Tia: I think the second thing I wanna touch on is the whole notion of imposter syndrome. And the reality is it never goes away, but I don't believe it's a syndrome. I think the feeling that you have that gets associated with imposter syndrome is a moment and it's normal. But the thing that takes imposter moment to a level of being imposter syndrome is consistency. And so we can't allow ourselves to consistently question whether or not we belong in the room. I mean, we're in the room, so we belong in the room, we belong in the role, but if you consistently question that, you know, and you actually breathe life into imposter syndrome, then I think that breeds a bit of insecurity.
And so my belief is you're given that opportunity because of the way you demonstrated your ability to nail whatever it is that you were doing before and your capacity to take on more. And you have to have a certain level of confidence within that. So, you know, that starts with starting with the things that you're good at.
Caroline: From Cobalt at home, this is "Humans of InfoSec," a show about real people, their work, and its impact on the information security industry. Tia Hopkins is a cybersecurity executive who has spent the past 20-plus years of her career in various IT and IT security roles. As the Chief Cyber Resilience Officer and Field CTO at eSentire, her work focuses on helping organizations achieve cyber resilience through effective and efficient combinations of people, process, and technology.
In addition to her role at eSentire, she is also an adjunct professor of cybersecurity at Yeshiva University, and she is currently pursuing a Ph.D. in Cybersecurity Leadership. Her mission is to help drive the growth and success of the cybersecurity industry by researching and addressing current industry challenges and trends and taking an innovative approach to solving both current and future concerns.
A LinkedIn instructor and the recipient of multiple awards, Tia is a brilliant model of exemplary leadership, and I am thrilled to have her with me on the show. Tia, thank you so much for joining me.
Tia: Absolutely. Thank you so much for having me. I'm excited.
Caroline: Tia, let's start at the beginning. How did your journey in tech and cybersecurity begin?
Tia: I love this question because I never know where to start. I mean, as long as I can remember, I've sort of been technically minded, if you will. Instead of playing with my toys, I took them apart because I wanted to know how they worked. And in fact, when my mom bought me my first computer, instead of using it, I took it apart. And then I also immediately built my first computer because she threatened me with my life if I didn't put it back together.
But, you know, fast forward to when it was time to figure out what I wanted to do with my life. Not to date myself too much, but I didn't have a lot of guidance in terms of what it meant to be a technologist or good with computers, right? That's just what folks said. You're good with computers, you should do computers.
And so I went to school for computer engineering, but I quickly realized engineering wasn't my thing, but I didn't know what was. So, I dropped out of college four times, a lot of false starts, but eventually, I think I caught fire a bit when I went into a role as a DSL installer back when everybody was ditching dialup modems. And we thought one and a half meg up and down was high-speed internet, lol. And that transitioned to an IT career. And then that transitioned into cybersecurity because I'd made my way up to an IT director role and thought I really wanted to do something with myself or be something when I grow up. So, I did some market research, and at the time you did cloud, you did cybersecurity, or you did DevOps.
And cybersecurity spoke to me, and little did I know I was already doing portions of that in what I was already doing in IT. I just wasn't focused on it. So, I chose it then. I like to say it chose me back, and we've been choosing each other ever since.
Caroline: Tia, today you find yourself in a role as Chief Cyber Resilience Officer and Field CTO. What does that mean, and what do you do?
Tia: What I loaded question. I do so, so much. There's a couple of components to this and I'll start with the field CTO aspect of it. Because actually, I've just moved into the Chief Cyber Resilience Officer role just a couple of weeks ago, a few weeks ago, I think as a result of the work that I've been doing over the past couple of years as Field CTO. And essentially, what the field Chief Technology Officer does is have conversations with customers of eSentire, partners of eSentire. I also, you know, leverage my industry knowledge and experience, trends in the industry, latest threats, all these things to say, "Hey, what are we doing? And are we doing the right things in terms of bringing the right products and solutions to market to drive meaningful security outcomes?" So, that's one side of it. I work closely with our product organization, our customer success organization, sales organization, engineering team, etc., but the Chief Cyber Resilience Officer piece of it sort of brings all those things together. Because, you know, eSentire is a managed detection and response company.
