This series highlights women in technology, to raise their visibility and break down some of the unconscious biases that block the path of women and underrepresented minorities when it comes to technology jobs. I encourage you to share these stories, and your own, with someone who doesn’t “fit” the technologist stereotype. In this small way, we can change the ratio.
Growing up in Australia, Brianna Malcolmson was hyper-focused on golf, and it wasn’t until she took a course in Security and Risk Analysis at Penn State that she found her true passion. Brianna still golfs on holidays, but she chose technology over the pro tours, and as a Security Incident Handler at salesforce.com, she protects the company’s networks from the hackers that intrigued her as a child. I asked her to share her story, and, well, she hacked the interview.
How did you get into Security and Risk Analysis?
I always thought hacking and hackers were very interesting and very exciting. When I was a kid, I remember watching one of my dad’s friends hacking on the internet – I don’t really know what he was doing. One of the first courses I took in college was in Security and Risk Analysis. I realized: this is what I want to do! I got really involved in it, and I went on to complete a degree in Security and Risk Analysis.
I was in the right place. Penn State has one of the best Information Technology focused colleges in America, and their Security and Risk Analysis major was one of the first and best built out Information Security degrees. When I went in, this program was being built, so there aren’t many people before me with this degree.
I went to Penn State on a full ride golf scholarship, undecided about my major. At Penn State, I was immersed in a culture where technology was really big and technology was really interesting, and that’s what brought me back to that passion of computers and the internet. I’d been focused on golf since I was 14. By the end of college, I was more passionate about Information Security than golf.
Were you encouraged to study technology as a kid?
I grew up in Australia in a small rural town, and the attitude towards higher education is different than what I have experienced in the USA. Many of my peers stopped high school in 10th grade (it is not mandatory to finish 12th grade) and many did not attend college after graduating because it is not thought of as such a necessary thing to do. Technology in general was not a large focus in high school. Hard sciences were the areas most students were encouraged to excel in. Where I grew up and went to school, both girls and boys seemed to be equally encouraged to participate in what ever they wanted to do. My parents were always very encouraging of my interests, although I do wish that they had let me play on the computer more when I was growing up!
What does a Security Incident Handler do?
I am part of the Detection and Response team at salesforce.com. We have eyes on all the different parts of our company’s networks. We implement technologies and processes to detect any malicious activity. As an Incident Handler, I’m on the front line responding to alerts that come in from our detection rules and running incidents if the situation warrants one. It’s a fast paced and exciting job. Every day I am applying the traditional incident handling process steps to new and unique situations.
The incident handling process starts with preparation. Everything from response tactics to security technology is planned in order to make our environment secure. When incidents are detected, we then jump into the next steps of identification and scoping of the incident, and containment and intelligence gathering of all possible evidence and information we need. My team is made up of people that have strengths in many different areas, and we use everyone’s unique abilities and skills, whether it be reverse engineering malware, system forensics analysis, or hunting and threat research to rapidly respond to the incident and contain its scope. We work together in high pressure situations as a cohesive team to respond as quickly as possible to any security incident situation.
Once these steps are completed we commence eradication and remediation, which involves removing any remnants of the cause of the incident followed by recovery and follow up/lessons learned. Recovery includes ensuring day to day business is resumed as usual and during the lessons learned phase we identify any new controls that need to be implemented to improve our whole incident response process and prevent future incidents from happening. The whole process also requires concise and accurate communication with upper levels of management at every step, and the ability to adapt and evolve our processes to each individual incident.
Security is my passion and working at salesforce.com where Trust is the number 1 value is truly awesome.
What is it like being a woman in a technology field?
I’m not really sure how that affects everything. I know in Information Security and IT that women are a minority. There are three women on my team, so I’m not the only one. This area in Northern VA (Herndon) is a big information security hub. I know of a few groups in the area that run community events for women in Information Security. These networks are a great thing – it’s good to see diversity and it’s great to see these groups of both men and women that are supporting women in technology. I do feel like it’s needed. If you are in a small team and you’re the only woman, it can feel like you’re the only one everywhere, but with these groups you see that you are not the only one.
Not to hijack the interview, but I’ve got a question for you…
You’ve been interviewing a lot of people, and I read two different perspectives – and I hear this when I talk to people, too – when you ask them, “How does being a woman affect your job in technology?” Some people say, “It doesn’t affect me at all, I haven’t experienced anything, and I don’t feel like it really makes a difference.” Others say, “It does make a difference for all these reasons…”
What’s your feeling on that, after interviewing all these people?
[Mary] Both statements are true, because they come from each person’s individual experience. Personally, I know that being a woman makes a difference, but I like to hear that it doesn’t – it makes me feel like we’ve made progress.
I’m coming from an age where things were so different, and I know that I’m lucky to have gone to college and to work in technology. I look at my mom, who talks about how women could be teachers or librarians or nurses, and that was it. She was an amazing teacher for 35 years, and she liked it, but you hear a little of, “Maybe I would have done something else if I’d thought that I could.”
I came out of college into computer consulting, and it was definitely a different atmosphere – much more conservative. For example, one company had just changed the dress code to allow women to wear pants. I have all of that history, but I’ve never felt that being a woman has been a barrier in my career. My managers have always been supportive – both men and women. I’ve been lucky to have really good managers and work in really good companies, and I think that makes a big difference.
That said, I have had peers who did not have it so easy, so I have a keen awareness. When I was a Product Manager, I kept an eye on developer dynamics. Whenever a new woman joined, even if she wasn’t on my direct team, I would say, “Let’s go to coffee.” At coffee, I would check in to see how things were going, and let her know I had her back.
But enough about me, let’s talk about you…
Did you attend Dreamforce ’13?
Yes! It was my first year at salesforce.com. I had heard lots of great things from my co-workers about Dreamforce, so I thought I’d better get out there and see what it’s all about. It was a great time. I really enjoyed it. Being a new employee, it really gave me a feel of what the company is about and how many different directions it’s going in, and also just how many people use Salesforce and are excited about it. It’s nice to get a feel for the company and the product and the people that way.
What programming languages do you use? Do you ever write Apex/Visualforce?
I’m not a programmer, but I have been learning Apex Code – it is my first programming language. We used the Salesforce Platform to built an Incident Response app that my team uses internally. We started saying, “We need this!” and “We need that!” and “Who can do it?” – and I volunteered. I’m using Apex Code to create an incident record, populate tasks, track workflow, and put other cool stuff into the app.
So much stuff can be done point & click, but so much can’t. I took the Dev 401 and Dev 501 training classes. They were really cool. I took 401 online (instructor-led) and 501 in person – both via a Salesforce training partner. Both were extremely valuable courses. It’s good to have someone telling you the tips rather than going through it yourself. I think everyone should take 401 and 501, especially if you are working with Apex. You need to know what you can do without code first.
Developers @ Dreamforce Call for Presentations is open until June 6, 2014. Check it out and submit your session idea today. The Developer Evangelism team is here to help. Tweet at us or email me directly (firstname.lastname@example.org) if you want to brainstorm session ideas.
Looking for me on Twitter? I’m @rockchick322004, and I tweet about the Salesforce1 Platform and Women in Tech. #DiversifyYourFeed