Your beginner cybersecurity career questions, answered! | Cyber Work Live
Whether you’re looking for first-time work in the cybersecurity field, still studying the basics or considering a career change, you might feel overwhelmed with choices. How do you know you have the right knowledge? How do you make yourself stand out in the resume pile? How do you get jobs that require experience without having any experience?
Join a panel of past Cyber Work Podcast guests including Gene Yoo, CEO of Resecurity, and the expert brought in by Sony to triage the 2014 hack; Mari Galloway, co-founder of Women’s Society of Cyberjutsu and Victor “Vic” Malloy, General Manager, CyberTexas.
They provide top-notch cybersecurity career advice for novices, including questions from Cyber Work Live viewers.
0:00 - Intro
3:38 - I'm tech-savvy. Where do I begin?
10:55 - Figuring out the field for you
19:16 - Returning to cybersecurity at 68
23:30 - Finding a cybersecurity mentor
29:39 - Non-technical roles in the industry
36:21 - Breaking into the industry
43:46 - Standout resume and interview
51:31 - Is a certification necessary?
56:50 - Related skills beginners should have
1:04:35 - Outro
This episode was recorded live on March 25, 2021. Want to join the next Cyber Work Live and get your career questions answered? See upcoming events here: https://www.infosecinstitute.com/events/
- View transcript
[00:00:07] Chris Sienko: Hello and welcome to our first ever episode of Cyber Work Live by Infosec. As you may know, on our weekly Cyber Work podcast, we’ve talked with nearly 140 different industry thought leaders about cyber security trends, the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cyber security industry, and today it’s all happening live. My name is Chris Sienko, Cyber Work Live host and Infosec director of online content. And as you can see today’s topic is Your Beginner Cyber Security Questions Answered. I’ll introduce you to our guests in just a moment. Before we get started, I have a few notes for our live audience. You are all on listen only mode that means. That you are muted, but you are still welcome to ask questions using the QA panel provided on the control panel. We had tons of great questions submitted in advance, but we will try to save time for new questions that come in as well.
And with that, I’d like to introduce you to our wonderful panel of guests today. Mary Galloway is the CEO and a founding board member for the Women’s Society of Cyberjutsu, one of the fastest growing 501 (c)(3) non-profit cyber security communities dedicated to bringing more women and girls to cyber. Women’s Society of Cyberjutsu provides its members with the resources and support required to enter and advance as a cyber security professional. With over a decade of information technology knowledge, most of which are in cyber security, Mary’s experience spans network design risk assessments, vulnerability assessments, incident response and policy development across government and commercial industries. She holds a variety of technical and management certifications including CISSP, GIAC, CCNA, etc., as well as a bachelor’s degree in computer information systems from Columbus State University and a master’s of science and information systems from Strayer University.
Victor, Vic Malloy, is your education ambassador currently serving from University of Texas at San Antonio Small Business Development Center and a retired military cyber security professional who has over 20 years of operational experience in government and private sector business application of cyber related solutions. Vic currently leads an organization that among other things develops and offers cyber security programs to enable small businesses to create system security plans and self-assessment resources.
Last but not least, Gene Yoo, has over 25 years of experience in cyber security for some of the world’s largest brand names such as Warner Brothers, Sony, Computer Science Corporation, Coca-Cola Enterprise, Capgemini and Symantec. Founded in 2016, Resecurity, Inc. has been globally recognized as one of the world’s most innovative cyber security companies with the sole mission of protecting enterprises globally from evolving cyber threats through intelligence and has developed a global reputation for providing best of breed data-driven intelligence solution. I’d also like to point out that it was a discussion after recording his cyber work episode that prompted this opportunity to ask questions to cyber security newcomers. So thank you very much for that, Gene.
Mary, Vic, Gene, welcome to Cyber Work Live.
[00:03:08] Mari Galloway: Hello.
[00:03:09] Victor “Vic” Malloy: Hello. Thank you.
[00:03:12] CS: Thank you for being with us today. So to start with, we had a number of questions come in via our [email protected] email. So we’re going to start with some of these. And with each of these questions there’re often a lot of related ones. In an attempt to get to as many as we can, I sort of group them by sort of topic. So the first one falls under the thing that was most asked, which was cert recommendations. So Lukash says, “What would you recommend to a tech savvy person in order to kick start the career in that field? Start from some most basic search like Comptia, A+, or jump straight into the more technical Security+?” So this is one of many. We had people asking what certifications do you recommend for security analyst or engineer. Can I get by with only my Sec+ certification? Is a cyber security master’s degree equally valuable to a CISSP? “What if we don’t have any certification?” said Rahul. So I guess I kind of want to answer not only Lukash’s question, but also get a better sense of like maybe we can all figure out what a good guiding principle is in deciding which certifications you want to chase. So anyone want to start?
[00:04:24] MG: I’ll start.
[00:04:25] CS: Mary, do you want to start? Great.
[00:04:27] MG: So this is a really good question. It’s one we see and hear all the time. My recommendation is to figure out what it is you want to do in the industry, right? Because there’s so many certifications and there’s so many different routes. You can go pen testing, incident response, digital forensics, GRC, and so there are different certifications for that. So figure out what it is you want to do in the field and then start to look down that path to say, “Okay. What certifications would help me get this job?”
There’s a really good site, it’s the NICE framework. I think it’s like niccs.gov or .org that lists out skills and things like that. You can take a look at the skills you currently have and see what kind of jobs those relate to and then look at what certifications and education are required for that type of role.
[00:05:14] CS: Yeah, that’s a really great starting point, and I think it’s really important to sort of go in reverse from what you want to do and then sort of match that like that. So, Vic, Gene, do you have any other suggestions in that area?
[00:05:26] Gene Yoo: Yeah. I would say I’m a very much a slowflake. I mean, having done IT. Being an engineer first and then pivoting to security and then to development and now running a company. It goes along the lines of what Mary said. It’s really about knowing what you want to. When I say I’m a snowflake, because I actually never have gotten any kind of certifications. Actually through conversations with people and whether or not I like the role and what they’re doing and not following the trend, but it was my desire and passion. Like do I like what they’re doing and is that something I want to pivot?
