Podcasts
8th Layer Insights
Ep 22
8th Layer Insights 8.23.22
Ep 22 | 8.23.22

Finding Your Path: Mid-Career Moves into Cybersecurity

Show Notes
Transcript

Perry Carpenter: Hi. I'm Perry Carpenter, and you're listening to "8th Layer Insights." So one of the questions I get a lot is around how to get into cybersecurity. What's the onramp? I covered this a bit in Episode 4 of Season 2. That episode was titled "Bridging the Cybersecurity Skills Gap." And in general, I have received a lot of great feedback about it. But I did also get a few comments from people asking me to do a follow-up. Their observation was that most of the advice in that episode was geared towards people early in their career. And because of that, it would be great to do a part two, one that has more focus and applicability for people who are a bit older, people who may already have very well-established careers outside of cybersecurity but who are interested in exploring cybersecurity as a career path. So that's what this episode is about. And to help me explore this topic, I've invited a bunch of people. You'll hear from Tracy Maleeff, Alyssa Miller, Alethe Denis, Lisa Plaggemier, Phillip Wylie and Naomi Buckwalter. Let's dive in.

Alethe Denis: People have these very easily transferable skills that they've collected over the course of their career, and they're able to repurpose those skills within information security. 

Alyssa Miller: I see people bouncing from all sorts of different careers into cybersecurity. And honestly, within cybersecurity, we need people who've come from all sorts of different backgrounds. 

Phillip Wylie: I was competing in powerlifting my last year of high school, so my friend said, hey, you should be a pro wrestler. So I decided to pursue a pro wrestling career, wrestled for a couple years but got out of it due to getting married and needing a more stable income with benefits. 

Tracy Maleeff: I did work as a librarian for a long time, you know, 15-plus years. I read an article in Entrepreneur magazine. The title was "How to Future-Proof Your Career in 2015." 

Naomi Buckwalter: I see a lot of people not really understanding what is out there. They don't understand what they might be good at or what they might like to do. So really do your research. Really talk to people who currently do cybersecurity. 

Tracy Maleeff: When considering a future-proof career, think about all the past jobs or classes you've taken. And what element of it, what common thread really inspired you, invigorated you, made you feel whole, basically? And for me, I realized it was tech, anything tech related. 

Naomi Buckwalter: Once you know what you might want to do, then you kind of research what kind of skills or requirements and knowledge that you need in order to do that kind of role. 

Lisa Plaggemier: A little more time and thought needs to go in to job postings because we've all seen the jokes on LinkedIn about the job posting that lists so many different certifications - that you need to be 100 years old to actually have all those certs and have the experience they're looking for. 

Phillip Wylie: People would ask me, I'm 30 years old. I'm 40 years old. I'm 50 years old. Am I too old to get into the industry? 

Naomi Buckwalter: We need you, people who are thinking about moving into cybersecurity. Please come. We do need you. 

Perry Carpenter: On today's show, exploring cybersecurity as a new career path or a way to revitalize your current path. Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights" Season 3, Episode 2. I'm Perry Carpenter. 

Perry Carpenter: Welcome back. Over the past several years, I've spoken to lots of people who are interested in exploring cybersecurity as a potential career path. And a decent number of those people have been what you and I might call middle-aged. These are people who, for the most part, already have established careers but in noncybersecurity capacities. And they've been from a very wide range of noncybersecurity careers, from nursing to teaching to marketing to alarm technicians, plumbers and more. So ask yourself, what beginning piece of advice would you give to someone who is in one of these professions who is interested in exploring cybersecurity as a career goal? What encouragement, what advice, what warnings would you give? And what success stories do you know? Or if you are one of those people currently in a noncybersecurity-related career and you're hoping to make the move into cybersecurity, what perceptions do you have? What's holding you back? And what are the keys that will help you unlock whatever it is that you need to finally get your chance? 

Perry Carpenter: All of those are important questions to ask, and there is no single right answer, no silver bullet. But there are several strategies which, when used in combination, can help you move in the right direction. So as I was preparing for this episode, I remembered a conversation that I had with Alethe Denis back in Season 2, Episode 8 - that was the fun and games episode where we explored things like capture the flag games, lock picking, OSINT and more. 

