Julia Hermann, ISACA Germany Chapter, Leveraging Security Communities to Enhance Your Expertise and Advance Your Career
And if it wasn't enough for me, I'm bored and not challenged enough by the volunteering work. I also have a real-life job. I'm the CISO of InfoDesk, a small mid-sized company in Germany working in the public sector space.
So, but before we start, for those of you who don't know what's actually ISACA and why am I here today. ISACA is a global organization, a global association offering credentialing, training and also of course networking opportunities for IT professionals in the space of audit, risk, privacy, security and governance and compliance. And it's a global organization located in Chicago, but it's also represented by local chapters.
So, the Germany chapter I think is one of the biggest ones. We are around about 4,000 members in Germany and I'll get to that later what we also offer for you as a security community in Germany.
So, but if we talk about security communities, I think it always feels like this. We have tons of options available. We have global associations like ISACA, like ISC2 where you in the end have a paid membership. You get a certificate to prove your knowledge and certificates of course help you get track also in the industry. You get in contact with certified people as well and I think it mostly drives forward your technical expertise. We have kind of paid membership organizations, the ISF, the Information Security Forum is one of them.
You usually become member as a company and then you also have the community available again with local chapters, with communities where you can exchange on specific topics and you can reach out to other experts. Then we have open communities and we have Matthias here today. He is the lead of the DACH community of the EXO group, the CISO community. I call it an open community because you just have to be in that space and you can participate. You can go to the meetings. We have online meetings where you can exchange and again grow your skills, your technical expertise and exchange with peers.
But we also have company internal networks. We have communities of practice. In my previous company we set up the first, actually we called it a competence center for cloud computing and we brought together the experts from all around the world to have a technical exchange, train each other, share knowledge, share experience on really technical implementations, on development in the technical space. We have trusted cross-company communities. We have in the Munich area, we have what's called the CISO Web of Trust.
It's what I would call a Chatham House Rules community where we have different CISOs from different companies and we exchange on specific topics in a closed circle. You can always reach out to that group if you have a specific question and you get the input from, not maybe from the regulatory body, but you can just exchange with your peers and it drives you forward. But you also have, if you want to grow, you have mentoring, you have coaching available. And I think sometimes for a lot of people it really feels like this.
You sit in front of this big Lego box with different sizes, different forms and different colors. And the question is always, which one do I actually choose? And I mean, let's be honest with the pandemic, also virtual formats really have popped up a bit like mushrooms and it's very difficult to decide where do I go? Which one do I attend?
Because, I mean, like I said it in the beginning, we all have a real life job and we also need to work sometimes. We can't just go to conferences or to meetups or participate in real networking events during the day. So how do I choose? And I think the most important question is not how do I choose, but why do I choose something that I would like to participate to? And if you want to develop yourself, if you want to strive in your career, the first thing is you have to push yourself out of your comfort zone.
I have a good example in my friends and she always says, yeah, but I don't like to go to meetups because I'm such an introvert and I don't like to go there. And I say, but that's the first thing. You step out of your comfort zone and go there. Take someone, take someone with you. But if you want to go, you also have to take the next step. And questions I ask myself at the time and we'll get to a bit in the end on what I'm actually doing is what do I want to achieve? Where do I want to be? What's my next step? And what do I miss to get there? Do I need to develop in the technical expertise area?
Do I need to develop leadership skills or what do I want to reach? And how much time am I willing to invest? Is it something that, yeah, not really. I would like to get something, but I'm not really also willing to give back. And I wrote here, I'm not alone, but you shouldn't be alone because communities are a give and a take. I don't think you can go to a community and just consume. We see this a lot in the chapter work where we have people asking, yeah, but you should do this and you should do this. And we always say it's a community. We can provide you the platform. We can help you.
We can bring you in contact. But I think communities live because you have a give and take and it's a mutual way of bringing things forward.
And, yeah, push yourself out of the comfort zone. Think about your next step. Think about your objective of your goals, what you want to reach. And then usually you find the right solution. So what do you do? You need to choose your building blocks.