Even when I was a project manager or a program manager or being a software development manager, it was something that I was interested to, but I just ended up now running a company, which is separate, but it’s a journey. So I want to focus on a thing, but it’s what you desire first.
[00:06:26] CS: Right.
[00:06:28] VM: And if you don’t mind, Gene, I’m going to steal your icon so to speak of snowflake. There is never ever a duplicate of any snowflake. Every snowflake is unique, just like you are unique with your own fingerprint. So we always talk about who are you and what are those things that trigger your juices and get you going? If you don’t want to sit down behind a scene and look at ArcSight uh indications and warnings all day long, then getting that cert is just going to set you up for failure. And now you’re going to jump into an incident response center, a security operations center thinking that, “Well, I thought I was going to be doing reverse malware engineering,” or, “I was a programmer and I wanted to make more secure programs.” So you are uniquely designed. And I always tell folks, “The person you are and the fact that you’re even here and asking that question, there is something inside of you.”
So I would say before you jump into any program and if you’re going to get into a program, “Oh, by the way, it’s Infosec Institute.” They’ve got the road map for you.
[00:08:05] CS: It’s in the mail, Vic. Thank you.
[00:08:09] VM: I mean, honestly, get a mentor and let that mentor look at you much like Michael Jordan. I mean, Michael Jordan’s got innate skills, but guess what? He tells you, he failed more than he succeeded. And I will tell you the same for myself. I failed more than I succeeded. So when you say that when I was a college freshman about this time back in 1984 on academic probation studying computer security, you would become the chief information officer for a national security organization in charge of the infrastructure. Are you kidding me?
So be a snowflake. So by being a snowflake just like Mary said, know who you are. Surround yourself with a community of coaches, and mentors, and supporters, and advocates who will help guide you through that process. Don’t go blindly into, “Well, I’m going to get this certification and I get a job.” You are created with more ingenuity and more capability than that. So don’t fall into the banana in the tail pipe, “Oh! I got the years, but do you have the gears?”
I mean, I love the fact that folks have certifications, but what I’m finding is they got the years, but they can’t put the truck in gear. I’m like, “Are you kidding me?” You are about to take charge of a corporation’s information system. And we know in 2021, six trillion dollars is what the bad guys are banking on. We just came out of SolarWinds winds. We just came out of Microsoft Exchange vulnerability. We don’t need you to be just a cog in the wheel. We need you to be that snowflake and find and find your way. Yeah, the certificate will give you a ticked in the door, but your ticket in the door so you can put the organization and gear and effectively work in a team. I’ll be quiet. Yeah.
[00:10:32] CS: No. It’s great.
[00:10:35] VM: Don’t get me started.
[00:10:39] CS: So while you all you all were giving those great answers, we got another related question in from Cynthia. And if that was the ten thousand foot view, then this is the fifty thousand foot view. Cynthia asks, “Cyber is so vast. How do you figure out what you want to do?” So if I can give one self-serving answer, check out Cyber Work every week. An awful lot of our episodes are about what is it like to be an incident responder. What is it like to be a digital forensics expert? What’s it like to be a cyber security manager? What’s it like to be a project manager?
One of our scholarship winners was an auto mechanic who wanted to get in cyber security. Didn’t know where to start. He said he watched like 30 or 40 episodes of the show and just watched every one of them that showed a different career angle and said, “Oh! This looks interesting to me. That sounds like something I can do.” But do you guys have any other suggestions in that area? How did you sort of narrow down your interests?
[00:11:38] MG: I was going to plug Women’s Society of Cyberjutsu. We do a day in the life webinar as well — I got into this – So I was an architecture student before I became an IT person, and I moved to Georgia, and the architecture program was too far for me to go to. So Columbus State had a database administration program. That’s how I got in. I have done nothing with databases since college, and it wasn’t until I got my first job at Accenture that somebody showed me how to hack the systems that I was actually working on. And I said, “Oh, shit. I want to do that.” And that’s kind of how.
So I saw somebody, right? Like you said, there’re so many different avenues and so many different ways to get in. Vic, you said finding a mentor. Finding mentors, getting on LinkedIn, looking at what some of these jobs other people are doing. Talking to them saying, “Hey, what’s it like in your job? Trying to figure that stuff out, right?” If you like to be technical hands-on, okay, go to hacking, or go to vulnerability management, or go to defer or whatever. If you don’t really care for the hands-on stuff that much, you go for the policy side, the risk side, the PCI, DSS stuff, that type of thing, the auditing side of it. You have to not be afraid to ask for input advice and don’t go into the conversation of, “I want you to just give, give, give. You got to be willing to give something back as well.” It’s a two-way street.
[00:13:22] CS: Yeah, I totally agree with all that. And, yeah, I think you all basically said the same thing, but not afraid to make your mistake first. I think a lot of the fear of I don’t know where to start is what if I choose the wrong thing and then it’s the wrong thing and then – Yeah, try something else.
[00:13:39] MG: Try something else. Right.
[00:13:41] CS: Right. Okay. So – Oh, I’m sorry. Go ahead. Go ahead, Gene.
[00:13:45] GY: I think everybody who’s been in the job field, I mean, no matter what the job is there’s going to be technical, non-technical in business. And being realistic, I think part of the bigger problem is that corporations and companies alike, they oversell the greatness of their IT business, but yet they don’t really socialize or articulate what it feels like to be in a day-to-day, and it’s mundane, it’s slow, it’s meeting, locations. And no matter what the size of the company and the team, and I always tell people, it’s like, “Look. We always talk about 80/20 as a magic number. It’s like 80 percent you’re going to be operational, 20 percent innovative.” Well, not really. It’s like 99 to 1, because that’s — it’s a lot of work. And I always tell people, it’s like, “Always be honest with the candidate.” And then if you are in a job pivot or a job transition where you’ve been in the business stuff. Use that business knowledge to understand what people do, because actuality or – I always tell people, academic versus reality is two different things. It’s not sexy. It is cool if you’re a consultant, but it’s not cool if you’re in a business. It’s not. It’s okay though. I like some of those things.
