
[Cybaplug Interviews] – Tanya Janca

(Founder of We Hack Purple, Cybersecurity Author & Speaker) By Olly Pease

Tanya Janca – An Introduction

Tanya Janca, better known by her online handle SheHacksPurple, has walked a non-conventional path from software development to becoming a leading voice for application security. With more than two decades of experience in the technology industry, her career path has included roles as a software developer, ethical hacker, educator, and entrepreneur. As Chief Executive Officer of We Hack Purple, an online academy focused on the education of secure software development, and author of the respected book *Alice and Bob Learn Application Security*, Tanya has dedicated herself to demystifying the intricacies of cybersecurity for developers and organizations alike. Her passion for advancing diversity and inclusion is reflected through efforts such as WoSEC: Women of Security, which she co-founded to support women seeking to establish careers in cybersecurity. In this interview, we speak with Tanya about her non-conventional career path, the obstacles she faced in shifting from development to security, her views on the current state of application security, and her vision for a safer and more inclusive digital landscape.

1. What initially sparked your interest in cybersecurity, and what was your pathway into the industry?

I originally started working in cyber security by accident. I had applied for a software development job in 2006 where I was going to write an advanced search algorithm. I had to compete against a lot of people for that job, and when I started I was quite surprised when they informed me that that’s not at all what I would be doing. I would be working in a bunker, several stories underground, doing counterterrorism activities. I’m not allowed to give details about what I did, but I can tell you that I ended up quitting after a year and a half of having constant nightmares. This led me to believe that cyber security was really scary, and that I was not ‘tough enough’ to do that type of work. Fast-forward almost a decade; I was back doing software development and I met a penetration tester. He was in a band, and so was I; we immediately became friends. After about a year and a half of him hassling me, telling me I’d be so much better in security than as a developer, I finally agreed to be his apprentice and give it a try. The rest is history. I’m glad that I gave it a second chance, and also that I learned that you don’t have to be ‘tough’ in order to work in our field. There’s a lot more than just counterterrorism in cyber security.

2. You’ve had a diverse career, what was the defining moment when you realised cybersecurity was your passion?

There wasn’t exactly one specific moment when I realized it was for me while I was working. I was talking to someone, and it sort of just popped out of my mouth. I explained that by working in security, I was protecting others, and that I wanted to perform good as part of my career. By protecting others, I feel that I’m doing very noble work, and that’s why I’m so attracted to that part of our field. Doing software development was really exciting because I got to build cool stuff that helped people. But when I started doing security, I had a different feeling, and I’m not sure exactly how to put it into words, but it felt like the work was even more important. That’s when I realized it was a long-term passion.

3. What challenges did you face when breaking into the cybersecurity field, and how did you overcome them?

When I switched into cyber security, I had a lot of challenges. I had to learn a ton of new things, and I had no idea where or how to learn them. I had to convince people to give me a chance, and that was really, really hard. I also had to do all of this while I was working full-time, and supporting myself, and, you know, having a life. It was a lot. I did this by joining the OWASP community. They are so welcoming, so helpful, and they taught me pretty much everything I know. I can’t recommend joining that community enough, I have met so many friends and had so many professional opportunities come from them. It’s just absolutely amazing.

4. If you could go back in time, what advice would you give yourself when starting your Cybersecurity journey?

If I could go back in time, I would tell myself that I should just start in application security from the beginning, and not bother doing pentesting at all. Although doing penetration testing was interesting, and it’s pretty darn exciting when you find bugs at first, for me, it’s not the right job. You need to have a lot of attention to detail, a lot of patience, and quite frankly I’m just not that person. I feel that application security is a much more social job, and as someone who is extremely extroverted, that’s a much better fit for me. I still get to break stuff sometimes, but I also get to hang out with developers, teach them new things, write cool articles, and basically I’m a helper. It sounds weird, but helping other people feels really good for me, and getting to talk to lots of people is a bonus for me, so that job is a much better fit for my personality and skill set. So, I would tell myself to just skip that year or two of learning to be a penetration tester, and that one and a half years of actually being one, and just go right to the right job for me, application security.

5. The Cybersecurity industry is often seen as complex and intimidating, how do you make it more accessible?

I personally am trying to make our industries significantly more accessible by making online courses, speaking at conferences, making free online content, and running the mentoring program #CyberMentoringMonday to help people find mentors. I feel like this question was supposed to be for how can we as an industry make it more accessible, not just me personally. In which case I wish that more people would mentor others and let them shadow them on the job whenever possible. I wish people would share information by writing articles, teaching the rest of their team, whatever you are able to do without breaking your non-disclosure agreements. I feel like we’re much better at keeping secrets as an industry than we are at marketing, and that is unfortunate, because what we really need is more easily accessible educational content. The other thing that I wish we could do to make it more accessible is have more teams being willing to take on junior employees. If there are no junior employees, there are never going to be new senior employees. It seems really obvious when I say it, but whenever I go to a job board, all I see is senior jobs. We need to take a risk and try someone new.

