Unusual Journeys Into Infosec featuring @InfoSecSherpa

Part Seventeen of the Unusual Journeys Into Infosec series by CyberSecStu of The Many Hats Club, who talks to @InfosecSherpa about her journey.


It's time to put on your crampons, check those ladder bridges and have your ice axe handy as we prepare to leave base camp to ascend the mountain of knowledge with our guide InfoSecSherpa!

I've been a fan of InfoSecSherpa for quite a while, not because she created the hashtag #Ginfosec (although I do find myself using this more and more these days), but because she is an inspiration for dedication and perseverance.
Her background, experience and knowledge are among the reasons why I was so excited and honoured when she reached out to me on Twitter, offering to share her journey as part of the series.

"You can teach a willing person the tech, you cannot easily teach them soft skills, or the transferable skills they bring with them." - InfoSecSherpa 2018

So check your harness, pack your gear and prepare to join us as we embark on InfoSecSherpa's Unusual Journey Into Infosec!


CyberSecStu (CSS): My vision for this article (or series) is to help break the illusion that you have to follow a certain route to have a career in Infosec. You mentioned that you have an unusual journey, where did yours begin?

InfosecSherpa (ISS): My journey into InfoSec began on a train, and with tears. My two Liberal Arts undergraduate degrees led me to earning a Master of Library and Information Science, and I worked as a librarian for about fifteen years.

I worked as a law firm librarian for about ten of those years, and commuted into Center City Philadelphia daily. I reached a point in 2015 when I realized that I had pretty much achieved all that I wanted in that particular field.

There were more elevated positions I could pursue, but I just wasn't interested. Any mountains left to climb were of no interest to me. This made me sad as I took the train in and out of the city to a job that made me feel in a rut. Feeling I was descending into a pit of professional despair, I would shed a tear or two on my train commute home.

I would try to distract myself with reading. I found this article in Entrepreneur entitled, "Future-Proof Your Career in 2015." The article gave what I considered to be good advice and it resonated with me:

To create your plan, dial into the core elements that drive your success in three steps:

1. Start by refining your vital purpose
2. Figure out what you do that nobody else can do in quite the same way.
3. What are the specific things you say and do that add distinct value and set you apart?

When I mulled over these core elements, I kept thinking about what made me happy in all my past jobs. I quickly realized that it was the tech components of past jobs that made me happy. I liked troubleshooting, I liked the challenge, I liked figuring things out in order to help people. I never pursued a job in tech before, for reasons that I don't fully understand. But, way back in the day, I used to spend many hours tooling around in the computer lab and maybe getting into some things that I probably shouldn't have.

With this new-found purpose and drive, I decided to dip a toe into the tech world to see if it still created a spark that I thought was long extinguished. I attended every tech meetup, workshop, and class that I could find. I talked to people. I read many tech news items. I started to cross off areas of tech that were of no interest to me. I found myself drawn towards the headlines of the cybersecurity articles.

A friend who works in the industry told me about his job and gave me a glimpse into the world of an Information Security professional. "I think you should take a look into this further," he encouraged me, "I think you would be good at it." This friend discovered the Women's Society of Cyberjutsu booth at Black Hat and connected me with them. About a month later, I sat in their Cybersecurity Fundamentals workshop. My eyes had been opened to a whole new world I didn't know existed. They had me at port scanning.

Information Security quickly became my quirky hobby and I committed to absorbing it all. I contacted the CIO of my then-employer and asked what the law firm was doing for Cybersecurity Awareness Month in October, and asked how I could help. I created a 5-point plan of ideas and how to execute them, compiled my query in an email and held my breath as I clicked the "send" button. I expected no reply. Instead, he loved my ideas and put me in charge of running a one-month awareness campaign along with the marketing department and IT.

On November 1st I inquired with that CIO what else I could do that was InfoSec-related. I was kindly advised that there was nothing for me until next year's Cybersecurity Awareness Month campaign. I wasn't satisfied with that answer. I had tasted the blood of InfoSec and I wanted more.

I began to figure out my next moves, continuing to be inspired by the "future-proofing your career" article. After over a decade in the field of librarianship, I quit my comfortable job with good salary and floor to ceiling windows in my office in February of 2016. I was at the RSA Conference in San Francisco about two weeks later. That began approximately a year and a half of me running my own business, Sherpa Intel, in order to make money as I pursued my new professional goal of becoming an Information Security professional.

