Putting People First in Cybersecurity - Tech Talent Spotlight with Nikki Webb

Nikki Webb | Cybersecurity Leader | Community Builder |  Mentor and Educator | Mental Health Advocate

In this edition of our Tech Talent Spotlight, we’re thrilled to feature Nikki Webb, a cybersecurity leader who has spent more than a decade championing the human side of security. As a driving force at Custodian360, Nikki helps shape a UK‑based, human‑led SOC‑as‑a‑Service built to protect SMEs with clarity, speed, and genuine care. Beyond her day‑to‑day work, she’s deeply embedded in the cybersecurity community through initiatives like Cyber House Party, CSIDES, Berks Cyber, and OxCyber, creating inclusive spaces and strengthening the industry from the ground up. Join us as we dive into her journey, her mission, and why she believes cybersecurity is, above all, about people.

Thank you for joining us today, Nikki, why don't you start by telling us a little bit about yourself?

My name's Nikki Webb. I'm a director here at Custodian 360. We're a global MSSP servicing organisations of all sizes globally for managed security services.

Our whole ethos here is that cybersecurity should be affordable and attainable for all sizes of businesses, and we think that we do that quite well.

Thanks for that, that’s great. What would you say first drew you to the world of cybersecurity and how did that path lead you to working at Custodian 360 today?

I kind of fell into cybersecurity. I come from a background in law. My partner was starting Custodian 360 as he was fed up with working in the big vendor world where small businesses were penalized for their cyber security, and I came along for the ride for six months to help him start up. And here we are nine months later and I never left.

So, I think you’ll find a lot of the women that you speak to, who have ‘fallen into’ cybersecurity. I think there's a lot of things about it that I love. It's helping people combined with solving problems, which is something that I'm really passionate about. 

I think one thing that keeps me here is the community. I was at an event just last night and I just love the community within cybersecurity. I love watching the curiosity of young people coming into the industry. I love feeding that. So that's how I came to be here. I don't think I'm ever leaving. I think I'm stuck here now and I love it!

How have your early experiences in cybersecurity or before shaped how you lead today? 

I think every young woman in any industry suffers the same and faces the same barriers.

They're still there. As much as we work really hard to change that, and don't get me wrong, there have been massive improvements, but there's a lot more to be done.  I think at the age that I am now, I can look back now and say that yes, they were challenges at the time. In the moment you often just tell yourself “No, I can do this. I can do this all on my own.” You know, having kids and balancing childcare, work life, that kind of thing. And then obviously later on menopause creeps in. All those great things women go through. I think I'm really lucky, and I don't think my story's unique. I hope my story's not unique. I don't think I've faced the sexist stuff that a lot of women talk about in the industry, which shouldn't happen. I'm really fortunate that I've always had a great village around me. Great men, allies, around me, male allies around me, and great male friends that check me, but in such a way that I don't feel they're saying that because I'm a woman.

However, there are a lot of women that do face those barriers at every point of their career as well. It's not just when you enter, I think as you progress, if you look at women of my age in the industry that are going through certain times and changes in their bodies, in their physical health, we kind of get labelled as ‘we're too emotional’, ‘we're too this’, or ‘she's hysterical’. And we're put down for that side of things. I'm not a hugely emotional person. I'm quite laid back around a lot of stuff. So, luckily, I haven't been labelled that, but I do know women that have, so I think everybody's experience is different. Everybody's pathway's different. 

Mine has been a really positive one, but that doesn't mean that everybody's is. I'd  like to see that to be very, very different. I was at an event last night, which was a women's event. There were lots of young women in there and hearing their stories of struggling to get into the industry and/ or they're just at that stage where they're about to go through their first progression in their careers and they're getting sidelined for male colleagues and things like that.

It still very much happens, but I mean, we could sit and talk about that all day, about what we can do about it. 

I think my early experiences were really positive in this industry and in my career before as well. Which again, is also very male dominated. But I know that I'm unusual in that sense and it's not everybody's story, sadly.