Perry Carpenter: Now, Alethe came to cybersecurity late in life. She had been in marketing and had developed a fascination with social engineering while attending Def Con with her husband. It was at that conference when she stepped into the back of the social engineering village and started watching a social engineering capture the flag. After standing there for a few minutes, those few minutes turned into a few hours. Those few hours turned into the next couple of days as she was completely fascinated and felt an entire new world of life goals and career possibilities open up. During that interview with Alethe, I asked this question. 

Perry Carpenter: You talked a little bit about the fact that were in a completely different industry, completely different skill set. Somehow, it clicked that you realized that you would be good at this social engineering stuff. Describe that journey a little bit. Because it is interesting. There's been a couple other folks who've made these really big career leaps, like you and Rachel Tobac and a couple of others that I'm aware of that have changed the entire focus of their life. 

Alethe Denis: So it's kind of a weird, weird thing. Tracy, who is also InfoSec Sherpa on Twitter, she was a librarian. And she is now in information security. And I think that that is just the most crazy, amazing story to share because, you know, you have people that are coming in from so many different roles in completely different industries that you would think were never well suited for information security. And I think that what we're seeing now is that people have these very easily transferable skills that they've collected over the course of their career, which spans maybe a decade or two or three. And they're able to repurpose those skills within information security and not necessarily have to be, you know, technical geniuses when it comes to what we think of as leet hacking or pen testing and coding and development and things like that. 

Perry Carpenter: And it was this line that stuck into my mind and came forward as I was planning for this episode. 

(SOUNDBITE OF TAPE REWINDING) 

Alethe Denis: Tracy, who is also InfoSec Sherpa on Twitter, she was a librarian. And she is now in information security. And I think that that is just the most crazy, amazing story to share. 

Perry Carpenter: So I figured we'd start there. 

(SOUNDBITE OF PHONE RINGING) 

Tracy Maleeff: Hello? 

Perry Carpenter: Hey, this is Perry. Do you have time to talk? 

Tracy Maleeff: Absolutely. 

Perry Carpenter: Tracy Maleeff is a security researcher with the Krebs Stamos Group. And as Alethe mentioned, you probably know her better as the InfoSec Sherpa. I wanted to hear Tracy's story about where she was when she started her journey into cybersecurity and what kicked off the desire to move from library sciences into this entirely new career. 

Tracy Maleeff: I definitely have a non-traditional background as compared to many others in this industry. I mean, for starters, I have two undergraduate liberal arts degrees. And then I have a master's degree in library and information science, which means I did work as a librarian for a long time, you know, 15-plus years. And it was about - I guess it was about six years ago by now, I just really decided that I was restless in the library world, and there wasn't really much more upward mobility for me. And I wanted something to do about it, but I wasn't sure what to do. So just taking sad train rides, commuting in and out of Philadelphia to the suburbs, where I lived, I read an article in Entrepreneur magazine, which the title was "How to Future-Proof Your Career in 2015." 

Tracy Maleeff: And the futureproofing is what really appealed to me, because I didn't want to change careers, only to have to scramble to another one as well. So longevity was what appealed to me. The gist of it is it listed three points to consider, and one of them was, when considering a futureproof career, think about all the past jobs - or maybe if you don't have a long work record, classes 

Tracy Maleeff: you've taken and what element of it, what common thread really inspired you, invigorated you, made you feel whole, basically, you know, doing this job or taking this class. And for me, I realized it was tech, anything tech-related, anything basic from fixing the copier to - one job I had, I accidentally discovered some sort of back-channel email system... 

Perry Carpenter: Nice. 

Tracy Maleeff: ...That nobody seemed to know existed. And I realized that, but because of lack of representation of women in computer science, I really think that that just deterred me. And I don't think I'd realized that I could have a career in tech. I didn't really see anyone who looked like me. And I know that comes with a lot of privilege, as a white woman saying that, but I'm older then... 

Perry Carpenter: Yeah. 

Tracy Maleeff: ...Then some folks in this industry, and, you know, you have to understand in the late '80s, early '90s, it wasn't very common to see a lot of women in cybersecurity - or, sorry, in computers, even - not even cyber, you know, security. 

Perry Carpenter: Yeah. 

Tracy Maleeff: Wasn't really a thing yet, was it? So I dipped a toe in the tech world. I still kept my job as a librarian, started going to tech meetups - you know, conferences, classes - but it just never really gelled. Everybody I met in tech was just looking for the next Facebook idea or wanted to know if you had money to invest, and it just seemed very superficial. Or every woman that I ran into was doing front-end, like, UI type of stuff. Nobody was really doing anything significant - that I met, anyway. Let me clarify that. 

