Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organizations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo will draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In this episode, our two hosts talk to Isaiah Grady, a Triage Security Engineer at Arctic Wolf about his decision to pursue cybersecurity as a career. Isaiah shares stories of his diverse work experience before joining Arctic Wolf, and the process he undertook to find his first full-time cybersecurity role. Adam and Ian also reflect on how they came to work in the cybersecurity industry and give listeners advice on what resources young professionals can leverage to help launch their own career.
Cybersecurity as a Career
Ian McShane 0:04
All right, welcome to the second episode of the Challenge Accepted podcast. My name is Ian McShane. I am the Vice President of Strategy at Arctic Wolf. Once again, today I’m joined by my favorite CISO, Adam Marrè, who’s going to join us as the co-host today as we talk about something I’m actually pretty passionate about. And that’s getting people into cybersecurity and figuring out what’s the best way to prepare to get into the industry.
And we know that there’s a pretty big shortage of either talent or an inability to fill some of the jobs that are being advertised. So you know, maybe one of the ways we can help to address some of that is encouraging youngsters, young professionals, people looking for a career change, and people of all backgrounds really to explore cybersecurity as their career and what I’m really excited today, actually, we’re going to talk to one of our newest team members in the Arctic wolf security operations center. Isiah Grady who’s a triage specialist, and he also came into us through the intern program. So I’m excited about that. But first off, Adam, Hey, how’s it going?
Adam Marrè 1:04
Hey, it’s going well, happy to be here. Love this subject. So this is exciting.
Ian McShane 1:09
Me too. So let’s focus on you first, because people are fed up with my voice already? How did you get interested in cybersecurity as a career?
Adam Marrè 1:18
Yeah, that’s an interesting question. I guess we can we can start at the beginning with me at a university. I mean, I was always interested in technology, but mainly video games, actually, it’s so at university I came out of there with an opportunity to do an internship at a video game studio. And then I kind of had my dream job as a video game designer. So it was a lot of fun. You know, I learned a lot in university but of course, was learning a lot on the job.
Ian McShane 1:50
Is there any any games that people might have had off?
Adam Marrè 1:53
So this was a studio called Avalanche Software actually still exists. And we were making kids games, so a lot of games for a publisher called THQ. And they were publishing games for Nickelodeon. So I worked on a lot of kind of kids games, and then the studio actually got bought by Disney while I was there. And so that I worked on a lot of Disney games titles like Chicken Little, Meet the Robinsons, Chicken Little 2, and the beginnings of Toy Story 3, which was a great game, also worked on a title called Tak and the Power of Juju. So just some great titles, it was a lot of fun. Like I said, dream job. But of course, this is about cybersecurity.
So the big question is, you know what happened there? Well, for me, it was 9/11. So the attacks on September 11, in the United States were kind of a big sort of formative event for me. And it caused me to want to serve in kind of a different way. And so through a brief stint in the army, I ended up in the FBI. And that’s where cybersecurity came in. I was assigned to a small office initially in the FBI, so a satellite office from a field from a main field division office, they call them resident agencies or the FBI calls them resident agencies. I was assigned there and I got to investigate a little bit of everything to include cybersecurity matters. So I started investigating, you know, both criminally motivated and nation-state sponsored cybersecurity attacks and intrusions. And that’s where I started getting my specific training because I had a technical background.
That was one of the reasons why I leaned that direction and was was pushed in that direction. And the FBI provided both internal FBI training and SANS training out of SANS courses, in addition to other classes. So yeah, and then a ton of on-the-job experience.
Ian McShane 3:49
How much of cybersecurity was going on at the FBI at the time? And the reason I ask is because it feels like over the last 20 years, cybersecurity has changed from almost, you know, a side part of network administration, right. I remember the first cybersecurity stuff I started doing was through CCNA and networking. But I’m curious to know if it’s around the time of just after 9/11 how mature was the cybersecurity stuff in the FBI?
Adam Marrè 4:15
Yeah, so there were there were definitely elements that were very, very sophisticated, but it wasn’t as emphasized back then.
In fact, it shows even in when I was looking to apply, and I was talking with the recruiters at you know, today, if I had my background, they’d be really excited about some of my background. Back then it was more like, ‘hey, go do something we care about, you know, get some more experience,’ which was, hence why I went into the army. And I was actually a counterintelligence agent in the army. So I was trying to get some intelligence experience. But today, you know, much more of an emphasis on technical background, computer science, IT things like that.
And if you have worked in cybersecurity, the FBI is very interested in candidates like that. And so I did see it mature over time, one of the maybe more interesting indicators of that is, when I was working in any case, it was, you know, the cyber agents that were even just chasing IP addresses and things like that.