Thanks for sharing that. I think it's really important to talk about people's positive experiences too, right? Because as much as you are right, and part of the point of this is to talk about where it goes wrong. We've got to also talk about where it goes right. I think, your presence in your industry, in this positive way, is a very good influence on your colleagues around you. Sometimes it's about being there and being the flag carrier. If you've had a good experience, being able to be the one that says, “this is what a good experience looks like”, “this is what we can build towards” is amazing. So, I'm really glad to hear that and I'm sure we'll end up talking more about it as we go on.

I wanted to pivot slightly and ask you about cyber house party and how you founded it, and the impact you've seen it have on the industry and the community. 

Five years ago now, which is crazy to think about, we were all in lockdown. Not having any  break time. I was homeschooling. I was never meant to be a teacher.

We were coming up to what would've been InfoSec 2020. For a lot of us in the industry, it is the one event where we really kick back and where we all come together. Because people globally come into London for InfoSec. It is an event where I get to see some friends that I've got across the world who are only here once a year at InfoSec.

So, InfoSec was coming up and everybody was really miserable about it. Someone who's become a really good friend of mine, Mark Avery, I saw on his LinkedIn, he was doing a thing in the evening online. It was him and a couple of other DJs. There were some talks about mental health, checking in on us all, and stuff like  that. And it completely changed how I was feeling at the time. I was feeling really down. Lockdown was really weird to me. I wasn't used to being in one place. I was used to being out in the office every day. I was used to traveling, seeing loads of people every day, and suddenly I'm stuck at home with school books and people in my screen.

It just wasn't the same. So, I joined this event that evening called Cyber House Party. I was like: “this is incredible!” As the evening went on, obviously it followed the sun, so, people from different communities all around the world were joining and it was just such a great vibe. It was streamed on YouTube and in the side chat, it was loads of people saying things and being really open and really, really honest. I felt like: “I'm not on my own”. It was a huge, huge turning point for me during lockdown. So, the following morning I messaged Mark and I was like: “I absolutely want to help you drive this forward.” He said: “yep, perfect. Come along.” So, it became a thing during lockdown. We did them as often as we could and it became just a really, really good way for people to keep connected. It wasn't like your morning check-in teams call where nobody really wants to be there. It was genuine connection and we had lots of, Rock stars, if you like, in the industry that came along. We heard their stories about how the whole lockdown was impacting their mental health. So, it just became a really good community and a really, really good, safe space for anybody in the industry.

When we came out of lockdown the first event was DTX London. That was the first event where we've all been let back out into the world and they approached us and they were like: “we want to do an in-person one!” And we're like: “we're not event organizers. We've all got day jobs, that have nothing to do with events. We've previously done this in our pyjamas, in our lounges, can we do a physical event?” And it ended up being just the most incredible, even there was. People that had been on the events right from the beginning online, who we'd never met in person, and it was just incredible. To hear the stories in that room that evening. It's really kept me going.

It was like what we did was something really positive. I think there's something really special in watching a room full of strangers that have been connected for so long online come together. It was just so special. That's where it started, and now we've just become known as the after party.

So, any of the bigger conferences, you'll find us either as an after party or we might be on the conference floor. We've raised an insane amount of money for the NSPCC, which is really important to all of us. We sit at about 30 volunteers now, and we've got probably 70 industry DJs on our books that we rotate and we're just like a big family.

And the other thing that we do, which is really special: We do mental health and wellbeing events now. So, we go into organizations and we'll either do it there on-site for them and their employees or some companies want to have an open house that anybody in the industry can come to and we try and make sure that it's a very safe space. Everybody understands that what's said in those rooms stays in those rooms. In each room, we always have a mental health first aider. But we try and put senior people in the industry that have had their own mental health struggles in the room and it's really magical what happens because those older people start talking about it and then you'll have the younger people in the room who might be at the start of their career, say, “I've been going through exactly this. Oh my God, thank you.” Then you have a whole conversation in the room about how different people have dealt with that situation.

So, it's just a really cool vibe and it's something I'm hugely passionate about. Long may it continue. Everybody's welcome. Job titles, stay at the door. We don't care if you're a student just curious about coming into the industry, or you've been in the industry forever. We don't care. We don't care who you are.

That's so cool. It's a kind of decentralized mentorship system. Where you'll have a fun party too. I look forward to seeing what you guys do in the future with that.

