[00:00:00] CS: Hitch up the wagons and polish your spurs, because it’s high noon, and the searchers are looking for a way into your network. October is National Cyber Security Awareness Month, and Infosec is helping to tame the wild, wild net with our collection of free training resources that will make your employees the masters of the cyber frontier and bring cybersecurity to the forefront of your organization. Go to infosecinstitute.com/ncsam2020 to download our free toolkit containing a stagecoach full of provisions to run a month-long security awareness campaign, including posters, infographics, newsletters, email templates, presentations, and more. Grab Cybersecurity Awareness Month by the horns with this wild bunch of free material from our award-winning LX Labs team.
Just as the wanted posters in the Wild West help the public recognize the region’s most notorious villains, our free training kit reveals the identities of common cyber threats to help prepare your employees for the real attacks they face. Again, go to infosecinstitute.com/ncsam2020, or click the link in the description to get your free collection of training materials and help spread security awareness.
Now, let’s begin the show, partner.
[00:01:16] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
Our guest today is George McPherson, host of the Black Cyber podcast. George has an impressive background in IT and information security and we’re going to talk about a security journey and we’re also going to talk about ways to bring more black, indigenous and people of color professionals into the cybersecurity world.
When George McPherson was pulled through the ranks and pinned as a 21-year-old sergeant in the US Army over 20 years ago, he learned two things about himself. He can accomplish anything he put his mind to and he would always pull others up if he was in a position to do so. George prides himself on integrity, an insane work ethic, attention to detail, and his greatest superpower, outside-the-box creativity. With 25 years in the technology industry, the first 18 in telecom and the last 7 in cybersecurity, George had the opportunity to work in industries such as the military, telecom, local government, healthcare and electric utility. George has expertise in incident response, security monitoring, threat analysis and network security engineering. He’s well-versed in direct and remote analysis with strong critical thinking, communication and people skills. George is able to thrive in fast-paced and challenging environments where accuracy and efficiency matter.
George, thank you for joining us and welcome to Cyber Work.
[00:02:45] GM: Thank you for having me on the show, Chris.
[00:02:47] CS: Yeah, I kind of gave your background here. But I want to get a sense of your career trajectory up to this point. So you started out in telecom. You started in IT, but what sort of got you interested specifically in cybersecurity? What were some of the steps between this point of your career and then jumping into the security side of things?
[00:03:08] GM: Yes. Like you said, I spent 18 years in telecom. Kind of I still loved what I did, but working outside, climbing on to houses, climbing telephone poles, kind of old. I wanted to save more body.
[00:03:22] CS: I’m sure. Yeah.
[00:03:24] GM: I jumped into IT. Kind of went to an IT training program. And to be honest with you, I say I got lucky, but it was a lot of hard work in between. When I got into IT, it was literally January 2013. And I was doing Windows 7 upgrades reimaging, and I literally got my first cybersecurity job 10 months later in October 2013. I know this doesn’t happen for most people, and I did expect it to happen for me, just positive thinking. But when it happened it was like, “Wow!” I really did it.
[00:04:10] CS: Yeah, that’s awesome. How was the sort of cybersecurity changed over the years since you started in the field? Can you sort of talk about the way you did things in 2013 versus the way they’re done in 2020? What are some of the changes?
[00:04:25] GM: What I would say is mobile devices existed for years, but people use them more do more. So it creates more threats. Aside from working on a PC, they like to work on their phones more. You got the rise in IoT. You have IP on everything. You have IPs on refrigerators, even microwaves. It’s just so many things. It’s just a lot harder to kind of manage threats these days.
[00:04:56] CS: Yeah. Yeah, the whole threat surface. It’s just so much larger now and there are so many places that people can get in. You mentioned a little bit, but once you got in to the cybersecurity field, it seems like your skillset and area of expertise grew really, really quickly. From 2013 till now, you went from general IT, to networking engineering, to CSOC analyst and consultant, to the point where you’re implementing and monitoring Mecklenburg County’s security solution. So could you sort of give me a sense of like your learning journey in that regard? What types of learning or study or practice or on-the-job training helped you to move up the ladder that quickly?