But now, there’s actually quite a bit of cyber education that is given to every single agent, so that every agent has the ability to do things like search warrants on various types of logs, from other big internet providers, so your Facebooks, your Googles, all that kind of stuff. And also just to chase IP addresses and try to get attribution that way just on regular cases, because it’s so frequent. And the sophistication of tracking cell phones, and all of that was, was also something I saw increase over time.
And now, the cyber squads in the FBI are very sophisticated. They’re very technical, filled with people who, you know, forensic certifications and things like that. And then every agent is expected to know something about computers and cyber. So watching that change, the 12 years I was there was pretty interesting.
Ian McShane 6:09
Very pervasive, like, when you joined, was there like a cohort of folks that you started with? And did you all have a similar kind of backgrounds, like technical background? Or was it a mixture of military service as well as technical folk?
Adam Marrè 6:22
Yeah, when you go to the academy, it kind of doesn’t really matter where you came from, you’re all in an academy class together. So we had people literally like a nuclear physicist, we had high school teachers, elevator repairman, a lot of people from the military, there was me with kind of my mixed background. So we had people from all walks of life, all types, all colors, all socio-economic backgrounds, all in one big academy class together. And then we all go through the same training.
Once you get out to the field, that’s when you know, your background can can start to shine through, like if we had someone who had experience in museum curation. And of course, they went, like down sort of the art crimes, and things like that.
Ian McShane 7:06
Thomas Crown Affair as well.
Adam Marrè 7:07
So yeah, your your specialization could come out later. But you know, in the academy, everyone gets the same training and goes through the same thing.
Ian McShane 7:15
That’s cool. But it’s interesting to hear that you’ve got so much outside training as well, from SANS, because SANS is one of those things everyone knows is crazy expensive. And there are very few organizations that are willing to fund a lot of SANS training, let alone people that can do it of their own back. How would you compare like the on-the-job training versus SANS? Like, if you went back in again, and had to fund SANS yourself? Would you do it still?
Adam Marrè 7:41
Yeah, that’s a great question. I have a lot of high esteem for SANS, and mainly the instructors. And I think that’s one of the secrets to their success is that their instructors are practitioners, these are people who are passionate, and the courses that they design are really hands on so you have a lot of those modules and labs that they have are pretty latest and greatest and very hands on.
I think that’s one of the secrets, it’s not one of these certifications you get, just by reading books and things like that, you’ve got to really get into, get on your machine and, and start working at whatever it is, going through logs or coding or whatever, forensics, whatever technical domain it is. But they are crazy expensive. That is the big but, of course, this was being funded by the federal government. And DOD, I know, funds this for a lot of military occupational specialties in the various branches of the government. So that’s how you get a lot of that training.
If you can get the funding, I think they’re great. And so would I would I find it case by case, if we really needed the specific skill set that it sounds course, provides? Yeah, I think I would fund it but it’s really difficult given the expense to fund it for like an entire team. So yeah, you can replicate a lot of that with on-the-job training, if you take the time, have good people that can create curriculum.
That’s another thing I did I haven’t talked too much about on the podcast, but I have created curriculum myself, and was an adjunct professor for the FBI and went, literally around the world teaching law enforcement officers, various techniques, including forensics and things like that. So I do have some experience in creating curriculum. And I know that of course, we do that here at Arctic Wolf, we have our own training.
So I think if you can take the time, and you have something like this, where we see attacks across tons of different customers, thousands of customers, we can create that curriculum and have real world experience provided to our analysts that start like Isaiah we’re going to talk to in a minute here. And so, yes, I think you can replicate what that gives you. And then, of course, if you make it for your business or your organization, and you can replicate it well then, of course, you can get a lot of use out of that time you’ve used rather than just paying for one person to go to a course.
Ian McShane 10:07
Yeah, absolutely. I took the opportunity to take one SANS course a year ago, actually, it was my second week at Arctic Wolf. They were like, ‘Hey, do you want to take a SANS course?’ I’m like, ‘yeah.’ Because it was the first time I had the opportunity to do it off of someone else’s diamond. Yeah, 100% really enjoyed it. The content is great. The presenter, super knowledgeable.
I think what was the best part about it for me was the ability to do the hands on stuff and follow that through without having to keep pausing YouTube or keep trying to research something, because it was all laid out, the curriculum is really well done. I found it found it super valuable to get more hands on activity than just sitting in a class or sitting listening to a podcast going on.
