Unusual Journeys Into Infosec featuring @Phreck

Wow, we are half way into our adventure, performing recon on our courageous targets to understand their Unusual Journeys into Infosec: I might stop calling it Unusual soon, because in writing this series, I’m finding that what one person may call unusual- the vast majority of infosec call the norm! In previous stories, we’ve become versed in the perspectives of getting into infosec from students, academics, recruiters, graphic designers, artists, amongst many others.

Finding the right person with the an open minded perspective to talk to me was not as difficult as first anticipated, luckily I had quite a few seasoned Infosec Professionals willing to share their experience, and the one that stood out was Phreck. This is his Unusual Journey into infosec, and a hiring manager’s thoughts and perspective!

CyberSecStu (CSS): Ok let’s do this. So as you know I’m writing about journeys into infosec- what’s your story?

Phreck: Essentially I’m the standard troubled kid I guess. The more I think about it the more vanilla I feel

Found computers around 11–12, dropped out of high school at 16, began wasting most of my time on BBS, IRC. Involved in early years of internet flame wars in the late 90s. Ended up participating in some fun things, but nothing that got me a job.
Ended up joining the military at 23, for lack of other things to do.
Trained as a comms guy, but never did any of that. Ended up being sent to a grunt unit and deployed to Iraq, got out in 2010 and began consulting at help desk positions, eventually worked my way into *nix sysadmin work. Jumped on an opportunity at livenation to do more nix admin, which is when Tinder popped up and grabbed me in 2013.

Ended up being one of the first DevOps folk at tinder, which I used to bootstrap their security program.

Which is how I officially got into infosec =P Now I’m director of security engineering at a Cisco company.

CSS: That’s pretty impressive!!

Phreck: Always knew I wanted to be here. just a long road. No college or formal training.

CSS: Now your in infosec what do you most enjoy about your work and our industry?

Phreck: Now I kind of make a point to find people who want to get in, and hire them. Its a moving target- infosec is not a static thing.

Its also an exciting time in the industry as companies have really begun to invest and think about solving problems at a high level. Its fun seeing our industry go through similar transformations that sysadmins and developers went through years ago with DevOps etc.

But at the end of the day, its all about the chase. Breaking, fixing, being ahead of the attackers.

CSS: Exactly! Couldn’t agree more. Let’s talk about your perspective as an employer. What do you look for when you hire people?

Phreck: Basic knowledge, curiosity, problem solving approaches, but ahead of all that, hunger. The rest can be taught, we aren’t magicians, much of what we do is basic logic:

Should everyone have access to everything without a need? No.

Should we have a thorough understanding of what our applications and infrastructures do? Yes.

Nailing the basics gets you a long way.

CSS: A lot of people talk about a talent shortage, do you agree with this?

Phreck: Hiring is hard. People also don’t know how to hire. Also, looking for “infosec” people is the wrong approach in my opinion. You look for people who care about security and bring them in and mature them.

There’s definitely a shortage if you write your requirements such as it de-scopes the majority of talent!

CSS: I fully subscribe to this. I hire for attitude and work ethic because it’s hard to train these attributes you either have them or you don’t. Skills can be taught.

Phreck: Absolutely

CSS: Ok- so what advice would you give to people that are starting out and want to break into infosec?

Phreck: Be hungry. get involved in the community, find mentors, build champions, get into adjacent positions, go do bullshit IT work (like i did) essentially- just to get near the folks you want to be like or work with.
You’ll be worth more than any “cyber sec” graduate in a year or two!

CSS: What’s your thoughts on Cyber sec degrees?

Phreck: Great starting points. There are disciplines that need a good educational foundation — like cryptography

I hired a guy out of college who just got his masters, he’s a crypto wizard but still needs the basics uploaded! Great baseline.

But this by no means influence how I hire etc. I guess I’m mostly meh about degrees, probably because I don’t have one =P

CSS: Haha.. well I studied ceramics (pottery), so I can’t talk!

Phreck: Haha that’s awesome

That’s also why I was a bit bummed when the Equifax CISO got literally shamed for having a music degree. None of us are formally trained.

CSS: I used to be embarrassed by my background- now it’s an icebreaker.

Phreck: The formal training itself has only existed for a decade or so- especially Cyber Security Degrees.

CSS: Indeed there wasn’t a degree when we started!!

Phreck: Exactly

CSS: So the market is extremely competitive for talent, how do retain your talent?

Phreck: Ensure they are engaged and happy. consistently challenge them, understand what they want to do, and try to build my program and projects to compliment

And of course, free soda and chips. And cons and training budget per employee, to be used at their discretion. But retaining in general is more about knowing your team, and letting them get to know you.

Effective leaders expose their bellies, and are humans in the eyes of their team members. Lead from the front as well, never ask someone to do something you wouldn’t.

CSS: Great advice. Ok finally is there anything else you want to raise? This is your soapbox moment!

Phreck: Oh don’t let me get ranty- you'll get the flavor of the day.
Just being more inclusive and open with each other. we tend to be very competitive and even cruel to each other within the industry, but what makes us great as a whole is our diverse views which drive creative solutions.

CSS: Amazing!! Is there anyone you want mention or give a shout out to?

Phreck: Macallan, for making life bearable :p

There are some really good lessons Phreck shared that I wanted to elaborate on. Firstly, excelling at the basics are key, when people try to get into infosec, they skim over the basics to try and get to the exciting stuff. This foundational knowledge is vital, because it provides context to everything in infosec. Strong Devops or networking is key if you want to be a great infosec professional.

Contradiction Trigger In some cases these are not always completely necessary, as these skills can always be learnt if you have the right attitude and aptitude- but in today's competitive market having a strong grasp of these will no doubt make you a more attractive candidate.

Secondly, there is no shame in doing “bullshit IT work” -to quote Phreck, as there is no shortcut into infosec. However I’d add if you do go down the academic route, get as much experience as you can whilst at Uni.

Finally, as pointed out by previous people in this series the best way to get into infosec is to jump to feet first and participate in the community as much as you can. Many people have found jobs after sharing work on Twitter or by creating blogs that really showcase their work and knowledge.

So in summary get out and make it happen, you’ll be surprised by the results.