
man you're good with computers do you do this for work touched a couple mags in my life computers so who here is starting out in cybersecurity raise your hand I want to see ok awesome cool alright well I'm going to I purposely made my talk so it wouldn't go too long because what I'd like to do is after I I give my presentation we'll have some Q&A time and I can help you with figuring out what branch of cybersecurity might be good for you but this is recorded so if you would rather do this more one-on-one I will be after my Linux talk which ends at 3:00 I let three o'clock I'll be wherever my
Linux talk is so you can meet up with me there as well and we can talk about it to my notes aren't actually super oh there it is it's on to things now yes so now let's try oh that is sort of let me see I think at this point I just have to show my notes there we go okay my notes aren't very long it's just I forget things okay so my talk is starting a career in cyber security which path should you pursue so this is something that a lot of people struggle with because there are so many different branches to go into how do you know what to go into there's a lot of information on red team you can
find a lot of information on red team but blue team is so broad that there really is not like a blue team you know way to go so hopefully I can help you with this let me tell you about myself so this is the only picture I had with me with my speaker badge from last time I was at BSides San Antonio so I know it's a weird picture but um that's what we're getting so I actually as you can see I did a lot with my career in eight years I started studying cybersecurity in 2011 I definitely did a little bit of job hopping but we'll talk about that and the reason why there is a reason yeah
let's see so that's five different jobs so I started in 2011 I have kind of been into phone phreaking if you all are familiar with that since about 2002 or so so is that my Mac oh all right we'll find out if that's a problem later so I have known about 2600 but I never actually went because honestly I was scared to go finally in 2011 a you know enough people harassed me about going I was like alright fine I'll go to 2600 and yeah it was exactly as I expected like all dudes drinking beer and it was like oh I fit in here and there's actually a speaker here today that I can credit for
for me actually being in cybersecurity his name is Tim Shelton he's the first person that walked up to me and said hey come join us you know it's let me introduce you to everyone he introduced me to everybody he set me up with an account on on a Linux server he had I mean right then and there I had you know access to the same the same IRC server as everyone else there so I think that's really important is you know understanding that people people even if you're new to cybersecurity there's always gonna be someone newer so no matter what you know bring people in and give them resources and help them out because they're they're probably
thinking they're probably just as nervous as you are when when you first walk up to a group for the first time or first went to a conference so I started with tech support and self-studying and tech support is really good to start out with because you learn all about the troubleshooting process which I think is very important in tech you also learn about metrics and how to play the metrics that can be important as well so I was one of the top tech support agents consistently so I started self studying cyber security and Linux well I guess I'm done no I don't know why that's two bullet points I'm sorry but I was so studying cyber security and Linux then I
got a job as a network security analyst which is a level one type position where you're basically watching alerts so I was watching alerts on the network and sending emails to the client if you know if something looked weird then I started a hackerspace and I that's when I started public speaking I think this was pretty important the public speaking aspect I'm not really a public speaker believe it or not I mean technically I am now but it's not something I sought out to do but sharing information in public speaking and volunteering at conferences really put me in into into the same room as a lot of people that that I'm sure it led to
many opportunities for me so then I became a security engineer infrastructure focused on infrastructure for a large cloud provider and this was great because I could do some hands-on work I really suggest if you see an opportunity where you can do a lot of hands-on work that's the best teacher that that taught me more than any books that I ever picked up this is where I really fell in love with blue team so at this point I didn't know if I was going to do red team or blue team I had no idea so at this point I learned that I really love infrastructure I love Linux and I I just love configuring and tuning
and all that sort of you know stuff and so that that was a good opportunity for me and from that I went into vulnerability management for the same company the same thing happened I was like wow I'm actually kind of good at this and the funny thing is the reason I the reason they put me in vulnerability management is they said it had nothing to do with technical skills it was that oh you'll be really good with getting people to fix things and you can take a few guesses as to why they thought I would be good with people but I I ended up enjoying the technical aspects of it and so I went into that then I did a
