Networking (The Social Kind)

I have spent the last 8 or 9 months purposefully networking. I have sent emails to people at work who are in security roles in an effort to find out more about what they did and how they got there. I’ve been pleasantly surprised that the vast majority have positively responded and agreed to meet virtually for a chat. Most people in infosec seem really happy to give guidance and encourage me to pursue my training and pivot. There have been a few gatekeepers, but I’ve learned a lot even from them. I’ve also connected with people via LinkedIn and had some email exchanges and video chats too.

For an introvert like me, it is absolutely exhausting. I don’t like putting myself out there, and I don’t have the highest level of self-confidence. I also don’t want to appear slimy or needy.

Given my relatively high rate of success in having these chats, I think I can safely give a bit of advice. Firstly, remember that you are asking for information, not a job. I have NEVER framed the conversation to be me pitching myself for a role. It was easier in the beginning, as I had no qualifications or experience and I was simply asking about pathways. As I’ve progressed through my training it’s become a bit trickier, but without experience I can still honestly present myself as a “newbie.” I ask for advice based upon what I’ve accomplished so far and where I want to be next. I ask for suggestions on entry level or “feeder” roles into the role they hold.

One strange thing I’ve noticed is it doesn’t take too long for people to become disconnected from the entry-level stage. A few years into a specialty, people tend to give suggestions for training that isn’t feasible for a newbie. If I had a penny for every time someone suggested taking the CISSP (which requires 5 years of infosec experience) I could have a nice meal out. I also hear people talking about SANS training (which is incredibly expensive) and when I mention price they’ll say something like “get your employer to pay for it.” Yeah, cos my employer will pay $10k for me to take a SANS course when I’m not currently employed in cybersecurity….

I also have been told on numerous occasions about how they (the hiring managers) are looking for enthusiasm and someone who can be trained, not necessarily the skills themselves. Several times I’ve heard “I can teach them how to use a tool,” but they need to have the soft skills and attitude. Great, does someone want to tell HR that? Because they’re the gatekeepers that won’t let my resume through without the 5 years of experience!

I’m continuing to have these conversations with people in an attempt to learn more and position myself for an entry level role. I’m quickly approaching the point where I will be actively searching for that job. One thing I seem to be struggling with a bit is striking the balance on presenting my current status. I’ve had a couple of conversations where the people I’m talking to are telling me to go learn a skill I already have or take a training that is a lower level than what I already have. It’s tricky, because I don’t want to send a resume or sell myself like I’m asking for a job, but I also don’t want to walk into these conversations with the person thinking I’m at a more junior level of learning than I am. I had a conversation with a manager who runs a SOC. It was a warm introduction from someone I had reached out to, so I didn’t get a chance to give too much background on myself before we talked. He generously offered to let me shadow an analyst in his SOC for an afternoon. I took him up on it and had a great experience. When we spoke again, we had a short chat about the day and then he proposed the next step was to have me shadow a different analyst. Gotta be honest, I was a bit disappointed as I thought I had made it clear I was feeling ready to start pursuing a job. But I thought, this could be the next step towards a role, so I happily agreed. The manager sent me a couple of links for resources that we had chatted about. So far, so good. Then the manager sent me a couple more links; one to learn Python and another for an entry-level training program. I was disheartened. The training program was a lower level than the SEC401 I did a couple of months ago. And he obviously didn’t know (but hadn’t asked) that I already had taken Python training. Although it was really nice of him to think of me and send me those links, it obviously showed that he wasn’t thinking of me as “ready” for a role, and didn’t know how much training and non-infosec experience I could bring.

I debated, but finally decided I needed to respond to him and share a bit more about my background. I replied and told him I was already comfortable with Python and that I didn’t think the entry level training would build upon what I have already taken. I said I obviously hadn’t shared my full background with him, so I attached a resume. I haven’t heard back and I may have just burned a bridge, but better to do that than let him think I’m going to continue training for months and that I’m not ready for a job now.