So, I will say, to simplify that, we're an outsourced SOC as our primary focus. But when you're conducting these activities for customers, you're giving them a lot of data, right? What do I do with this? We stop this threat. We're making this recommendation. We recommend you go put this control in place. And for an organization that needs to outsource a SOC, sometimes they need help figuring out what to prioritize when you're providing them with this information.
And so landing on resilience is really what we're delivering to our customers as an outcome. Because whether you're getting a pentest or you're focused on compliance, or you wanna be able to have an organization that's hunting for threats on your behalf 24/7, at the end of the day, you wanna ensure business continuity. And so that's where the umbrella of cyber resilience comes from. And NIST actually defines that cyber resilience as the ability to anticipate, withstand, recover from, and adapt to an adverse event. Okay. And obviously like in this case, a cyber attack. And so my responsibility is owning the end-to-end strategy of what that looks like in terms of delivering that outcome to our customers and aligning the appropriate services accordingly.
Caroline: Incredible. I love your customer focus. I love your cybersecurity resilience outcomes focus. That is super cool. Tia, there's a specific part of your story that I'd love to hear more about. In the intro of your LinkedIn Learning course on "Building Your Cybersecurity Talent Pipeline," you say, "Where I am today wouldn't be possible if someone hadn't given me a shot when I was trying to figure it all out." I'd love to hear more about that. And in particular, I wonder if there's a specific event or person that you think of when you look back.
Tia: Yeah, that's a good question. And when I think back on that, there are a couple of pivotal points, I'll say, in my career. And the first was even before I was in cybersecurity, I was in a role as an IT director. And I was put into this role because the owner of the organization that I was working for at the time just saw something in me. You know, I was doing what I thought was right for the business, helping customers, solving problems. You know, he felt that I was resourceful in all these things and he put me in a role as an IT director. Now, at the time, I didn't have a single certification in industry, again, back to dropping out of college four times. I hadn't finished a degree yet. So, that blew my mind a bit.
And when you think about the typical advice, I'll say, a newcomer or someone that's been in the industry for three to five years is maybe looking to take on more responsibility or get into leadership, a lot of times the advice that they're given is, you wanna go out and get all these certifications and you wanna go out and get this degree or this certificate, or, you know, sit through this program. And that's all well and good because you do need some theoretical knowledge within the domain that you're responsible for, but there are some, I think, skills that really can't be taught in those types of environments. And that's, to my earlier point, like, resourcefulness, critical thinking, storytelling, like, all these things that fall into that category of soft skills that sometimes makes technologists wince a little bit, but it really is important. And so just grit, you know, hard knocks, and just trying to do the right things landed me in that role. And it really opened my eyes to what was possible just through hard work.
And then I think the second one was when I decided to make the hard pivot into cybersecurity. Because like I said, it was part of what I was doing, but it wasn't my focus. And so I remember going through a couple of job interviews and I'm just trying, you know, doing the best I can. I'm not really sure what cybersecurity companies are looking for or what a good cybersecurity professional talks like in an interview. And so I learned a lot in this process. And when I finally landed my first role as a systems engineer underneath a cybersecurity practice, I didn't feel like I was qualified for the role, but I do believe that I was hired based on my passion and my aptitude, which I was able to clearly demonstrate to the hiring manager.
And in fact, I got two offers that same week from two companies that I felt, like, I wasn't qualified for. And so that was eye-opening for me because I have, you know, obviously excelled in my career since then, but they didn't have to do that. And I think if we take more chances on people now in the industry, especially given the current skills gap, I just think we're being a bit too rigid about the things that we're looking for with this talent. And that's why I am so passionate about, I'll say, you know, preaching the good word around what we really need to be looking for in some of these gaps that we're trying to fill instead of looking for people that, you know, come out of the womb as cybersecurity professionals. I hope that answers the question for you.
Caroline: It's fantastic. You know, and I actually wanna ask you a follow-up question, which is, you were just sharing with us, as you grew in your career, you were stepping further and further into leadership roles. And what I'm hearing and what I'm learning is that sometimes you found out that your expectations of yourself and your expectations of the role were actually different. And in fact, like, maybe dramatically different, maybe dramatically higher and different than the hiring managers who were giving you job offers that you didn't necessarily expect to receive.