Adam Marrè 10:46
Yeah, absolutely totally agree. And this is kind of a theme of me, with all the different types of learning, I’m never gonna say no to them. But they all have their time in place. And you’ve all you’ve got to weigh the risk reward or cost reward for each one. And so you know, I love SANS, it has its place, I think, on the job training is really great. And then like you said, just having that passion and looking at tutorials on YouTube, or whatever. I mean, all of it, if it moves you forward, and your knowledge and your experience, it’s all really good. And I had to do all of those things throughout my my FBI career.
And then later, when I joined the private sector, I’ve had to do all of those things all through my career, formal classes, teaching myself reading documentation, just trying stuff on my home lab, all of those things are important. And so that’s usually what I tell people when they say, ‘you know, what’s the best thing to do?’ I say, ‘like, it’s all the best, just depends on what you’re trying to do, what kind of time you have, how much money you’ve got,’ all those things go into the equation of what should you do here? You know?
Ian McShane 11:44
Yeah. All right. Last question I got for you. So after you came out of into the into the private sector, did you find it hard to find a job? Or was it relatively easy given your background? And the reason I ask is because I know, there are a lot of well qualified people that are still struggling to find the right job right now. So I’m just curious how you found it when you came out of into the private sector.
Adam Marrè 12:03
Yeah, I just was really fortunate, lucky, blessed, whatever you want to say, I was really fortunate when, as part of my duties at the FBI, I got to know a lot of people and a lot of businesses, pretty closely for some, some of them because, you know, breach investigation. Others just because we did a lot of outreach.
And because of that I was able to use those connections to get interviews, even just interview people, ‘hey, if I was coming into the private sector, what would you be looking for,’ and I was able to prepare myself, so I had some of the things I needed to be ready.
And then, let’s face it, someone took a chance on me because I hadn’t spent years in the private sector. And, the good people at Qualtrics, one of my mentors, David Kali who I reported to, he took a chance on me and they brought me in, and we’re able to do a lot together over there. So, like anything, it’s a lot of who you know. So that’s another great thing is, is getting out there, and getting into communities that meet together, try things together. Any of those meetup type groups, it’s all really good, because those connections can really help you when it comes time for you to start looking for your job.
Ian McShane 13:18
Yeah, as much as I hate that. I was gonna say hate the phrase like networking, but I also hate networking. Right. But it’s one of those things that definitely definitely helps. I mean, in general, I hate people. So it’s tough for me to try and join those things. But it definitely it definitely helps. You’re totally right.
Adam Marrè 13:33
Well, let me let me turn the tables on on you here Ian. And let me ask you, how did you get your start in cybersecurity?
Ian McShane 13:40
The first time I thought about security, oh, first time I can remember thinking about security, my memory is terrible, is watching the best hacker movie ever. Sneakers. Right?
And I remember like Robert Redford and all those folks breaking into that lab right now. The thing that sticks in my head is the guy saying that, ‘my voice is my passport verify me.’ And it’s funny because now one of my banks, I called it the other day to activate a card and I had to say ‘my voice is my password.’ I’m like, this is like straight from that movie.
But yeah, so that was what mid ’90s maybe early ’90s. And so that was the first time I thought about it. But I didn’t really get into it until kind of after after 9/11. Not for the same reasons as you, just because I was a lazy bum and ended up working of all places in a Mexican restaurant in the UK for like five years.
So I left school, didn’t go to college university because I was attracted to having a pay packet at the end of the week. So I was doing 70 or 80 hours in a steaming hot kitchen for three pounds 25 an hour, which at the time was terrible and now sounds even more ridiculous. But I guess like I was fortunate enough to be able to do that I continued having that passion for IT.
And so I ended up working essentially as a I was gonna say office assistant, but that makes it sound too glamorous. I was like the dog’s body in this small office. Like where I would be the person that would reboot a server a exchanged small business server addition thing that was running in the corner like some some really early version of small business server anyway, and ultimately was very, very lucky, very well aware of a white guy, like a middle aged now very privileged wherever you want to call it and was just in the right place at the right time for a lot of occasions going from like that office job to a call center to ending up being a sysadmin for an ISP, and then breaking into this world of software vendors. And then Gartner, which opens so many doors, and so many opportunities for me something that I really try and pay back when I can.
Adam Marrè 15:38
So for you going through that process, was it just sort of learning by doing? Did you do any formal security instruction?
Ian McShane 15:47
This is a funny thing is like back when I started, there was no outside like SANS wasn’t big in the UK. I don’t know if they had a presence there. But I don’t remember there being much outside of the MCSE and the MCSA certifications. So one of my employers would pay for the the exam costs for MCSA and so I did like four or five of these, these Microsoft ones. But the only real security training I had was like a company called F-Secure. And it was because the ISP I was at at the time.