little bit of I had two other jobs which were both engineering and now I do vulnerability management and other things at Hurricane Labs which is a managed service provider we but they we mostly do like managed services for Splunk but we also have managed services for vulnerability management and we do some pen testing and other stuff and other things the reason I say that is because they are always giving me an opportunity to do other things so then we like hey we're working on this can you help us with it I'll be like oh yeah sure so that's my background I I'll explain later why I moved around because that's actually very important so you might you might be wondering okay
well that's great thanks for sharing your career what am I going to do okay well you have red team yeah blue team and your purple team I'm sure everyone here has probably heard of that so far red team is offense blue team is defense and purple team is a combination of both or it involves the teams the red and blue teams working together so you're gonna find this term purple team spoken about a variety of different roles and I haven't heard any crazy debates about it but I'm guessing people have been debating and arguing about what is purple team just knowing InfoSec so I'm sure you can get into some crazy crazy debates about that if you want
so at this point if you're not sure where to go what I suggest is read as many books and blogs as you can on the topic if you're not much of a reader like I can't really focus with reading as easily I'm more of a talk kind of person I learned from talks um so I'd suggest going on YouTube and looking up DEF CON talks of course BSides talks try to get like a variety because because I'll tell you when I started out I didn't understand half the words that they were saying I didn't and I would look at talks titles I'd look at the titles me like I don't know I don't know if I'm gonna like this and yeah maybe I
didn't understand half of it but that gave me a jumping point to say okay well there's this one little piece out of this forty minutes that I watched that I found fascinating so I'm gonna go study that and you know you might see talks that you really aren't interested in but then that tells you okay I am NOT going to go into that part of InfoSec I'm gonna stay away from it so find out you know what interests you from watching talks reading books but also talk to people about their jobs this gave me a really good idea of what I should expect from from job interviews from employers because I would hear stories about
people at work and they're working in the field and so then I would kind of understand you know this is you know expected and this is not expected or you know be really cool if I could get this benefit I'm gonna ask about that because that guy got a really cool training budget and that sounds awesome there's things that I didn't know we're available I didn't know people got paid to go to conferences I had no idea there are companies that will pay you to speak at conferences so talk to people about their jobs and kind of get to know get to know what is I guess standard or what's really cool that you might want to look for now
now we're gonna get into red team and blue team so I'm sure a lot of you familiar with red team because it's a very hot topic at conferences you might like red team if you're strategic like you enjoy breaking the rules and getting away with it and finding new ways to break the rules that's always fun because the first way doesn't always work sometimes you have to get a little creative you're decent at communication now this is pretty important because you could go you could you could have a pentesting engagement or contract or whatever you call it and you can pen test all the things and you can break into everything but if you can't write a good report doesn't matter
it doesn't matter at all you need to be able to write detailed reports take notes as you go along and I would suggest doing this while you're practicing as well even though you're not going to be writing a pen test report and turning it in if you're studying red team stuff and you're doing you know an exercise like with I don't know it like with Hack The Box or something like that write through all of your steps and so that way you get kind of used to documenting so that's a skill that a lot of people have to learn that's not really like a natural thing usually so start practicing if you're curious I would say curiosity in general
is good for either blue or red but if you like to know about all the different tools techniques and attacks and different ways of breaking into stuff this would be great for you you'll never be bored and also this is I would say knowing scripting and/or programming is more important on red team than blue team blue team you can get away with it I don't I don't code I barely code if you look at my GitHub you'll understand I barely code if I was in red team I might have to write you know scripts or I might have to do things that would make pentesting easier for me and I would have to learn how to
automate certain tasks and do certain things quicker because you know you you're on a time line so that's what I would that's what I would recommend thinking about if you're going to be on on red team definitely try to pick up something like Python or for even like a web application language like JavaScript that would be that would be fine as well now blue team this is my team I'm on the blue team you might like blue team if you like to learn about security infrastructure and how to configure and optimize so if you love getting into servers and making them work at their best I suggest security infrastructure for you and if you like setting things up
installing things find some tutorials like find out how to set up you know something like MySQL and then move on to like finding out how to set up something like Snort and just look for these tutorials that give you step-by-step guides and learn how to set up and then go in there and see what you can do to configure and optimize it if you enjoy planning for a variety of scenarios that's that's a great blue team quality to have so I personally am a planner I plan everything and that doesn't mean that I'm always on time I did make it here right on time but but I love planning so for me planning for certain attacks or certain