6. You founded We Hack Purple to educate others in cybersecurity, what inspired you to focus on security education?

I founded We Hack Purple sort of by accident. I had started a different company, to tackle the inventory issue in our industry, but unfortunately, my cofounder and I figured out we didn’t work as well together as we thought we would, so we parted ways very quickly. When that happened, I didn’t know what to do next, and so I put a post on Twitter, asking my followers what I should do. People started offering me money to train their software developers, and I quickly said yes, because I was suddenly unemployed. The more I did it, the more I liked it. Then Covid started, and so I had to move my trainings online, and I figured why not record them and see if people would want to take them on-demand, instead of having me teach them live, and the rest is history. I’m still teaching people, because we need it. We as an industry need as much education as we can get. We need every developer to have secure coding training, we need every architect to have secure design and threat modelling training. We need everyone to know how to do their job securely and safely and right now universities and colleges are letting us down. It’s up to the rest of us to step up and solve this problem. As one single person, I am doing my absolute best to help any way that I can, via writing books, making videos, and making courses for Semgrep Academy (which is completely free, by the way).

 

 

7. In your experience, what are people’s biggest misconceptions about working in cybersecurity?

I find that people think that working in cyber security is going to be a lot more exciting than it actually is, especially when it comes to penetration testing (the most well-known job in our field). I’m sure I’m not supposed to say this, but after the first couple of penetration tests, I found it pretty boring. We represent hackers in movies as though they’re constantly breaking into things. They’re so powerful, they’re able to get into anything, in just a few minutes. But in reality, it’s hours and hours and hours of scanning, waiting, tinkering around, and having things not work. Movies make it look like you can break into anything in two seconds when in reality it’s thousands of hours spent learning, experimenting, and being a very patient person. I fear that this false expectation turns people away from our industry, when we need everyone we can get. The other common misconception that I see is that people think they’ll make more money, or have a ‘better job’, doing penetration testing than other jobs in cyber security. Penetration testing is a good job, and it generally pays pretty well, but there are so many other jobs that are also great! You can work in a SOC, doing network security, investigating, and threat hunting! You can work in application security, you can do threat modeling, and help people re-architect their app so that they’re more secure. There are tons of jobs that are full-time and permanent and penetration testing is not the only job. There are so many choices. There’s one for you!

8. What has been the most rewarding project or initiative you’ve worked on in your career?

The most rewarding project that I probably ever did was when I was the CISO (chief information security officer) for the 52nd general Canadian election. I was pretty afraid when they asked me to do the security for the election, because although I had worked in IT for many, many years, and managed many, many projects, there was a heck of a lot riding on the election. I was also new to cyber security, and I was quite fearful that I might not know all the answers, which is a very common fear for people that join our industry. But what I did was what all the best leaders do; I leaned on my team when I wasn’t sure. I had such a great team behind me, and I still value all of those people to this very day. Asking them every time I wasn’t certain meant I made much better decisions. All leaders should do that, you hire a team of experts for a reason. It was really amazing to work with thousands of people across my entire country to ensure that every single Canadian that had the right to vote was able to. Everyone that works there is so passionate, they care so much, it was absolutely invigorating every single day. If possible, I highly recommend you volunteering or working on the election in your country, they always need extra help. It is extremely rewarding work.

9. What do you think are the biggest gaps in cybersecurity education and training today?

I think the biggest gap in cyber security education is that it’s basically not covered at all by universities and colleges. Or if it is, it is not nearly enough (generally a very basic web app hacking course or IAM is all that is covered at most schools, I have only ever heard of ONE school teaching appsec, and I was told the course was quite basic). I have spoken about this repeatedly, and I will do it again: universities and colleges do not pay people well who do not have a PhD. If I am offered a job from a university, I only qualify as an adjunct professor, and generally, they are offered pay that is approximately minimum wage. I’m sorry, but there’s no way I’m going to accept that. I’m not going to essentially volunteer for a multimillion-dollar organization, that’s completely ridiculous. That’s why I teach lessons for my books free online, because if I’m going to do it almost for free, I might as well do it my way, and make it free for everyone. I am extremely frustrated that universities and colleges are not covering these topics. Their excuse is that they can’t find people who are willing to teach, but they could if they would be willing to pay a reasonable wage. The problem is them. Yes, I’m biased, and yes, I have very big feelings about this. I am extremely upset that they are releasing new software developers into the world every single semester, that aren’t properly prepared. They (colleges and universities being grossly negligent) are one of the main reasons that we have so much insecure code in the world and that so many people are part of data breaches. I’m very upset by this situation, and I hope that eventually governments make it illegal for them to do this. Could you imagine a trade school that was releasing electricians and they gave them no safety training and then lots of people’s houses just kept burning down? That wouldn’t be allowed, would it? But for some reason, computer science schools all over the world feel it’s OK to do so. They are constantly re-creating problems that many of us in industry are working so hard to solve. It is extraordinarily frustrating. To me, this is not acceptable.

10. Cybersecurity is still a male-dominated industry. What progress have you seen regarding diversity, and where do we still need improvement?

