Featured Article

International Women in Engineering Day 2020 – a Q&A with Sara Boddy, Sr. Director, F5 Communities

To mark this year’s International Women in Engineering Day, we connected with Sara Boddy, Senior Director of F5 Communities (F5 Labs and DevCentral), to discuss her career to date and why we need to continually strive for more diversity in tech.

When did you become interested in tech?

I started out in the security world back in the late 90s, three weeks after graduating high school. At that time, the practice of security was known as network security, and there weren’t college programs for it.

In fact, there were very few colleges that even offered computer science degrees. I got a job as a receptionist for Conjungi Networks, which was owned by two guys in Seattle that were some of the more forward-leaning thinkers in the security space at that time. They kicked off their business by implementing Microsoft's first firewalls around 1995 and became known as security experts from that point on. We were one of the only businesses in the Seattle area doing firewall implementations, vulnerability assessments, penetration testing, incident response, etc. during that time.

They saw potential in me, and started having me manage the backup tapes (which I wasn’t any good at) and, after a few years, I was doing base configurations on SonicWALL firewalls, writing statements of work and proofreading vulnerability assessments for customers. We deployed firewalls and intrusion detection systems, conducted vulnerability and risk assessments, and consulted our customers through a lot of incident response. Things got really interesting when the company participated in a sting operation with the FBI as part of a big hacking extortion case impacting one of our customers. I think I was maybe 21 at the time and it was exciting work to me. That is when I knew I was going to be in this field for life! Four companies and 20 years later, I still work with Ray Pompon, who was the lead on that case at Conjungi.

How did you get to the position you’re in now?

The beginning of my career was in consulting, which meant I worked directly with customers on different kinds of projects—not just basic security control and implementation. I learned how to consult around compliance, test for effectiveness of controls, and define security programs. Every way that you could fail in security, I've seen it from a consulting role, which was really good experience in the early days of my career.

After 12 years, I got a job in internal security. I stayed for seven years, progressing from a security manager up to the VP of Information Security and Business Intelligence. The company went public while I was there, so I got to build a SOX program from the ground up. We also went through a public company split, and dozens of acquisitions. Some of our business divisions had high appetites for risk, and some were just big targets, like our domain registry and registrar businesses. This put me in a position of constant incident response, and I started to crave something different. I think this type of situation causes a lot of security operators burn out. I moved on when one of my prior managers, who was working for F5, created the opportunity to start the F5 Labs threat intelligence team. This was very intriguing to me. I wanted to move from constant defense into proactive threat analysis and help other defenders that were experiencing the same issues I was. We just weren’t talking about it. I was the first employee of F5 Labs and now, 4 years later, we are a team of 8 researchers that have published over 300 reports, articles, and thought leadership blogs.

What is a normal work week like for you?

I spend a large amount time in meetings talking about the latest research from my team. I also do my own research and writing when I find time at night. I’m always looking at large aggregated datasets to spot patterns and trends. The key is to gain insights into what the bad guys are up to prior to the day they start attacking systems. These insights help me consult with customers on the need to be proactive about security. This is all crucial work and puts businesses in a good position to defend themselves from threats by using the intel from the F5 Labs team.

Why do you think there is a lack of women in engineering and tech roles?

There’s no denying that engineering and technology is a male dominated industry. In my experience growing up, computers simply weren’t something many girls were interested in, perhaps because they weren’t marketed that way. I still think we're in a situation where computers and gaming are still very sexist worlds. I mention gaming specifically because that's how a lot of kids get passionate about computers. They've got gaming consoles and iPads and they want to figure out how they work, or they build their own gaming server. These products are still not being designed or marketed with girls in mind, and I think that contributes to a lack of interest on the female side. Plus, I don’t think there is enough awareness about what this field really is about. It’s really cool! It is constantly changing, there is never a dull moment, and you can make an impact on a global scale. People forget we depend on the internet for modern life to function, and it’s a very fragile ecosystem that needs a lot of help. We desperately need more women in this field!

Did you face any career progression obstacles?

I’ve been very fortunate in my career to work for men that have always championed my successes. I've never had to fight for a promotion and I’ve always had leaders who saw potential in me and pushed me, which helped me grow. I realize not a lot of women have had the same support.

However, like every woman in this field, I’ve run into people that don't want to listen and assume you are inexperienced. No matter how many years I've been in this industry, I still have a lot of people come up to me after a talk and say things like “That was really great. You really do know what you're talking about.” Well, thank you for assuming I didn't! Or, when I’m giving a keynote speech, the expectation is that I got the opportunity because of an interest in diversity versus merit. I think the need to prove your worth or expertise is something a lot of woman in this industry grapple with. My speech coach tells me, “you have something to say, nothing to prove.” I still tell myself that before every opening line, whether it’s a meeting with a customer or a keynote. Women in STEM have to be confident and have thick skin.

How do you think businesses can make the industry more inclusive for women?

Continued funding from the tech industry for STEM schools is very important!

I also think we can help to overcome the gender gap by finding ways to tell cool stories about what this industry does. We need to drive early involvement at state and local school levels. More details about how cybersecurity makes an impact on the world would excite and inspire kids to get into the sector. It may be a while before we start seeing significant differences in terms of gender balance within the industry at all levels, but I’m positive that change is coming. With girls in primary school now learning coding, I’m hopeful we’ll have a more level playing field in years to come.

Do you have industry role models?

I’ve always had really supportive managers and mentors, so I haven’t really had a reason to look for an external role model. I do think women in STEM are really good at creating community groups to congregate, talk, and learn. We are very supportive of each other. There are definitely a few female CISOs that are active on social media that I pay attention to, but I don't know them personally.

What advice would you give to individuals looking to start or advance their career?

Getting involved in your local community is important. Knowing other people in the industry will give you a better idea of the sector and help when new job openings arise.

I think businesses in general need to get more comfortable hiring entry level employees too. There’s a common perception that if you don't have 10 to 15 years of experience, you won’t be able to solve the problem quickly, or you’re not going to be able to consult clients and implement good security controls. That is not necessarily true.

At F5 especially, we’re always on the lookout for smart, curious, ambitious people, especially those who are early on in their careers. I've had a lot of success hiring people right out of college. They’ve always been really keen to learn and grown their careers quickly, take a very creative approach to security and aren’t biased by “the way we do things.”

For additional perspective from F5: