Alethe Denis is a Senior Security Consultant on the Red Team at Bishop Fox, who has advised and developed solutions and strategies that have driven the improvement of global security programs. Her work has helped businesses unlock opportunities to enhance security awareness as well as security tooling and capabilities through offensive security testing.

Alethe is a public speaker at major conferences and a trusted source for national and sector reporters and editors, and her perspectives have been featured in numerous outlets, from The Wall Street Journal and Der Spiegel to DARKReading and Morning Brew. Her work has earned her many distinctions, including a DEF CON Black Badge, a board seat on the DEF CON Groups Board, and recognition as an industry expert.

1. Tell us a bit about yourself, your background and your current role.

I’m most well-known for winning a social engineering competition at DEF CON, the world’s largest conference for security consultants and ethical hackers. To win, I compromised a Fortune 500 company using just a telephone, live in front of hundreds of people. I was awarded the coveted DEF CON Black Badge, which was a pinnacle moment for me in my security career.

I think that people outside of Bishop Fox would call us ‘ethical hackers’, but my work is in leading initiatives that educate companies on how physical engagements could lead to a breach. Our social engineering emulation services create authentic attack scenarios that combine with the Red Team’s technical hacking expertise. We also deliver tabletop exercises that test companies’ incident response (IR) plans and identify gaps in IR processes and training of IR teams.

2. You’re known for your work and success in social engineering – how did you develop this skill and how has this area of cybersecurity changed since you began?

I studied Chemical and Molecular Sciences at university where I was introduced to security through designing and development studies. I’ve had a variety of roles from project management to market intelligence roles, and when added to the skills I’ve gained in research and making the findings accessible to the average person, they transferred well to the security industry.

In the last five years, we have a better understanding of which metrics provide the most valuable insight, but tens of thousands of dollars are still spent on social engineering assessments in hopes of improving security posture with only awareness training and policy change. The way we approach assessments now is to focus on how we can help businesses evolve their security programmes from reactive to preventative through the layering of technical security tooling and defences.

3. Has your career played out as you would have expected/planned?

Absolutely not! I didn’t finish my degree. After growing up split between the two, I moved from South Africa to the US permanently and took a minimum wage job at a pet store. I’ve worked in Escrow and Title insurance, and for a major global telecommunications company. The craziest decision I made was to become a social media manager for a new app that was a competitor to Instagram, which ultimately failed. It was only in 2020 that I took my first job in security. It was always an interest, but it wasn’t in my plans when I left university rather aimless.

4. Have you faced any career challenges along the way and how did you overcome these?

In a previous role, I realised how difficult it is to work for a company that viewed people as just a commodity. The company wasn’t capable of recognising my contribution and though I was meeting my targets, my title wasn’t adjusted, and I wasn’t compensated based on my responsibilities. I was frustrated and felt stuck, but it pushed me to pursue my interests in cybersecurity and the company lost six years of experience for the sake of about $30,000. I’m still friends with my former boss and she uses this as an example of why workforce retention is so important!

5. What has been your biggest career achievement to date?

The day I joined Bishop Fox was very special to me. I almost couldn’t believe that it was happening. I knew how prestigious the company was and the level of expertise on their team, so having that validation of my skills felt like such an achievement.

6. What is one thing you believe has been a major factor in you achieving success?

It’s in my nature to be extremely competitive and perseverant, which has been a huge factor in my career. But the support of my husband has been a major influence on me when my confidence was low and I needed reminding that my contributions and skills have worth.

7. What top tips would you give to an individual who is trying to excel in their career in cybersecurity?

Take advantage of free learning resources. Find somebody that you connect with and is willing to advocate for you. Be a sponge for knowledge.

Don’t overfocus on certifications. Collect the skills but also get involved with the community, whether that’s through contests, events, or conferences. Having a strong network of people that know your name and your work will help you to get jobs as your career progresses.

8. What barriers for women working in cybersecurity are still to be overcome?

I think in a male-dominated industry, it’s easy to be weighed down by the negatives, like being underestimated or treated differently for being a woman, or part of any underrepresented group. I try to always focus on the positives, like accomplishments, personal wins, career achievements and constantly look forward with the right mindset. It’s also vital to surround yourself with people that share that mindset and want to advance your career, because if you need to raise your concerns, they’ll give you confidence and support when you need to raise concerns.

9. What do you think companies can do to support and progress the careers of women working in cybersecurity?

Actions speak louder than fancy PR campaigns, and if a company is serious about supporting women, there needs to be a top-down buy-in from everyone. Speak up for women and take action with women’s ideas, then hire people who support this belief system. Create a workplace that people are ethically and morally proud of, a workplace with people who display integrity. Hiring managers can also remove salary history questions from the application process to avoid women undervaluing their work, which props up the gender pay gap.

10. What resources do you recommend for women working in cybersecurity, e.g. podcasts, networking events, books, conferences, websites etc.?

Use events to find your tribe. Many different groups with a variety of interests and specialisms gather for conferences, which makes them excellent places to find people to create a community. I’m happy to give anyone a beginner’s guide to DEF CON! Or if you’re not headed to Vegas, there’s a large online presence to engage with as well as local DEF CON Groups spread out around the globe.

The Diana Initiative is a great resource that supports all underrepresented groups in information security and in the hacker community. Cyberjutsu also empowers women to succeed in the cybersecurity industry with learning programmes, workshops and mentorship. The Women’s Cyber Academy from SANS™ Institute is another wonderful training resource.