events to happen because it's not all about attacks on security infrastructure one of the I forgot the word for it in Security+ you'll learn confidentiality integrity and availability and availability means that the information is available it's online it's there if it's not available doesn't matter how secure it is nobody can use it so if you enjoy planning for a variety of different circumstances blue team would be great for you and have an interest in building systems and networks I love building I love building stuff so if you're into that that's good as well if you like analyzing techniques and tools used by attackers in order to prevent and/or detect malicious activity so that's kind of the flip side of
red team you're doing the exact opposite you're learning about what they're doing to try to get in and how to prevent it so you're learning like how to write rules how to tune how to detect stuff like that that's always fun for me and I think it kind of has to do with the fact that I started out as a network security analyst but I love network security so what are some things that you can do so if you like red team there's exploit writing which I'm actually not too familiar with but I know that it has to be essential for red team network pentesting and there's also social engineering and physical pen testing this is a skill that people have
that they don't really realize so if you've ever tried to get into something that you weren't supposed to be in that's that's either and it could be both social engineering or physical pen testing like when I was a kid I loved exploring and sometimes breaking into things so I remember when when I was ages 10 to 13 we moved overseas we moved to Indonesia and we got to stay for the first few months in this huge hotel and it had two towers and we lived like at the top it had like a nice apartment up there and they had like several buildings scattered throughout the area and I would just look I would go into
every building that was unlocked and I found all sorts of stuff and it was cool and then I would get on the roof and one time my mom caught me on the roof and she was like don't you ever do that again so a few days later I did it again and it was funny because I got up on the roof and I looked down and there was my mom right below me and so I like ducked down and she never caught me and she still doesn't know unless she views this video but stuff like that if you love doing that as a kid you'd be great at physical pentesting and there's also OSINT open-source intelligence so for
the ladies in the room and non-binary people this is probably something we're really good at because I know at least for me I have to find out everything about my date before I go out with him I have all the information I know everything my boyfriend is here I knew his entire career before he even said it to me but I pretended like I didn't know it's like oh that's cool that's a skill that I know a lot of us have just for safety reasons right know me a blue team I talked a lot about blue team because I love blue team infrastructure like I was saying building systems protecting systems there's Incident Response so if
you're one of those people that likes planning and likes carrying out plans incident response is great as soon as the breach happens or as soon as something a big event happens it's your responsibility or even small events it's your responsibility it becomes your responsibility to handle the whole situation so that can be really fun there's malware analysis compliance and what I do vulnerability management I scan things and I tell people to fix them so that's something that's something that if you're really interested in vulnerability management I can talk to you at length about that so there's other things you can do too so InfoSec is not all about being super super technical or super in the weeds
there's a lot of other jobs that really require security journalism being one of them there's there's a good market in having security knowledge as a journalist there's a lot of issues around privacy and around new technology something that I think about a lot is how new technology affects us and the things the unforeseen things that we we didn't understand at the time you know like you're like these privacy issues that come up with the Internet of Things devices that we have that would be a really good thing to be knowledgeable about in journalism you know and they started putting electricity in homes they didn't even know that they had to insulate the wires so things were catching fire yes
the technology has always been really important to you know report on and and investigate and figure out even new technology is not perfect or especially new technology digital forensics this is a really fun one this is where they give you a computer and they say find the evidence or find the clues or find out you know we're looking to see looking to get as much information as we can out of this computer when you delete something it isn't necessarily deleted so digital forensics is fun to go into if you like those detective shows where you have to find out who did it a developer of security software or a developer with a focus on secure coding
this is really important a lot of the vulnerabilities in web applications are really really old the new ones they don't really get you as much as the really old ones because the new ones you know the attackers are also getting to know the new vulnerabilities but the older vulnerabilities like sequel injection or SQL injection that's one that's been around for a while there's a lot of info on that one so anybody could almost anybody could do it so having a focus on secure coding is pretty important open source contributions if you're really interested in open source there's a lot on GitHub that you can contribute to and I would suggest Hacktoberfest which is every October on GitHub
