Hillary Benson is the Director, Product at StackRox and has an incredible background in government and military intelligence. She holds two degrees, including a Bachelor’s Degree in Management Science with a focus in Finance from Massachusetts Institute of Technology and a Master’s Degree in Security Studies with a focus in Terrorism and Substate Violence from the Georgetown University Walsh School of Foreign Service. Additionally, she is a Master’s candidate in Computer Science at The Johns Hopkins University.
But, her experience isn’t limited to her education. She started her cybersecurity career at the National Security Agency, where she spent almost six years as an intelligence analyst, technical collector, and product leader. She moved into the private sector as a red team operator and has shifted gears in the last three years to focus on building product at a leading container security company called StackRox.
“Of all the things to get into without formal education or training, there seem to be a lot of people who either cross-train from other fields or enter security without any formal education. Which is pretty awesome, I think.”
Q. Describe your role as a Director, Product in 300 characters or less
My job is to distill business opportunity into a technical vision and development roadmap for our flagship security product, the StackRox Kubernetes Security Platform. We’re building a product that enables security practitioners to rethink their approach to security by leveraging container technology.
Q. Your background – both educational and professional – seems very focused. Have you always aspired to have a career in this industry?
From a very young age I had an interest in technology, security, the military and intelligence. I can certainly tie all the threads from those interests to where I’ve ended up, but I wouldn’t have been able to predict that my path would look the way it does.
I generally attribute that to the fact that the most interesting opportunities are usually the most difficult to predict, and I am constantly searching for the next interesting problem to solve. My approach to life can lead me down very unexpected rabbit holes.
Q. What professional experiences have guided your career path the most?
Certainly NSA had a huge impact on my career direction. I landed there by luck, really, after shotgunning online job applications. I applied on the right day, they picked up my resume, and before I had even graduated I was in the clearance process.
I joined as an Intelligence Analyst and participated in a program that allowed me to rotate through a number of offices within NSA to get experience in different disciplines. I gravitated toward technical analysis and collection. That track led me to Tailored Access Operations and stoked my interest in offensive security. The rest is history.
Looking back on my career up to this point, many of the contributions I’m most proud of took place during my time with NSA. At certain times, I had an extreme sort of impact that you can’t replicate in the commercial world. From a business perspective, though, I’ve learned more in the last two years than I ever hoped for and am extremely proud of the product that my team has built at StackRox.
Q. Since you’ve sampled a lot of different disciplines within cybersecurity, do you think people tend to have a narrow view of the industry and the jobs available in it?
People hear “cybersecurity” and think of hackers in hoodies. That’s a bit of a caricature, maybe with some legitimacy to it—and that was even part of my own experience—but that’s not all there is.
A lot of what you do as a security professional involves bridging gaps between security teams and the development and operations teams. So much of the job is convincing people that the security risks you find are worth fixing. You can’t do that if you only have technical skills; you have to be able to talk to people and to influence them.
Q. Do you need certifications or a degree to get those skills?
Actually, of all the things to get into without formal education or training, there seem to be a lot of people who either cross-train from other fields or enter security without any formal education. Which is pretty awesome, I think. It’s not uncommon to hear someone say something like “Oh, I studied psychology, then took a year off and painted, and now I’m a penetration tester”.
There are many people in security who gained the knowledge and landed a job without a formal degree. A lot of the folks I’ve worked with were independent and curious problem-solvers—I think not in small part because a lot of them fought their way into their role by proving their competence in the field. You don’t necessarily have to take the traditional route and get a four-year degree. If that works for you, great. But if you’re looking to switch careers or you’re confident in your specific passion for the security industry, there are other ways to get the requisite technical skills.
The OSCP is a great training ground for aspiring penetration testers who want to nail down the basics. Joining a bug bounty platform like HackerOne or Bugcrowd is an excellent way to get hands-on experience with finding bugs in the real world. And almost nothing beats learning to code—what better way to understand how security issues materialize when building software but to try to build it for yourself?
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more.