Last week I highlighted some of the brilliant stories which are covered in our new eBook, “Diversity in cybersecurity: A Mosaic of Career Possibilities”.
For this blog, we meet some new folks, and uncover how they got their unique starts in the industry.
What’s interesting about these stories in particular is that most people started in a general field of technology. But something happened during that time to persuade them to go into cybersecurity.
There wasn’t a defining moment for me because cybersecurity as an industry wasn’t really called an industry yet. I became a hacker at an early age, but back then, we were just focusing on computer security, which was an offshoot of computer science.
I think a lot of people who have been in cybersecurity for as long as I have—over 20 years professionally—have a very meandering path that led them down this career rabbit hole.
For myself, I was a molecular biologist, and I was working on the human genome project at MIT. I decided molecular biology wasn’t for me, but I wasn’t quite sure what I wanted to do.
So I took a detour, which I thought was temporary, into the systems administrators group at the genome center at MIT. I helped them build those systems out, and then, I took another systems administration job at MIT in the Department of Aeronautics and Astronautics. There, I took care of the network that helped launch some Mars rovers. This was the late 90s we’re talking about here.
From there, defending the systems that I was in charge of led me back into the nascent security fold.
I was interested in computers from a young age. IT was always my favorite subject; I always wanted to pursue something in technology as a career. I remember when I was about 14 or 15, I completed the IT material so quickly in class that the teachers ended up having to write up separate extra exercises just for me every week!
After school, when I was about 16, I progressed to college to complete a BTEC Level 3 Extended Diploma in Software Development. Over two years, I learned to build and program everything you could think of: websites, games, mobile applications, scripts, and more. On this diploma course, we had a networking module that focused on security.
It was at this point when I definitely heard my “calling.” After nearly two years of building things, I discovered that breaking them was much more fun!
Following this “Eureka” moment, I applied to study a BSc (Hons) in Cyber Security Management at university.
Four years later, including a year’s placement in industry and a huge amount of community involvement, I completed my degree with First Class Honors. I’m now about to commence my first role in the industry as a Junior Security Consultant of penetration testing.
I was working as the Webmaster and Linux Administrator for a company whose endpoint security product blocked USB flash drives from connecting to systems. At that time, my only exposure to security was on the defensive side.
I was curious about how the USB malware we were trying to block worked and how it got into forums where some of these tools were being traded. I therefore started experimenting with them and set out to build several Proofs of Concept (POCs) that would steal data from systems, phone data home to a server, etc.
I went down a lot of rabbit holes in my research, and I even built a website called USBHacks.com that provided samples of the USB malware to help educate network admins. (This was also the first time the FBI reached out to me.)
Around this time, one of my co-workers had his car broken into and his laptop bag stolen. We joked about what would have happened if a thief had stolen my bag and plugged one of my weaponized flash drives into a computer.
After the conversation, I started building tools based on my USB malware that were designed to protect devices and data if they were stolen.
Like most people, I fell into cybersecurity through exposure to some really big security events. I had a background in IT transformations. Security was becoming increasingly important at the time, but it was still low on the radar unless you worked at a bank or financial organization.
That all started to change with the big virus attacks. Code Red, Nimda, and the “I Love You” virus all swept us up by surprise at the time (security was still low on the radar unless you worked at a bank or financial organization). In one of the virus attacks, I saw a whole corporation lose its email system.
This didn’t occur simply through the attack; much of it transpired because of a faulty incident response. Everyone at the company was panicking and answering every warning email with a “CC all” reply. So it ground to a halt.
It struck me that this meant nobody knew how to prevent or respond to these attacks and that security was going to be vital going forward. All our digital transformations would come to naught if a simple attack could cripple us. So we had to develop security in the same way that we were changing IT.
I think the final confirmation for me came when we read reports from SOCA and other organizations that showed the link between hackers and organized crime. It struck me then that we were not dealing with script kiddies but bad people who were committed to doing bad things to innocent victims. This was more than just a job; it was a calling.
It started when I left college and joined the United States Marines. I was in the U.S. Marine Corps, and my military occupational specialty was in electronics and secure communications. From there, I shifted into networking and specifically network security. That’s when I knew that cybersecurity was for me.
After I left the Marine Corps, I joined Cisco in 2000, and I was part of the technical assistance center. I was supporting firewalls, IPS devices, VPNs, and a lot of encryption.
From there, I shifted gears into advanced services, which is now called “CX,” or the customer experience. Along the way, I did secure implementations, a lot of network design, and architectural reviews.
At the end, I was actually doing penetration testing and ethical hacking against many large Cisco customers. I shifted gears again, and now I’m part of the product security incident response team where we specialize in vulnerability management. I also concentrate on helping industry-wide efforts. I’m the chair of several industry-wide initiatives like FIRST and OASIS.
When I started out, it wasn’t called “cybersecurity” back then. It was IT security.
