Woman in a man’s world: how Finnish nursing student became a cybersecurity star


Who would have thought that Laura Kankaala, now leading a threat intelligence team in Finland, ever doubted herself to the point where she nearly sabotaged her own career?

Laura had never considered ethical hacking as a career, so she went to nursing school – only to learn that she fears needles and blood. But eventually, she discovered another way to help people.

Fast forward a decade, and Laura is leading a threat intelligence team at a cybersecurity firm, F-Secure. She has even been featured as a professional hacker on a Finnish TV channel, Yle, and a series called Team Whack where she demonstrated that everything is hackable.

Cybernews sat down with Laura to discuss her career path, the biggest struggles women face in cybersecurity, and why nonetheless it is well worth breaking into a male-dominated industry.

This interview was edited for length and clarity.

How did you get interested in cybersecurity? Was it even your first choice of studies and career?

No, it was not my first choice. When I was younger, just a kid, I wanted to work in the video-game industry. But in my family, we don't really have anyone working in IT or cybersecurity.

I went to study nursing first, for a year. But I have a phobia of needles and blood, so that didn't really work out! I appreciated helping people, that felt natural, but some aspects of it threw me off.

But since I was a kid, I've been playing video games a lot. I've developed websites and things like that, growing up with computers and all things IT-related. I saw this opportunity to study at the University of Applied Sciences in Finland. I studied IT and decided to give it a shot.

During my studies, I became familiar with the concept of ethical hacking and how to practice that legally. That was a groundbreaking and revolutionary moment for me. It was something that I was very interested in. I had a very Hollywood notion of what hacking could be. In the movies and on TV, you see these people just typing away on their computers, and things are exploding somewhere. It seemed like a very intriguing and interesting field, but I had no idea you could do that for a living.

We had an introduction to ethical hacking, then I started to study it on my own. At my first job, I was in the security consultancy field, where I then did hacking. I hacked websites and different types of applications. And then I went from there. I never knew when I was younger that you could hack and earn a living. Fortunately, the world has changed, and it has become evident that companies need ethical hackers.

You say that hacking is not like Hollywood, but I bet there's some exciting stuff, right?

I'm no longer working in a security consultancy role, so my day-to-day job is no longer hacking. I'm now leading the threat intelligence team here at F-Secure. And we need to understand how hacks happen, how threat actors work, and how different types of criminals are getting into sensitive information of private individuals. For example, what kind of malware they employ and what kind of tools and techniques they use.

I get excited when I learn something new or that I wasn't aware of. I'm very excited to broaden my knowledge all the time. That's one of the best things in this cybersecurity industry because it's about constant learning. Things that were an issue a month ago are now being patched and fixed, and we're dealing with new things. Of course, legacy software and legacy things still exist. But even then, we are inching towards new ways of how technology shapes our lives.

You were featured on a TV series, hacking into everyday objects. What are the most unusual ones that you managed to break into?

We hacked into IoT [internet of things] devices, cars, a person's private life, a gaming stream, a company, and so on. We had a really broad set of targets. Personally, the most interesting and perhaps fun experience was when we hacked into this live gaming stream. There was an event taking place: we hacked into the live stream, cut it off, and then displayed our own video in the middle of the stream. I thought that was the most fun thing to do, because gaming is close to my heart. It was a fun episode to film.

You demonstrate that it's possible to hack basically into everything, so aren't you paranoid about security and privacy?

I became much more realistic about the threats. And unfortunately, I know a lot about the bad things that are happening. At the same time, I also know the steps I can take [to mitigate them]. Hopefully, I can propagate that information to others as well. There are some simple and easy things that all of us can do, to protect our online identities and existence.

For example, using strong passwords and multi-factor authentication and keeping devices updated. At the same time, there is the probability of falling victim to a cybercrime. So that's something we all need to recognize and deal with. Sometimes, we may fall victim because, for example, we accidentally gave our credentials to social media or gaming accounts. Then there are some tricks that someone can do to gain access to our devices or accounts. And sometimes, to be honest, it doesn't even have to be a cybercriminal. It can be someone close to you. It can be your spouse, or your friend who knows your password to your mobile device and then reads through your messages.

Let's talk about women in cybersecurity. They account for a mere quarter of the workforce in the field. How do you feel, being a woman in a man's world?

Based on my experience, women are underrepresented in the cybersecurity industry. There is much work to be done to bring more women into the industry. There are many reasons why this happens. As a kid, I had no idea what working in the IT industry meant. No one ever told me that. I didn't have anyone to look up to. I was just lucky enough that I ended up here somehow.

Some women feel they are discriminated against in cybersecurity, others complain of career delays. Have you faced any of those challenges or at least maybe witnessed other females facing them?

Yes, absolutely. When I was younger and starting my career, I would face this kind of treatment more regularly. I don't think that people mean to be mean or evil, but it's just hard-coded in the world we live in. I remember this one situation when a person told me it must be hard to be taken seriously because you smile so much or look like that.

Of course, it hurt me because I thought there was something fundamentally wrong with me. But in time, I've just brushed that off. Maybe this person didn't mean anything [by it]. It can also be difficult to address this sort of behavior when you are a young woman breaking into the industry or changing careers, where you start in a very junior position, and you look up to your colleagues and peers. It can be really difficult to defend yourself and address the situation, especially while it's happening.

It's very important to be aware of that behavior and proactively try to eliminate that environment in workplaces.

Do you think it's possible that one day our workplaces would be so diverse we wouldn't even talk about genders anymore?

It won't change overnight, but I hope it will change in time. When we put just enough effort into building diverse working places and communities, this kind of mindset would change. And I'm sure it is changing already. I'm very hopeful. This applies not only to the cybersecurity industry. At least in Finland, there are a lot of women working in nursing and not many men. Advocating other types of workplaces for men, why are we not doing that?

What do women bring to the table, apart from the fact that we are just as good at being specialists as men are?

I think it's about team composition. When it comes to cybersecurity, it's not a problem that one person can solve. It's not a problem that a couple of people with similar backgrounds can solve. We need to have diversity in cybersecurity. If we want to solve these complex problems, we need people from multiple backgrounds and people with different experiences. It always comes down to teamwork. No matter how fancy or cool hacking sometimes is, it's just one part of solving a bigger puzzle of how we make the internet and the systems we use safer in the future.

How would you encourage females of any age to try out cybersecurity?

It's important to understand that everything we do is a matter of learning new things. Finding something that sparks your interest is absolutely crucial. It doesn't have to be programming. It doesn't have to be hacking. It can be something else that touches upon cybersecurity. I wish I had never doubted myself, like starting my studies: I was questioning whether I was good enough for this. Having this self-doubt is very sabotaging.

Secondly, if there are issues with the workplace and you're not sure if someone is treating you fairly, I suggest reaching out to communities. There are communities in many different countries, such as Girls Who Code and Women4Cyber, that can help you if you feel alone or don't know who to turn to. Communities are there for you: you can turn to them and get an external opinion on your situation, or even moral support.