Keirsten Brager


“Whatever work was not being done, I always viewed that as opportunities, regardless of role or title.”

Twitter: @KeirstenBrager • Website: www.keirstenbrager.tech

Keirsten Brager
Keirsten Brager is a lead security engineer at a Fortune 500 power utility
company and was recently named one of Dark Reading’s “Top Women in
Security Quietly Changing the Game.” She is also the author of Secure the InfoSec
Bag: Six-Figure Career Guide for Women in Security. She produced this guide
to empower women with the strategies needed to maximize their earning
potential. Keirsten holds an MS in cybersecurity from UMUC and several
industry certifications, including Splunk, CISSP, CASP, and Security+. As an active
member of the Houston security community, she has participated in a number
of panels and public speaking engagements, promoting strategies for success.
In her free time, she loves sharing career advice on her blog, cooking New
Orleans food, and convincing women not to quit the industry.

If there is one myth that you could debunk in cybersecurity, what would it be?
The biggest myth is that we are one technical solution away from solving all of
the industry’s problems.
Every year, vendors are touting next-generation shiny objects that will
automate all the things, reduce head count, and keep the hackers at bay.
Meanwhile, organizations are understaffed with partially implemented tools
while investors cash out and go on to the next hot technology. Brian Krebs
reports the next breach; we all Kanye shrug. It’s a vicious cycle.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Empower the sysadmin to implement the secure configuration settings available
natively via GPO settings, especially around administrative privileges. This limits
the actions authorized or unauthorized users can take without additional tools
or costs to the business.
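The answer above points at native Windows controls around administrative privilege. As an added illustration (not part of the interview, and not code from Keirsten Brager), the following PowerShell audits two of the settings a sysadmin would typically enforce through Group Policy: who sits in the local Administrators group, and which accounts hold the Remote Desktop logon right. The allow-list values and the `CONTOSO` domain name are placeholders to be replaced with your own environment's approved principals; the cmdlets and the `secedit` export format are standard Windows features.

```powershell
# Added example (not from the interview): report drift from the privilege
# settings a GPO is expected to enforce on a Windows host.
# Assumes Windows PowerShell 5.1+ with the built-in LocalAccounts module,
# run from an elevated prompt (secedit needs admin rights).

# Placeholder allow-list: the principals your "Restricted Groups" policy
# is meant to leave in the local Administrators group. Edit for your site.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin account
    'CONTOSO\Workstation Admins'         # placeholder domain group for IT staff
)

function Get-LocalAdminDrift {
    # Compares current local Administrators membership with the allow-list.
    param([string[]]$Approved)
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Unexpected = @($members  | Where-Object { $_ -notin $Approved })
        Missing    = @($Approved | Where-Object { $_ -notin $members  })
    }
}

function Get-UserRight {
    # Reads one User Rights Assignment entry from the exported local policy.
    # secedit writes an INI-style file whose [Privilege Rights] section holds
    # lines such as: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    param([string]$Right)
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like "$Right*" }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Values are SIDs prefixed with '*'; translate each to an account name.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.TrimStart('*'))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID: report it raw for follow-up
    }
}

$drift = Get-LocalAdminDrift -Approved $ApprovedAdmins
Write-Host "Unexpected local admins : $($drift.Unexpected -join ', ')"
Write-Host "Missing approved admins : $($drift.Missing -join ', ')"

# Placeholder expectation: only the RDP Users group should hold this right.
$rdpHolders = Get-UserRight -Right 'SeRemoteInteractiveLogonRight'
Write-Host "Remote Desktop logon right held by: $($rdpHolders -join ', ')"
```

Running this on a fleet through your existing management tooling gives a quick, no-cost picture of where the GPO is not actually applied (a machine outside the intended OU, a group policy override, or a local change made after deployment), which is the gap the interview answer is pointing at.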

How is it that cybersecurity spending is increasing but breaches are still happening?
Is the spending increasing? Or are we witnessing companies that never (or
barely) invested in security finally allocating money for this function? That’s a
conversation no one wants to have.
Many companies are operating in deep technical debt, running legacy
applications and systems that cannot be secured. The need to appease stock
analysts and shareholders has historically influenced decisions around product
time to market, using cheap foreign labor for development, and running “lean”
IT shops. As a result, security is an afterthought or not a thought at all. The retail
industry is notorious for this.
Moreover, when companies do get money to invest, they want to skip the
basics and either go for the shiny toys or perform “reduce the scope to check the
compliance box” security programs. All of this leads to gaps in posture. Therefore,
the people, process, and technology fail…leading to continued breaches.

Do you need a college degree or certification to be a cybersecurity professional?
There are many people who found success in the industry without degrees
or certifications. However, I encourage people, especially members of
minority groups, to pursue credentials as a way to open doors to leadership
opportunities and multiple sources of income in this industry. Do not disqualify
yourself or give anyone an excuse not to give you more money and power.

How did you get started in the cybersecurity field, and what advice
would you give to a beginner pursuing a career in cybersecurity?
I did the work no one else would do. Technical people tend to like tools, but they do
not always like creating/maintaining documentation, interacting with auditors, and
working in cross-functional capacities that involve dealing with people. I happen to
be technical and a people person, so I took on projects that required both.
I identified security deficiencies and implemented technical solutions. If
policies or procedures did not exist, I wrote them. When awareness training
was not being delivered, I researched best practices and created web-based
training. If no one wanted to lead audits, I raised my hand. When monitoring
was deficient, I deployed an IDS and SIEM. Whatever work was not being done, I
always viewed that as opportunities, regardless of role or title.
Here’s my advice for newbies:
• Don’t be too proud to apply for tech support or sysadmin roles to get your
foot in the door.
• If you are a member of a minority group, connect with people in other
minority groups in the industry. All experiences are not created equal, so
it is important for you to connect with people who can help you navigate
certain issues that others will not acknowledge, understand, or care about.
• Relationships are key: give back to the security community before you need
a job.
• Publish research, projects, and/or problems you’ve solved on LinkedIn,
established blogs, or your own blog.
• Volunteer at tech user groups, chapter meetings, and conferences.
• Analyze local supply and demand to identify specific talent shortages in
your region and “skill up.”
• Understand the business side of security.
• Be nice, share knowledge, and send the ladder back down when you succeed.

What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I specialize in deploying and maintaining advanced monitoring solutions to
maintain secure configurations, support incident response efforts, reduce risk,
increase automation, and comply with regulatory requirements.
You gain competence and confidence with dedication to your craft. You
do not have to wait for invitations to teach yourself anything in the age of
the internet. Many companies have free versions of their products on their
websites. If you have an opportunity to work for a product company like Splunk
or Tripwire, both are inclusive companies that provide pathways into careers
in some of the largest organizations in the world. Those are just examples.
Working directly for the product companies is one of the best ways to gain the
technical skills needed to build expertise in this area.
Working in sysadmin, tech support, and compliance roles can also prepare
you for this specialty. It really requires someone well rounded to be successful.
The industry loves to glorify tech skills (and they are important), but people skills
are a huge asset.

What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
• Always negotiate total compensation, not just base pay.
• Be so good at what you do that people cannot ignore you.
• Create SMART goals to drive your career.
• Your career plan is not a one-time exercise.
• Have a results-oriented résumé.
• Your network determines your net worth. If you’re part of an
underestimated group, your journey will likely be filled with obstacles that
others may not face. You will also have to put in extra work to gain access
to opportunities. Do the work, network, and find mentors.
• Control Google results about yourself with an online portfolio.
• Dress for the job you want, not the one you have.
• Some jobs are just chapters in your career; close them when necessary.

What qualities do you believe all highly successful cybersecurity professionals share?
Being highly successful is subjective. Some people define success by the
number of social media followers. Others define it by industry fame. I lean
toward defining success by using influence to make a positive social impact.
People who do that share a common character trait of wanting to empower
others. They also lead with empathy.
We need to elevate these influencers and stop worshiping the people who
exhibit toxic behaviors.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Geostorm is a movie about network-controlled government satellites built to
control the climate, but greed is involved. What could go wrong?

What is your favorite hacker movie?
BlacKkKlansman, a movie based on a true story about the first African American
detective to serve in the Colorado Springs Police Department. Soon after joining,
he went undercover and infiltrated the KKK.

What are your favorite books for motivation, personal development, or enjoyment?
• Becoming by Michelle Obama
• How Exceptional Black Women Lead by Keirsten Brager
• Secure the InfoSec Bag: Six-Figure Career Guide for Women

What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
• Use a password manager.
• Add two-factor authentication to high-risk accounts.
• Review security and privacy settings regularly.
• Communicate securely and privately where possible.
• Talk to your family about digital security and privacy checkups.
I published a 60-Minute Digital Security Checkup on Homeland Security
Today. You can check that out here: https://www.hstoday.us/subject-matter-areas/cybersecurity/cybersecurity-101-five-back-to-school-tips-to-stay-safe-online/.

What is a life hack that you’d like to share?
In our line of work, we all spend an extraordinary amount of time staring at
screens. Therefore, I’m going to propose a self-care hack: follow fewer people on
social media.
When you’re new to the industry, you’ll want to learn all the things and follow
all the people in the listicles and #ff lists. Let me warn you: it is not healthy.
Instead, replace some of the time you spend mindlessly scrolling social media
with some form of physical activity. You can do this even after you’re a parent.
I used to sit on my phone while the kids practiced for sports after school. Now
I bring my dumbbells or kettlebell to exercise while they practice. I also started
walking, riding my bike, and/or doing Zumba several times a week instead of
staring at my phone in disbelief about the current state of world affairs.
My point is that you do not need a gym membership for self-care. All you
need to do is decide less social media, more self-care.

What is the biggest mistake you’ve ever made, and how did you
recover from it?
The biggest mistake I made during my career was believing that I had to be 100
percent qualified for roles with a job description that were a college-essay long.
I recovered by coming to the realization that I do not want roles that are five
positions written as one.
I also decided that I would apply for future roles of interest even if I am not
100 percent qualified. If a reality TV star can be hired to lead national security, I
can do anything. ■