[00:15:16] VM: Yeah, I think the catchphrase for 2021 and 2020 has been pivot. So for those who know me, I always use an acrostic. So the first letter is P. And in basketball, when you pivot, you have a pivot foot. So you got a pause. Which foot are you going to use as you pivot foot? Because if you don’t, guess what? You just traveled bro. I’m for march madness, baby. So you got to pause. It’s the same thing as you’re going through this pandemic and you’re going through all of this turmoil and uncertainty, take a breath. Just stop. Don’t rush into anything. And then after that is inventory. What do you have? Use what you have. If you have a passion for being curious, or a passion for being creative, or a passion for being a puzzle master, or a puzzle – There is a place for you in cyber security. And it’s not always the guy that’s working with ones and zeros. A lot of what we are dealing with is this carbon factor.
So if you understand human psychology, training and development. I mean, we talk about the National Cyber Security Awareness Month. That’s all about human behavior. Now like Fog’s behavior model, Dr. Fogg, if you haven’t looked that up, behavior is an equation of motivation, ability and being prompted. So when you have that understanding that even if you’re a technical person, I can trick you by sending you a text message or an email or even call you and use deep fake technology, artificial intelligence, and modify your behavior because of a prompt that you’re going to respond to. So guess what? None of that was digital. That was all carbon factor. So how do take your understanding of being a psychology major help us, who are the cyber ninjas, working with the ones and zeroes and building that secure enterprise talk about this human factor, this carbon factorm, that has to jump in there?
And then V, having vision. So don’t you see yourself, like I said before, as a cog in the wheel. You were created for something far, far greater than that. And then I was on a call before this. Organization. So once you’ve paused, you’ve taken inventory, you’ve got vision. Organize yourself. Don’t be like Vic. I’m –Look, 12 steps. I am the most unorganized organism on this planet. But I tell you, when you organize, then you can take action. Don’t just jump out there and pass the ball and be like my alma mater, Mean Green. You make it to the 64, get to round one, and you can’t even get past the second half because you can’t even pass the ball and take action. I’m like, “Come on!” I mean, I’m proud of y’all, proud of Mean Green and everything, but, dude! Pivot.” I mean, you had Villanova. Damn, bruh! I mean, you lost focus. Stayed focused. And you are a snowflake. So be your own unique snowflake.
[00:18:58] CS: Nice. All right. Now I want to jump in with my next question here. We had several people ask questions and they were all sort of age-related. So G Patrick Bryant says, “I retired from a 20-plus year career in IT a few years ago, but I’m seriously considering getting back into the saddle. After doing a ton of research, I’ve come to the conclusion that cyber security is the best fit for me, but I have concerns about attempting to re-enter the IT arena at my age. Please level with me. Is 68 too old to go through a boot camp and become a viable candidate for cyber security position?” Follow-up question, “If I’m not too old in your opinion, what if any age-related issues would you think I’d encounter in my search for work?”
So we had a couple people, one in their 50s, one in their 40s. So this is clearly something that people are thinking about right now. I understand that it’s never too late to start, but can we speak at all to you what some – All right, Vic’s got his hands up. Vic, you want to take the lead on this one?
[00:19:52] VM: Does anybody know the story of Colonel Sanders?
[00:19:55] CS: Oh yeah
[00:19:57] VM: He was 65-years-old and he got his first store to make his Kentucky Fried Chicken. So you think about that. He’s 65-years-old, had his recipe for over 30 years. So when did he become a successful business owner? I would say when he had his recipe, he believed in this recipe, and everybody kept telling him, “No. No. No. No. No. No.” But when he’s 65-years-old, he knows that’s his dream. He knows that’s his purpose. Know your dream. Know your purpose. Age is nothing but a number. You don’t check out until you check in with your purpose.
[00:20:41] CS: All right.
[00:20:42] GY: I don’t know about the story, but thank you. In the past before I was running Resecurity, you know we did have several folks that were of the different ages, and I think there’s two kind of the economy of the problem here. Whether people who have no experience or who’s transitioning that has no experience, and then people who are older, who’s senior, or who has other business experience. The part of the – So my recommendation to the both groups is don’t be afraid. But the problem we need to solve is the person in the middle, the person that’s hiring, because they don’t have that vision, the ocular, to understand the person with an experience has experience in different things. And we often hire people of different age groups, and I just say this very politely, but people who’s not from IT or security, but who’s come from business, but who’s been there for 20, 40 years. Because they have the patience, the business acumen, they’re more – I’m not saying they are more, but we found that they have some better experience than handing it off to somebody who just graduated a college, versus a college graduate or somebody who’s hasn’t been in the cyber or IT field. We tend to just like interview them like, “Well, you don’t have this, this, this, this, this technology or this government experiences.” And I always tell my managers in the past like, “And you did when you started this?” And I say to the, I gave you that managerial position. I’m willing to put my name on the line.
And so for the people who are listening, remember too, it’s who you work for. Don’t be all worried about your age your experience. 50% of my management team when I was working in the bank were all females, minorities, and we put it that way not by design, but by intention, because we needed to bring these people up. Because when you leave, you need to make sure these are the right candidates to lead the group, nothing to do with skills. It’s all people. Technology, you can learn all day long. If you don’t have passion, you’re not going to learn anything. You’re just – So don’t worry about age, young or old, it doesn’t make a difference.
[00:23:43] MG: Great question. I’ll leave it to those two.
[00:23:46] CS: All right. So actually we the next question is something we mentioned a little bit already, and I want to get a little more into it. YouTube78 says, “Where would you recommend to look for a cybersecurity mentor? And Tommy B. also on YouTube said, “What are some groups that help people get into cyber security?” I’ll start with mentors. Where would you start in in looking for a mentor?