Moving on to industry outlook now. Cyber threats are evolving particularly quickly with AI. So, as they become more sophisticated, how are you guys as managed service providers keeping up with that, especially with your USP of being affordable for small businesses?

Great question, that's what these bags under my eyes are about.😁

I think we're seeing a big shift at the moment and we all have our own arguments for our own cases, but I think MSPs and MSSPs, they're becoming the backbone of cybersecurity for the SME market particularly. I think as everything evolves, like the threat landscape, so does our responsibility, if that makes sense. Two years ago everything was about detection and response. We don't want to be in that constant: ‘what's going to happen next’ area. What we want is, rather than being responsive, we want to be proactive. So, before it gets to that point, we've prevented anything bad from happening. You're never going to prevent everything. 

I really hate talking about AI, but with AI, the ‘bad guys’ are just one step ahead all the time, and they're always going to be. So, we have to work on the resilience and the education piece and all of that great stuff that's really important and so is collaboration.

I think we live in an industry where we have so many big vendors who keep everything so close to their chest and as the landscape evolves and AI comes into play, we need to get a lot better at collaborating. So, I think for us here, we really do our best to demystify cybersecurity.

You've got some organizations that don't really understand what cybersecurity is. They don't really understand why they need it, but they know that they need it. You can be really unethical about that. If you go and have a look on the internet, you'll find lots of companies that do it. They will literally sell them everything that they sell. It might not be a managed service, but they will sell them it. The SME then buys into that, they trust them, they buy it, they spend all that money, but they don't have the people in-house to drive that technology. 

Technology's incredible. All of the technology is brilliant. It blows my mind what technology can do. But technology can only do that with the people behind it that understand it and know how to drive it and maximize its potential and its capabilities. So, I think there is, there is a big gap, but I think we're moving from managed service providers. The ones that are doing it really well are moving out of that MSP world almost into a trusted advisory world. But you are always going to have the people who, don't do it so well. So I think there's a big disjoint there.

Primarily to keep on top of things, it has to be proactive security, and we have to build on company's resilience. You have to look at  your resilience and that's something that we massively push with all of our customers. If the bad stuff happens, what are you going to do? How are you going to communicate with your teams? How are you going to make sure that your business carries on running? How are you going to recover successfully if everything that you own has been taken away, everything that you use daily. So, resilience isn't just about having the best technology, although a lot of organizations would lead you to believe it is. It's about the process and the people within that process. So, you can't just look after one of those things. And I'd love to see us go back to a place where people process technology because that works. Then when stuff goes bad, it's those people that are going to keep your organisation going.

So that's very much the way that we encourage people to do their cybersecurity and that's all you can do. Another thing is to be really, really careful about the language we use and not use scare-tactics because all it does is make people bow their head in the sand and we never get any better at it.

Maybe we could talk about people being the biggest risk and the biggest benefit to an organisation and how important training is within cybersecurity, because really it sounds   what you're saying is that the key thing is to put plans in place to train people to know why certain security actions are important?

I mean, there's a lot of people that say, ‘security awareness training fixes it all’. It doesn't, and a lot of it is very repetitive. It might be helping somebody spot how to have a look at a URL on a website or to be really careful about what they click on, what attachments they open, and stuff like that. The fact of the matter is we're human beings, right? We're all busy at times and I mean, if you had to look at my own phishing report, it’s probably horrific.

I'm probably the biggest human risk in this building, and it's because I'm busy. If something comes through and it says it's urgent, I will click on it, if I'm being honest, and I think if a lot of people were, they'd say the same. But when you look at that in an organization, what we want to do is we want to give everybody within that organisation, not just in the IT and the tech departments, we want them to be able and feel confident enough to admit that they've clicked on it at that moment, we don't want them covering it up. What we want them to do is to have clear process of how they report it. So, for example, on our emails here, we have a little phishing hook. So, if I click on something and I know it's bad, or anybody does, or any of our customers do, they click that hook automatically.

"I'm a firm believer in, ‘No blame’."