Actually, no, that’s not true. I come back, the ISP I was at a time we’re using F-Secure as part of their security. So we went through some training through them. And then there was a Trend Micro one when we started to get into some and endpoint security stuff. But it wasn’t really training. Right. It was more about a certification. It was multiple choice like and it was pretty basic. It just didn’t seem like there was the organized cybersecurity stuff in the UK at the time. Or if it was I wasn’t a part of that scene.
Adam Marrè 16:42
Yeah, that’s fascinating that it seems like so many folks of our vintage if I can say that are self taught or had to kind of cobbled together an education. And this is one of the things that I I do tell young people that ask me about this, but you really got to have a passion for security, there has to be that, that you got to care, deep level of interest, or you know, just outright desire to learn this stuff. Where do you think that? When did you discover that about yourself? And, how did you come to that passionate desire to learn about this?
Ian McShane 17:17
So after Sneakers, I remember getting into like the bulletin board scene with a few of my friends and one of my friends got a modem we had to like, I’d say was an Amiga or something, maybe an Atari? And so we would we were trying to figure out how do we connect to the single the internet, we’d like find these phone numbers, but we wouldn’t have credentials for it, which, you know, just couldn’t figure out our way through it.
But we found like the bulletin board scene, and just wanted to know how it worked and then wanted to host my own. And I think that’s kind of been the underlying thing for me is like, I want to sound like the expert. I want to know how these things work. And so when someone asks a question, I don’t want to be embarrassed.
Like I said, I’m not a people person, I’ve got a huge anxiety about not having an answer to every single question that might pop up in someone’s mind, like, I’m going through in my head, like, what are they going to ask me? How do I prepare? What do I need to know? And so having that, especially in the world of security, like when I was in the call center doing customer support, I’d want to know exactly why it was broken, not just follow the script that said, ‘Yeah, you know, you need to reset your password, reset your password, and then reboot your machine.’
I want to understand what happens when you reboot it? What’s the difference between the state it’s in now and the state that it comes back up in? And then that kind of progressed into things? Like how does Exchange work? And how do you know how the public folders appear on everyone’s Outlook Client versus just my mailbox appearing on my one, and then getting down into the nitty gritty. And I was fortunate enough, again, to be like in that sysadmin team, and the continuous learning journey has really never stopped, like, every single day, I learned something new about IT, or security. And it just keeps things interesting.
Adam Marrè 18:49
Yeah, absolutely. And I found that to be a common denominator too, people just really want to deeply understand how things work. That always seems to be part of it. Well, yeah, that’s super fascinating. Well, you know, probably enough about you and me. Do we want to turn our attention over to our guests?
Ian McShane 19:08
Yeah, well, no. Hey Isaiah, how’s it going?
Isaiah Grady 19:11
Hey, I’m doing pretty well, how are you guys?
Ian McShane 19:13
Pretty great. Really great, man. Thanks for joining us today. So your journey is a really interesting one, because you started out as an intern. And there’s been a lot of stuff in pop culture in the last four or five years about the intern programs being really labor intensive and you know, not necessarily a good use of anyone’s time. So I’m curious to know, number one is like, what do you do at Arctic Wolf today, and how did you end up here?
Isaiah Grady 19:39
So today, I guess starting this week, I’m a triage security engineer, and we’re pretty much that and the role right before me at TSA and analyst were pretty much the same thing. And we’re kind of just like the frontline. I wouldn’t say it’s grunt because I wanted to say, I want to say we’re treated a treat badly at all. And so it’s very much a good solid position. And it’s a lot of exposure.
So we call it the frontline. And mainly we monitor incident boards, alert accordingly. Or also I’d say, half the time, if we’re doing ticket work where like security advisor for customers, that’d be like a fancy way of saying it. And the other half the time we’re escalating it to people a little smarter than us. They handled incident response.
Ian McShane 20:25
That’s great. I’m really envious. I remember when I first started working in that call center, it was very similar thing. You’re dealing with frontline questions, almost like the basic and you’re escalating things up. And again, I wanted to know, when things were being escalated, why can’t I fix that? Why couldn’t I fix that? So super interested in that if you’ve always been interested in cybersecurity, or is it just something that happened as a career choice?
Isaiah Grady 20:52
It was, it was definitely something that happened over time at first. I said like background with family, we’re not any IT people at all, that my parents are in the medical field. And so just not ever was a thing. And then I got into gaming, like little escaping as a teenager. And eventually, I was like, ‘I want to build my own computer.’ So I eventually did that. And I was like, 17, I think at the time. And so that’s kind of think what piqued it. And it definitely where it started at one point.