So, for example, if you're not really sure what you want to do, maybe coaching. Start with a coaching could be the right solution to have someone kind of get the questions out of you. Where do I want to go? If you want to develop leadership skills or you have a role model and you think I would like to move in the same direction, maybe mentoring could be a good option, like a mutual one-on-one session. Maybe you're a bit more introvert. You don't want to go to big networking events.
Again, mentoring could be a good option. Or you're really an extrovert and you like to talk. You like to go to conferences. Think about the speech you can give somewhere. You want to go grow technically. Go for a certification, join a global association and then join their working groups. So a lot of options there, but I think it's always for yourself to choose and to decide what do I need, what's right for me. But also to reach this, I think talking to people who are on a similar path is always a good opportunity.
Or, for example, reach out to us, like the ISACA chapter. And then I'll end with this picture and I'll talk a bit about my own story and how I got into this world of security communities. When I started my career, I was working as a security consultant. In consultancy, you had peers, you had sparring partners you could discuss with. And then I moved to a role in the European Aviation Safety Agency and I was this single warrior. So it was always like I tried to do something in security and everybody was like, you're completely crazy. And you need sparring partners, you need people to talk to.
And I didn't have those people in the company and that's back in 2010. I did the CISSP certification and I was introduced to the community of the ISC2. We founded the Germany chapter in 2010 and that was my first step into this security community world because all of a sudden I had peers I could discuss with. And this continued to develop a bit further.
In 2014, I got my first ISACA certification and then I joined the, well, you're forced to, but it's a good force, I think, a very positive force, the ISACA Germany chapter. And I discovered they have working groups on specific topics. So we offer working groups on information security, on privacy, on IT compliance. And in those working groups, you meet experts from all over Germany. First thing is you can network, you can exchange with them. But the second thing is we are also developing content.
So we are publishing guidelines, we're publishing white papers, we're developing certificate courses in Germany. And it's been growing. So since then, I became first leader of one of the working groups and then I became part of the board in Germany. But I'm also doing different things. So I've been moderating the Cyber Women, it's a small conference or it's not so small anymore, a couple of times. I've joined the EXO community where I can exchange with peers because my personal drive is to exchange on mostly technical topics with peers.
I have a mentor myself who is supporting me and getting leadership skills. But at the same time, and so this one, for example, or Mentor Me is for me very important because I can't only take, I also have to give back. So the experience I gain, I try to also give back to other people. Cyber Mentor is a very nice small project by universities in Germany where you get mentees.
I think, Max, you can't become a mentor because you have to be female. And for students in school between 7th and 12th grade, you become a mentor for students interested in the MINT area. And I have a mentee now, she's in 10th grade, very, very shy. And she has apparently a huge interest in technology. So I think this is where we can give back to make the community grow and to have people step out of their comfort zone. I started to talk at conferences. I think one of the most, for me, biggest achievements years ago was in the Caesars Palace in Vegas. And it grows.
Once you're in there, I think it grows. You support each other and that's something I also see you need to share. In order to grow, you need to share. You can't keep knowledge to yourself. That's really important. You have to be careful what you share, especially if we talk about company internals. But in principle, to drive this forward, you have to go out there, you have to talk to people. And I didn't want to make this a product story about the ISACA Germany chapter, but of course, we're also looking for volunteers. We have working groups. We do our conference each year.
We have a She at ISACA initiative where we try to support women. If I look at this conference, I wish we would have more representation of female colleagues. So if you're interested in what we do as the Germany chapter and or maybe even also what I do outside the Germany chapter, reach out to us. I will be here for the rest of the day. I think Tim will also be here for the rest of the day. If you want to know more about EXO, you can reach out to Matthias. And if you have any questions, I'm here.
First of all, a big round of applause.
Yes, we have a question. Thank you.
Well, I'm going to be greedy and I actually have two questions for you. Sorry, I didn't want to make that a spit take. Sorry. So my first thought is that you're preaching a little bit to the choir, right? You're preaching at a conference where already people are going that are willing to share, willing to participate and so forth. So my question would be, what do you do for those who you described as introverts who might not go for that? And my second question is, which I think is also important.