Perry Carpenter: Yeah. 

Tracy Maleeff: The people that I met. And basically it was, you know, a family friend who saw me spinning my wheels and said, let me tell you about, you know, back-end of tech and then the adjacent cybersecurity. And that really just resonated with me. And I took a course, a two-day workshop, Introduction to Cybersecurity with the Women's Society of Cyberjutsu, in 2015, that was. And next thing I know, I was approaching the CIO of the law firm where I worked, explaining that security was my quirky hobby. And that Cybersecurity Awareness Month in October, I was selected, chosen, asked to lead an awareness program, and that was pretty much it. I was off and running. 

Tracy Maleeff: And specifically what made me decide to make the full leap into a career in cybersecurity was that when I asked the CIO what else I could do security-related at the firm, his response was, well, you can do the awareness piece again next year. And I was like, oh, I can't wait a whole other year for this. So I started formulating a plan. I created a company which is still technically in existence called Sherpa Intelligence. My plan was to do freelance work using my library skills and my social media management skills to earn money while I studied and networked and just got to understand and immerse myself in this new industry. And I did that for a year and a half before I got my first full-time cybersecurity job as a SOC analyst, a security operations center analyst, for a global pharmaceutical company. And the rest is history. 

Perry Carpenter: Another interesting story that came to mind as I was preparing for this episode was from Phillip Wylie. 

Phillip Wylie: I'm Phillip Wylie. I've spent the past 10 years in the offensive security side of cybersecurity, a little over 18 years in the industry altogether. Prior to that, I worked as a sysadmin for six years. I've also been an adjunct instructor, teaching pen testing and web app pen testing at Dallas College. I'm a published author and the concept creator and co-author of "The Pentester BluePrint," which is a book on guiding people on how to become a penetration tester. 

Perry Carpenter: Tell us a little bit of your backstory. How did you get into security? 

Phillip Wylie: Yeah, how I got into security was through being a sysadmin when I first - years ago I was an AutoCAD drafter, and I got interested in IT 'cause prior to that I had no exposure to IT. And I got interested in that, found out that I had more of a knack for IT, and I moved into being a sysadmin. And through being a sysadmin, I found out about security 'cause when I got started in '97, although information security was around, it just wasn't that common of a role. So I was in that area for about six, 6 1/2 years, and I'd kind of learned of information security the last couple of years that I was in a sysadmin role. 

Perry Carpenter: And then prior to that, were you doing some wrestling or something like that that I read about? 

Phillip Wylie: Yes. Whenever I graduated high school, I had no idea what I'd want to to do for a career. I'd graduate high school. There's no doubt that I was going to do that, but I just really didn't take it serious enough. My grade-point average wasn't high enough for one of the local universities in my hometown. I would have had to go back and take the college entrance exams over to get a higher score. Either that or get eight letters of recommendation from my high school teachers. And so I really wasn't interested in that. And so my friends kind of told me, hey, you should be a pro wrestler because I started lifting weights back before high school and I was competing in powerlifting my last year of high school. So my friend said, hey, you should be a pro wrestler. So I decided to pursue a pro wrestling career, spent a little time in a couple different wrestling schools and then got started and wrestled for a couple years but got out of it due to getting married and needing a more stable income with benefits. One of the things I did learn marketing wise was to share my wrestling past, and also during that past, I wrestled a bear. 

Perry Carpenter: Wow. 

Phillip Wylie: And so these are things I share, especially for those people wanting to get into the industry because I sit there and, you know, paint them a picture, say, hey, you know, I was just out of high school. I was this meathead powerlifter pro wrestler. And if I'm able to start a career in information security, then you can too if you want to. So I use it for motivation and brand awareness because once I show people the picture of me wrestling a bear, they usually don't forget who I am. 

Perry Carpenter: I can imagine. 

Perry Carpenter: Welcome back. So before the break, we heard from three people who made complete career shifts into cybersecurity. Alethe transitioned from marketing and is now a full-time social engineer and security assessor. Phillip transitioned from wrestling to computer-aided design, then into system administration and ultimately into the technical side of cyber. And you also heard from Tracy, who moved from library science and being a librarian for over 15 years. The key was focusing on their passion for cybersecurity as a subject, leveraging the transferable skills that they had and then acquiring new skills as needed. Let's now hear from another person who moved into cybersecurity later in life. Meet Lisa Plaggemier. 