Yeah, at one point, when I was starting out with college, I had done all my core classes. And at that point, you have to choose something. And so I talked to my advisor, and I just was like, ‘yeah, I like computers.’ And she’s like, ‘Okay, well, here’s what we got. ‘And I was like, ‘Well, which one requires the least amount of math’ and she’s like ‘cybersecurity.’ I said, ‘Okay, we’ll do that one.’ And then that’s how that started.
Ian McShane 21:46
That’s such a such a funny comment, because I think, personally, just from my experience, is that there’s a lot of math in cybersecurity.
Isaiah Grady 21:54
Right. Yeah. Well, yeah, for sure. I mean, I see some of the R&D people and I’m like, ‘Yeah, okay, I’m glad I didn’t choose that path. But to each their own’ like, no, no hate there. I can’t look at that much numbers all day long.
Ian McShane 22:07
How much math do you have to do Adam in your in your role as a CISO how much math is involved in that role?
Adam Marrè 22:11
At this point? There’s not a lot of math, most of its budgeting. So pretty simple accounting type math. But I do remember studying a lot of encryption early on. And there’s some lovely math involved there, which I actually like a lot.
Ian McShane 22:24
Oh, yeah. That was what fascinated me. So one of the things I enjoyed most about the CISSP,I know people slate that exam for being like a mile wide and you know, a millimeter deep. But going through the explanation of how Diffie-Hellman encryption works and public key encryption and seeing how you can work that out by hand and see how it worked blew my mind. I was like, ‘Oh, my God, I want to know more about encryption.’ That is amazing. And math is just fascinating.
Isaiah Grady 22:51
It’s a big cert. It’s a big cert. But yeah, I think it’s been interesting, for sure. And they grew after that. Because at that point, I was like, ‘okay, I like computers.’ I like security stuff, like when I played around as a kid, you know, cops and robbers and things like that. So I’ve always wanted to do something that had to do with security, I just wasn’t sure if it’d be digital, or, you know, out there in the world. So it was just definitely an interesting way it came about, but I’m definitely happy I chose it because I love it.
Adam Marrè 23:25
Well, that’s interesting to hear. So I’m curious. Oftentimes, I know there’s kind of a rough transition between, going to school or taking classes, what have you, and then actually getting the job and, you sometimes feels like there’s a bait and switch between, what you thought the job was going to be or what they told you it was going to be what it actually is, and then your day to day is like, ‘I don’t know if I can do this.’
So I’m just curious, how did that transition go for you studied this for however long months, years that you studied it, and then you finally got the job? What was it like when you started?
Isaiah Grady 24:03
So I had, I’d say one internship before this, and I think that was the internship where I realize that I could either hate the job I eventually get or whatever company I work for, or really enjoy it. Because I kind of met both worlds there.
But I did like two years, my friends who did their four years and so on, but I just did a community college degree and then after that, it wasn’t too bad, they’re pretty easy, but they want you to get an internship at the one I go to ,so they help you get something.
So I end up going and working for a company for a spring and it was one of those things where it was like okay, I could be doing this as an analyst and pretty much what I was doing most of the time I was doing a lot of IPs and just adding deny lists for printers and yeah, all that fun stuff hundreds of those a day. And I realized that I was like, ‘Okay, this, this could be very well, I could end up with something.’
Yeah, I was an intern, right. So you know, it’s a little different responsibility. But I could end up with something similar as a full-time position, like, depending where I go. And so that did dawn on me. I definitely was, I feel like, yeah, I have that I had that. Like, when I was in school, I was one of those YouTubing. So we were talking about the different ways to learn, I was a YouTube kid.
When we used to do like a Cisco simulator for network, I would YouTube outside of my assignments, and figure out how to make this entire thing and then I’d name it after my own devices to replicate my house. But I definitely would say a fantasy phase, and then when you wouldn’t have definitely got my first internship.
And again, very different things, internship and full time, as I’ve been through two internships, and then the full time here, and I’d say it’s definitely different, but it definitely knocks you, you’re like, ‘okay, there is a chance that I could be in a cubicle, you know, all day long, then typing in, deny lists and things like that.’ And that that could be the extent of my job for a couple years, depending how long it takes you to get somewhere else.
So definitely, say daunted, and then, got Arctic Wolf. And it’s very different exposure. And, kind of reinvited me a little bit of like, okay, no, actually, I might enjoy, you know, a lot more than I thought. Because I will say, I’m kind of stubborn in that way. Even if I didn’t like it at first, I’d eventually end up somewhere where I liked. But I would say it’s definitely sometimes, as long as you just don’t let it knock you down, you can get an internship or first-time position, and you could be a little unexcited for your even less, depending on how long it takes you to move. So it just depends. I really think.
