As part of our Women in Cybersecurity Month, we are highlighting women and their careers, accomplishments and passions. This spotlight features Andrea Simpson, CISSP, whose career spans military service, government contracting and a position as a CISO.

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

I am Andrea Simpson, a child of God who has been blessed to work in cybersecurity for over 20 years. My career journey started during my active military duty when I got the chance to be the Security Manager for the communications squadron at Yokota Air Base in Japan. I was responsible for the computer, industrial, personnel and physical security programs for the squadron. It was there that I realized how crucial protecting information systems would be in the future. So, I switched my degree to study information systems management — back then, there wasn't a specific degree for information security.

After leaving the military, I took a job as a technical writer for a U.S. federal contractor. This role helped me learn how to translate technical jargon into plain language, which has been extremely helpful in my career. For any women entering the cybersecurity field, I'd recommend taking positions that bring you as close to the technology as possible. The one thing that has not changed, over the 20+ years I’ve been in this industry, is the need to understand the basics of any technology.

Support Your Knowledge

My next significant role was as the lead tester for security devices, where I led a team of five men. It was a challenging start, as they frequently tested my grasp of the technology and the security requirements. My second piece of advice: always provide evidence to support your knowledge. For every challenge, I consistently backed up my explanations with written or visual proof, which built trust and credibility.

At some point in your cybersecurity career, you'll face the choice between staying fully technical or transitioning into an administrative role. Throughout my journey, I noticed that many security decisions were made without considering their long-term implications. This was a major concern for me because my primary goal has always been and continues to be to protect information systems and the data they handle to the greatest extent possible. It was at that point I realized I needed to be the person who defined the cybersecurity direction, policy and strategy. I needed to be the chief information security officer (CISO).

Moving to Being a CISO

Once I made the decision to aim for the CISO role, every position I took thereafter was a deliberate step towards that goal. I carefully chose roles that would allow me to gain experience beyond just the technical aspects of cybersecurity. I was fortunate to serve as the acting CISO for nearly eight months, which provided invaluable insights. When the CISO position was officially advertised, the chief information officer (CIO) told me it was my job to lose. During my interview for the position, I was asked why I should be the CISO, and I confidently stated that I was the best candidate to elevate the organization’s security to the next level.

 

I served as the CISO at that organization for five years, during which I learned a great deal about what it meant to be in that role. However, there came a point where I felt the need to grow further. I set a new goal for myself: to become the CISO at a larger organization. I made it clear to the CIO that I would only consider leaving for another CISO position at a bigger organization. For anyone looking to advance in the cybersecurity field, I recommend being open with your supervisor about your career aspirations. By clearly communicating where you want to go, you allow them to help you develop the skills needed to achieve your goals. My last and current CISO roles have pushed me in new and exciting ways, preparing me for my next goal: becoming a board member of a for-profit organization. If there’s one thing I want you to take away, it’s to know your value and what you bring to any organization. There’s only one you, and you have a unique purpose.