[00:05:35] GM: What I’ll say is just a thirst for learning. When I got my first cybersecurity job, I wanted to make sure I learned. In that case, I wanted to learn weak points. But in that case, being green, everything was a weak point. Just learning everything, learning things at work, taking it back home, studying it, doing labs. Labs were key. Studying on my own when I didn’t have the pressure to perform at work, when I could unpack it and see what was really going on and take that back to work.
So what I actually – I credit that always lab and always learning on your own and identifying your weaknesses. And the other part of that, I always look to mentors. Either I would find a mentor where I worked on the security group. If I saw somebody that had a high-skill level, I would kind of look at their traits and kind of emulate that and try to work on those traits. And if I didn’t have that person, clear person in that unit, I would just reach out to somebody in the cybersecurity. Somebody I see on YouTube that’s a thought leader, somebody that you just want to follow their footsteps. I think I attribute those two things.
[00:06:54] CS: Okay. I mean, were there particular sort of types of things where you’re like, “Oh, this is really interesting. I want to learn this.” And then that sort of pushed you into like a different area? Were there like just sort of security skills or problem-solving things?
[00:07:08] GM: What I will say is when I first got started, it was jack of trades. We were a small cybersecurity group, but huge organization, healthcare organization. So, we’re just learning everything. So, it was kind of hard to figure out then what I wanted to do. I was just trying to be good at everything. But I took a networking job kind of after that cybersecurity job to get my networking skills up. I did that for about a year and then I jumped on the cybersecurity side. And I actually took a contract, SOC analyst role. And that kind of woke up the blue team side. Instead of doing regular operations, then you started getting into the theory and tracking down hackers and figuring out what’s going on and unpacking that. And that’s really would kind of start that analyst side start coming out, the analytical side.
[00:08:04] CS: Yeah. And then from there – So it says you sort of installed and monitored the security system for – Was it Mecklenburg County’s in Virginia did you say that was?
[00:08:14] GM: That’s in Charlotte, North Carolina.
[00:08:16] CS: North Carolina. Yeah. Yeah. Yeah. So tell me about that. Did you sort of like designed that system? What is the sort of scope of Mecklenburg County’s security system? What are the things that you’re protecting?
[00:08:29] GM: Gotcha. I’ll give you the high-level of that. When I first got to Mecklenburg County, I was kind of hired as a – Because I had that background where I could use many tools. So I was kind of hired as a backup to everybody, because I knew all the tools. And I was brought because of my threat skillset. Most people weren’t doing threat. It was kind of a small team, maybe a few people, three or four people. And a couple months after I started, the firewall got moved on to another position. So that opened an opportunity where my director tapped me on the shoulder and said, “Hey, we need somebody with a firewall skillset. Would you be willing to do this?”
So, I did that for the first year. And then after that, we hired a firewall engineer and I was able to refocus on what I originally came for, was the threat side. And by that time, we started having conversations around shouldn’t we build a SOC? Getting our SIEM in place. Start putting in the technology, the methodology. And that’s when we started building the SOC out. Start building the capabilities.
And what was funny about it, that team was like a security operations team for is operational daily, just that team. When we started building the SOC out, we started growing a lot. And then we build the identity and access and other security teams. So it’s been a good journey.
[00:09:58] CS: That’s cool. You’re talking about the importance of mentors. Can you give me a piece of advice that a mentor gave you that really stuck with you or that sort of driven you in this particular career journey?
[00:10:11] GM: I definitely have an example of that. A mentor told me to be relentless, be bold. I think that’s like don’t take no for an answer. Find a way to make it happen. That same mentor, the other thing he told me is even if you’re a person that likes to be taken to go in cybersecurity, it’s never too early to start working on your cybersecurity leadership side.
[00:10:37] CS: Okay. Yeah, go ahead.
[00:10:39] GM: You don’t want to be all technical. And then when the time comes to make that leap, it’s such a high leap. So you want to kind of build that in.