Over the last couple of years, you had more and more young CISOs or even established CISOs who had like the imposter syndrome. And I think those kind of communities can actually help you to see if you're an imposter or not. So those would be my two questions.
So I think the first question is you're all here. That's really good. And I would really call on you to transport this message also to your team members and in your company, maybe not only your team members. And this is footnote, this is very stereotype, but also reach out to your female colleagues.
We see a tendency that male colleagues are much more willing to go out to network. You all know this, again, stereotype. They read the job description, they apply. A woman reads the job description or the conference and says, I don't miss the or I don't have all 10. I just have nine and a half. So I don't. I don't want to speak because there are only experts in the room. Don't worry, they are not all the experts. For your second question, yeah, absolutely. I think these communities can help there as well.
Well, what we've seen in applications a lot is that people completely overestimate also what they are capable of, especially young people. And you have weird requests when it comes to salary and the expectation of working time compared to what they're actually willing to do.
Well, I think a lot of it has to do with, you know, we're here. We want to build these communities. And if we have a staff member that's an introvert, we can encourage them. I have plenty of introverted staff members. And get them to come out and let them understand that, you know, people want to hear what you have to say. And another thing we can do as the non-super introverts are the ones who overcome it is if we go to one of these networking events and there's a new person there that's obviously introverted, help them out, support them so they keep coming back.
You know, sometimes introversion is, I don't know, it's just a fear, right? It's insecurity in most cases, yeah.
Yeah, so it's also incumbent upon us to build these communities because just because someone's an introvert doesn't mean they don't have great ideas and great things to say. Yeah. Sorry. Any other questions for the moment?
Yes, please. Thanks. So what about people who aren't like really keen on talking a lot to others but actually doing something useful, maybe even volunteering, helping those who are less educated and stuff like doing practical stuff. Would they fit somehow into this community?
Yeah, definitely. So for example, like I said, our working groups, a lot of people are not up to speaking in public. So I had to get used to that too. So we in the ISACA Germany chapter, we offer these working groups. You don't have to speak in public. It's small groups. I think the biggest one we have has about 25 members. They meet on a regular basis. Even if they wouldn't want to be listed, namely in publications, they could still contribute on a technical level. ISACA Global also offers working groups you have to apply.
And then it's again small groups where you don't have to speak in public. Or you could work on contributions to the OWASP community, for example. It's all happening in the background. There are so many opportunities where you can participate to community work where you don't have to speak in front of people. So I think there are definitely opportunities. And it's not really for everyone. I think some people are also happy where they are. And that's not bad.
We also have to have people who are just willing to kind of do something repetitive, maybe, or something to continue doing something they want to do for years, who are not keen on developing. So I think that's also fine. It's not really for everyone.
Thank you. Last questions?
Thanks. And just on that note that just came out. I think also where people who are not eager to speak or who are very much introverted. OWASP was a very good example, I think.
And then additionally, for a developer, for example, any project on GitHub, for example, that has maybe some security requirements in there or some service, that could be also a huge potential to just work on that and showcase that you are actually contributing for our overall security society in general. But for me, what I would also love to just note and say is that I know that we have to do way, way more in terms of getting female people, female persons into MINT and into security as well. And I very much appreciate you showcasing these examples there.
But if I hear that the cyber mentor thing, for example, is only for women, I feel that's maybe a missed opportunity because I would love to actually support that with my time if possible. But now I'm just outscoped.
I fully agree that that's always a very rough discussion. You see the color picture down there? That's the logo of our, in my old company, our internal network. And I have 38 seconds. We did talks to our executives and we asked them if we should do a closed female network or if we should do an open female network.
I'll let you guess how many of the women said we should make a closed network executives. It was the majority. We decided against it and we also invited male speakers because you can only get women into these fields if you get the male colleagues as allies.
Otherwise, you segregate yourself. So I'm fully with you. I think in this case, it's because you could do it. But I think what they want to achieve is that the girls are so shy anyways. They are really, she didn't even dare to send me a message. 10th grade girls. So I think that's why they chose to do it only with female mentor models. But I'm fully with you. In general, it should be open to everyone who's willing to give.
So a big thank you. Thank you to Julia. Thank you.