I have seen a lot of improvement in how many women and people from underrepresented groups are joining cyber security since I joined this field full-time in 2014. I remember going into every single meeting and always being the only woman in the room when I started. Now there’s often at least one other woman, but not always. When I go to conferences now, I’m not the only woman in the room, and that is super fantastic. This has been improvements by many groups of people working tirelessly to try to ensure that more women, people of color, people with disabilities, people that are neurodivergent, etc. all the other people who are generally underrepresented, are feeling welcome, wanted, and included in our industry. Groups like Women’s CyberJitsu, WISP, and many other groups that are full of amazing volunteers who I value very much.

Where do we still need improvement? I wish that more people would offer to mentor underrepresented people. I personally mentor several people. I have people ask me all the time to mentor them, but I would be a terrible mentor if I had 400 people under my wing, so I try to save time for the ones I have, and for the rest, I try to help them find people via my mentoring program, #CyberMentoringMonday, which I run every single Monday on Twitter, Bluesky, Mastodon, and LinkedIn. I know that we don’t all have time to mentor people, but if you are considering mentoring someone, if you can choose someone from an underrepresented group, that would be very, very helpful. I have had many mentors, and I am so incredibly grateful to each and every one of them. I would not be where I am today without them.

11. How can businesses and organisations better prioritise security without it feeling like an afterthought?

This question is a tough one! I generally only speak about how to secure software, because that is my specialty, meaning I will answer from that perspective. The best way to ensure that an organization prioritizes security is to make it part of the system development lifecycle. Every software developer should be following the SDLC, and if security activities are a part of it, then they will happen every time. I write about this and talk about this all the time; I am very passionate about secure SDLCs. They also should run an application security program, which includes a secure system development lifecycle, policies, incident response plans, developer education, and more. We need to make it legitimate, by making it a formal program.

12. What role does mentorship play in cybersecurity, and how can aspiring professionals find the right mentors?

I personally believe that mentorship is essential right now, because educational institutions have been letting us down so badly. I do hope that eventually people can learn all the things they need to learn when they go to university or college, like they can if they want to become an accountant or many other types of jobs. For now, though, I believe that we can’t really get very far without mentorship, because there just isn’t formal education available on all the things that we need to learn, and especially not at a price that most of us can afford. With this in mind, I started a mentoring program in 2018 where people post that they are either willing to mentor people, or that they are looking for a mentor, and then people find each other. To be clear, I do not match people, because I am a terrible matchmaker. I’ve tried so many times, and I am terrible at it. However, I am a great connector, and so please check out my mentoring program, #CyberMentoringMonday, which I run every single Monday on Twitter, Bluesky, Mastodon, and LinkedIn. Just look for the hashtag #CyberMentoringMonday and you will find us.

13. With the rise of AI and automation, how do you see the cybersecurity landscape evolving in the next 5-10 years?

I am hoping that AI and automation help us stop doing the boring parts of our jobs. Just like everyone wants. That’s what we made them for, to get them to do the boring stuff, so that we could do the fun stuff. It’s the same reason that most of us learned to code, so we can automate the boring stuff. I am hoping in the future, to be quite blunt, that we no longer have people do almost anything manually. I’m hoping what we do is analyze huge data sets, teach computers to defend us better, and do exciting projects that move our entire industry forward.

14. What emerging cybersecurity threats concern you the most, and how can individuals and businesses stay ahead of them?

Threats that concern me the most are old ones. The threats are: not having budget to hire people that know what they’re doing, or, hiring people and then not having any money to train them, or not having the money to give them the tools that they need. Threats like working your staff so hard that they end up burning out and then aren’t able to do a good job. Threats like terrible management, that makes people not want to work in cyber security, so they think that every workplace is terrible and that the industry isn’t for them, when in fact, it’s just a terrible manager. It’s not that I think that there’s amazing new threats that we need to worry about, it’s that I think that so many of us are overworked, our budgets are too small, and we don’t have enough education to do a really great job. I know that’s a boring answer, but that’s what I’m actually worried about, that we don’t have enough resources to do the basics.

15. If someone wants to get into cybersecurity today, what are the three most important skills they should develop?

There are many different jobs in cyber security, but to get any of them, you need to have good communication skills, time management skills, and work hard. You also need to be able to learn new stuff, and ideally you would enjoy learning. If you don’t have good communication skills, you won’t go very far in your career. If you don’t have good time management skills, you will constantly struggle, and be stressed out. And you just plain need to work really hard to work in cyber. There is so much work to do, and we really need your help. If you are reading this, I strongly encourage you to join our field, we need all the help we can get, and that means you!

I hope you enjoyed this brief insight into such a talent in the Tech Industry and I thank Tanya for giving me some of her time up to do this interview for Cybaplug.net.

I will be doing more interviews in the near future, so keep on the lookout on Cybaplug.net!

A Cybaplug.net Tech Interview

Hi I'm Olly, Co-Founder and Author of CybaPlug.net.
I love all things tech but also have many other interests such as
Cricket, Business, Sports, Astronomy and Travel.
Any Questions? I would love to hear them from you.
Thanks for visiting CybaPlug.net!