Lisa Plaggemier: I'm Lisa Plaggemier, the executive director of the National Cybersecurity Alliance. 

Perry Carpenter: You switched into security a little bit later in life. I'd like to... 

Lisa Plaggemier: Oh, yeah. 

Perry Carpenter: ...Kind of understand your path into security and then use that as kind of an example on what may or may not work in today's environment for others that want to do the same. 

Lisa Plaggemier: Yeah, I mean, I started out as a marketing and sales bozo. I started out wholesaling vehicle inventory to car dealers. Ford gave me a map of eastern North Carolina and said, go get them. And car dealers will eat you alive if you let them. Then I worked on, like, lemon law buybacks and warranty claims and things like that with dealers. And I honestly think that's where I learned not to trust anybody. That was where I learned how to have a healthy suspicion. If - you know, I mean, there's gray-area situations where there might be something that it's gray on whether or not it should be a warranty claim - right? - and it should be paid for by Ford Motor Company. Or should this be - was this an unskilled technician and the dealer didn't follow the book with the repair, and it cost the dealer more time or more parts than it should have? You know, should Ford Motor Company pay for that? Should that come out of the dealer's pocket? You have these grey-area situations that a dealer will bring you all day long just because they need eyeballs on them, right? 

Perry Carpenter: Right. 

Lisa Plaggemier: And so to be 22 years old, right out of school, I had 16 weeks of a rigorous training program that included engine and transmission training. And after that, you were on your own. And, you know, these are very shrewd businesspeople. And you're right out of school trying to make a judgment call and do the right thing with the company's resources. And some of them have better business ethics than others. And so I think, honestly, that's where I learned, like, just to, yeah, always be skeptical. And that paid off later in life when I got bit by the security bug. So I was doing marketing and merchandising for Ford in strange corners of the world - Africa and the Middle East and Eastern Europe. 

Lisa Plaggemier: And then I went to work for an automotive technology company that had half a billion consumer records. And that's when I got approached by the security team to do thought leadership on cybersecurity issues when the Jeep hack happened that year around Black Hat time. And a few manufacturers had data breaches. And so that's when I started working with the security team. And that was it. Then there was no looking back after that. I was bought in. 

Perry Carpenter: So for people that are a little bit older, that have not traditionally been cybersecurity professionals, like, if I've set my career for the past 15, 20 years selling X widget and now I decide that I want to get into cybersecurity, what's my chance and what's my path? 

Lisa Plaggemier: I think you have to be willing to figure out how your skills are transferable. Or, like I did, I went from marketing to security awareness to risk and then back into marketing but at a more advanced position and in the vendor space, right? 

Perry Carpenter: Right. 

Lisa Plaggemier: You and I both went to the dark side at some point and went to work for a vendor. So I think you just have to be willing to pivot here and there. 

Perry Carpenter: Right. 

Lisa Plaggemier: And that can just be hard for some people. There's a comfort level you have staying at the same place for a little while, and it can feel more secure. And sometimes you have to force yourself to be a little uncomfortable here and there and make some changes. 

Perry Carpenter: So over and over again, our guests keep coming back to the point that it's important to understand what your leverageable skillset is or might be. And that's super-important to keep in mind because if you're in marketing, guess what? Security vendors need marketing professionals. Or if you don't want to work for a vendor, you might be able to leverage your marketing and communication skills to move into a security awareness role or even a social engineering role. If you are technically skilled, then there might be an immediate fit across a wide variety of technical roles in security. Or even if you're a project manager, guess what? Security teams, security projects - they all need good project managers. 

Perry Carpenter: But what if just moving your current skillset into the security equivalent isn't what you're hoping to do? What if you're hoping to do a completely different cybersecurity-related job? Well, my advice would be to move into that position where you can leverage your current skillset in a cybersecurity context. And then what that does is it gives you the opportunity to work in a cybersecurity environment and learn more about the field. And at that point, you can use that new knowledge that you're gaining as your next pivot point. And many employers will help you level up your skills in those other areas so that you can grow into the position that you actually want to have, that dream job that you're hoping for. So in addition to leveraging your current skillset as a pivot point and then being dedicated to learn and upskill in areas where you don't yet have what you need, there are a couple other things that can help - mentorship and networking. 