[00:10:48] CS: Yeah. So what are some advice – Do you have any advice for people who want to make the leap into a leadership from – Because some people just like to do the problem solving work, and we’ve had a few people say they’re kind of disappointed that they don’t get to do that anymore, because now they’re sort of leading a team. But what’s your advice in that regard?
[00:11:06] GM: Can you say that one more time?
[00:11:09] CS: Well, I guess I was just saying like for some people it seems like there’s a leap between just doing the cybersecurity work and solving the problems and chasing the bugs and stuff. But then once they go into a management or leadership position, like they kind of lose part of what they liked about it, because now they’re just leading other people who get to do the fun stuff. What is your advice in terms of not even related to that, but just what is your advice for making the jump into leadership from just being a worker?
[00:11:37] GM: Got you. What I would say is in meetings, you may be given the opportunity to kind of give a point of view on things. Don’t be quiet about it. If you have a good idea, definitely bring that up. That’s a strategic side, a leadership side kind of building that skillset. Another thing you could do, you do your technical duties throughout the day. But you can go to your supervisor and you can ask is there a small project that I could spearhead? That can build that problem solving, what it takes to make something happen. You see the holistic picture, not just the technical side. So that’s what I would definitely recommend.
[00:12:19] CS: Yeah. I’m excited to talk to you about your podcast, Black Cyber. So what got you interested in hosting your own podcast? And for people who are unfamiliar with it, what’s your nutshell description of what the program is about?
[00:12:33] GM: Gotcha. What got me interested in the podcast ever since I’ve been in cybersecurity, I’ve been trying to help others get into cybersecurity. I make posts and articles on LinkedIn that kind of motivate people and help them and even some technical posts. I was just trying to think of different ways to do that. And I think one day I was on YouTube and I was looking at some of the top podcasts and I started getting entrenched in it, and it was really interesting just to see people kind of talk things out and unpeel things in a podcast.
So I came out with an idea for the podcast. The podcast is basically to help all people get into cybersecurity, but is mainly geared towards African-Americans to cover that diversity side. For new people trying to get into cybersecurity, for mid-level, how do you get to that next level? Once you’re at the mid-level, senior cybersecurity and just to kind of be successful throughout your career. What I also stress is you’re not just an employee. Some people may look at it different. You have some old school people in cybersecurity may say it’s just about the work.
[00:13:45] CS: It’s just a job. Yeah.
[00:13:47] GM: Yeah. My belief is it’s a brand as well. You should treat yourself as a brand and do things that reflect positively on your field.
[00:14:01] CS: Yeah. Now do you sort of start each episode with a topic in mind or do you get a guest first and then sort of see where it goes? How do you sort of structure your podcast? What can they expect?
[00:14:13] GM: Got you. First episode, and I was doing research before I started and then just like, “Hey, start talking.”
[00:14:19] CS: Yeah. Got to get the content out there.
[00:14:21] GM: Oh yeah. My first episode kind of just told about why I was starting the podcast and how I actually got into it. After that, I had a few more, just kind of reflecting on some things that would help people and motivate them and get them in the industry. Think about episode 3 or 4. I started incorporating guests and start digging into topics of successful people in cybersecurity that could give good advice and help people get into the industry.
[00:14:53] CS: That leads into my next question. What’s your favorite piece of advice you’ve either given on Black Cyber or that one of your guests has given listeners on Black Cyber?
[00:15:03] GM: Favorite piece of advice. Stay motivated. And as rewarding as cybersecurity is, that’s why I’m pushing people to get into it, because it’s a very rewarding field. Know the flipside. It’s a very hard industry as well. It’s a very stressful industry. You have to manage that. And when you’re initially getting in, you’re going to get a lot of noes. You’re going to have to not take it personal. Just keep going.
[00:15:33] CS: I mean, that’s a really good point. You talk about your sort of insane work ethic and your relentlessness, the importance of relentlessness and so forth. How do you avoid burnout?
[00:15:46] GM: I think I avoid burnout by having other interests. I do acting on the side. I do voiceover on the side. I used to do a lot more acting. But when I got more serious about cybersecurity, the time – I mean voiceover, you can do at home. So that’s perfect.