I'd love to ask you, what advice would you share with our listeners who might be in a position where maybe they're starting a leadership position or they are feeling like they're not quite ready for a new position and they might find themselves in a similar kind of mental situation where maybe they've got some imposter syndrome going on? What advice do you have for folks?
Tia: Yeah, I love this. First step is breathe and take a moment to enjoy what you've done. You worked hard to get there, you know. And trust me that there'll be plenty of time to freak out while you're in the role, but just take a moment and say, "Holy cow, I did this," and just sit in that for a moment, okay? That's number one.
I think the second thing I wanna touch on is the whole notion of imposter syndrome. And the reality is it never goes away, but I don't believe it's a syndrome. I think the feeling that you have that gets associated with imposter syndrome is a moment and it's normal, okay? But the thing that takes imposter moment to a level of being imposter syndrome is consistency. And so we can't allow ourselves to consistently question whether or not we belong in the room. I mean, we're in the room, so we belong in the room, we belong in the role, but if you consistently question that, you know, and you actually breathe life into imposter syndrome, then I think that breeds a bit of insecurity.
And so my belief is you're given that opportunity because of the way you demonstrated your ability to nail whatever it is that you were doing before and your capacity to take on more, and you have to have a certain level of confidence within that. So, you know, that starts with starting with the things that you're good at. You know, there's something that you're really good at, that you're really confident in that helped get you to this point. So, lean on that, but also be really honest with yourself and open your eyes to where you might have gaps. Build allies, get feedback, build strong relationships. That's what it's about.
You know, I've learned in this industry that people with relationships that aren't, I will say, incredible at what they do, sometimes have more successful careers than people that are extremely incredible at what they do but don't have strong relationships. So, you know, I would say give yourself a minute. Don't fall prey to imposter syndrome. Don't deny it. It's a thing and it's gonna show up forever, but let it be a moment and that's it. You know, know your worth, know your power, stand in it, and then grow from there.
One of the things I like to say, it's not mine, but I do live by it, that the quickest way to change your life is to change your mind. So, don't sleep on the power of perspective. You know, if you're in that room, you belong there, and if you're trying to get to the next room, work your way through the room you're in and build up that confidence until you're ready to knock on that other door.
Caroline: I am just receiving your words. I'm letting them sink in. I'm hearing them for myself. I feel literal tingles in my body as I hear you speak. I was just chatting with a really good friend of mine the other day and I literally said to her, "I'm really super excited about this thing and I'm also overcoming some personal imposter syndrome. Like, do I really have something valuable to say and contribute?" And she responded to me and she said, "Wow, you are maybe the most skilled application security person. I know your credentials are impeccable and you know, and have implemented so much. It's amazing when the most awesome people have imposter syndrome because the rest of us are thinking, what, hard." Yeah. I totally have these moments, and I'm just, like, receiving your advice. Thank you.
Tia: It's because we care, you know.
Caroline: It is! It's totally because we care! Oh, I do care a lot. You know, Tia, I've got these precious few moments with you and I'm just gonna keep asking your advice. Here's another question I've got. When you're inheriting a new team for the first time, so say you're joining a new company and you've got to lead a team that's already there, that comes with unique challenges. I wonder if you happen to have advice for that particular situation.
Tia: I do. And I will start out by saying that this is based on my leadership style. So, I am a servant leader first. I believe it is my responsibility to make sure my team has what it needs to be successful. And then I also have to make sure that my team is driving the outcomes that I'm accountable for to the business. And so when I take on a new team, you know, the first thing...because I already... If I'm taking on a new team, I've already got the business side of it, and where the business wants this team to go, and what the business wants this team to do, but I also need to connect with the team.
And so the first thing I do, back to relationship-building, is I have a meeting with the entire team and, you know, just introduce myself, you know, humanize this title, right, that the business has probably put in front of them, help them understand where the business is going, what their role is in that, how they contribute, how they knock it out of the park, and position it not as something that's scary like a new leader's coming in, am I gonna have a job tomorrow? No. Like, this is an opportunity, right? If a new leader is being put into this role, then that means it has some focus from the business, so we have an opportunity to go off and do a lot of the things that you all have probably wished you'd been able to do in the past.