What I lacked in tech knowledge, I made up for in enthusiasm and willingness to learn. I tackled networking principles as well as security topics to learn and bring myself up to speed, all the while marrying my library science skills to this new discipline.

I spoke at conferences, wrote blog posts, and appeared on podcasts to not just promote myself for getting a job, but to share the knowledge I had of research and interacting with end users to demonstrate, like the article said, "what you do that nobody else can do in quite the same way." I was sincere in my desire to bring librarian skills into InfoSec, despite a few naysayers.

I continued to learn. Continued to share. I was determined to prove that I could be a useful part of the Information Security industry and community.

After seeing many job rejection emails in my inbox over a few months' time, I one day received four rejection emails in a single day. Exasperated, I lamented to a new InfoSec friend I made on Twitter, "What do I have to do to at least have the chance to explain my skill set to these people and how much I want to be in this industry?" He generously sent a Tweet out on my behalf to promote me. One of the people who contacted me is my current boss.

It's almost the one-year anniversary of me beginning my current job as a SOC Analyst for a global pharmaceutical company. I have a GSEC certification and am working on other certifications in addition to general skill building daily. I utilize my library science skills in the SOC every day, and am always looking for ways to introduce my unique perspective into the work flow.

I am tremendously grateful for the people who helped me along my InfoSec journey. Many industry and community members were more than generous and patient with their time helping me learn and explore this world they've known for years. My husband was an instrumental part of my success because my career change was a challenge to our household.

I had a plan all along in my head and I stuck with it. I set periodic time markers to not let months get away from me and find myself drifting off course. I was dedicated and focused to the goal of finding an InfoSec job. Now, I'm dedicated and focused to excelling at it and continuing to learn.

When I can, I give a talk entitled, "Information Security 101 for Librarians" at conferences or workshops. I'm not the kind to forget from where I came. The foundation of librarianship gave me the skills to make my way into this new career that I love. I try to give back in the best way I know how.

If you are focused and dedicated, you can make things happen. Now, I only cry happy tears on public transportation.

It's much better this way.

CSS: Amazing!! This is exactly the inspiration people need, especially when they are in a similar position.
What do you think are the biggest challenges for people trying to break into infosec today?

ISS: The biggest challenges for people trying to get into the InfoSec industry are:

(1) HR/Personnel departments,
(2) Companies that are unwilling to train,
(3) Applicants getting experience/certs, and how that can be cost-prohibitive for many


(1) HR departments need to communicate better with the hiring manager and/or departments on how to write better InfoSec job descriptions. A Junior Analyst position does not need a CISSP. The InfoSec community needs to reach out to the HR professionals and help them understand the types of jobs our community fills.

(2) Companies need to be more proactive with bringing in people with experience in other industries or fields and teaching them the tech and processes of InfoSec. Diversity of thought solves problems and breeds success. You can teach a willing person the tech, you cannot easily teach them soft skills, or the transferable skills they bring with them.

(3) To get a cert, or to not get a cert. That is the question. It's confusing for newbies when they are told to "just get a cert" and that will solve all their problems. It can be time and cost prohibitive for newbies to commit to this, if they are a working professional still holding down the job they hate while dreaming of a new InfoSec career. See my answer to number 2 about why employers need to be more dedicated to diverse recruiting and train skilled, enthusiastic, driven people who want to problem solve.

That's InfoSec at its core.

[Image: InfoSecSherpa @ BSides Charm]

CSS: I agree with all of this!

What is the best advice you've given to someone looking to get started in infosec?

ISS: Be active in the InfoSec community. Networking is also for people, not just computers. Get on social media. Have a solid LinkedIn profile, or a robust blog. Something you can link people to so they can get to know you and/or your skills and work.

Volunteer at conferences or events. Attend meetups. Be a sponge and absorb everything that you can. Know the InfoSec items in the news so that you can speak about them in 3 sentences or less in case you are asked about them on a job interview.

Be positive and contribute. Be your biggest advocate and put yourself out there to let people know your skills and your desired end goal in InfoSec. People won't know if you don't tell them.