[00:16:04] CS: Yeah, especially now. Everyone is doing voiceover at home I imagine. Just get a good mic and a good internet cable – connection.
[00:16:10] GM: Oh yeah.
[00:16:10] CS: Yeah. I want to talk about the sort of one of the big cornerstones of Black Cyber. What tips would you have to people of color who are trying to enter the world of cybersecurity and what are some of the ingrained pitfalls of the industry that you had to learn to sidestep over the years?
[00:16:27] GM: Got you. What tip I would give them is operate off the 10X rule. Do 10 times more. Work super hard. Everybody knows we have a diversity problem. It’s like for whatever reason, and it might be that’s another conversation. We’re unseen. So, I’m like do 10 times more. Be creative. Find ways to just be successful in the industry.
[00:17:02] CS: To that end, could you give any recommendations to give to organizations to make their workplace corporate culture more welcoming to a diverse workplace?
[00:17:10] GM: Gotcha. What I would say about that is, first, I would look within. And I you could honestly say – If you couldn’t honestly say that that was a diverse environment, I would first look into the marketing. If I go to a website and I’m looking for careers and I look at that website and that website is only one type of person and that person doesn’t look like me, subconsciously I may say I may not be a good fit or not good fit or I may not be able to work here. I may not get the job.
[00:17:49] CS: Yeah. I mean to that point, I think there’s a big conversation within the industry and within HR and within people who – There are companies that really do want to recruit more black people and more women, more minority professionals. But they’re not only not able to hire them, but they’re sort of not able to make themselves desirable to the professionals they’re trying to recruit. So you hear a lot of excuses like, “Well, we’d like to hire more inclusively, but we don’t get any applications from women or minority candidates.” And this speaks to sort of a problem on the sort of job posting side and the HR side. Do you have any sort of thoughts in this regard into where to find more people of color and so forth?
[00:18:36] GM: Gotcha. Yeah, I got a pretty good idea. And I think I’ve seen one company doing this, a pretty big company. But I haven’t seen it kind of circulated, and it is a good idea. I would recommend to those companies to zero-in on HBCUs that may be in your city.
[00:18:58] CS: Yup.
[00:19:00] GM: You can go out, talk to them if they have a cybersecurity program. You can go out, talk to them. Let them know you’re interested. So that kind of piques their interest. Put your company on their radar. Let them know that, “Okay, that’s a big move. You come into an HBCU and you’re talking to us and you’re kind of setting up this pipeline.” So I think that’s a good quick easy way to kind of start going in that right direction.
[00:19:29] CS: Yeah. And I think there also needs to be sort of a sense of building a bench too. Because if you just hire a lot of African-American candidates in sort of entry levels, then it gets hard to figure out how to move up into managerial and CEO and SEO or a CISO and so forth like that. I mean, you really have to kind of build the bench at all levels. I mean, that’s going to require sort of a multi-pronged attack in this regard in terms of like really making a conscious decision, right?
[00:19:58] GM: Yeah. I definitely want to add to that. It’s not about just African-Americans. The keyword is about diversity.
[00:20:04] CS: Yes. Yeah. Oh, yeah.
[00:20:06] GM: Yeah. When you’re trying to figure out problems, you need different ways to look at that problem and you need people from different background and different ethnic groups, different cultures. So that’s where it’s like that’s where you should be operating from.
[00:20:19] CS: Yeah, and not just men and women and different races. But different – People with physical disabilities. Or we’re hearing so much about how so many security things that if you’re thinking in terms of like, “Well, everything just works for me,” the keyboard, this, that and the other thing. If you have someone that has – Where not everything is a default like that, you have more solutions at-hand. This foundational thing that I didn’t even think about is right there in front of me. But you need a lot of different conversations at the table. And also you need to be listening to all of them.
[00:20:57] GM: Oh, yeah. Yup.
[00:20:58] CS: Yeah. So not just in terms of hiring more diverse professionals, but I want to sort of also talk about the workplace culture and the way companies can move their workplace towards a more friendly and accommodating space for a diverse workplace. Because like you said, if you look at the staff list and it’s all sort of unified race or background or whatever, it’s hard if you’re the first person to go in, have a different background and not feel like it’s sort of like us against them or us against the world or whatever. I think that there can be things that can change within corporate culture. Do you have any thoughts on how to sort of bridge that a little better?