It's about time. It's about making people feel safe to be able to come to you and say: “look, I've made a mistake. This is what I've done. This is what happened. Can you help me?” And I think for so long, we've positioned humans as being the problem that needs to be fixed. And you just alluded to it there, actually, they're our greatest assets. They're the ones that we can use to spot things that don't look quite right. They're the ones that, if we make them feel safe enough to do so, they're the ones that are going to alert us that there's something wrong. Which gives us chance to fix it. I'm a firm believer in, ‘No blame’. We need to equip people, not blame people and it goes back to that fear-thing I was saying just now, we need to build confidence and not spread fear. I saw one the other day, which really annoyed me, the gotcha kind of phishing emails and it's like making an example of them and  their screen lighting up bright red and flashings the whole office. That's quite gross behavior, I think. I don't think that's very nice. 

You need to also know your audience. Every single organisation that I go into and I do any kind of incident response training or training in general, I make it relatable to that organization or to that department. For example, the accounts department is a very different conversation from, say, speaking to the HR department. They've got two different business goals. Two different functions within the organization. It's two different types of training jargon as well. Jargon, buzzwords and acronyms in our industry, just stop using it, just use clear plain English. We don't need it. It just confuses people. I said it earlier, the language that we use is really important because that language is what breaks down those barriers far quicker than any piles of technical policy and all that kind of stuff. It's language. Language is really important and it's empowering as well. If you give your employees the tools to be able to act when something goes wrong, it instills trust in them and it shows that we're trusting them to report suspicious activity. And if it's not, so what? If it is so, brilliant. You've just saved the company from being hit with ransomware. So, I think it's important. We need to give people the tools and not technology tools, but the tools to understand themselves and for their own resilient toolbox. It's okay to challenge something that doesn't look right, we want you to do that and give them a little bit of ownership on it. It's all about language. 

It's about language and how we talk to people, but absolutely human beings, they're not the weakest link. They are, in fact, our biggest asset. 

How do you work out what the right way to approach something is? 

Before you go into an organization, it is a good idea to get some information. You can have a look on LinkedIn; you can see what kind of stuff they post. You can kind of figure out from that as well what their appetite for cybersecurity is. Do they write stuff about it? Do they comment on stuff? That kind of thing. Have a look on Glassdoor. It's no different. I try and put myself in the position as if I'm going to interview to go and work at the company. That's how I approach it. Have a look at what ex-employees have said and things like that.

And then you can get a really good feel of what the culture’s within the company. That decides how I approach them. And let's be honest, I'm a female, if I go into a boardroom full of men, I'm going to be a very different person to what I'm going to be if I go into a boardroom with a fairly balanced audience. And that's just the way it is, because if I'm not, I'm going to get eaten alive and they're not going to listen to me. So, you have to be a bit of a chameleon, I think. I like to think that I'm quite a good chameleon. I can change my colours to suit the environment that I'm in. And that's it really.

What progress have you seen around gender diversity, but also kind of mental health acceptance in tech, cybersecurity and what are your big barriers that still need to be broken down? 

I think diversity around gender, in particular, it's quite a funny one, to be honest. I saw a post the other day where someone who I really admire in the industry was like, ‘What? There was no woman available?’ And it's an event, I think it's this week, sometime in the evening, and the panel is all men, the moderators are men and then you look at the people that are attending it, they're all men. And it's kind of: ‘well, there were no women available at all.’ So, that is still very much a thing, I think.

I think I have to be careful what I say because I don't want to upset all the women in the industry. I've been in a position where I've been part of the judging panel for court papers for conferences and stuff, and a lot of the papers, I'd say probably 90% of the papers this particular time were men. You can only pick from the pool that you've got. So, it's a process, a call for papers, you can only pick from the people that choose to submit. However, when you then look at the conference and it starts at eight o'clock in the morning and it doesn't finish till half past five, six o'clock at night, that's a huge blocker there for any woman that's got a school run to do, got a nursery pickup to do. At the end of the day, they're not going to submit a paper because when I'm worried if I submit a paper for this and my talks at eight o'clock in the morning, I've then got to withdraw, which then makes me look flaky or not reliable, all those kind of things. 

Yes, the women are there. I mean there are absolute icons in the industry at the moment. Trailblazing for the rest of us, they're there, but I don't think the conferences or events give enough thought around the other things that women do outside of their working hours. And I'm not saying that men don't do that as well, but that is a fact of life. 

