Amy Johnson is the Information Security Manager at Herbert Smith Freehills, an international law firm with headquarters in both London and Australia. She’s worked in cybersecurity for over six years and started her career as a Lead Investigator at Freshfields Bruckhaus Deringer. Before entering the cybersecurity industry, she worked in Human Resources.
While she doesn’t have a formal education that’s focused on cybersecurity, she’s earned five certifications to-date, including her Certification in Information Security Management Principles (CISMP), Certified Information Security Manager (CISM), Certified Data Protection Officer (CDPO), ISO 27001 Implementer, and Certified Information Systems Auditor (CISA).
Next, she’ll aim to earn her Certified Information Systems Security Professional (CISSP) qualification.
“I come from an HR background and was able to learn on the job and catapult myself into a more senior position. To me, cybersecurity roles don’t necessarily come down to technical skills. ”
Q. Describe your roles as a Security Manager in 300 characters or less.
I monitor system user behavior and I review client security requirements and questionnaires. I’m very much forward-facing and part of my job is to guide the firm and our people on how to work with information and technology in a safe and secure way.
Q. How did you get started in this industry?
I don’t have a background in cybersecurity. I actually studied HR and worked in that industry for years. About two years into working at Freshfields Bruckhaus Deringer, Mark Walmsley, who was the CISO at the time and still is, started creating a new group called the Information Security Group (ISG).
At that point, I was ready for a career change. I wanted to do something that wasn’t just exciting every day, but different every day. The idea of protecting people, investigating threats, and creating training materials about the evolving risks in information and cybersecurity really, really interested me.
I decided to go for it and got the job! I was the Lead Investigator there for about five years. Since then, I’ve earned different certifications and have really catapulted myself into a more senior position that I’m in now at Herbert Smith Freehills.
Q. Did your previous experience help prepare you for your first role in cybersecurity?
Monitoring/ investigating systems can be a sensitive subject which means you have to be hyper-aware of data privacy laws, etc. That’s something I was able to bring to the table because of my previous experience.
But, to really be successful in a cybersecurity role, you have to be familiar with not just the current threats, but the new and evolving technologies. You have to stay on top of that. I didn’t get that exposure until I started. I also didn’t have any technical skills when I started. I learned on the job, which – to me – is far better than going to study.
Cybersecurity is really about putting what you know into practice.
Q. Do you have any thoughts on why women only make up a quarter of the cybersecurity workforce?
A lot of women in tech might not see cybersecurity as a suitable career path because it is considered quite a masculine profession. That’s probably ingrained at a very young age. It’s important to not be discouraged by that, though.
Bear in mind, I came from a HR background; that’s a field where you’ll often work in a team that’s all women. Moving into this industry, I’ve often been the only woman within the teams I’m working in. But, that doesn’t mean I don’t feel like I belong. I don’t find men that intimidating!
Women can be just as successful in this industry and opportunity, recognition, and progression are absolutely available to those who work hard.
Q. In terms of progression, do you feel like a career path to a more senior position is clear?
To be very honest, I’m already very proud of how far I’ve come in the last 10 years. When I first moved to London, I was making significantly less than I’m making now. I’ve consistently worked my way up the ladder since then. I’d still really like to learn and grow more within this industry and I certainly have dreams of being a CISO or a head of a department eventually.
But, the opportunity for growth can really depend on how big your department is. Cybersecurity is still growing, and not all organizations have large teams which means you may not necessarily see what your next step will look like or what skills you need to develop to take that next step.
It can be hard. But, the skills you get at any one organization are really transferable.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more.