Last weekend I did something I never would’ve dreamed of a year ago. I went to a local security conference by myself. Unfortunately I wasn’t able to attend the whole thing, but I went on Sunday. There were a couple of talks on cloud that I was interested in, and it was a chance to network in person. I had already bought the ticket, so there was really no excuse to back out (though you better believe I thought about it.) I went in, claimed my badge and bought a t-shirt, then went to the first talk. I introduced myself to the speaker before it started (I had connected with her on LinkedIn a few months ago after the local BSides conference.) I recognized one of the volunteers as someone I had spoken to at my work, but didn’t say anything. (I had seen her at BSides in the fall but was too chicken to say anything then either.) However, she recognized me and came up to talk to me! After the talk, I made myself go talk to the 2nd presenter. We had a chat and then it was time for lunch. I made my way to the restaurant in the hotel. There was a table with several people, including the two women I knew. When I sat down at an empty table, they invited me over to sit with them! We chatted a bit. Afterward, I attended more talks. I made small talk with some people but made no real connections, and I kept praising myself for not running home or hiding. This was work for me! Finally, the last talk came. It was a cloud security talk, and I found it really interesting. At the end, the presenter asked if there were any questions, even though the talk had run late and the room was filling with people for the closing ceremony. He said “Any other questions? Does anyone want to know about how to get into cloud security?” Nobody raised their hands (and the AV guy was shutting down his laptop) so he said he’d be available outside the room afterward to talk to anyone. That was my chance! I left the room and waited in the hallway. Then the closing ceremony began, and nobody came out.

I waited around for a few minutes and realized that he was staying inside for the ceremony. I needed to get home, so I decided I’d connect with him on LinkedIn. And that’s just what I did the next day. I told him I had wanted to chat with him after the talk, but missed my opportunity. He connected with me and said he’d be happy to chat. I have a call set up with him for Tuesday. At the very least, I’m hoping to get some great advice from someone in the cloud security world on how to start my career path. There’s also a possibility that it could lead to more – maybe an introduction to someone, maybe a consideration for a role in the future, who knows? All I know is that I’m proud of myself for taking the initiative and trying to make connections with people.

So many people have told me it’s not what you know but who you know that gets you job offers. Hopefully that’s true, and if I haven’t met the one that’s going to help me, I will soon!

Two Down, One to Go!

I have completed my 2nd SANS course (SEC504), and passed the GIAC Certified Incident Handler (GCIH) certification exam! Whew! That was not easy. It was a very tool & lab-intensive course. Every section was followed by a hands-on lab utilizing a tool to demonstrate the vulnerability discussed. It was a deeper dive on PowerShell and Linux (way deeper) and using a variety of penetration testing/hacking tools. Very light on GUI applications. Very heavy on Metasploit, etc.

The certification exam was tough. There were 95 multiple-choice questions that covered everything in the text books. Then there were 11 “live lab” questions that utilized a virtual machine to have you demonstrate your hands-on ability to solve the challenge. Unlike the labs from the coursework, when you are in the test environment there is not any guidance about what tools to use, so you have to know which tool would be the best to solve the challenge, and what commands you need to run for each exploit.

No question I learned a lot from this course! Each chapter would show what hackers would attempt, and at the end there was a focus on what vulnerability management or proactive defenses you could employ to prevent or mitigate the attacks. Really good, practical guidance.

But the most important thing I learned is that this is not the part of cybersecurity that excites me. I had several classmates who were in their element. They have been building home labs for years. They participate in CTF events all the time. This is their jam! It is not mine.

Even the instructor kept hammering home the point that penetration testing is the act of constantly trying things. You try to run this tool or command, you fail. You tweak it and try again. You fail. You change it up and try again. Over and over. And over. I know people live for this, but it bored me to tears.

So now what? Well, I spent the majority of the second half of the course trying to figure out what I wanted to take for my 3rd and final course – the elective. I spoke to anyone who would speak to me. I read a ton of blogs, job descriptions, articles and watched loads of videos. All trying to see what might spark my interest and make me think “This is it!”

I had a lot of conversations with people in the industry, asking them what they did and how they got where they are. I gathered a lot of insights on that, and I’ll probably make a separate post just about those conversations. But, for now I’ll concentrate on how I was trying to line up my elective options with possible pathways. Everyone I spoke to definitely had an opinion! But less important than their opinion was the underlying issue – did I want to do what they did? You don’t really know what a role is based on title. So by speaking to people and understanding what they did, I was able to try and see if it might be something I was interested in doing myself.

Some of the conversations were surprising. Some were fascinating, and some were, quite frankly, disappointing. I managed to get time with the manager of the Vulnerability Management team at my company. Ever since I had decided that I wanted to move to cybersecurity, I had thought that was where I wanted to be. I had done some research about it, and it sounded like it might match up better with my natural strengths. I knew I wasn’t interested in Incident Response (putting out fires, working on call – the stress and unpredictability combined with lack of work/life balance did not appeal.) But VM sounded more like it was taking issues identified by others (pen testers, actual attacks, CVEs) and working to fix or mitigate them. Sounded interesting. But as the manager described how they actively pursued the issues, they did the pen testing, they did the technical deep dives to find them, I realized it wasn’t what I thought it was. It was red teaming/ethical hacker territory. Not for me after all.