I was in Paddington not so long ago, and it was one of those really horrible evenings and it was really raining and all the screens just went blank. Everything's cancelled, everything leaving Paddington, and there was a woman who was absolutely hysterical. Her husband was working in the States at the time, and her nursery closed at six o'clock and this was at 10 to 5. It's the ‘how am I going to get home?’ I think when we look at senior roles, especially within fifties, I'll use London for an example 'cause that's where we both are, women have to consider that. Women have to consider that our trains don't do what they're supposed to do in this country. We all know that it rains, it's too hot, anything. We have a lot. So, as a woman, I'm going to drop my child off at nursery at say, seven o'clock in the morning, go off into London on my train, and risk not getting back to pick up my child from nursery.

With a big shift at the moment as well, obviously of going back to the office. I don’t know why, because we've all done pretty well for the last five years at home, but there's a big shift of going back into the office as well that has a huge impact on women applying for those higher positions, progressing in their career, I suppose is the right way of saying it. I do think there's been progress. I do think that. I don't look at conferences or event schedules and think, ‘oh my God, here we go again. It's all men.’ Because I do think I didn't have people out there who are really trying to turn it around, but I think that they need to be more mindful of, for example, if you put a couple of papers out, why don't you say that women's speaking slots, I don’t know how you word it, because I'm not, not great with words and I don't work in HR, so no one come for me. You can't do a man and women's call of papers, but do a women's call of papers. But put a caveat on there to say if you have time restraints around early mornings please add that and we'll accommodate that and do your appointment over lunchtime. It takes away the stress from the woman that's going up to speak in front of hundreds, sometimes thousands of people worrying, ‘oh my God, I’m the last talk of the day, am I going to get back for childcare, etc. So, I think that's really important. I also think, there's some great initiatives at the moment where women can go and feel fully supported. I don't think that we always had that. I think we've had places we can go where we might have felt represented, but representations and being supported are two different things. 

Also as well, flexible working, which we've kind of touched on anyway. I think within our day-to-day job roles, there has to be flexibility. That's not just for women either. Some men need that too. But I just think we need to have a look at that. My most productive time, it still is after seven o'clock in the evening. I could do three days’ work between seven in the evening and 11 at night. So, yeah, just have a think about that. Just because somebody's not working box down at nine to five doesn't mean they're not an incredible asset or team.

"Saying it to a room full of people that agree with you and I might not be right"

Is it still a tick box? Yes, I think it is. I get offered to be on panels and I have a look and I'm definitely the token woman. No, I'm not doing it. The other thing which is important to mention here as well, we have loads and loads of great female-led organizations within the UK that are there to support women and build your tribe, all those kind of things. Great stuff. I do think that we need to have a look at getting men into those groups because I do think we're becoming a bit ‘echo chambery’. I'm talking about the things that I need and that I need to see from the industry and I need to see from my allies not really working because there's no men there to hear what I need. So, saying it to a room full of people that agree with you and I might not be right. 

I might be being really unrealistic about what my expectations are, but also what does my male colleague want from me? What can I do to support him? Is he having a really bad time at the moment? Is he struggling with childcare, juggling it with his wife? Has he got a relative that he's looking after at home? And the other thing that you can't ignore. It's not just in our industry; it is in the UK. Men and their mental health and the suicide rate for men in this country is just so incredibly sad. Are we doing enough to look after men within the industry? Probably not. No, men, as we've just alluded to, they tend to fit in the senior roles. If you look at big incidents that have happened just in the last few months. Probably 90% of those teams are male. Where's the support for them? Have they been looked after properly by their organization? What they've been through is traumatic, and I know people think that that sounds quite melodramatic, but it has been a trauma, what they've been through, they haven't slept. Probably haven't seen family, haven't had downtime for weeks. Who's helping them process that and come back from that.

So it does work both ways. Men don't suffer the same biases that we do as women, but they definitely, from a mental health point of view, they've got exactly the same challenges. So, the mental health and wellbeing bit, that's a combined push that we need to have.