[00:21:42] GM: I do have an idea, and I’m not speaking as the expert. What I would recommend with certain companies – And that is a buzz word now, diversity and inclusion. So most companies have that department. If you don’t have that department, that’s your first thing you need to do.
[00:22:02] CS: Yeah. It needs to be a part of the culture.
[00:22:04] GM: Oh yeah. And once you get that in the culture as a hiring manager, how do you reach out there and collaborate and start brainstorming some initiatives that create that. They’re the experts. They can think out of the box trying to help you with those issues and close that gap.
[00:22:22] CS: Yeah, I totally agree. So speaking of sort of a related thing, and it comes up on our show all the time. But do you have any thoughts on the so-called cybersecurity skill gap or talent shortage? Where do you see that? Do you see that in your own workplace and do you have any thoughts on it?
[00:22:38] GM: Yeah. I do have a couple thoughts on it. I think there are a couple parts to it. Hiring managers, when you’re writing a job description, you have to – And I don’t want to offend anybody, because hiring managers are very smart at what they do.
[00:22:59] CS: And they listen to this show.
[00:23:00] GM: They listen to this show. But be honest though about what you’re really looking for in that role. Just don’t buzzwords in the job description and say, “That sounds nice.” And then when you put it out there, you wonder why you’re not getting the right feedback. Other thing I would say is when it comes to job descriptions, don’t make them so specific that you close everybody out. Use more ors in a resume than ands. Because if you use a bunch of ands, you’re going to disqualify a lot of people out. And to them at first thought, they might say, “Oh, we eliminate 90% of the people and we got 10%. Oh, that’s the best 10%.” But is it the best 10% or is it just 10% and you left some of your all-stars in the 90%?
[00:23:54] CS: Yeah. Absolutely. Yeah, you’re closing things off. I mean, let’s talk about that a little bit too. What are your thoughts if you’re looking for a job in cybersecurity and you see something and you see one of those kind of things where they’re looking for a unicorn candidate? Obviously, your advice could be to push through. But like what are your thoughts on – You see something. I might not be qualified for it. Do you go for it anyway?
[00:24:22] GM: My rule is if it looks like a little bit of a stretch, a stretch is always good. That makes you better. If it looks like a huge stretch and maybe you’re wasting your time and the hiring manager and the recruitment. You might be wasting everybody’s time.
[00:24:42] CS: If you can learn it over a couple of weekends, maybe it’s worth it. But if you get there a month later and you’re like, “I don’t even know what you’re talking about.” That could be a problem for everybody.
So to that end, we’ve had some mixed messages in regard to hiring practices in cybersecurity. And you were saying that there are too many ands and not enough ors. But what are your thoughts on organizations that emphasize the need for traditional educational credentials, like a BA or a BS? Do you think that’s even important anymore? Does that say something important? Or are you of the opinion that if you can do the work, then you should get in?
[00:25:22] GM: I’m of the opinion of if you can do the work, you should be able to get in. But at the same time, I know when you vet people, you do have to prove that you have that knowledge either if it’s a former position, certification or a degree. I wouldn’t hold a whole lot of weight in degrees. There is some capacity word. It’s important to hire leadership positions, maybe important. The important thing I would like to point out is sometimes you have a hiring manager that’s all the way onboard with that. But there may be a policy, an HR policy that they don’t know about that says, “We only hire someone with a degree.” So they would almost have to talk to each other and actually be on the same page about who can we hire? What are the stipulations? What rules them out beforehand?
[00:26:21] CS: Yeah. That’s what I was just going to come up to, is a lot of people in the cybersecurity or the security department say as long as you have the background or the cert, it’s fine. But you were getting these clashes where HR is the one doing the job descriptions or doing the final vetting. Even the cybersecurity people are writing the job descriptions and saying degree not necessary. But then if they don’t see it – It seems like this is going to be a big problem for the next couple of years of sort of getting HR onboard with what’s the security department actually needs. Yeah.