Another conversation surprised me too. I reached out to a person on LinkedIn who had completed the same SANS program I’m in a couple of years ago. I wanted to talk to her about what happened when she completed the program and how she found a role. I didn’t know if I’d be interested in her job, but I did want to know how it worked out for someone who did this same program. But, I was pleasantly surprised to realize that I WAS interested in her career. She had taken the Cloud Security Essentials (SEC488) and the GIAC GCLD cert. She got a role as a junior cloud security engineer, worked there for a while and had recently taken a promotion to cloud security engineer at another company. She talked about what she did, and I was fascinated. She was also very honest and real with me – she did not get a job right away after completing the program. She had the certifications, but no experience. Doors did not swing automatically open to flood her with offers. She actually continued learning, gaining her AWS certifications. She worked on a portfolio to share on her resume to show she had hands-on experience even if it wasn’t paid. Eventually, she landed her first entry-level job. It wasn’t easy, but she did it!

I was inspired. I started reading about and researching cloud security roles. SANS lets you do a preview of some of their courses. I watched the previews for the cloud course as well as a few of the others. It didn’t take long for me to decide that the cloud course was the one for me. I did have a last-minute wobble, just as the decision was due, that maybe I should take the forensics course instead. Maybe it would be less limiting and open a few more doors. But in the end I went with my heart and signed up for SEC488.

I’m now on week #2. So far, I am loving it! It’s a little scary, setting up the AWS and Azure environments and launching the resources. I keep remembering all the horror stories I’ve read about people accidentally racking up $20k in bills in a month…. But so far, so good.

I now have several things I need to achieve to make this dream a reality. My employer offered AWS Cloud Practitioner training, so I was able to complete that (while on the clock!) this past month. Now I just need to study up and take the certification exam for that. I will definitely need to do the AWS Security Architect cert as well, probably next month. Then I think I will also need to consider the CCSK too once I’m done with my SANS training. Included in the SANS course is Cloud Wars, which is their hands-on lab work. For something outside of the class to show employers, I need to look at something like Cloud Guru to set up something for projects. There is so much to do! But at least I feel like I’m heading in the right direction. Finally.

I am certified…

The deeper I dive into cybersecurity, the more I realize I do not know. I started out thinking there were a few roles in the field and that I could align with one and make my move. But as I dug deeper, I realized just how vast the field is – there are so many areas to choose from. And each area has many sub-disciplines with many roles within. It’s HUGE! Which has made it overwhelming.

So this presents two challenges to my next move.
Challenge #1) finding my place
Challenge #2) gaining enough credibility to have someone take a chance on me for my first role

Challenge #1 is more time-consuming than anything else. I am the Queen of Research. Anyone who knows me, knows that I never make a decision without thoroughly investigating all options, weighing the pros & cons (probably creating a spreadsheet), and deciding based upon the logic. I excel at this. However, it’s a major time suck. I fall down rabbit holes looking at different roles. I read tweets and blog posts from people about their roles in cybersecurity. Then I watch YouTube videos. I check out articles online, and groups and organizations like Women in CyberSecurity (WiCyS) and Women’s Cyberjutsu, even Women Who Code and GirlGeekX. I’ve connected with people on LinkedIn, and even reached out to people at my work who are in the InfoSec teams to ask about their roles and advice on entry. It’s both exhilarating and exhausting. I’m an introvert, so the people contact is draining. But I’m learning so much and have a much clearer idea of where I want to be. The most freeing part of this research has been the realization that once you get past the velvet rope, you can move into a different area. Within the field, people move all the time. They get into a role and realize which parts of their job they love and which ones they don’t like. With that knowledge, they move into another role. It’s understood within the industry that people move around, so it’s accepted. This means that even if I choose a role and realize it’s not what I really want, I’m not trapped. That has taken a weight off because I now know the entry role will not define my career.

So on to Challenge #2. How in the heck do I get in? Returning to college for a new degree is not feasible. And I really don’t want to do that. I’m “seasoned” (read: lots of years of experience) in other roles, and everyone I have spoken to in the field says I have loads of transferable skills. That’s great – nobody has to teach me about data analytics or project management. I don’t have to be shown how to work as part of an interdisciplinary team. I already have great communication skills. I have experience writing reports and creating presentations for upper management. I’ve proven I can work independently and meet target deadlines. There are so many skills I have that someone straight out of college won’t. I’ve also spent the last couple of years learning programming languages, operating systems and networking. What I need is proof that I understand the basics of cybersecurity and someone willing to take a chance on me. In an effort to make that happen, I have been pursuing certifications.