"You're braver than you believe, and stronger than you seem, and smarter than you think." - A. A. Milne

CSS: Although you've covered some of this earlier, what is it that you most love about Infosec?

ISS: What I loved about being a librarian is the same thing I love about Information Security - connecting people with information and problem solving. Whether it is directly interacting with end users or just my fellow SOC team, I like to be a catalyst for troubleshooting and fixing things.

I like the challenges of learning something new. I like the rewards of successful blue team defense. I like the InfoSec community. There are so many people who are generous with their time and knowledge.

I lovingly refer to the InfoSec community as an island of misfit toys. Sure, there are bad apples in every bunch, but I have been delighted by making connections with the people who share themselves in an effort to educate and support others.

CSS: Thank you so much for sharing your valuable exp. Is there anyone you'd like to thank or mention… (soapbox moment)?

ISS: I have so very many people to thank for my InfoSec journey. They are all very dear to me. Here are a few who were (and continue to be) integral to my success. @macairej and @DougBarbin for being early adopters of supporting and encouraging me to make this crazy career change from librarianship to InfoSec.

The Women's Society of Cyberjutsu for having me at port scanning with their classes and workshops. @marcelle_fsg @marigalloway and Lisa Jiggets. @WebBreacher, @JasonDion, and @BryanOnSecurity for being great, patient instructors. @jwinbow, @cblitz27, and @SecHubb for taking a chance on a librarian and helping me thrive. Last, but not least, my husband and dogs for giving me roots and wings.

CSS: Also I forgot to ask, why Infosecsherpa?

ISS: I was an early-ish adopter of Twitter back in 2006 or 2007. My boss at the time, in a law firm library, told me that I couldn't blog or be on social media with my real name because of how it would reflect on the law firm.

Rather than fight this, I simply came up with an alias. I wanted a name that reflected my professional goal of helping people. One way you help people is to guide them, and LibrarySherpa popped into my head.

Later, when I made my career change into Information Security, I merely created what I thought was going to be a creeper account to dip a toe into the community. I kept my branding and called myself InfoSecSherpa and I now have almost 10k followers. So, that whole creeping thing didn't last very long, lol. I call myself, "Your guide up a mountain of information," and that is my professional motivation and essence.

CSS: Excellent!! Love that... I knew there was a story behind it! And of course now I have to ask about #Ginfosec!!!

ISS: The #ginfosec origin story: Back in my librarian days, it was not uncommon for librarians to talk about their love of Gin & Tonic. I had tried them before, but never found them to be satisfying. Well, that is because I was doing them all wrong, as the British librarians informed me. On a trip to London, a British librarian schooled me in a proper G&T and my life was changed.

Soon after, I coined the phrase #GinformationProfessional, or #GinfoPro to describe librarians who like to chat about library stuff whilst enjoying a properly made Gin & Tonic. Once I moved over to Information Security, it was a no brainer to adjust it to #ginfosec.

Similarly, the term for security people who care to enjoy a well-made G&T over discussions of our industry. I hosted a #ginfosec meetup in Las Vegas this year, and plan to have some more in the future. I know it has been frowned upon lately to encourage alcoholic events within the industry.

This is something that I enjoy and anyone is welcome. No consumption of gin or even alcohol is required. It is a little sort-of hobby of mine and I enjoy connecting with InfoSec pros who are also fans of gin.

CSS: Awesome!! Thank you ever so much for sharing!

In summary, InfoSecSherpa (ISS) has covered so much that it's really hard to summarise, but there are a couple of excellent points I really wanted to highlight.

The importance of the Twitter community cannot be underestimated, as this resulted in ISS getting her first infosec role, so put yourself out there and get involved!

Also, it's never too late or impossible for a career change. ISS has proven this, and there are many other success stories out there that prove that transferable skills vs are not a barrier to entry. Of course soft skills are important, but so is the desire and aptitude to learn!

But what really stood out for me as the key advice: don't give up, push hard, learn, go to meetups, talks, read "all the infosec news" and be a sponge. But DON'T GIVE UP!!! Half of getting a job is timing (and luck), but if you are not pushing hard enough, you'll miss your opportunity to be in the right time and place!

The artwork used for this article is called 'Mountain Climbing' and it was created by Garrett Anderson.