposed to be in order to be successful in this space.

In cybersecurity, you have to build a strategy that is proactive in normal circumstances but adapts when things change or when you experience a major obstacle. I wish I realized sooner that building a career is the exact same. The future has so many unknowns. We can’t always predict what the job market or technology market is going to look like in the years to come, so we have to be ready to adapt. Also like a cybersecurity strategy, we have to constantly test our career plan. Look back at it and ask ourselves, “Is this working for me right now? What do I need to change to get to where I want to be?”

If you are a founder or a member of a community for women in security, can you introduce it?

We are community species: I believe it’s incredibly important to give back and serve your community. While I embrace my role as a mentor and thought leader in the cyber industry, I’m also proud to call myself a volunteer and advocate for diversity, inclusion, and belonging.

I currently serve as:

  • Board of Director for Cloud Security Alliance, DC Chapter
  • Founder and Board of Director for Non-Profits
  • Chapter Lead for InfoSec Girls, Washington, DC
  • Advisory Board Member for Cloud Advisors, Unified Compliance Framework
  • ECCouncil CISO Exam Writer

If you would like to be part of the list or this series, please reach out to me on Twitter or LinkedIn! :)