Ian McShane 26:46
I think another another common trait in our industry is stubbornness as well. So I can definitely, definitely appreciate that, I think a bit less of stubbornness and more in commitment how about that.
Isaiah Grady 26:54
Yeah, that’s a better word.
Ian McShane 26:57
Say, so how did you how did you get the job here? Like, where did you see the internship advertised? Or was it something that we, Arctic Wolf worked with the college you were at.
Isaiah Grady 27:06
So I did the college, I went to the first internship I had, and then that ended, it was like a four month thing. It was, you work 20 hours a week, and it’s a max of 200 hours. So whatever that equates to, eventually. And I ended that, and one of my past jobs was fast food. So I ended up doing that for a little bit.
And I went on Google, and you know, the usual right applied to everything. Even the stuff that said minimal of four years, I didn’t have four years. So just kind of applied to everything. And there’s a buddy I was going to church with. And he worked for Arctic Wolf. And he knew he kind of would help me and he was like, ‘we do referrals here.’ So he’s like, ‘I’ll refer you in’ but he’s like, ‘past that. It’s all on you.’ He’s like, ‘I can’t help you pass that.’
So he ended up referring me in and we got a I got a phone interview. And then eventually, not too long after that, the behavioral and then the technical interview, and ended up going good. It was it was good. Well, as much as I thought I expected, but first time interview, I was a nervous wreck, so I can’t really gauge that, unfortunately. But I think it was alright. And I actually didn’t hear back for a little bit. It was it was a good like, it was a good minute, but I think I sent out like, I was a little persistent or annoying either one.
But I sent out a couple of emails and to the recruiter, and she eventually responded, it was just like one of those things where I think we’re finishing up a quarter here. And you know, positions were kind of filled for the time being, but she was like, ‘Hey, we got an internship program. If you really want to I can get you an interview.’ So I was like, ‘Okay, let’s do that.’ So we ended up pushing to our senior manager here, Ben Clark, who was the interviewer at the time for the internship program. So I ended up doing an interview with him. And then by the end of the interview, he pushed my papers through and I ended up starting like a month after that.
Ian McShane 29:04
That was awesome. So raises another interesting question, Adam, all three of us so far have said, it’s, I’m gonna paraphrase everyone, it’s who we knew. That’s how we managed to get a good opportunity. So Adam, what can people like you and I do to widen that blanket, or what can we do to encourage people to get beyond the it’s not what you know, it’s who you know.
Advice on Finding a Career in Cybersecurity
Adam Marrè 29:28
Yeah, I think the good news about that is it’s never been easier, quote, unquote, to get to know people just because of the nature of the internet, social media, all of that there’s just a lot more ways than back in the olden times when when I was a younger fellow to get to know people.
So one thing is to really try to get active I think all the places that you live online, to try to figure out who are the people in the industry just so you wouldn’t be afraid. That’s another thing. Just be confident, be daring. Don’t be afraid to reach out to people, many, many of us and I think Ian you include yourself in this, we’re willing to talk to people, especially younger people, we’re looking to break in, I will make time I do that frequently for people.
But yeah, I think it does behoove us to also make ourselves available in that way. And, you know, help sponsor different organizations to try to reach out to young people, not just young people, anybody who’s looking to break in, some people are doing a career change. And so to also make it open to them, that’s why I love ,you know, various security meetup groups and things like that, I think that’s a great way to break in to learn things, but then I think it also, you and I, and people like us should get involved in those and make sure that we’re there. And we’re available for people in heaven forbid, in the real world if you have real world meetups, you know?
Ian McShane 30:57
Yeah, yeah, absolutely. As much of a hellscape, as Twitter can be, from time to time, there’s a really good community of security professionals on there that regularly post job links that they know for things they know, give you the opportunity at some conferences like DEFCON, and maybe Blackhat, where people will do resume reviews for you.
So there’s definitely the opportunity to do it. But I can tell you just from my own experience, that I can appreciate how daunting it is reaching out to anyone, whether you know them like I would, I would feel nervous, Adam about calling you up. And I know you a little bit and say, ‘Hey, Adam, if you’ve got a job for me, I would feel nervous about that. And I fully realize I’m in a very privileged position. So I can understand folks kind of trying to push back or say, ‘You know what, I don’t want to apply for that, because it sounds out of my out of my out of my ballpark.’
Adam Marrè 31:47
Yeah, that’s very true. And I think studies have shown I believe that women especially have a hard time applying for jobs, where they don’t, fit the bill like Isaiah, you mentioned, like, ‘hey, was asking for four years, I didn’t have four years.’ That is much more common for men to do than women, where they just want to feel like they they match every single point on the job description.