they have this this thing where you do five pull requests and you get a t-shirt but the cool thing is everybody is on alert that hey during October there's going to be a bunch of new people doing PRs so it's a lot easier to search and find them security awareness training this can be pretty fun this is one where you have to like public speaking though so I'm not sure I could do it I love being here and speaking but you would be speaking a lot and then there's cyber security law which if you're if you're into law that would be a great field to get into as well because there's not a whole lot of cyber security lawyers
that's the specialization there's even cybersecurity insurance which some people you know I I didn't put it on the slide because I'm not really sure about cybersecurity insurance to be honest okay so so this is where I'm gonna go into why I changed jobs so much so I already talked about share your experiences as you learn oh I didn't talk about that okay so I was saying if you're doing red team work you can start documenting but even if you're doing blue team work you can document and share your knowledge and what's great about this the talk actually did in San Antonio was about how to set up the MHN which is a honeypot network
type thing and I'll be honest when I submitted that talk I knew nothing about it so the person I was co-presenting with was you know helped me a lot on learning that and so then I wrote a blog post about it because I knew about it at that point and so I you know what actually it was the DFW BSides that I did first so I didn't know anything about it then but I did know when I came to San Antonio to do it minor correction there anyway I wrote a blog post on it and it's one of my most viewed blog posts on Medium because people are always looking for information and I get DMs about honeypots
you know on Twitter so I have I have become the expert even though it's not really totally my thing in a way I have become an expert on the topic so as you are learning share your knowledge you become the expert ask for help because everyone started where you did and most people want to help the way I feel about it is if somebody thinks that I asked a stupid question I'm just never going to ask them a question again like that tells me more about them than it does reflect it doesn't reflect on me as much as it does on them so don't be afraid to ask questions if they treat you like you don't know anything don't
ever talk to them again you're saving yourself a lot of energy don't let your career get stagnant and seek opportunities that provides important to help you grow so this is why I change jobs so much in two of the cases it was clear discrimination in one of the cases my manager was just weird weird he he was talking about my project behind my back and telling me that telling other people that it was terrible and then people would come to me and be like but you're doing a great job I don't know why he's saying that and I'm like he's saying what so here's the thing if you notice that you're not getting opportunities it's okay to job hop
it's absolutely okay because the first time I did it I went from making $30,000 to $65,000 that's one job change and the reason is because they didn't give me a raise and they gave all the guys raises which I found out by accident my they were talking about their raises I was like what raises oh you didn't get one no so yeah I mean if the thing is we we underrepresented folks get stuck in this trap of like always trying to prove ourselves like we just have to be perfect and we just have to try harder and maybe they'll see maybe they'll see that we know what we're doing if you know what you're doing somebody else is
going to pay you more so stop proving yourself and and I'm not saying fail at your job definitely don't fail at your job until you have another job what I'm saying is your energy can go towards finding other opportunities because there are places that will give you training and they will you know and that's a good question to ask during an interview what is my training budget what types of things will you send me to training for because if they say Microsoft Word I'm not gonna work there if they think I need Microsoft Word training like one of the places I worked at I'm not gonna work there I was security engineer not an administrative assistant and that's that's fine if you
are but that's not me also become a part of the communities if you feel comfortable doing so because this is not something that's comfortable for everyone but there are online communities as well so become part of the community for me that was volunteering and starting a hackerspace I do recommend volunteering I do not recommend starting a non-profit it's a lot and I am not with them anymore so kind of trust your gut judgement if you see some toxicity don't feel obligated you're not obligated to stay and volunteer and help it's it's really important to preserve your health and your sanity first before bending over backwards to help people that are going to be ungrateful so
that's all I'm going to say about that but yeah the the opportunities that really matter are the ones that provide sponsorship and training and by sponsorship what I mean is for example my company sponsored me to come to this conference they paid for me to come here and those are the opportunities that really help you grow because if you don't have the financial income when you're starting out to go to DEF CON or to go to some big conference that's gonna help you the company helping you out is huge it means that they first of all they value you as an employee they value keeping you and it also means that they are willing to put their money into