[00:24:22] GY: Company you should work for should have a mentorship program. Part of your onboarding, you have to designate a mentor for that person. So that’s always a great thing. To answer the question, where to look for it? It’s what I tell the horizontal friends and vertical friends. And if you’ve got a bunch of horizontal friends, they’re not your mentors. It’s not an association. It’s not a group. It’s having the right circle of friends that you want to grow. I think there are a lot of really good organization for mentorship, but what I always ask the people is when you go to those things, make sure they have a plan. Make sure you have a set of times when you’re going to meet consistently, because we don’t want to get inundated with the brand or name versus are they committed to you for doing the work?
Like when I used to read for kids, it was committed Tuesday, Thursdays. Every week for three months I was there and committed. I mean, I think part of it is, is that we don’t give them the – We have to give them the right direction and guidance and ultimately lead to a job, and it’s a big weight for a mentor to have. I mean, I think Mary’s organization, where I’m sure people are just coming in and ultimately their need is I need a job. Like can you deliver? It’s hard.
[00:25:51] MG: Yeah. So we don’t offer a formal mentorship program because, one, it’s difficult to do it successfully and have it be impactful. So we did it a little different. It’s more informal mentorship. So we host networking events. When you can go to stuff in person, going to things like on meetup.com and meeting folks and talking to people is a great way to kind of attach yourself to somebody that could potentially be a mentor for you, right? And mentorship, having those set meetings is great, but outside of that, it’s got to be organic I think, because if it’s not organic, if you don’t feel comfortable talking to the person that is supposed to be your mentor, it’s going to be difficult for you to ask questions, to be vulnerable, to do that stuff. So networking events are great places to find mentors or at least go on that path to finding somebody.
Joining different like – We have a really active Slack channel, and I swear out of that Slack channel people have gone off and formed their own friendships and mentorships and had those conversations outside of the organization. So finding places where you can at least interact with other people to sort of see who’s out there and what’s available is probably the best way. And LinkedIn, always a good one.
[00:27:29] CS: Yeah, put it to use. It’s not just a joke for stand-up comedians. There’s a lot to be done on LinkedIn.
[00:27:34] MG: Oh yeah.
[00:27:36] VM: Yeah. So one thing I would say is be a mentor. Almost like, “What do you mean be a mentor? I’m new to this.” There’s a program called Cyberpatriot. CyberPatriot was started a little over 13 years ago, and I’ll go ahead and put a plug in for the Center for Infrastructure and Security at UTSA. So note the name, Center for Infrastructure Assurance Security, CIAS. So before it was cyber, it was information assurance. So they went to Florida and said, “We want to take these high school students and give them a Windows Operating System and say we want you to harden this Windows Operating System.” So they started with the Windows Operating System at that time. So they’ve matured up to where they are today to where not only is this a national platform, it’s an international platform. We have Cyber Guardian, Cyber Sentinel, Canada, UK, around the world where you can go into middle schools and high schools and find students who have an interest or a peak in science, technology, engineering and mathematics and say, “Hey, look, here’s this competition. Oh by the way, they have resources for you. And oh by the way, they have coaches for you and then they have mentors.”
So as a mentor, you know a lot. You learn a lot more than you think you do. But guess what? In this case, these students are graduating high schools with their CCNA, their Security+, their Network+ and then they’re going back and they’re teaching the middle school students. So guess what? You as a mentor doing what, you’re learning. And oh by the way, when you’re doing that, there’re corporate sponsors like Lockheed Martin, the big Ten, Boeing and Russell guys. They’re like how are you as a mentor being that effective with these students and why are you not in my organization? So give, back to Mary’s point.
[00:29:41] CS: There you go.
[00:29:42] ML: If you want a mentor, be a mentor.
[00:29:46] CS: I love it. So the next couple of questions, I’m actually going to sort of switch the next two questions together. I’m looking at them and they’re of coming from the same place. So we have AQ on YouTube said what are some non-technical job roles in the industry? And then in the next one we had people asking about technical requirements as a barrier to entry and they’re saying – Jorge says, “I’m very interested in the field but I don’t have a tech background. I have a degree in international studies. I worked in my home country’s ministry for foreign affairs for a while and has been working in finance for a large software company. I’ve started looking at several different self-taught resources, but I keep feeling overwhelmed by it all. What would be the best advice for someone in a situation like mine?”
So I think those are sort of coming from the same place. There’s a lot of concern that cyber security is only for people with a computer science degree or who have been coding since age five or that there’s nothing else out there. And we see that all the time in comment sections or people writing to the show. So I want to just sort of speak to three different people who have come to it in such interesting ways and have come from different backgrounds and tell us about some of the non-technical aspects of the job that you can do or that you have done.
[00:31:08] MG: Who wants to go first?
[00:31:10] CS: Let’s start with Mary?
[00:31:12] MG: Yeah. I know a lot of folks that have like interior design degrees and like business degrees and liberals liberal arts or whatever that are phenomenal because they think differently. Their mindset is different. They’re not thinking in the ones and zeros. So they can see the bigger picture a lot of the times. So while having a technical background may be important for some aspects of cyber security, it’s not necessarily. I think Vic you mentioned it about understanding the people side of cyber security is really, really important, because at the end of the day that’s our first line of defense, right? If somebody gets past the human, that’s it, unless you have the technology in place behind it, but they’re not exploiting necessarily the technology. It’s the human person.
So being able to understand that aspect of it is really important. And then with the finance degree, that’s even more important from the business perspective. How is this cyber security program affecting my bottom line, my ROI? How are we improving and still keeping the stuff available for people to utilize and to access? So having that different mindset I think is really, really important because it’s going to make the whole cyber security, the whole security infrastructure more robust, more secure. Yeah, definitely. Doesn’t matter what your degree is, because most of the time jobs are looking for – most of them say they want a degree, but a lot of them don’t need it. And so that just helps you when you’re trying to find that job in the first place.