One thing I say to that is, please just apply, just put your name in the hat. Because if you don’t, you don’t even get the chance to interview and if you don’t do well in the interview, that’s okay. It’s an experience, you gain experience from it, you know what interviews are like.
So if you’re applying, just apply. But the other thing is, be a little bit bold and reaching out to people or accepting the help when it’s offered, like you said, if someone says, ‘Hey, I’m going to review resumes,’ pick people up on it, if you don’t even really think your resume needs to be or your resume needs to be reviewed, then you can take someone up on it, it’s just a chance to meet someone.
One piece of advice I have when people are trying to break in is obviously just just be confident, be bold, get yourself out there, meet people, and all the various ways you can. And then on the flip side, we need to start making ourselves more available to others, even you Isaiah, you’re in the community now. So you need to turn around and reach out to those who who are outside and aren’t in. And I actually just responded to someone, who messaged me on LinkedIn a little earlier today, who said, ‘hey, I want to break into security. ‘And I said, ‘Hey, let’s let’s set up some time to talk.’ I just think it’s something that we need to do and make ourselves available like you intimated there.
Ian McShane 33:33
Yeah, absolutely. And you know I think LinkedIn is a great tool for doing that as well as finding not necessarily companies you might want to work for, but conversations that are interesting, and as much as I hate those posts, which just have a hashtag every other word, right? You can use some pretty good searches to find like, cybersecurity discussion or something that’s happening in the news and find someone that sounds like they’re not a jackass, and maybe send them a message and say, ‘hey, look, I’m looking into looking to get into the industry. How can you help? Or how can you, you know, what advice can you give me?’
Adam Marrè 34:00
Yeah, just a real quick cap on on this part of the conversation. I think a lot of times people, they want a silver bullet or a panacea, or something that’s going to just like the answer, you do this one thing. And I think we can’t let the perfect be the enemy of the good. And this just tried to do, maybe not all the things, but try to do many of the things that we’ve talked about and others talk about, to get yourself out there and to just be patient. The industry needs to get better at this. We do. And there are many of us who are working on it.
Bear with that, please don’t get discouraged. Be confident. There’s so many positions out there. We’re trying to learn how to fill them better. But just come out there and participate. That’s what one of the pieces of advice that I would would throw out there to everyone.
Ian McShane 34:45
Absolutely. Last question for you. Is sorry, Isaiah, Isaiah. I’m gonna say that again, because I forgot your name. I’m sorry. Hold on. That’s all good. Last question for you. Isaiah is where do you where do you want to go in your career ,like you’re relatively new to if you actually start to think what the next few roles, or the next few years might look for look like for you or where you want to be in, like, 10 years, that’s that classic interview question.
Isaiah Grady 35:10
Man, (laughs) that’s the big one, I think, just honestly, right now, just continuing up the ladder in general, I like progressing.
And I mean, as Adam said a second ago, you know, it’s not even about like, being perfect, I think is what you said. But it’s like, definitely, especially for me, a lot of my stuff has been like YouTube and stuff. So I think the base is just continuing on progressing as much as I can. And there’s a cap, obviously, to how high I want to go for just my own quality of life. But just until then, just keep pushing up, keep learning, keep learning from the smarter guys like you guys, and just get in there. And look at you networking ready? Right there.
To add to that, and a huge thing is a lot of people forget that this is a thing, but even in a community college, like in San Antonio, they have clubs, and UTSA has a lot. And they’re a huge thing. I have a couple of co-workers who have go to UTSA. And then we’ll have chapters started by students. And even Arctic Wolf will hire heavily out of there. So I pushed for those two, because those are huge. And then you don’t even have to reach out to somebody specifically to with those. There’s a lot of times it’s a signup. So it’s a lot easier to do.
Because even I don’t like confronting people. But the I think just continuing up the ladder, and incident response has always intrigued me. I like I like that chase, so maybe something in there.
Ian McShane 36:39
Yeah, yeah, I think for me like that. Taking that like thirst for knowledge. I think the important thing for me and not getting bored in this industry is that I keep learning and there’s so many domains here you can start to branch across like I’ve talked about how interesting I found encryption. I’ve never worked on encryption.
I’m not a mathematic mathematician, kind of insane mathematician, like be a mathematician. But I find it interesting enough to want to stay involved. And I think having that kind of thirst for knowledge is is great. And that’s what I look for when I’m interviewing people really, for this industry. It’s like, ‘Are you like, willing to learn more? Do you want to learn more? Or is it just about the paycheck?’ And if it’s about the paycheck, you know what, that’s probably the right thing.
