Robbi Clafton

The deeper I dive into cybersecurity, the more I realize I do not know. I started out thinking there were a few roles in the field and that I could align with one and make my move. But as I dug deeper, I realized just how vast the field is – there are so many areas to choose from. And each area has many sub-disciplines with many roles within. It’s HUGE! Which has made it overwhelming.

So this present two challenges to my next move. Challenge #1) finding my place Challenge #2) gaining enough credibility to have someone take a chance on me for my first role

Challenge #1 is more time-consuming that anything else. I am the Queen of Research. Anyone who knows me, knows that I never make a decision without thoroughly investigating all options, weighing the pros & cons (probably creating a spreadsheet), and deciding based upon the logic. I excel at this. However, it’s a major time suck. I fall down rabbit holes looking at different roles. I read tweets and blog posts from people about their roles in cybersecurity. Then I watch YouTube videos. I check out articles online. Groups and organizations like Women in CyberSecurity (WiCys) and Women’s Cyberjutsu, even Women Who Code and GirlGeekX. I’ve connected with people on LinkedIn, and even reached out to people at my work who are in the InfoSec teams to ask about their roles and advice on entry. It’s both exhilarating and exhausting. I’m an introvert, so the people contact is draining. But I’m learning so much and have a much clearer idea of where I want to be. The most freeing part of this research has been the realization that once you get past the velvet rope, you can move into a different area. Within the field, people move all the time. They get into a role and realize which parts of their job they love and which ones they don’t like. With that knowledge, they move into another role. It’s understood within the industry that people move around, so it’s accepted. This means that even if I choose a role and realize it’s not what I really want, I’m not trapped. That has taken a weight off because I now know the entry role will not define my career.

So on to Challenge #2. How in the heck do I get in? Returning to college for a new degree is not feasible. And I really don’t want to do that. I’m “seasoned” (read: lots of years of experience) in other roles, and everyone I have spoken to in the field says I have loads of transferrable skills. That’s great – nobody has to teach me about data analytics or project management. I don’t have to be shown how to work as part of an interdisciplinary team. I already have great communication skills. I have experience writing reports and creating presentations for upper management. I’ve proven I can work independently and meet target deadlines. There’s so many skills I have that someone straight out of college won’t. I’ve also spent the last couple of years learning programming languages, operating systems and networking. What I need is proof that I understand the basics of cybersecurity and someone willing to take a chance on me. In an effort to make that happen, I have been pursuing certifications.

In September, I saw that ISC2 had just released a new entry-level certificate aimed to help get more people into InfoSec called the Certified in Cybersecurity program. They were offering it free to qualified students for the initial launch, so I signed up. I studied the coursework (self paced) and completed the program. I then sat the certification test and passed!

I was very excited, but that was a bit short lived. The cert is so new, that hardly anyone had heard of it. So it wasn’t exactly setting my resume on fire. Okay, what can I do? I then heard about a Cyber Security Bootcamp for Women being offered by the ICTTF (International Cyber Threat Task Force) – an organization that offers training to companies. Again, it was free so I applied. I was accepted and started that training in October. It lasted about a month. The training consisted of modules from their existing training programs, combined to give a high-level overview. Most of their training is aimed at CISOs and risk-management type roles, so the bulk of the training was regarding frameworks like NIST and creating security policies for organizations. It was helpful, but not quite what I had been hoping for. I completed the training and passed the test, receiving a certificate of completion.

Around this time, one of the contacts I made at work suggested that I attend the BSides conference local to us. In addition to some great talks, they also had a Career Village where you could sign up to have a resume review. I did that, and had a fabulous conversation with one of the volunteers. She said my resume was great, and if she had a role she’d hire me today! That made me feel so good. She said with my past skills and enthusiasm, I would be an excellent candidate. She encouraged me to start applying for jobs now, rather than waiting until I took more training. She also mentioned that SANS training would be the best, but since it was so expensive I should try to get hired somewhere and have my employer pay for it. I took her advice and applied for a role with my current employer. However, I was immediately rejected as they have a policy that you must be in your current role for 1 year before applying for a new role.

Shortly after that, I saw a tweet where someone was talking about free training through SANS. Really??? It must be fate. It was for the Women’s Immersion Program. It’s a 6-month program where you get to take 3 SANS courses in preparation for the GIAC certifications. All free!! I saw this about 2 days before the deadline to apply. I was hesitant – it was a 6-month commitment. It would be demanding, meaning my nights and weekends would be devoted to this program. There were also requirements to meet that I didn’t think I could. I drug my heels for a day before showing the webpage to my husband. He was so enthusiastic. He said I had to apply! If I didn’t get it, no harm, but if I did it would change my life. So with his encouragement I went ahead and submitted my application. A day later I received the link to complete an online assessment. It was much harder than I thought it would be, a lot of questions about networking protocols, operating systems, IP addresses, and hacking tools. After that, I needed to complete the other requirements – college transcripts (really? from 20 years ago?) and letters of recommendation. That was the hardest – how do I get a recommendation? I’m not in the field. I decided to ask my manager at work and another co-worker. I had been at the company for about 9 months, so I felt weird asking, but I didn’t have anyone else to ask. Thankfully both said yes and completed the forms. Then I waited. And waited. And waited. They had not given an exact date that they would announce the results, but with the program due to start in mid-December I had expected to be notified by Thanksgiving. Nope. My husband kept telling me to email them and ask, but I kept waiting. Finally, the first week of December I decided to email. Obviously I had not been accepted, but I was annoyed they hadn’t told me. So I emailed and asked. A day later, I received an email telling me I had been accepted! Did my email jog something? Was it a coincidence? I’ll never know, but at least I was in!