career development for you which a lot of companies are scared to do because they think I'll put money in them and they'll leave but honestly like I'm not just saying that because they paid for me to be here but I don't wanna leave my company because you know they're sponsoring me on all these cool things that I want to do so look for those things the thing about community work though a lot of underrepresented folks are in community work and what I find odd is that underrepresented folks become qualified to lead conferences but not to lead teams at work so there's a little bit you know there's a little bit of a I don't know what the word is but it's
kind of odd we've seen underrepresented people leading at conferences but you know they find it hard to get promotions so that's something to consider if if you hire people if they're leading conferences they can lead teams conferences are very hard to pull off so here are some resources there's things there's this thing called an awesome list if you look on GitHub and you just type like awesome Python or awesome you know whatever topic people make these entire lists of resources so look for like awesome red team awesome blue team and get a bunch of resources that way Cybrary is a great great tool as well it's a one of those course websites they offer courses for free OWASP is a great
resource as well because they have on their wiki an entire section about attacks and types of attacks so you can learn a lot just from looking through the different types of attacks and learning about them and Humble Bundles are great you get for $15 you get like 20 PDFs of books like ebooks that are really nice books I have an entire library on my computer of Humble Bundles so that was it I hope that was really helpful and I think we have 15 minutes what what time do I does it end fifteen minutes okay so if you all have any questions we'll do questions first and thoughts maybe later if we have time or you can actually did I not put my
handle on here so weird okay well I will put it on here right now let's edit this live we're doing it live alright so you can DM me or we're gonna go off a slide here a little I think always happy to help folks
with questions career questions let's see if I can fix this oh there we go that's so perfect I'm so good at this I'm kidding because marketing makes the slides and they make them look awesome and I just provide the words these awesome slides are not all me anyway there you go does anyone have any questions those interview techniques and it helps you get those next oh that's a good question so one of the biggest things is finding out how their culture is they they use this word culture fit to describe anybody that they they don't want working there but they don't want to admit that they just don't want you working there so they say
you don't fit you're not a culture fit what that really means is we don't have a good reason to deny you huh so something you can ask something that I love asking is do you have culture fit here what it what does your culture look like and if they describe something very specific it's like okay I may not may not want to take this opportunity and also ask about training ask about if you if you get an opportunity to talk to other people are working there that's huge like using Twitter to to DM people and say hey I noticed you worked at such-and-such company I'm thinking of working there what do you think and of
course people are going to say oh yeah it's great but you'll be surprised little nuggets of information you get where you're like oh maybe I don't want to work there and another thing you can do is go to these conferences and these meetings as much as you can if you can handle social situations as an introvert sometimes I have to just leave that's understandable but just talk to people like I was saying talk to people about their jobs and learn about their jobs that gives you a little insight as well and it also gives you someone to go to if if that company is hiring so you can say hey I really learned a lot about such and such
company and you work there you know do you think I should apply see what they say sometimes they even need to get your application past HR which which is an important step there there are times when I've had to pull people's resumes and hand them to my manager you know because it would not have passed the HR check so yeah oh did you have okay does anyone else have any questions okay no I'm done thanks for sure and this is not an interview question but interested so where do you want to be in the next five years so really what's your your career progression um I really like where I am right now because I get all these
opportunities and you know because I do have an illness that at times leaves me bed bound and they're very understanding about that I can work from home I mean I'm really happy where I am if something happens to this job if they wake up one day and decide to fire me which I hope doesn't happen that would be weird I really see myself going into like consultant work or like working for myself really because I can't really work in an office with my condition and I think that's kind of a natural progression after you've been in the in the business or a certain I mean I'm going on almost ten years now at some point you just need to work for yourself
or deal with you know working for someone else I don't suggest doing it early in your career but later on if you can work for yourself you know then you get to set the rules it's a lot easier if you have the privilege to do that