Naomi Buckwalter: We need you. People who are thinking about moving into cybersecurity, please come. We do need you. 

Perry Carpenter: That new voice that you just heard is Naomi Buckwalter. Naomi is a director of product security at Contrast Security. She's also a very prominent cybersecurity personality on LinkedIn. She has a passion for helping new people enter the field and also helping hiring managers and recruiters understand how to better identify, cultivate and support new talent. 

Naomi Buckwalter: I see a lot of people not really understanding what is out there. They don't understand what they might be good at or what they might like to do. So really do your research. Really talk to people who currently do cybersecurity and ask them what their day to day is like. You know, maybe ask to shadow them for a little bit. Hey; tell me about your day. And just talk to people and try to understand what their day to day is because then you're armed with information on what you might want to do in cybersecurity. So once you know what you might want to do, then you kind of research what kind of skills or requirements and knowledge that you need in order to do that kind of role. And then what you want to do is really level up your knowledge and get to understand how things work and why things work a certain way. And you might think, Perry, that's a contradiction that, you know, you can't have work experience and knowledge. Like, it doesn't - like, you can't have the knowledge without the work experience, right? I will say you could actually get the book knowledge and then find ways to apply it. You don't need the full-time work experience to do that. 

Naomi Buckwalter: And here is very simply why. It's because security is everyone's responsibility. Everyone's doing security already. So what you do is in your current job, if you're a career changer, you take a look at the security things that you do. And I promise you they're there. You're doing good basic security hygiene. You're using unique passwords for all your different websites and all your different accounts. You're using a password manager. You've got UFA turned on. You're using a VPN. You're doing security things. You might just not recognize it. So start thinking about the things that you do, and list some down. If you work with a security team at all, those are things that you want to highlight on your resume. You say, hey; I help the security team with this. I do security activities during this process. I do this for my job every single day, and I'm used to working with security products. Like, those are the things you want to highlight on your resume if you are a career changer looking to move into security. That way, you're not a completely blank slate, which won't help you because let me tell you, resumes are, like - what? You spend 10, 15 seconds - you get 30 seconds to make an impression or something like that, and... 

Perry Carpenter: Yeah. 

Naomi Buckwalter: ...There you go - back into the pile. So you want to stand out right away. You want to try to get that interview right away. Tell all the truth that you can. You say, these are the security things that I do in my current job - right? - because security's everyone's responsibility. 

Phillip Wylie: It doesn't matter where you are in your career. People that are absolute beginners or people that are trying to get in the industry or just broke into the industry - there's a lot of valuable knowledge you can share because you take someone that's been in the industry a long time. It's been a while since they broke in. Unless they're doing a lot of mentoring, they may not understand some of the caveats of trying to get in the industry, some of the resources that someone is newer may know. So don't ever discount your amount of experience. If you're only a month into your career, you're a month ahead of someone else. So make sure - you know, it's a good way to share. It's, you know, a good feeling to help others. And if you believe in karma, it's like, you do these things. You help other people. It seems like a lot of more positive things come your way, and I've experienced that from the things I've done. I've got job opportunities and all sorts of other opportunities from, you know, creating content with a focus on trying to help other people. 

Perry Carpenter: As I was preparing for this episode, there were a number of people that I wanted to speak to, and you've been hearing from them. One of those people was also Alyssa Miller, who is our next guest. And I wanted to hear from her because she's so great at online networking and engaging people in conversation, which I think is super, super important. As I reached out to her, I also found out that she just released a new book called The Cybersecurity Career Guide, and it covers exactly the things that we're talking about on this show today. So for this last few minutes before we cap off, I want to have Alyssa come in and tell us a little bit more about the book. 

Alyssa Miller: My name is Alyssa Miller. I'm a hacker, cybersecurity researcher and a cybersecurity executive. 

Perry Carpenter: What was the story behind the book? What made you decide to do that? Walk through some of the major content points that you wanted to make sure to cover. 

Alyssa Miller: Sure. We've had all this conversation about the supposed cybersecurity skills gap. And I was looking at that and seeing all the stories that were saying, oh, my goodness, we're going to have 3 million open cybersecurity jobs. Oh, my goodness, there's all these cybersecurity jobs we can't fill. Hey, people don't have enough cybersecurity skills. And then on the other hand, I'm talking to all these people who want to start careers in cybersecurity. They're coming out of, you know, university programs. They're in other technology roles. Or sometimes they're just in completely unrelated fields, but they have a real desire to do this. And, you know, there's a certain dissonance there. Like, how can you tell me we have a skill shortage when there's all these people who want jobs that you're not hiring? 