In September, I saw that ISC2 had just released a new entry-level certificate aimed at helping get more people into InfoSec, called the Certified in Cybersecurity program. They were offering it free to qualified students for the initial launch, so I signed up. I studied the coursework (self paced) and completed the program. I then sat the certification test and passed!

I was very excited, but that was a bit short lived. The cert is so new that hardly anyone had heard of it. So it wasn’t exactly setting my resume on fire. Okay, what can I do? I then heard about a Cyber Security Bootcamp for Women being offered by the ICTTF (International Cyber Threat Task Force) – an organization that offers training to companies. Again, it was free so I applied. I was accepted and started that training in October. It lasted about a month. The training consisted of modules from their existing training programs, combined to give a high-level overview. Most of their training is aimed at CISOs and risk-management type roles, so the bulk of the training was regarding frameworks like NIST and creating security policies for organizations. It was helpful, but not quite what I had been hoping for. I completed the training and passed the test, receiving a certificate of completion.

Around this time, one of the contacts I made at work suggested that I attend the BSides conference local to us. In addition to some great talks, they also had a Career Village where you could sign up to have a resume review. I did that, and had a fabulous conversation with one of the volunteers. She said my resume was great, and if she had a role she’d hire me today! That made me feel so good. She said with my past skills and enthusiasm, I would be an excellent candidate. She encouraged me to start applying for jobs now, rather than waiting until I took more training. She also mentioned that SANS training would be the best, but since it was so expensive I should try to get hired somewhere and have my employer pay for it. I took her advice and applied for a role with my current employer. However, I was immediately rejected as they have a policy that you must be in your current role for 1 year before applying for a new role.

Shortly after that, I saw a tweet where someone was talking about free training through SANS. Really??? It must be fate. It was for the Women’s Immersion Program. It’s a 6-month program where you get to take 3 SANS courses in preparation for the GIAC certifications. All free!! I saw this about 2 days before the deadline to apply. I was hesitant – it was a 6-month commitment. It would be demanding, meaning my nights and weekends would be devoted to this program. There were also requirements to meet that I didn’t think I could. I dragged my heels for a day before showing the webpage to my husband. He was so enthusiastic. He said I had to apply! If I didn’t get it, no harm, but if I did it would change my life. So with his encouragement I went ahead and submitted my application. A day later I received the link to complete an online assessment. It was much harder than I thought it would be, a lot of questions about networking protocols, operating systems, IP addresses, and hacking tools. After that, I needed to complete the other requirements – college transcripts (really? from 20 years ago?) and letters of recommendation. That was the hardest – how do I get a recommendation? I’m not in the field. I decided to ask my manager at work and another co-worker. I had been at the company for about 9 months, so I felt weird asking, but I didn’t have anyone else to ask. Thankfully both said yes and completed the forms. Then I waited. And waited. And waited. They had not given an exact date that they would announce the results, but with the program due to start in mid-December I had expected to be notified by Thanksgiving. Nope. My husband kept telling me to email them and ask, but I kept waiting. Finally, the first week of December I decided to email. Obviously I had not been accepted, but I was annoyed they hadn’t told me. So I emailed and asked. A day later, I received an email telling me I had been accepted! Did my email jog something? Was it a coincidence? I’ll never know, but at least I was in!

The SANS program consists of 2 classes with correlating GIAC certification attempts that are set by the program, and one elective. SEC401 (Security Essentials) sets you up for the GIAC GSEC certification. SEC504 (Hacker Tools, Techniques & Incident Handling) sets you up for the GIAC GCIH (Certified Incident Handler) certification. The last course is your choice of elective (they give you 7 classes to choose from) with the correlating GIAC cert. Classes started the week before Christmas. The SEC401 course itself covers A LOT of material. It is definitely an inch deep and a mile wide. It touches everything from cybersecurity frameworks to penetration testing to Windows and Linux OS. At times it was completely overwhelming, but I made it. I took my GSEC certification exam on February 14th. I passed, and am now GSEC certified!

I am now mid-way through the SEC504 class. It is a very different class. It is mainly geared towards hacking, combined with risk mitigation and remediation techniques. It uses a ton of tools and commands, so I’m intrigued how the exam will look. It’s interesting, but it definitely has proven to me that I am not at all interested in penetration testing. I see myself more as a blue-teamer, defending and protecting.