[00:32:49] GY: And there’s plenty of non-technical jobs, program manager, project manager, business analysts, report writer, research analyst. I know we put a label cyber, but everybody has a role, non-technical – Technical just means whether you know the technology or you could touch the technology or you could operate a technology. That’s easy. Don’t be overwhelmed by it. But the key is, is that there are a lot of functional roles. I mean, we hire technical writers. We hire business analysts, even accounting things. But the key, the question you have to ask, I think what Vic said earlier, was is this what you want to do? You could still be business where you were except that you could be in a cyber company or a cyber organization. Don’t fall into the wave of the labels, but if you like doing accounting and you want to work in cyber, be an accounting firm in cyber.
[00:33:52] CS: Yeah. As needed as any other role in the company.
[00:33:57] GY: Absolutely.
[00:34:00] VM: Yeah. So I’m going to really just blow people’s minds. When a cyber incident happens, what do you need? A spokesperson. Yeah, I’m going there.
[00:34:13] MG: Well, legal too.
[00:34:18] VM: You need someone that is credible that can represent your organization and communicate in terms that doesn’t get you an even more deep kimchi. And then to Gene’s point, you better have a lawyer who is cyber savvy. You don’t need no lawyer to talk about, “Well, what’s a firewall? What’s a DMZ and why is it that he said incident as opposed to breach, privacy, GDPR and the California Consumer Protection Act, the CCCPA?” I’m like – And now with DOD. If you don’t have your CMMC, which is your Cybersecurity Maturity Model Certification, you can’t even get in the front door. So what can you do with a non-technical you know background or interest in cyber? A whole lot. But once again, it’s who are you and what is your value? What is your purpose? What kind of snowflake are you? I’m going to be doing a snowflake for the rest of my life. I love that. I love that.
[00:35:21] CS: And when you think of jobs like threat modeling or risk analyst or whatever, like the tech aspect of it is you can learn the parts you need to learn on the fly. We hear that so many times on the show. We hear that from all sorts of guests. We’ll teach you the tech. If it’s digital forensics, we’ll teach you the tools you’re going to be using. But um Amber Schroeder of Paraben was on and she said her best digital forensics expert was a former child psychologist who knows – When he had to look through 140 text messages in this phone and get some sort of a pattern for stalking or threatening behavior, that’s the person you wanted to come to. It didn’t matter whether they had been using the E3 platform for five years or whatever. They want the psychology, they want the thought process. Yeah, again, like Ray Bradbury said, “Jump off cliffs and build your wings on the way down.”
So moving along to another set of questions, and again we had a number of people ask I think variants on this. This was sort of related to sort of breaking out of a stuck or a non-cyber role. So like Philip Ruffin says, “I’d like to know the best way to break into cyber security from the help desk. I have extensive experience from the help desk in a large environment of approximately eighteen thousand plus users. I’m in school for cyber security. I’ll be obtaining my Sec+ within the next few months. What route should I take since I’m still in school and I’m not in a feeder role?”
Again, we got variants on this, “Can a season lawyer become a cyber security expert?” “What if someone is working as a network engineer who wants to switch to cyber security?” That’s from Chitali. Another person says, “I’m 36 and transitioning from 15-year career in restaurant management, but graduating in november 2021 but has no idea how to get any hands-on experience.” So I feel like these are all sort of speaking to the same thing. And we’ve been talking about this it sounds like for the whole episode here, but people feel like it’s very hard to see how they can transfer the skills they have now in their minds to a cyber security role. So do we want to sort of assuage the minds here? Gene, you want to start?
[00:37:32] GY: Because it’s so asinine the problem we have. And for all those – Every one of you who are trying to move from transition from your IT job like to help this and network, you have a such a great opportunity. There’s nothing you need to do because you already know this stuff. You’re already working with the security team. Is too egotistical and not give you that opportunity. Time to find another job in the cyber, because I can tell you right now, I hire more people from IT in the past than bring it from the outside, because they have the tribal knowledge and interesting knowledge of what ideas in order to secure better, my personal opinion.
Help desk people are the best. Why? Because they have helped every problems that people have solved. They have their relationship with the people. But if you’re trying to transition within your own security team because it’s a fancy thing that you want to go through, but if they’re not even giving you that opportunity for internal transfer, move on. It’s completely useless. Find another company. And I guarantee you, people want those skillsets who are right, in my opinion.
For the people who are transitioning from a different job, like I know you mentioned a restaurant manager. Perfect opportunity. You could be a channel manager, partner manager for cyber security company. You have the experience and having the gift of gap.
[00:39:10] CS: Yeah. I think there’s that fear that I have all this experience in this one thing, but they almost feel like I have to sort of push it away and learn a new thing. But like Vic said about taking inventory. What do you have at hand and how does this translate to something that people in cyber security would want? Am I representing that correctly?
[00:39:36] GY: Yeah.
[00:39:39] CS: Okay.
[00:39:41] GY: 1 in a 100. We used a scale of one to ten, right? I mean, a hundred to one ratio when it comes to budget versus staffing and IT versus security, and it’s just the same. Security stack is like this big of how many software we actually manage. Sure, it’s small people, but here’s IT. So you’re in IT. You are way more advanced and ahead than what you would think.
[00:40:12] MG: Yeah, I got started as a network engineer. I had no clue. I mean, I had gone to school and I’ve gotten my degree and all that, but I had never touched any of it. And then I got that first job and then I saw the security side of things and I was like, “Okay. I’m going to work to get to that point.” And so I made it a point to go and study Security+ because I was working for the government at the time and you had to have it. This was way back in the day. And then I was like, “I got to do CNNA security,” because I was working on CISCO equipment and I wanted to learn more about securing CISCO equipment. So, one, if you haven’t asked how to move around in your company, you need to. And then if they’re not giving you that opportunity, then just say, “Kick rocks. Bye.”
But two, what are you doing outside of work? What kind of things are you doing outside of work? Are you building a home lab? Are you participating in cyber competitions? Are you mentoring cyber patriots? Because you’re learning stuff when you have to do that, right? Cyber competitions, and I just spoke on this yesterday, cyber competitions are really, really valuable because you’re learning. In some instances, you’re learning about real-world issues and how to fix them and how to navigate those issues. So even if you’re from the restaurant sign, if you want to get into the hands-on or just want to learn about cyber in general, participating in competitions is a really good way.