So, my first thing I guess is to, you know, bring myself down. Don't look at me as a title. I'm human just like you. And then we're gonna go do some cool stuff. We're gonna crush it and get everyone excited about that. And then what I like to do is have a one-on-one with everyone on the team, whether that's five people or 50 people. I want to talk to every single person. I wanna know what gets them excited about coming to work every day. I wanna know what makes it hard for them to get out of bed on those days where they don't really feel like they wanna come to work and would rather call in instead. And what does a good day look like for you? What does a bad day look like?
And I do dig in on the personal aspect of it first because I think everyone on the team should feel like they matter. And then I get into, you know, things about the business. What would you do differently? What have your experiences been, etc.? Because when I transitioned into leadership, I'll say the thing that I was most concerned about is not being good at my job because I told myself what made me good at my job is that I was doing it myself.
And, you know, the further you go into leadership, the further removed you are from being the, you know "feet on the street." And if you can't rely on your team to be fully transparent with you and tell it like it is and feel like they're empowered to do so and that their voice matters, then you're gonna have gaps, right, and you're not gonna be able to make the decisions that you were historically able to make that got you into leadership because you're gonna be lacking the context that you had when you were doing it yourself.
So, for me, it's all about trust, right? Getting the team bought in, feeling like they have an ally, feeling like they have a representative, someone that's gonna go to bat for them, but also make it very clear. Listen, we're gonna have to make some hard decisions because, at the end of the day, we are still running a business, but at least we'll make those decisions feeling like all feedback has been considered. And that has served me really, really well.
And then once I get my team settled, I go off and I start building relationships within the organization to reduce friction and drive efficiencies cross-functionally, etc. And then, you know, once we're I think operating like a well-oiled machine, then I just have... This is a personal thing for me. I always like for my team to have a brand. I want everybody in the business to want to be on Tia's team. I want everyone on Tia's team to be excited to be a part of that team. And it's always important to me that my team have an incredible brand within the business and that we have a reputation for being great at what we do but having fun while we do it. I hope that's helpful.
Caroline: Wow. I really love how you emphasized the theme of, look, you can only accomplish so much as one person. What a team is capable of doing together is so much greater than that. I love you talking about how you value servant leadership and really what that means to you. And I mean, this brand thing, you know, you've got me thinking, like, "I wanna be on Tia Hopkins' team," you know. I mean, that is phenomenal. And what an uncommon brand for security leaders. That's really cool.
Tia, those of us who have been in leadership positions, and certainly all of us who've observed other people in leadership positions, sometimes I think that leaders can get stagnant in terms of their style, in terms of how they do things. And you know what? This concept, it doesn't only apply to leaders, maybe it just applies to all of us. You know, sometimes there are times in our lives and in our careers where we can get a little comfy and we can think, "Hey, I've got a thing, and I know how to do it, and I've got it worked out." And I wonder about a side effect of that type of mindset and how it might result in some complacency. I wonder what you think about this topic, this concept, and I wonder if you have any thoughts on how we might each kind of look out for it, you know, how we might be able to identify signs within ourselves that we might be getting a little complacent?
Tia: Yeah, there are so many layers to this, and honestly, I feel like I might be cheating a little bit. So, maybe a bit of an overshare, I don't know. But I was diagnosed with ADHD at the beginning of COVID, and so many things made sense to me because I have to be doing, like, a million things all at a time, and I have a million thoughts running through my mind all at one time. So, complacency, to me, feels a lot like boredom. I start to lose my passion. I'm not very clear on what my contributions are anymore. I'm not excited about doing what I do every day. You know, work feels more like an obligation than a challenge. So, those are the signs for me. And I mean, I'm hopeful, I think, you know, most of those or some of those should relate to everyone, at least one or two of them. But I think the mistake people make is looking externally first for the answers to why that might be, you know. We need to look internally first.