Which leads me to my recap of where I am on Challenge #1. I still don’t have a definitive answer. I am really intrigued by threat intel and threat hunting. It aligns well to my researcher personality. I’m also interested in learning more about cloud security. There’s so much scope there, and that sounds like it would be constant learning. So, no answer yet. I’m still researching, still connecting with people to learn more about different roles. I have another month before this class is finished and I need to decide on the final elective. Stay tuned, and I’ll let you know where I go from here!

Perspective

I remember when I was a child, time seemed to move so slowly. The school year crept by. From the start of the school year until Christmas took forever. And then heading back in the New Year, spring break seemed so far away. Winter dragged on for ages.

As I got older, obviously my perspective changed some. But time definitely did not fly by. In my twenties, the seasons still seemed to drag on. I’m not quite sure when all that changed, but it definitely has. Weeks and months fly by now. Even the hot, sticky summers don’t seem to last as long as they used to and I know that the weather will soon turn cool as the leaves start to change color.

Just over one year ago I was let go from my job. My position was eliminated, and I was given my notice. I was in shock. Though I hated my job, I had felt very secure. Some months earlier (spurred on by a lackluster annual raise and lack of advancement potential) I had decided that I hated it enough to make some real changes in my life. I started to pursue options for a new career. But given the luxury of a stable (or so I thought) job, I was in no hurry and did not feel any pressure. Then I was let go. The timing was not great, as I was nowhere near prepared for a new career. I gamely tried to find an entry level developer role, but my skills were not sufficient and entry level roles are like unicorns.

So, I had to make the decision to continue pursuing a new vocation whilst looking for a new job that was the same as my old role. It was a little depressing, but I told myself it wasn’t forever. Unfortunately, it took a bit longer to get a new job than I thought it would. It knocked my confidence. And when I did finally get an offer, I was conflicted by my feelings. I didn’t really feel happy about it, but I was relieved not to be unemployed. The disappointment of the role was tempered by the fact that it was with a very large tech company. At least I would be in the industry, if in a non-technical role. Maybe I could even transition within the company once I was qualified.

I started my new role about the same time I started the full stack web development boot camp. I didn’t really think I wanted to be a web developer, but I did want the structure of a boot camp and I wanted to have the full stack experience so I understood both front and back end. While I do not regret that decision, it has not turned out quite as I had planned. Well before the boot camp was over, I knew I had no desire to work in web development. I also realized I wasn’t interested in front end development. I started to question if software development was really what I wanted after all. So I started to dabble. Knowing how to code can be beneficial to any number of roles, so maybe I should start looking at some other options. I did some research into QA and testing. I had a background in QA, so it seemed like it might be a good fit. However, I just didn’t feel passionate about it. Every time I would take some training on testing software, I just felt no enthusiasm. And I quickly realized there was so much to learn before I would be employable. With no drive to make me learn more, I drifted away from the training. Now what?

I started to look at other options for roles in tech. However, most were things that I had no interest in or didn’t feel I had an aptitude for. I had no interest in sales. Having worked in marketing, I knew that was not anything that would make me happy. Recruiting? Hard no. Product management? Meh. I had done project management for years and knew that type of work was not something that would make me fulfilled. Too much time sitting in meetings with people trying to make everyone happy.

Something that did sound interesting was cyber security. I had been intrigued by that in the past, but figured it was something I did not have the type of skills or background for – it was out of my league. I remember over a year ago when I was on a virtual job fair, there was a woman in a company’s booth who had mentioned she had a certification in cyber security. The recruiter nearly bit her hand off trying to get her to give him her details. He said they really needed people, especially women in that field. I remember thinking “lucky her!” But that felt like something that was completely foreign and unattainable. I wasn’t a “hacker” type, so that ruled that out. However, I had the chance to learn more about different types of roles in security. And it turns out, there’s a lot more to it than hackers. There are roles that need people like me who enjoy puzzles, and sifting through lots of data to find answers. There are roles that need people who are excited about the prospect of setting up rules and making sure companies are adhering to them. There are loads of roles that require technical know-how but not a desire to crack a system and steal data. So there might actually be a role for me.

A year ago, I was lost. I had no idea how things were going to pan out or how I was going to make a transition into a new vocation. And I felt a bit of panic thinking I needed to have all the answers and make it work within a couple of months. I didn’t. I still don’t. But I know all I need is time. And that time is going to fly by just as the past year did. I can’t wait to see where I go from here.