Thanks. What you touched upon there about homeworking is interesting. Because you do wonder sometimes why are we all coming back to the office when, especially women, but men too, homeworking can be so convenient. 

I think that's really important as well for women and this is going to sound like I'm not a girly girl, but if I decide that I'm going to do my hair and my makeup in the morning, and this is going to sound so trivial to so many people, but nobody talks about it. That's an extra hour and a half in the morning for me to get ready to go and get on that train, come into town. So, if I'm staying at home or if I'm just coming into my office here, it's scrape my hair back. I don't really care. It's a little bit different for men. They shower, they shave, they get dressed, and they go do, I mean, my husband can be out the house in half an hour. That's from getting out of bed to walking out the door. That's not happening for me. So, again, you haven't only got that commute, you've got that hour and a half before that commute. So, before you even get into work for nine o'clock, you've done four hours and it's just really hard work. Makes you wonder how people did it daily, right? But I mean, and I'm sure some people would come back and say, ‘well, that's a preference’. And you might say to them, it's also an expectation that women have, that men don't and I think that's really where we bring that to. People might ask you if you're okay, if you were to scrape your hair back and come into the office in that situation, not something that you really ask men. Even if they've got a bit of a five o'clock shadow, I would say no. You just think they've been out and had a good night the night before. 

I just want to move the conversation onto kind of the last topic, which is the new generation, young people coming into the industry and I'll give you an opportunity to   maybe talk about if you work with anyone who supports young people in the industry. I know we've talked about how Cyber House party does, but I think I want to ask you very specifically what's the one piece of advice you'd give those young people starting out in the industry?

Okay. There's some great advice and there's some fantastic initiatives as well for young women, which weren't there when I started out. They're doing great things. I think one thing that I do notice about the next generation that is coming in is their mindset. It's very different. They are absolutely not afraid to challenge the status quo, and I love that. They're not afraid to talk about mental health or diversity or ethics and talk about it really candidly and really honestly. And I think that's a breath of fresh air and it's something that our industry needs and they're definitely going to develop the future of cybersecurity with the integrity and heart that they come with. So, I love that. That's really important for anybody starting out in our industry. Finding your village is really important. Many years ago when my oldest son was born, he's 26 now. I was doing it on my own kind of thing and yeah, I was told that I needed people around me. I needed a village. “It takes a village”. I was like, ‘no, absolutely not. I can do this all on my own.’ But day two, I haven't slept and I realised I need a village. 

So, as you move into cybersecurity, you have your old friend group. Something horrific happened. It was about eight years ago, and it had been one hella four days and we went for drinks on a Friday night. I sat there trying to talk about it and I'm crying about it, and they're looking at me and they're like ‘what are you talking about?’ So I've got no idea what it's like when there's an incident. I think it was going really, really wrong. And I quickly learned then that my friends, my village within the industry, they're everything. They're a safe space for me. I trust them. I can talk to them about anything. And they've become  an extended family. I mean, they're my best friends, but that's really important.

So, I think networking is absolutely key. And I know it's awkward and it's really cringe and I still get sweaty palms and probably have to go and have a glass of Dutch courage before I walk into networking events because it doesn't come that naturally to me. I find it really awkward. It's really important and as you grow in the industry and as your profession grows, you'll be so grateful for those people that you meet in the beginning.

If we're going to talk about mentoring and sponsorship, that kind of thing, they're two very different things, but obviously from a mentoring point of view, to find a mentor at each stage of your career is really important. It's helped me massively, and everybody needs a different mentor, but they're there to guide you, give you perspective. They're there to listen to you and they’re very often on that networking. Whether it be your mentor, other people you meet, that then become your sponsors because I might see somebody today that's looking for a certain somebody and they're describing. I met this woman the other night, this young lady the other night at this event, she's perfect for that. Then I become her sponsor and you just build and build and build from that. But I think that's really important. 

The other thing is as well, just be really curious, if you ever walk into a room and you know everything already, you are in the wrong room. Do you know what I mean?