Ctftime.org is a great site that lists out tons of competitions across the world. They have write-ups for what folks that have solved those problems have done, and you can start looking at that stuff to kind of get some more experience, and then put it on your resume. I participated in NCL or CCDC or whatever competition it was. And if you placed, that’s even better. But that’s also a good way to have recruiters look at you because all of the companies that sponsor are looking at, “Okay. Who’s done what in this competition? Let’s talk to these people. Let’s do X, Y, Z.” So that’s another way to get in.
[00:42:18] VM: Yeah. And just like what I said before, pivot. Pause, slow down, figure out who you are. Take inventory of what you got. And the other v would be value. What value do you have that you can present with an organization? And to the point, if you’re sitting there at the help desk, the value you have is trend analysis. So while you’re sitting there at that help desk and you say 25 of your calls are for password reset, now, you can go to the identity and access management team and say, “Look. We’re having an issue here. It’s a trend with regards to how people’s accounts have been provisioned.” Either hopefully you’ve moved past just the username and password. You’ve gone to multi-factor authentication — but if you’re still in that mode, now you have a use case to where you can go into the identity access management team says, “What will it take for us to move off of username and password to get to a multi-factor solution? I’m on the help desk. How can I help you?” Proactive. Have vision of your value. And then you know organize yourself, take action. And to Mary’s and Gene point, if they don’t see your value, know your value. Somebody else will compensate you for it.
[00:43:57] GY: Exactly.
[00:43:59] CS: All right. So this transitions nicely into the next question here. Mary mentioned putting your CTF skills on a resume. What makes a candidate really stand out on paper and then in an interview? If the choice was between two people with similar credentials, what would push one candidate forward? That’s from Haley Berger.
[00:44:20] MG: When I worked at the Venetian, and I would sit in on interviews and hiring for our SOC positions. If somebody had cyber competitions on, we put them at the top of the list automatically, right? One, it shows they have initiative. They’re not just going to work to work. They’re actually going home and looking at stuff and they’re playing around and they’re tinkering. So they want to learn this. So automatically those folks would be at the top of the list. Projects, if they’ve worked on any projects, know like open source projects or anything like that, or they’ve done volunteer work. We look at – Those kind of things make you stand out because we know, “Okay. You really do want to be in this industry. You really are taking the time to actually learn and grow and build your skills outside of your regular job.” I think those three things for us was really important.
[00:45:12] GY: I’ll be honest and say I’m a terrible, terrible interviewer. I’m mean — but those who actually came on board to work for me understands why, and it’s not because I’m trying to be mean about it, but I’m also trying to get the worst and best out of them. It’s basic psychology. And I need to see that they’re able to handle it. And one guy I actually said, like, “You’re like the hardest and probably the worst interviewer I had, but I really learned a lot.” And then he said, “And I’d like to come in for a second interview.” See? Initiative. I said, “You know what? Come back in,” and I actually hired him because he represented himself and knew how to handle it, because part of our job is not really technology. I mean, all these brands and stuff, it’s not that complicated. If you have to learn a new technology on the job, that’s a different problem. Like — a firewall is a firewall. You shouldn’t have to learn, because the concept should be the same. There’re policies and rules and there’s things that you need to do on a day-to-day basis for hygienic stuff. Very simple.
When people come in with paper versus the interview, you could clearly see what they can or can’t do not mentally, because we need problem solvers and people who wants to challenge you. And like I said, I would admit that I’m not the best nicest person in the world, but those who have gone through my interviews and who actually landed a job with the companies I’ve worked in the past, I know they are continuing to be successful.
[00:47:09] CS: Yeah.
[00:47:10] VM: Yeah. Gene and I have similar pedigree with the computer sciences corporation. I don’t think we work together at the same time, but having an entrepreneurial mindset. And so when I say having an entrepreneurial mindset, if you’re going to be a business owner, that means that you have what? You have vision and you’re willing to take the risk to provide your product and service at a cost price point that’s secure and on time and on schedule. So that helps you have an intelligent conversation that lifts the words off the paper to say, “I’m not just a paper tiger, but I’m the real thing, and I will deliver, because I got to eat.” And COVID 2020 —and I’m down here in San Antonio, Texas, but we got snowbit.
[00:47:59] CS: That’s right. That’s right.
[00:48:02] VM: Three days with no power. I’m like, “What?” So I’ve already made the pivot. We’re going solar. So while our leadership may think that solar’s a joke, it ain’t no joke to me.
[00:48:16] CS: Save my pennies. Trust me.
[00:48:18] VM: Yeah. But have that entrepreneurial mindset. That will set you way above. I mean in addition to everything that Mary said, yeah, definitely. Hack the box, CCDC, being in Cyberjutsu, Blacks in Cybers, SANS has their – just put your brand out there and you’ll get – Hey, you’ll get recognized.
[00:48:44] CS: Yeah. And I’ll jump in rather self-servingly here and point out that the Infosec skills platform has several learning paths with cyber ranges which allow you to develop hands-on skills using skills platform and virtual machines. That’s going to allow you to eliminate the catch-22 of not having the experience. You can show, “I’ve done this thing. I’ve done this thing.” There’s not that huge of a gulf between I did this in a training platform and there’s a little bit of a jump to I did it for a company, but it’s right up there. So don’t be afraid to go in there and get your hands dirty with these things.
[00:49:24] VM: I’m going to piggyback on that one, Chris. So on the cyber skills solution, I was mentoring some middle school students. And when I say mentoring, I mean, they were like scatterbrained to everywhere. So I took the challenge and said, “Well, I’m going to teach you guys some Linux.”
So I’m sitting up in the front of the room trying to show them, “Okay. How do you figure out what directory you’re in and what command do you type?” And it’s PWD. And it’s like Charlie Brown, “Wonk-wonk-wonk-wonk-wonk-wonk.” I put them in front of the skills port terminal and they started going step by step being prompted. They did in one day what I couldn’t do in one month. I’m like, “What?” I’m like, “Shut your mouth.”