Alyssa Miller: And so that's why I started doing some research on it. And I did a TEDx Talk on this not too long ago. And that's what I - I said in there, like, my initial thought was, as I did this research, that I was going to figure out what job seekers were doing wrong, and I was going to help them fix it. When I started figuring out was what you said at the very beginning - most of our problems are self-inflicted. Our cybersecurity workforce model - well, first of all, it doesn't really even exist. But the way we approach hiring in cybersecurity is really flawed. And so then the book idea came up, and it was really my chance to reach out to people who are trying to start a career in cybersecurity, use all that research that I did and help them overcome some of those problems that exist in cybersecurity hiring. And that was really the goal of the book, was to give people a comprehensive guide on how to get your career started and then how to position it for long-term success. 

Perry Carpenter: OK, so describe the structure of the book. As I look at it, it looks very, very intentionally set up like - well, like it's titled, a guide. 

Alyssa Miller: It's nine chapters broken into three parts. The first part is really just describing the industry and the challenges. What are all the various roles in cybersecurity? That was a big thing that was really important to me in writing this book, was that, you know, I went out, and I looked at other books that were available on cybersecurity careers, and what you see is that a lot of the books out there are really focused on two things. Either they're focused on a very specific role - in most cases, being a pen tester. Or they're very focused on - here's the technical skills you need to get into cybersecurity. And that's it. So my goal was to really create a guide that was more encompassing, more comprehensive, focused much, much less on technical skills - in fact, not at all, quite bluntly. It's really introducing the industry, helping people understand - here's all the roles. And by the way, those roles include things like GRC and sales and other - those are all security-related roles, too, that are part of the cybersecurity industry. 

Alyssa Miller: And so I wanted people to see that and then, you know, really define that for them, define - here's the history. Here's where cybersecurity even came from. Is it even an industry? What should it be? And then help them understand the breadth of it and then some of the problems that I found in my research. So that's all in that first section that - the first three chapters. The next three is really about self-discovery and, you know, kind of getting that job. So Chapter 4, there's actual exercises for people to figure out what it is that they want to do in cybersecurity because it is so broad, and there's so many different options. 

Alyssa Miller: Probably the most frustrating thing to me as, you know, a mentor to others is when people ask me if I can help them learn about cybersecurity and I ask them what they're interested in. Well, all of it. I want to learn it all. And it's like - it's frustrating because how do I redirect that? And so I have to kind of get people to think about, OK, how do you figure out what you're actually interested in? And so that's a part of that. How to overcome the obstacles in the hiring process. How to recognize problems in job descriptions. How to overcome those. How to figure out what you're qualified for and what you're not. How to structure your resume - things like that. And then even how to handle the interview and even the offer negotiation. So all the way through that, that's section - that's the second part. 

Alyssa Miller: And then the third part is really long-term success. So we talk about how to position yourself, networking, mentorship - all those things. How to leverage those in your career. How to overcome things like imposter syndrome. And then really, have your own personal career plan for where you're headed, setting goals that are realistic and then how to pivot even, because one of the great things in cybersecurity - and this is a theme throughout the blog - is once you get here, you can pivot anywhere in cybersecurity. You're not locked in. So if you do all this, the self-analysis that I tell them to do and they find a, you know, a direction they're going to go and they get a job and then they find out two years later that, yeah, that's not really the thing you want to do or they don't want to do it anymore, well, great. Now you're in and you can pivot really easy into one of these other roles. 

Perry Carpenter: Do you think - because I know you talked earlier on - in section two of this that you're saying, all right, it's time to figure out which piece of cybersecurity you really want to tackle, that seems like an argument against generalism. But at the same time, some of generalism is what allows you to pivot, right? So how do you balance that? 