Something that I'm always doing is challenging myself, assessing myself, testing myself. What are my gaps? You know, where can I improve? You know, from a leadership perspective, you can't ever be a perfect leader because if you're a leader, especially a people leader, people are changing all the time. And even if you're not a people leader and you're just leading in a business, the business changes every day.
And so if you're not changing, you're falling behind. But the reality is when you're facing the same types of problem every day, even though they might have a different face, that can start to feel a bit monotonous as well. So, taking a step back, right, and making sure you can see the forest through the trees. Breathing a bit. You know, it might just be that you're burnt out and you need to take a break. You know, this feeling of complacency or boredom can manifest itself in different ways, you know, and the push to more work from home as a result of the pandemic. I mean, I've never seen people more busy in my life. So, burnout is a real thing.
So, I would say, first off, make sure it's not that. If you go through kind of all your checks and you land on, you know, I think I'm just really not stimulated anymore, then you also need to find out why that is. Because, you know, when I mentor or I'm mentored, sometimes I get the feedback, "Well, you know, have you talked to your leader about how you're feeling?" Or, you know, I'll ask a mentee, "Have you talked to your leader about how you're feeling?" And sometimes it's a yes, and sometimes it's a no.
But the reason I say you wanna self-regulate is because when you do have that conversation with your leader, and you should, they're gonna wanna know what it is you're looking to do. You can't just say, "I'm not challenged anymore. I feel like I wanna be doing something different." Because a supportive leader will say, "Okay, well, I mean, what are you interested in? How can I help? What do you think you wanna do?" And if your answer is just, "I'm bored," then you've wasted your leader's time and you may have blown your opportunity.
So, you know, I know I might be going on a bit of a tangent here, but I would say just, you know, check in with yourself regularly. It's normal, right, to feel a little demotivated. Because, I mean, let's be honest, it takes a lot just to get out of bed in the morning. And so you wanna do things you enjoy because things that you're not passionate about just makes it harder to move throughout the day, and no one has time for that. And so when you get to a place where you feel like you need something different, identify what that is and be honest about it, but also be honest about whether you're giving your all to what it is that you're doing or if that's even what you wanna be doing anymore. There's a lot of elements that go into why you feel this way, but just don't look externally first because a lot of times there is something internal that needs to be identified before you start having those external conversations.
Caroline: Super cool. I appreciate your choice to share with us about yourself. I find myself inspired to share something as well which is to say that I have learned about myself that I am simultaneously excitement and stimulation-seeking. And I also think that there are ways in which I identify as highly sensitive. And so before I knew about these terms and what they meant to me, I, would just, like, run around and tire myself out. And so I'm at a different stage in my own self-awareness where I'm learning to recognize that sometimes when I feel fatigued that I have an opportunity to notice my pattern, to seek excitement, and seek stimulation, and I have an opportunity to actually recognize the parts of myself that are highly sensitive and just, like, go take a nap.
Tia: Sometimes it's that simple.
Caroline: Yeah. Well, and it's a funny thing because I do think that in different workplace and societal cultures, there can, with regards to sleeping and getting rest, and getting an abundance of rest can have this really interesting perception. Like, even within myself, I noticed that over the last year or so I've gotten really comfortable with saying to, for example, my stay-at-home husband who watches our kids when I go to work all day, like, "Hey, I'm really tired. I know you just watched the kids all day, but I really need a nap. Can you, like, watch them for one to two more hours?" And I've actually had to work through my own kind of, like, shame and embarrassment and recognize, like, that's a need that I have that I want to ask for.
So, yeah, did not actually expect that we were gonna get here on the podcast, but I'm thrilled that we have, right? Because I think that, you know, to the extent that we're comfortable doing so, when we choose to share these little things that we've learned about ourselves, you know, it's possible that someone listening might be able to identify it or think about what something similar might mean in their lives.
Tia: Oh, absolutely. Absolutely. And that's why I say self-reflection is so key because self-awareness goes a long way, you know. It gets you further in your conversations, your interactions, your relationships, and it's not an easy thing to do, but it's so rewarding once you get comfortable with it. It really is.