[00:49:54] GY: What’s interesting, the way we used to teach, right? The board, I don’t know if it’s the aspect of the whole COVID or just the people’s mentality of [inaudible 00:49:47] first. There’s a different degree of consumption of like even education. Unfortunately, whereas Vid, Me, or Mary would be like, “We want to educate and feel my passion”, but yet it’s like, “Okay, do I get points for this? That’s the problem because they’re – I think for the listeners, you have to understand that some people, ultimately it’s not technology. You can learn. But if you don’t have that – And then like when Vic was talking about the cyber range or Mary was talking about these groups and people that are doing especially on her organization, you could see the spark when people talk about it, and that’s literally what I look for in an interview. Like are you interested in this job? And I just told you how horrible you are. This company is terrible. And yet you have the spark of eagerness, right? Everybody used to call me the grinder because I just grind people.
[00:51:34] MG: Can you interview me please? I need to prep.
[00:51:39] CS: I’m going to hire Gene to interview me every six months.
[00:51:41] MG: Right.
[00:51:43] CS: I need to be pretty sharp here. All right, so moving from the job search and resume skills, I want to talk to just a real small specific point regarding exam difficulty. Jeff Dunlap says, “What advice would you give to someone who has a strong desire to learn and work in cyber security, but who has a really hard time taking exams? For perspective, I failed Security+ and can’t really financially afford to keep taking it. Is there a certification absolutely necessary to break into the field? Again, I know we said that your skills are your skills, but if you really need to take the exam and exam taking is hard for you, do you have any thoughts on that?
[00:52:24] MG: I felt Security+ and CISSP — the first time.
[00:52:33] CS: I mean, from what I’ve heard about, that sounds like the default – like I don’t know too many people who are like blasted through the CISSP on their first try.
[00:52:40] MG: Right. It’s like how are you going to be in security and you can’t even pass the basic security certifications? No. But it’s going to depend on the role you’re trying to go do. You got to look at the jobs that are out there. Security+, yeah, it’s a great one to have because it’s going to help you if you’re in the government because you have to have that – I think it’s still DOD8570 something. But if you’re struggling with taking a test, find a study group, right? We host one. Actually have one tonight for Cloud+ that I’m hosting. So I’m going to take the Cloud+ so that I can teach it at the University of Maryland. And um it’s really helpful just to go through questions and talk to other people and understand how to answer the questions.
There’re tons of free videos, there’re tons of free apps, there’re tons of groups. I think I see Security+ study groups like every other week and they’re free, or you can just get a group of your friends that are also studying and say, “Hey, let’s study this together. What am I doing wrong? How can I answer these better? Or how can I think about answering these questions in a different way to where I know that I know the material and I know how to eliminate the wrong answers.” I mean, there’s no real right or wrong way to study or prep for a test. It’s going to be based on what works for you. But it’s okay if you failed.
[00:54:07] VM: Yeah. And I will also say that Infosec has a great boot camp program. And then they also have other resources that will help prepare you for passing the test. But to Mary’s point, if you’re having a challenge passing the test, it could be an issue of two things. Test taking skills or you have an anxiety in in reading and processing the information that’s being presented to you, because I will tell you, I will overthink the question. Just answer the question. I’m trying to go into the network topography and, okay, is this a switch? Is this a routers? Trying to problem solve as opposed to answering the question. So test taking. So don’t be discouraged. Thomas edison did it a thousand times to now we have lights behind us. So if it’s what you really, really want, you want it bad enough, just keep fighting for it.
[00:55:19] GY: I’m going completely opposite, like, “Look.” Well, no. I don’t mean it facetiously. It’s I have a problem taking tests. Period. Like I don’t do well. I mean, I don’t even know how I even got my SAT scores in the past. My background is architecture, civil engineering, mechanical engineering, nothing to do with what I do. But the test taking, don’t stress too much over it. And whenever you’re in an interview or you’re having a conversation, just be upfront. I have a hard time taking a test. It’s just how I am.
I’ve been seeing some portions of the people who are getting into the field, I’m not just talking about security, where they may have some sort of disability or they may have some challenges that it’s unable for them to study at home or work because they’re having multiple jobs. So I think it’s important like utilizing infosec as a key to learn things is good, but don’t get too hung up on it. You have to eat. It’s life.
[00:56:36] CS: Yeah.
[00:56:38] MG: And be honest. Real quick, be honest with yourself and with the folks you interview with. My current job, I told them straight up, I said, “I’m not a scriptwriter, but I still have the job because I was honest and I did my best on the challenge that they gave me and I reached out and I said, “Hey, this is where I’m at. This is where I’m struggling.” And I was like, “Okay. What if you tried this?” And it’s like, “Ah! Okay.” So just be honest. And if they don’t like your honesty, that’s not the company you want to work for anyway.
[00:57:10] CS: Yeah. All right, so we’re coming to the end of the hour here. We got about four minutes left in in the hour, and we had one more question. It was from Professor Samantha Groh who is with the University of Cincinnati. I’m happy to say that as I look through it again here I believe we’ve answered most of the questions here, but this is kind of an omnibus question. She says, “I’m a co-op advisor at the University of Cincinnati primarily with engineering and IT students.” She asked, “Would you differentiate these certification certificates if you recommend focusing on if a student is completing or has recently completed an IT degree versus computer science or computer engineering? If a student is unsuccessful in finding a directly related cyber security co-op, what fields, companies or roles would you recommend and what niche fields or related skills do you think surprising – They might find surprising or be important to know? I think a lot of this is sort of going back to things that we’ve talked about throughout here is where do you start? Where do you start looking? And I guess if you there’s anything you want to add regarding these questions, I think the answer in this case is listen to this webinar.
[00:58:21] MG: Yeah, and then reach out and reach out.
[00:58:23] CS: And reach out, yeah.
