
For our Women in Cyber initiative, we’re proud to spotlight Naomi Buckwalter, Sr. Director of Product Security at Contrast Security. September 1 marks Women in Cyber Day.
It’s a moment to celebrate the women shaping the next chapter of cybersecurity. And our goal is simple: to elevate women’s voices at the heart of technical defense, leadership, and workforce change.
She has also founded the Cybersecurity Gatebreakers Foundation, focused on opening pathways into security careers.
In this Q&A, Buckwalter shares practical perspectives on invisible security programs, leadership growth, bias-free hiring, and the steps women can take to thrive in product security.
Vishwa: As Sr. Director of Product Security, what outcomes define an excellent program without slowing developer velocity?
Naomi: A good security program is a quiet program. Is there a lot of security “noise” that developers have to deal with? Are they focusing a majority of their time on fixing security issues rather than shipping features?
If so, that’s an indication that your security program isn’t doing what it needs to be doing - which is being a service for the business. You want your developers to ship features quickly AND securely.
So instead of relying on developers to remember security configurations, have your security program do things like: providing vetted tools, libraries, reference architectures, frameworks, templates, and automatic security checks built into their SDLC or CI/CD.
Good security is invisible.
Vishwa: What are some ways we can get more women interested in cybersecurity? Funding scholarships and bootcamps is common, but what evidence proves they work, and how should we measure effectiveness? Please reference placement and retention rates, and skills assessment results.
Naomi: I think we as an industry are doing all the right things when it comes to attracting women into cybersecurity, and there’s not much I would change there. I think security and business leaders have a responsibility to open doors for women to take on roles in cybersecurity and not let personal biases get in the way of hiring high-potential women.
Vishwa: How can women move up into leadership roles in the industry? Which cross-team initiatives most accelerate leadership readiness, and what mastery is needed in skills and risk communications?
Naomi: The most practical advice I can give is to work on communication and building trust between all levels of your organization.
Learn how body language, tone, timing, and self-awareness can work to your benefit (and to your disadvantage).
Work on building trust with your company’s technical teams and business leaders. Do what you say you’re going to do. Ask where you can help, and provide practical security guidance as much as possible.
Generalizations aren’t helpful! Be specific in your speech and mindful of the way you are perceived by others in your organization.
Vishwa: What is your advice to women who are just starting their careers in cybersecurity? How can starting in application support build toward product security, and how should newcomers practice threat modeling?
Naomi: For those starting out, the best advice I have is to know what interests you. Cybersecurity is a huge field, with many different roles and responsibilities. Find a domain that interests you, and that you can see yourself doing for a long time.
Create your small passion project. Learn new things. Break something, then fix it again. And keep learning. That way, when the days become long and the years even longer, you’ll still have the “fun” bit to fall back on.
Vishwa: What skill matrices actually help in product security, and where should competencies be defined and measured? Please map to NIST SSDF and cover secure design and threat modeling, code review, findings triage, and infrastructure as code (IaC) checks. How should hiring reduce gatekeeping while protecting quality bars through published ladders, practical exercises, and paid apprenticeships?
Naomi: The NIST NICE framework does a great job of mapping skills and responsibilities in cyber, so I won’t try to rehash it all here. What hiring teams can do to attract more women in cybersecurity, again, is to reduce bias in their hiring process.
That means removing names (and any potentially gender-identifying information) from resumes and applications, creating a standard set of interview questions, and not making assumptions about candidates based on gender, etc.
It’s hard because everyone has biases, but you’ll notice that the more gender-agnostic your hiring process becomes, the more qualified candidates you will see.
Vishwa: As teams plan quarterly work, how should they embed the NIST Secure Software Development Framework (SSDF) for adoption across planning, build, release, and operations?
Naomi: This is a tough question. Not everything in the SSDF is necessary for every business, so I don’t necessarily recommend that security teams follow the SSDF to a “T”. The cost of doing security should never outweigh its benefits.
There is such a thing as “too much security”. If your team is new to SSDF, you should start with a gap analysis, and see if it makes sense to add in any missing controls, if they exist.
Then, compare that with how much time, money, and resources it would take to implement that missing control. If the cost of implementing the control outweighs the benefit (i.e., risk reduction to the business) of having that control, it is not worth implementing.
Balance the scales out. Implement a “lite” version of that control, if possible.
Vishwa: Finally, what everyday practices, guardrails, and tools best prevent human error across design, coding, review, and operations? Please cover secure defaults, least privilege, secret and dependency scanning, and policy as code. How do you tune these for developer experience, incident response, and continuous learning?
Naomi: The most practical advice I have for security leaders is to truly understand what your developers are building. Understand your system architectures, understand the tech stack they use, and understand the build systems in place.
And go deep in that understanding. You want to be up-to-date on the software engineering and architecture techniques, tools, and best practices that modern Dev and Ops shops use.
Once you understand all of these things, it’s much easier to be a partner for engineers, because you understand their language, and can talk to them in a way that’s actually helpful (remember: generalized guidance is NOT helpful!).