Caroline: Tia, final question I've got for you. You are a C-level executive, you're a professor teaching network data and communication security. You also coach on how to nurture industry newcomers. And so I'm curious because you've got this really broad spectrum of kind of roles that you work with. You work with employers, you work with inspiring students, and I wonder, what do you think we as an industry can do to make sure that more and more people get their chance to join our field and demonstrate their true potential?
Tia: I really think there's a lot that we need to do at the core, and this is world according to Tia. But, you know, to your point, with all the things that I'm doing, I do talk to, like, a broad range of, you know, experts today and aspiring experts. And the reality is, because as an industry we're struggling to, I'll say align or standardize on what good looks like, it makes it difficult for someone coming into the industry to know what they should focus on. And, you know, security has 50-plus domains and then there's 50-plus bullets underneath each of those domains, and then we don't do ourselves any favors by, you know, having 1 title for roles that do 10 different things. It gets to be very confusing for an individual that's considering a career in cybersecurity information security. And my message is, guys, it's as confusing on the inside as it is on the outside, you know. Take the chance.
A lot of folks that I know that are doing incredibly well in this industry is because they brought something unique to the table, and that's what this industry requires. You know, I often have conversations about, what are your differentiators? And how are you different from everyone else? And the reality is no one in your life has gone through the same journey that you have. So, there is a difference in perspective or thought, whatever it is that you can bring to the table. So, you know, that's my word to the newcomers and those wondering if this is something that they wanna do.
And then for those of us already in the industry, I'll say those enlightened ones of us in the industry that understand that for us to attract the type of talent that we really need, we have to get away from the standard, you know, study for this exam, take this exam, take this course, you need five years of experience in this technology that just hit the market a year ago. And it's not the answer, but I do understand that the stakes are high.
So, you have to be careful about the type of talent that you're bringing to the organization, but I really do think it's a matter, not of I need to go higher, 20 or 30 mid to senior-level professionals. You actually need to do a bit of a reorg and carve out the less critical tasks and create room, right, for newcomers to the industry because there has to be a set of tasks in every organization that are boring, and repetitive, and mundane to your mid to senior-level talent that makes them not enjoy coming to work every day.
And then when you carve that off from them, they can focus on more interesting things. It gives them the opportunity for mentorship as you bring in these newcomers, and then you create, like, this pipeline, and now we have a funnel. And I think if we start there, we can get to a point or get to a place where newcomers to the industry have some sort of idea of, "Hey, here's the baseline set of skills that I need to bring with me in addition to all of the awesomeness that I am just because I'm who I am, and then I'll land in an organization and I'll experience some growth there." Because I don't care how much you know about security or technology or whatever it is, when you join an organization, you have to learn their business and you have to learn how they're leveraging technology to solve problems, and their standard operating procedures, and their process for this, and that. So, I mean, it's a huge learning curve no matter what.
So, let's stop putting so much pressure on the folks that we're bringing into our teams. Let's make more room for new folks to come into the team, and structure our programs in a way that doesn't put so much pressure on needing these highly qualified individuals that have been doing these things forever, that we're not gonna be able to retain anyway. There's just so many things that we can do. And then as an industry on, you know, the business side of it, when we start to do more of that, then that'll give insights to these academic institutions in terms of how they can better prepare, you know, students for the workforce, right? Because I think right now there's a lot of theoretical preparation going on, so they can have a ton of conversations, but can they actually solve problems? And, you know, once we fix our own houses internally and start to open up more opportunity for these newcomers, then I think academia can follow behind quickly.
Caroline: Phenomenal. This is a podcast episode that I wish I could have listened to 20 years ago. And I'm so grateful to you for sharing your thoughts and your wisdom with us today. Folks, just so you know, Tia is working on, at any given time, a number of extremely important things. We have worked through a couple of little bumps trying to get our recording on the calendar. We did it. We're persistent, we're committed. It's important to both of us. And Tia, I just thank you so much for spending this time with me today and for sharing your thoughts with our listeners.
Tia: Absolutely. I can't thank you enough for having me. This has been a great, great conversation.
Caroline: "Humans of InfoSec" is brought to you by Cobalt. We're a Pentest as a Service company. And you can find us on Twitter @humansofinfosec.