The SANS program consists of 2 classes with correlating GIAC certification attempts that are set by the program, and one elective. SEC401 (Security Essentials) sets you up for the GIAC GSEC certification. SEC504 (Hacker Tools, Techniques & Incident Handling) sets you up for the GIAC GCIH (Certified Incident Handler) certification. The last course is your choice of elective (they give you 7 classes to choose from) with the correlating GIAC cert. Classes started the week before Christmas. The SEC401 course itself covers A LOT of material. It is definitely an inch deep and a mile wide. It touches everything from cybersecurity frameworks to penetration testing to Windows and Linux OS. At times it was completely overwhelming, but I made it. I took my GSEC certification exam on February 14th. I passed, and am now GSEC certified!

I am now mid-way through the SEC504 class. It is a very different class. It is mainly geared towards hacking, combined with risk mitigation and remediation techniques. It uses a ton of tools and commands, so I’m intrigued how the exam will look. It’s interesting, but it definitely has proven to me that I am not at all interested in penetration testing. I see myself more as a blue-teamer, defending and protecting.

Which leads me to my recap of where I am on Challenge #1. I still don’t have a definitive answer. I am really intrigued by threat intel and threat hunting. It aligns well to my researcher personality. I’m also interested in learning more about cloud security. There’s so much scope there, and that sounds like it would be constant learning. So, no answer yet. I’m still researching, still connecting with people to learn more about different roles. I have another month before this class is finished and I need to decide on the final elective. Stay tuned, and I’ll let you know where I go from here!

I remember when I was a child, time seemed to move so slowly. The school year creeped by. From the start of the school year until Christmas took forever. And then heading back in New Year, the spring break seemed so far away. Winter dragged on for ages.

As I got older, obviously my perspective changed some. But time definitely did not fly by. In my twenties, the seasons still seemed to drag on. I’m not quite sure when all that changed, but it definitely has. Weeks and months fly by now. Even the hot, sticky summers don’t seem to last as long as they used to and I know that the weather will soon turn cool as the leaves start to change color.

Just over one year ago I was let go from my job. My position was eliminated, and I was given my notice. I was in shock. Though I hated my job, I had felt very secure. Some months earlier (spurred on my a lackluster annual raise and lack of advancement potential) I had decided that I hated it enough to make some real changes in my life. I started to pursue options for a new career. But given the luxury of a stable (or so I thought) job, I was in no hurry and did not feel any pressure. Then I was let go. The timing was not great, as I was nowhere near prepared for a new career. I gamely tried to find an entry level developer role, but my skills were not sufficient and entry level roles are like unicorns.

So, I had to make the decision to continue pursuing a new vocation whilst looking for a new job that was the same as my old role. It was a little depressing, but I told myself it wasn’t forever. Unfortunately, it took a bit longer to get a new job than I thought it would. It knocked my confidence. And when I did finally get an offer, I was conflicted by my feelings. I didn’t really feel happy about it, but I was relieved not to be unemployed. The disappointment of the role was tempered by the fact that it was with a very large tech company. At least I would be in the industry, if in a non-technical role. Maybe I could even transition within the company once I was qualified.

I started my new role about the same time I started the full stack web development boot camp. I didn’t really think I wanted to be a web developer, but I did want the structure of a boot camp and I wanted to have the full stack experience so I understood both front and back end. While I do not regret that decision, it has not turned out quite as I had planned. Well before the boot camp was over, I knew I had no desire to work in web development. I also realized I wasn’t interested in front end development. I started to question if software development was really what I wanted after all. So I started to dabble. Knowing how to code can be beneficial to any number or roles, so maybe I should start looking at some other options. I did some research into QA and testing. I had a background in QA, so it seemed like it might be a good fit. However, I just didn’t feel passionate about it. Every time I would take some training on testing software, I just felt no enthusiasm. And I quickly realized there was so much to learn before I would be employable. With no drive to make me learn more, I drifted away from the training. Now what?

I started to look at other options for roles in tech. However, most were things that I had no interest in or didn’t feel I had an aptitude for. I had no interest in sales. Having worked in marketing, I knew that was not anything that would make me happy. Recruiting? Hard no. Product management? Meh. I had done project management for years and knew that type of work was not something that would make me fulfilled. Too much time sitting in meetings with people trying to make everyone happy.