Isaiah Grady 37:17
Yeah, there’s something every day, like even here in this job, there’s a threat meeting once a month and it’s like even outside of that there’s a vulnerability every single day, you scroll through threatpost. I love that site, by the way, you scroll through threatpost, there’s something every day, like couple things every day. I mean, there’s this in this industry: I don’t know what position you’d have to be in where your bored when it comes to cybersecurity. There’s always something out there.
Adam Marrè 37:48
That’s a that’s a really good point. I kind of have one follow up question for you, Isaiah, which is you just got this great job. You just got a promotion from triage security analyst to triage security engineer, which is incredible. Congratulations. Definitely not a gimme, that’s definitely earned. So great work there. But what advice would you give to folks who are in school and is just totally daunted by this process of trying to get a job, or maybe someone who’s been in another career and they want to move over? What advice would you give to them? I know we’ve said things, but we’ve been here a while you just got here.
Isaiah Grady 38:29
Including just the process of adding to that is a lot of people feel like people or companies are looking for more paper. And if I’m not a testimony to that with an associate’s and no certs, I think the biggest thing is just like if you really want to be in cybersecurity, like this is truly what you want to do. Just talk to other people sucks, like we all said, like none of us are introverts here. But it is so huge to just even if you can make or you have some friends, because I feel like typically you make at least one or two friends if like in your classes if your community college or this is just that community.
Even if you’re on like you said there’s even just like fairs and conventions you can go with or like I said most of them have chapters, I mean, UTSA, I have some friends who are more shot like me who are from UTSA, I’ve never gone to UTSA but I know that they go to UTSA. And I would study with them on campus because you run into them.
Basically, I would say it’s just like what we’re kind of continuing off of earlier is just don’t be don’t be worried about if you’re gonna get a PhD in cybersecurity or, a security plus cert and a CISA cert, whether it’s those two or a master’s, it doesn’t matter.
As long as you have something and then push for just meeting people getting connections. That’s how I got here. And I was able to prove myself after the fact. So I’d say definitely stuff like that. And like I said there’s there’s all kinds of stuff in San Antonio, there’s a couple of conventions, we have them up Austin to big tech thing. And just like I said, cybersecurity and UTSA, for instance, where I went to Community College of all places, there’s clubs, where people are doing capture the flag for fun. And they’re being able to get that promoted.
Companies look at those things, too. So I’d say definitely, just make sure you get connected somewhere, you don’t have to walk up to somebody and shake their hand right away, because that’s scary as heck. But, you know, put an application in the club, they’re not going to kick you out, especially if you’re in cybersecurity. So join something get in there.
Ian McShane 40:38
I will say the majority of cybersecurity folks I know are pretty welcoming, and pretty decent people. And there’s always the the bad egg or the rotten apple here and there. But for the most part, everyone I’ve always met in cybersecurity seems to be cool enough.
Isaiah Grady 40:50
Yeah. I mean, we’re all a bunch of nerds, or we’re converting other people into a bunch of nerds. Like it’s either those two, there’s nobody in here who’s not
Ian McShane 40:59
We’re all a bunch of nerds.
Isaiah Grady 41:02
Exactly. So I’d say yes. Get out there, man. Get out there, join a club, you don’t have to shake someone’s hand right away. But get out there and just start doing it.
Ian McShane 41:11
I think that’s a pretty good way to wrap it up. We’re all a bunch of nerds. So Adam, like you’ve already already said, don’t be afraid to reach out. What’s the best way for people to get in touch with you if they have any questions about getting into cybersecurity?
Adam Marrè 41:22
Yeah, if you don’t have any other connections with me, I am on LinkedIn. It is the only social I do. So reach out to me there. And like I said, I like to make time for people. The other means, like St. Con is one of the conventions here in Utah coming up. We’ll be there. We like to go to a lot of those things with Arctic Wolf so I’ll be around RSA, things like that. If you see me, cool. Don’t hesitate to come up with the LinkedIn is a good way for just about everybody reach out.
Ian McShane 41:53
Yeah, same with me. I’m on LinkedIn, you can find me with my stupid name, Ian McShane. Also, I’m also on Twitter at Ian McShane as well. It was just pretty coincidental, but it’s just been great. I’ve enjoyed talking to the both of you. So this has been cool. Hopefully everyone got some kind of insight into how to break into cybersecurity. Isaiah thanks, man. Appreciate you joining us today. It’s a pleasure. Thanks so much, and everyone else. Thanks for listening. We’ll be back in a few weeks with some other cool stuff about cybersecurity.
Transcribed by https://otter.ai