Alyssa Miller: Yeah, I don't think it's an argument against generalism necessarily, because, yeah, there are a lot of rules in cybersecurity that require more of a general knowledge set. It's more identifying, is that the kind of role that you're interested in? Some people will look at the news around cybersecurity and they'll hear about people who are doing threat intel work, and that sounds really interesting to them because they like that investigation thing, right? Or, you know, they might like the challenge of responding in a fast-paced environment to lots of things that are coming at them at once. So maybe they're better suited for a SOC environment. Or maybe they do truly like the idea of pen testing where you're breaking things down and deconstructing it and trying to figure out how to manipulate things. Or maybe they like doing that with people, so they're better suited for social engineering. 

Alyssa Miller: But there's also those ones where maybe what they like doing is looking at the holistic program of an organization and trying to understand how that organization can be better. Maybe they like looking at, you know, a problem set across a particular group and trying to solution for that. And so, yeah, it's definitely not specific to saying, hey, you know, yes, you should be a social engineer. This is not like those weird tests that we took in grade school and high school. It's always, you should be a doctor, you should be a nurse, you should be a construction worker. No, it's not that. It's really understanding yourself. And that's the difference. Nothing in those exercises that I give anyone is going to say, you answered this, therefore you should be this. It's not that style. It's, here, use this exercise to really analyze what you're interested in. Now here's how you connect those interests to roles that fit in cybersecurity. 

Perry Carpenter: Well, it looks like we're about out of time for today's show. I'm going to give Tracy Maleeff the last word, and then I'll be back to wrap up with a few closing thoughts. 

Tracy Maleeff: I always say networking is crucial. The other thing I'm going to mention strongly is be aware of the news. Be able to explain the news story in the most simplest of terms, not condescending terms, just the most simplistic of terms. And you might be thinking, well, why is that important? Well, one, it'll help you explain to your family who may inevitably ask you. But also, you may find yourself speaking to a board of directors or a CFO who is the one who stands between you and approving your security budget. 

Perry Carpenter: The world of cybersecurity can seem intimidating and impenetrable to people on the outside wanting to get in. But I hope hearing these stories from people who made mid-career transitions was encouraging. And I also hope that if you are an aspiring cybersecurity professional, you'll benefit from the stories and the advice offered. And for those of us already in the career, I think we need to challenge ourselves. We need to challenge ourselves to be more welcoming and encouraging to those who are interested. I mean, we've all been talking about the cyber skills shortage for years. Let's each do our part to help someone come in so that we can begin closing that gap by lifting others up. 

Perry Carpenter: And with that, thanks so much for listening. And thank you to my guests - Tracy Maleeff, Alyssa Miller, Alethe Denis, Lisa Plaggemier, Phillip Wylie and Naomi Buckwalter. As usual, you can check the show notes for all the relevant links and references to the topics that we covered today, our guests' social media accounts and everything related to them. 

Perry Carpenter: If you've been enjoying "8th Layer Insights" and you want to know how you can help make the show successful, I've got an easy ask for you. Just tell a friend to listen. Seriously, that would be an amazing help for me as I continue to build the "8th Layer" audience and community. So if you would, recommend the show to at least one person this week, or maybe even just take your cellphone out right now and send them a message. And, of course, if you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. If you want to connect with me, feel free to do so. You'll find my contact information at the very bottom of the show notes for this episode. 

Perry Carpenter: The show was written, recorded, sound designed and edited by me, Perry Carpenter. Artwork for "8th Layer Insights" is designed by Chris Machowski at ransomwear.net - that's W-E-A-R - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter, signing off.

8th Layer Insights
Podcast Info
HOST(S):
Perry Carpenter
Perry Carpenter currently serves as Chief Evangelist and Strategy Officer for KnowBe4, the world's most popular security awareness and simulated phishing platform. He's an award-winning author, security researcher, and behavior science enthusiast. Previously, Perry led security awareness, security culture management, and anti-phishing behavior management research at Gartner, in addition to covering areas of IAM strategy, CISO Program Management mentoring, and Technology Service Provider success strategies.
Schedule: Tuesdays (biweekly)
Creator: Perry Carpenter
ADVERTISEMENT
KnowBe4
KnowBe4

What really makes a “strong” password? And why are your end-users tortured with them in the first place? How do hackers crack your passwords with ease? And what can/should you do about your authentication methods? Password complexity, length, and rotation requirements are the bane of your end-user experience and literally the cause of thousands of data breaches. But it doesn't have to be that way! Join Roger Grimes, KnowBe4's Data-Driven Defense Evangelist, for a live webinar to find out what your password policy should be and learn about the common mistakes organizations make when creating password policy. Register today.