I mean, I don't tend to go to events I don't think I'm going to learn anything from, I'm always learning. I love learning about new things and new techniques and technology, not just the tech side of it. You are never going to know everything, and that's how you feel when you come into this industry. You feel, ‘oh my God, I need to know’, you are never going to know everything, and nobody ever will. So, nobody else sat in that room knows everything either. I think imposter syndrome, as much as I think it's a bit of a buzzword, it is real. Especially in this industry because we move so fast, everything moves so fast, the threats and the technology move really fast.

So, you have to remember that everybody that you look at that's an expert in something that you might be working at the moment, they were you before. Do you know what I mean? That they didn't just become an expert overnight. They've been there for many years and they've built it and just show up. Show up as yourself. Be yourself. And I genuinely think that if you can show up, do those things, the networking, build your village, the rest follows. Just be true to yourself. I think that's the most important thing. Just be yourself. 

What's the most important skill for someone to have?

Curiosity. I think when we interview here, we don't look at certs, we don't look at education. I don't even think we get to the education bit because for me it's about when I interview somebody. You can teach anybody anything. So if you think about our roles in cybersecurity, a lot of it is learning. So ,all of that's teachable. It's how you show up. So if I'm interviewing and somebody, they're asking me loads of questions, they're really curious and they've got that attitude where I think I could really work with you and I can teach you and we can go on this journey together. That for me is the most important thing, is curiosity and ‘I want to learn’, they sound really  wishy-washy soft skills, but those soft skills are what are going to make you a great professional within cybersecurity because you want to learn and that's something else. This is a reality check for anybody who's coming into cybersecurity that thinks they're going to learn one thing, and that's the end of it. It's not. We learn, all of us, even people that are about to retire in this industry, we still learn new stuff every day. So it's not a one degree, one certification, that's it for your career. Cybersecurity isn't that. It's, you grow daily and you learn daily. So, you need to be a bit of a sponge.

Education will never stop for the whole of your career. Just be prepared for that. But know yourself and know your worth and understand who you are and where you want to be. 

The other really important thing is, as well, you'll talk to people that come into the industry and they pigeonhole themselves, right? I want to be a pen tester. They don't realize that there's that little cool bit of it, but the rest of it is all writing reports and writing and writing and writing and writing. There's so many different areas. But yeah, pen test tends to be the thing when you ask young kids in college. ‘I want to be a pen tester. It's really cool.’ It's not that cool. But anyway, don't pigeonhole yourself because it doesn't matter which direction you go in. You might think, I really want to work in GRC, I really want to work in policy. And you might get there and be like ‘this really isn't for me’. Stay there. Do your year, two years’ experience there. Cybersecurity is such a beautiful industry because you can pivot so easily. Every job that you do will be relevant to another job in another area of cybersecurity. So, just because you've gone on one path, don't think that that's it. You'll sit there for the next 50 years.

Pivot. Pivot and go and try something different. Because there's all different flavours and there's something for everybody. 

Thank you, is there anything else that you want our readers and listeners to know about?

So for the women, which it will be primarily women that listen to this, there's ‘women in cybersecurity’. It's free to join. There's great mentoring programs in there, brilliant events,  booster, networking, that kind of thing. Definitely join that one. There's another one as well called, ‘Women in Tech’, again, great mentoring programs in there, great events, across the country. They're really good. And then one that I think is really important to mention is the Mental Health and Cybersecurity Foundation. They're doing loads of work, loads of research at the moment on how specifically they help people that are struggling with their mental health in our industry because it is quite specific. We have quite niche things that we're going to go through in our careers, we need that kind of help. We don't need just general mental health help, if that makes sense. So, they're the three that I would really say that, everybody should be following, joining, attending their events and building their village. It's a great place to start. 

Thank you again to Nikki Webb for sharing her time and perspective. Her story is a reminder that strong cybersecurity starts with people, not panic. From building an affordable, human-led approach at Custodian360 to creating space for real connection through Cyber House Party, Nikki shows what leadership looks like when it is grounded in care, clarity, and community.

Our Tech Talent Spotlight Series aims to shine a light on individuals like Nikki, who are driving change and pushing the boundaries of what's possible in the tech industry. It’s an opportunity to showcase expertise to a wider audience and inspire the next generation of technology leaders. 

If you or someone you know would like to be featured in our Tech Talent Spotlights please reach out on hello@franklinfitch.com .