[00:26:57] GM: Oh yeah.
[00:26:58] CS: So obviously the last six months or so have completely changed the employment landscape yet again here. In your view, what’s the job market like right now in the age of COVID-19? Are companies looking for candidates? Do you have a sense of whether the process has changed for being noticed or getting an interview or starting and working on a job these days?
[00:27:19] GM: What I would say about that is I probably get a lot of hits on recruiters all the time. First, when people started going on those first month or two, our organization wasn’t hiring. You weren’t seeing a lot of jobs going up. And then I think after about two months, two or three months, I think people started figuring it out. We can definitely work from home. This may even be a good thing. And then that’s where you create, as a good problem where people have to interview with – I give advice on that, that you want to practice video interviewing.
[00:28:04] CS: Okay.
[00:28:05] GM: Luckily we’ve had a little bit of practice, because now we’re working from home. Everything is virtual. You learn how to work Zoom and other video platforms. So that’s what I’ve seen.
[00:28:19] CS: Now you said you have some advice for sort of practicing like video interviews and stuff like that. Do you have any sort of interview self-coaching tips?
[00:28:29] GM: What I’ll say that, I think when I did my SOC analyst contract position, that was fun and different because I never did a video interview. But what I did with that is I looked online for some study questions. Look at the job description. Kind of do a mock. I’m all about practicing, preparing, kind of do a mock interview. Put yourself on a Zoom. See how it feels. Go through the questions. Reel through the questions. How would you answer? How would you elaborate on those questions? And your dress code. I have my suit on for the interview. I got the job just off the video interview.
[00:29:14] CS: Nice. Okay. So it is possible then. Yeah. Yup. We’ll all get to meet and shake hands somewhere else down the line here.
[00:29:22] GM: Oh yeah.
[00:29:23] CS: So a lot of our listeners are just starting to think about careers in cybersecurity. I mean, we’ve sent out a survey and a lot of people are saying they have zero to 4 years in cybersecurity. So I’m always conscious of like pitching this to people who are entry level or pre-entry level. People who are in like helpdesk or trying to take the next step up. What tips do you have for newcomers who might feel a little intimidated about where to start their job search in cybersecurity?
[00:29:48] GM: I would say, as far as your job search online, is to search smart. If you don’t have the skills, you need to be using search terms like associate, junior, entry-level, to kind of key on the companies that may be willing to give a chance to somebody that doesn’t have that experience. What I would also say is level the playing field. If you’re going to be entry level, at least work and get your Security+. It’s harder now. They have more real-world questions, which is good. But it’s not an impossible certification to get first coming into the industry.
[00:30:31] CS: Nice. So okay, as we wrap up today here, if people want to know more about George McPherson or the Black Cyber podcast, where can they go online to find you?
[00:30:41] GM: They can go to my LinkedIn. They can just go to LinkedIn. Type in George McPherson and maybe cybersecurity to make it up if there are other George McPhersons. You can Google Black Cyber podcast. And if you Google that, it will come up. You’ll see kind of all the different platforms, Spotify, Apple.
[00:31:01] CS: Okay. It’s on all the standard podcast places. Great. Okay. Great. Well, George, thank you so much for joining us today. This was really enlightening and a lot of fun.
[00:31:08] GM: Thank you, Chris.
[00:31:09] CS: All right. And thank you all as usual for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to YouTube.com and type in Cyber Work with Infosec to check out our collection of past tutorials, interviews and webinars. If you’d rather have us in your ears during your weekday, all of our videos are also available as audio podcasts. So just search Cyber Work with Infosec in your podcast catcher of choice. And thank you to everyone who has been rating and reviewing. Hope you’ll keep doing that.
As a reminder, from the top of the show you saw a little video of me in a cowboy hat, to download our free Wild Wild Net security awareness campaign, including posters, infographics, newsletters, email templates, presentations and more. To keep your employees safe, go to infosecinstitute.com/ncsam2020 to go get it all.
Thank you once again to George McPherson, and thank you all for watching and listening. We’ll speak to you next week.