so this is a really good question because honestly it varies for people and I'm not gonna sugarcoat anything and and and I'll tell you there is discrimination in this field so if you're a person of color or if you're you know a woman or if you're non-binary I really suggest certifications like certifications are great and I know a lot of women of color that have like master's degrees in cybersecurity I didn't have to do that you know I'm light-skinned and I didn't know that that was like super important for people of color I had no idea but getting a master's degree it's it's that's like extremely like you're really devoted to it so if you if you have a
lot of passion for the field and you're really really interested you know try to go for that master's degree because it will help open doors for you but for me personally um I knew a lot of people and I was kind of networking a lot and so my first cybersecurity job that I got I took a quiz and they actually accused me of cheating because I got them all correct but they said okay you have the job but you just need to get a Security+ within six months so those are those are good opportunities if you can find them and and you can even if if you feel like the the interview is not going
too well you know that's something that you can throw out there and say I'll get this certification within six months I just need you know a little bit of support with it you know something something like that and then you'll find out like are they going to pay for certification how much or how interested are they in having me here so does that help yeah what are you what are you looking to get into see that's that's another thing is like you can be a graduate and you've gone through all the academic process but you don't know where to start right so I think I think starting with the going to conferences that's a great first step I would
suggest looking up like do you know like blue or red or you're still kind of blue okay so what you might want to do is look for like a larger company that has that has a bunch of either support type roles or like level one security analyst because what's going to happen is you're going to get into that role and that's not where you're going to stay so there's gonna be other opportunities that come up and with a larger company you have more opportunity so if if you're if you're if you have a degree and you have that on your resume that looks really good at larger companies you might be able to to do that find
like a level one or a support and then work your way up and you'll you'll probably work your way up pretty quickly
I've that's been my observation I I don't know because I'm half white so people just assume I'm white I couldn't really say but if if you talk to other people of color I'm sure they have way more details because it really didn't occur to me but when I started to get on Twitter and I started to see the people that people that were saying I'm just looking for an entry-level job and I click on their bio and it says they have a master's degree in cyber security after a while you kind of see the similarities and I was like wait a minute these are all women of color like that was that was a wake-up call for me
like I had it so easy like I basically walked into this place and was like I don't have a cert but I'm gonna get one in three months and they were like cool so I think I think there's there's a there's a there's a lot of people of color in cyber security that probably have a lot of resources for you
I just got here so I don't know yeah if anyone does anybody have any suggestions for him if someone that's here in person of color that can you know well you know me
yeah and I'm better yeah so I was going to say that the military probably innocent I would probably talk to them too I think that's probably a good place even start now even for the folks that dis graduate I think that's probably okay oh oh I'm sorry I just want to say real quick for the recording what he said was look into NSA government and military Oh NSA is here okay hopefully they're not here for me all right I didn't do it so it kind of depends where you're going so for red team so I can sum it up by saying the quizzes that are multiple-choice they're the easiest to get right but the ones that you want to
go towards are the ones like what is it called for red team LLC P yeah OSCP and the Red Hat cert I think is also more interactive those certs look a lot better on your resume and also I'm just gonna suggest if you're in blue team I'm gonna suggest Linux certs because I love Linux but also a lot of companies in cybersecurity use Linux so that's really important to be able to to to to know and to understand okay so I hope I didn't make a whole lot of people uncomfortable with with my talk about discrimination it's not something that people like to talk about but it happens yeah thank you yeah I I just don't want
anyone to be misled because honestly when I started like I was like oh as long as you get certs and you know you network with people you'll get a job and yeah that's not true so hope so do look for those opportunities because they're out there and there are people that will respect you so so are there I can maybe take one more quick question so I don't know about that because I'm in Dallas I know in San Antonio it's a big deal in Virginia maybe you do you do you know you were talking about it okay there's no way they're gonna go through that background check for you or if you're a contractor that's supported the
government they're gonna probably for you soon okay we have to find a job in hopefully your record clean okay so you need to find the opportunity that's going to basically go through the process right okay that's a very good tip thank you so she's saying that NSA is here recruiting actually for next summer so you have plenty of time to get your clearance if you look for opportunities in the future and they do advertise those so you're welcome
yay thank you everyone