Something that did sound interesting was cyber security. I had been intrigued by that in the past, but figured it was something I did not have the type of skills or background for – it was out of my league. I remember over a year ago when I was on a virtual job fair, there was a woman in a company’s booth that had mentioned she has a certification in cyber security. The recruiter nearly bit her hand off trying to get her to give him her details. He said they really needed people, especially women in that field. I remember thinking “lucky her!” But that felt like something that was completely foreign and unattainable. I wasn’t a “hacker” type, so that ruled that out. However, I had the chance to learn more about different types of roles in security. And it turns out, there’s a lot more to it than hackers. There’s roles that need people like me who enjoy puzzles, and sifting through lots of data to find answers. There’s roles that need people who are excited about the prospect of setting up rules and making sure companies are adhering to them. There’s loads of roles that require technical know-how but not a desire to crack a system and steal data. So there might actually be a role for me.

A year ago, I was lost. I had no idea how things were going to pan out or how I was going to make a transition into a new vocation. And I felt a bit of panic thinking I needed to have all the answers and make it work within a couple of months. I didn’t. I still don’t. But I know all I need is time. And that time is going to fly by just as the past year did. I can’t wait to see where I go from here.

Self taught developers have a distinct disadvantage when it comes to learning: lack of structure. Those who have taken a traditional route and gone to college to earn a Computer Science degree have a strict curriculum that they follow. It’s a clear path.

When I started into the world of tech, I had no idea what I didn’t know. I mean, I knew I didn’t know anything. But the specifics of what I needed to learn were not clear. And they won’t be for anyone. There’s so many paths, so many languages, so many niches, that it’s overwhelming. Trying to figure out what you want to study is extremely difficult, since you haven’t been exposed to a lot of these areas. I found when I first started, I thought I knew what I wanted to do but as I discovered more things it was like cracks in a windowpane, appearing and leading off in a million different directions. I quickly became overwhelmed. One day I’d think: “I’m going to specialize in SQL” then the next “I’m going to learn Python” and so on. I would read something that would send me down a rabbit hole and next thing I knew it was 4 hours later and I had bookmarked dozens of websites to return to and investigate.

I read a post on Twitter the other day that really resonated with me: don’t collect materials. Don’t bookmark a million things thinking you’re going to come back to it. Don’t think “I’ll read this later” but click on the hyperlinks to new sources to check out, then repeat. It’s a dark hole. And chances are, you won’t come back to those links anytime soon.

Some of the investigative coursework and reading I did earlier on was helpful. I purposely stepped back at one point and did some entry-level computing courses on LinkedIn learning. I did a course on object-oriented programming which was not language-specific but introduced theory. These gave me a good overview of the basics (What is the internet, how does it work?) and I would recommend anyone do that first.

But then once you get an idea of what path you want to take, map it out and stick to it. Do not get distracted by the pretty, shiny things out there that you’ll hear about on Twitter and LinkedIn or in forums. Stick to your path, learn it well. Those other things will be out there once you complete your entry level work, but trying to do everything at once will leave you exhausted and defeated. In fact, I would go as far to say that once you have decided on a path, do not even click on those Tweets that are threads of “resources for new developers” or “learning paths” – everyone has their own opinion and you can’t keep jumping from path to path if you’re going to get anywhere.

This does bring up one sticking point: how do you know which path to choose to learn? My best advice is to pay attention to what works for you when you are doing your investigative learning. Are you finding videos to be most helpful? Maybe Udemy or Coursera is best for you. Or are you more of a reader? Odin Project is awesome. Perhaps a more hands on approach works best for you. Try Scrimba.

The point is, find out your learning style and THEN find the training materials to help. Then stick with it. After the initial rush of energy to try something new, you will feel as though it’s a slog. Just stick with it. Push through and remain committed. Do not jump tracks. Deepen and refine the skills on that path before you consider moving on to something else. You do NOT want to be “jack of all trades, master of none” when it comes to tech. Companies want to hire you because you are competent in a skill they need. Even if they hire you to learn a different language on the job, the fact that you have deep knowledge with one language will make it much easier to learn the next and shows them that you have tenacity and focus.

Bottom line: choose a path, then go deep, not wide.

A few days ago, the instructor of our bootcamp told us to announce to the world we were software developers specializing in front end web development. As it turns out, that was easy for some of us but very hard for others. There’s been a few of us that took our time and tip-toed into that announcement. But I’m starting to trust the process a bit more and am gaining confidence with the public part.

Quite frankly, I don’t think anyone else really cares if I say that or not. Even if there’s someone who mocks us as code newbies who are a bit above their station, does it matter? The vast majority of people who see me or anyone else on social media say something like that will just keep reading and not really take any notice.

The instructor has repeatedly said that thought he boot camp is free, the “cost” will be that we are expected to help pull people through into tech. He says once we’ve made it, we should help 3 more people get into tech. This is something I feel very passionate about! My focus will be women like me. I would love to help more “mature” women realize their potential. I know there are so many like me who have been told “no” enough times in their lives that they believe it, and I want to help fix that. I’ve started to get more active on social media, and to comment more on some of the gatekeeping I have seen and been subjected to. I really want to call that out and be part of the change to make sure it is not normalized.

Right now my primary focus is on me making this transition to tech, but I can definitely see where I plan to make a difference in the future.