The defining moment for me was when I got involved in a forensic investigation after my manager at the time asked if I wanted to shadow him and learn a few things. I was working in desktop support, and I found it fascinating. It was the catalyst for me.
From there, I made a lot of mistakes, learned a lot, and adapted. I’ve been fortunate enough to work with some really good people along the way, and I still find the work interesting.
I got onto the information security, privacy and compliance path at the beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare corporation.
I didn’t even realize change control was a critical information security control at the time until I started seeing the ways in which human interactions and noncompliance with procedures caused some major problems, such as down-time (loss of availability) for the entire corporation.
After I went to the IT Audit area, I performed an enterprise-wide information security audit. As a result of that audit, I recommended that an information security department be created.
There, I created all the corporation’s information security and privacy policies along with their supporting procedures, and created the training program, established requirements for the firewalls and web servers, performed risk assessments, established the requirements for one of the very first online banks at a time before there were any regulatory requirements for them, and generally oversaw the program. I’ve loved working in information security and privacy, simultaneously, ever since.
At first, cybersecurity was just an interesting career path. But once I got into corporate, I realized that there was more to security than coding or networking.
My corporate job introduced me to the world of security awareness and the human aspect of security that I didn’t know existed. In that instant, my entire world changed, and my career in cybersecurity was solidified.
Instead of security being reduced to lines of code or sitting at a desk for eight hours, it became about the human brain, teaching, and authentically connecting with people.
And once I started my own business and brand, I fell deeply in love with creating a movement and tribe around security awareness and education.
Now, it’s no longer about the “right career” but about the “right calling.”
It became something much more than me and my curiosity. It became an industry where I could create massive transformation and impact.
During my very first security conference back in 2007, I saw a talk on the Julie Amero case: a teacher who faced a long prison sentence because malware on her laptop had displayed adult content to a class of minors.
It taught me how security can have an impact on people’s lives and also how different people can have very different threat models.
The latter lesson I think is relevant well beyond IT security. It could help us understand society better as a whole.
Curiosity led me to a cybersecurity career. I was that one student who always had questions to ask.
Upon obtaining my Bachelor’s Degree in Information Technology, I landed a Systems Admin role, which involved lots of routing, switching, and datacenter tasks. Truly humble beginnings, indeed.
Those late-night shifts at the datacenter were the core foundation of my career, as I learned a lot.
While at this role, I attended a lunch-and-learn session that was hosted by the Infosec team. They shared information on the latest malware trends, tactics, techniques, and procedures used by threat actors.
I was so fascinated by the knowledge shared, and I asked so many questions to the point where they offered me the opportunity to shadow the team in order to learn more. It was this opportunity that deepened my interest in security.
Later on, I was offered an opportunity to join the MIT Cybersecurity program. From the knowledge I had already attained, I knew that cybersecurity would be the future, and I wanted to be part of it.
Looking back, I am glad to have embraced every opportunity presented, for “It’s better to be prepared for an opportunity and not have one than to have an opportunity and not be prepared.” – Whitney M. Young, Jr.
As part of my engineering degree, we had to experiment with integrated circuit chips and program them to do a variety of different things. It just so happens it was around that time when the first ever PlayStation was released.
In my spare time while getting my engineering degree, I researched and “hacked” the boot sequence of the machine with a “ModChip” I programmed, and I was able to play video games from different regions around the world. (Back in those days, games were on CDs and had country regional restrictions on them. Some of the best games never came to my region!)
I was one of the first with these ModChips at that time, so my friend and I started to help others on the side. This freelance job was quite thrilling and exciting!
This was my first experience with hacking and reverse engineering. It taught me how to use root cause analysis to really dig deeper in order to understand the underlying technology and reasons for why things worked (and didn’t work).
This is a fundamental skill which I have found useful in my cybersecurity career.
I would say my eureka moment came around the end of 2015 when I went back to the drawing board and took a deep look at my career path. I felt like my career had stagnated.
I wanted to specialize in cybersecurity because by that time it was one of the fastest growing fields within the technology risk space. It was clearly the center of attention for the board of directors, regulators, customers, and even investors. Instead of spreading myself thin across every aspect of technology risk, I wanted to go deep in cybersecurity.
I realized that there was a major problem in cybersecurity: a lot of the material that I was reading was very technical in nature, but it was almost impossible for me to link cybersecurity tools to strategic business goals.
I realized that the subject of cybersecurity was confined within the corridors of IT. It was supposed to be a responsibility of everyone from the front office staff to the board of directors and cybersecurity professionals themselves. That’s when I realized there was a major gap.
After months of researching and talking to other people, I realized that I needed to develop skills that would help me translate the complex side of cybersecurity into a language that was understandable by senior business leaders.
Want to learn more about how technology propelled these experts into cybersecurity? Download our eBook, “Diversity in cybersecurity: A mosaic of career possibilities,” today.
The post Technology as a Security Springboard: How These Experts Pivoted to Cybersecurity appeared first on Cisco Blogs.