[00:58:27] MG: I’m sure all of us are – We’re all busy, but I’m sure sending a message and saying, “Hey, I heard you on the webinar. I’d be interested to know if you could help me with something and then we can go from there.” This is a hard one, because there’s a lot of places where you can find jobs, LinkedIn, our website, Blacks in Cyber, the different schools, their websites. Again, it’s really difficult to say what a student should do as far as like a niche because it’s based on what the student wants to do and what their skills are and what they see themselves doing.
I mean, I worked for a casino for four years. I didn’t even think about cyber security in a casino because I was working in the government for my entire career. So every industry has a need for cyber and IT people regardless of the industry. And I think the financial industry and like the retail, those spaces probably needed a little bit more than the traditional companies that we think of because they’re always getting hit. Critical infrastructure, that area is a really booming area as far as security goes too. So just got to go out there and look.
[00:59:51] CS: Yeah.
[00:59:55] GY: I would actually put this back on the university. So we have some strategic partnership with the university in Georgia. We actually are partners with – We have an educational partnership with UNLV and even like one of the oldest university, Bowie University, that we’re trying to work with them. But the problem is the educators and the school faculty has their own set of things that they’re trying to do, and we put our products and services at no cost for education and research and depending on whichever research tier you may be. And they need to commit the time to working with the companies to say like, “Okay. We will add you to this.” But it’s a lot of give and take unfortunately. And for me I like give them all the access. We’ll do the training. We’ll do like all the stuff and give the students opportunity to listen and learn and everything else, but then we’ll make ourselves available. But how much are the faculties actually committing to the students? And they’re saying, “Okay. We’re going to teach about all these. We got these companies lined up,” but there’s always a – I hate to say this. There’s always a financial transaction or some sort of a – A lot of that has to happen. That’s the unfortunate, and the people that suffer are the students.
Now, before this particular I think professor go, I would just tell the students like what Mary said, socialized network, and like what Vic said, have a vision what you want to do. But they’re still young sprouts coming out so they’re going to have lots of ideas, but it’s like they need that constant like feeding of information like their social media unfortunately. But I don’t think there’s one solution, but kind of like going back to what Mary and Vic said, it’s like you need to have passion and you need to have focus.
[01:01:57] VM: Internships, apprenticeships would be a great uh resource for the university to consider. I know the Department of Labor is working with a group out of Maryland called ICF, and it’s called the Cybersecurity Youth Apprenticeship Initiative. And so the Department of Labor has put aside funding to help place graduate and undergraduate students with companies who are looking to pursue cyber security. So the Cyber Security Youth Apprenticeship Initiative with Mike Lawrence and his folks is a great resource that they can tap into. At UTSA, I would be remiss if I didn’t talk about the school of business. They have a UTSA cyber range, and on this cyber range they’re offering training and courses to help operationalize what you’re getting as a graduate and undergraduate student. And in this flexible hyper realistic environment you can be an analyst and actually see what it is that you would have to perform as a task if you were a SOC analyst and understand that you have to find you know the source of this web defacement. You have to find the source of this apache vulnerability or this DDoS. Is it coming from your organization or is it coming from outside your organization? And how do you work together as a team? Because if you think that you’re going to do this as a graduate student by yourself, sorely mistaken. It’s just too much for you to try to do to digest. But once again, Infosec Skills has a great resource. Check in with the staff that Jack has assembled and give Megan Sawali a call. I mean, folks are – I’m here. Hey, look, like I tell folks, that my passion is to help you reach your potential. You’re a snowflake. You’re not going to be a Vic, you’re going to be a Gene, you’re going to be a Mary, you’re going to be a Chris, or you’re going to be a Jack or you’re going to be a Megan. Be who you are.
My commitment is to help you get closer, one step closer to that step, so you can pivot. And we already talked about that before. But you are here for a purpose. Don’t exit this life without knowing that. And then I will plug my friend, Jennifer Redmond, talking about you know self-care we have too many information security professionals who are not taking care of themselves. Please, please, don’t make a permanent decision for a temporary situation. Don’t beat yourself over the head about, “Well, I failed my team or I failed my organization.” You learned, and we need you. So please don’t ever think that because you aren’t the Mark Zuckerberg or the or the Bill Gates and you haven’t risen to the level of cook and – You are here to be you. Please, please, please, please. I’m begging. We’ve got this issue with mental health and we have a responsibility and we need you. So please don’t make that kind of decision.
[01:05:23] CS: Well, I’m going to end on that. We’ve hit the hour. And I just want to thank you all so much. I’d like to thank everyone at home and work for listening to checking out this first episode and absolutely not the last of Cyber Work Live. If you enjoyed this and you enjoyed our guests, I’ll point out that new episodes of the Cyber Work podcast are available every Monday at 1pm Central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. You can also check out past guests including whole episodes with Gene, Mary and Victor at infosecinstitute.com/podcast.
If you’re interested in free hands-on cyber security training instruction, check out Cyber Work Applied. Tune in as expert infosec instructors teach you a new cyber security skill and show you how that skill applies to real world situations, and of course it’s free. So to learn more, go to infosecinstitute.com/learn to experience Cyber Work Applied.
I’m happy to report that we are planning to host Cyber Work Live once per quarter. The next episode topic and guests are still being finalized, but to get the latest updates for future Cyber Work Live episodes, go to infosecinstitute.com/events. And lastly I really want to thank you all again and thank our wonderful panelists, Mary Galloway, Vic Malloy, and Gene Yoo for joining us today. And thank you to all of our guests for attending and submitting more great questions than we even knew what to do with. We look forward to hosting another session like this in the future.
So as we end this presentation, a very quick survey will appear. If you would like to take just a moment and share your thoughts, it’d be appreciated, and it helps us to produce more great content in the future. Thank you all again for listening and watching and have a great day.
[01:06:07] GY: Bye everyone.
[01:06:12] VM: Bye everybody.
Weekly career advice
Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Carbon Black, IBM, CompTIA and others to discuss the latest cybersecurity workforce trends.
Get the hands-on training you need to learn new cybersecurity skills and keep them relevant. Every other week on Cyber Work Applied, expert Infosec instructors and industry practitioners teach a new skill — and show you how that skill applies to real-world scenarios.
Q&As with industry pros
Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.