7 Surprising Ways People Became Infosec Professionals

2,875 reads

If you enjoy this article, help a non-rich cybersecurity woman out… Please click on the little green heart to recommend my article!

In writing about information security since 2009 for various publications, I’ve had the privilege of meeting a lot of fascinating people in my field. A lot of us come off as paranoid. We’re all weirdos in our own ways. Some of us are very friendly, and enjoy making conversation with new people. There are a lot of white men in information security, but there are also people of a variety of races, ethnicities, and nationalities. I’ve also met a number of other women. I enjoyed interviewing some of us for Tripwire’s corporate blog. I even met one information security professional who is transgender- a nonbinary femme.

One thing that has intrigued me for a while is the plethora of interesting ways we’ve gotten into infosec. There’s no set path, and everybody’s story is different! Our various different backgrounds give each of us a unique perspective which enhances how we think about vulnerabilities, security hardening, and cybersecurity culture in general.

Kim Crawley (me!)

I started using Windows 3.1 in 1993 at nine years old. My father bought our very first IBM PC with an Intel 486 processor- a powerful PC for its time. As a little girl, I explored his PC thoroughly. I loved playing around with Windows and MS-DOS. I had a number of favourite games published by Apogee, Sierra, Broderbund, and Epic MegaGames for MS-DOS. I even learned some DOS commands.

Dad was a novelist, and he frequently had technical issues. They were usually to do with his laser printer, or general Windows problems. He let me fix his peripheral issues, and I also edited autoexec.bat so that Windows would boot quicker. It’s amazing how he recognized my computer literacy even though I was a little girl.

By 1994, the Crawley household got internet access for the first time, via Prodigy Online and a 14,400 bps modem. I surfed early webpages on the World Wide Web with the Mosaic browser. I’d look at the source code of webpages to teach myself some HTML.

Although I was interested in computers from an early age, the rest of the world seemed to try to dissuade me from a computing career. My math at school wasn’t excellent, and my teacher told me that you have to be a math whiz to work in computing. She had never pursued computer science or IT, what the hell would she know? But as a child, I didn’t question her. It also didn’t help that depictions of “computer nerds” in the media were always male.

Fast forward to my mid twenties- at that point I had experience making websites for people. I still didn’t consider myself to be good with computers for some reason. But I had a now ex-boyfriend who thought that I had a lot of potential. So I went on to get my first CompTIA certs; A+, Network+, and Security+. That enabled me to get a job in tech support.

In my tech support job, I noticed that a lot of tickets were malware related. Malware started to fascinate me. People have always told me that I’m good with words. My late father was a significant factor in my learning how to write effectively and for commercial purposes. By 2009, a friend of a friend helped me get a gig writing articles for InfoSec Institute’s InfoSec Resources website. I really cut my teeth there, and I wrote infosec articles for them for years.

Back in August 2014, Gamergate hit. It was a tiring online hate campaign that ended up targeting many women and LGBTQ people (and those who defend them), after starting with an attempt to destroy game developer Zoe Quinn. There were hundreds of targets, and they tended to be in the video game industry, in computer science and information technology, and in social justice activism. Gamergate was a nasty example of the absolute worst of human nature, that developed into a massive online attack mob. The mob largely consisted of ignorant and hateful young men, driven by reactionary rage. Slut shaming, homophobia, transphobia, Islamophobia, racism, trying to gatekeep video games as a He-Man Women Haters’ Club (fictional women like Vivian James exempted), harassing video game reviewers for giving Call of Duty games scores of less than 10 out of 10… it was a clusterfuck.

It’s a long complex story, and it was a phenomenon that was created by the same sort of nasty bigots who helped get Donald Trump elected as President of the United States. Actually, a Venn diagram of Donald Trump’s fans and Gamergaters would overlap considerably. If this is the first time you’ve heard of Gamergate and you’d really like to learn more for the sake of context, RationalWiki has an excellent, relatively concise synopsis here.

By February 2015, Gamergate was still going strong. A lot of Gamergate harassment campaigns and script kiddie grade cyberattacks were being planned on 8chan. 8chan started because 4chan stopped allowing really horrible and bigoted content. 4chan’s admins decided to stop allowing Gamergate related posts. 8chan’s founder, Frederick “Hotwheels” Brennan, had already allowed its forums to become a venue for child pornography distribution. He needed more traffic, more buzz! So he welcomed Gamergaters who were furious about being banned by 4chan with open arms.

Gamergate’s primary weapon was the internet. They used computer technology to try to ruin people’s lives. Many of their actions were cyber attacks, however amateur and script driven. SWATing is when a prank phone call, email, or other sort of communication is sent to a police department in an attempt to send a SWAT team to a target’s home and terrorize them. SWATing was a popular activity amongst some Gamergaters. Other ‘gaters liked doxxing. That’s when sensitive information about targets, such as phone numbers, home addresses, credit card numbers, and SSN numbers, are distributed online to facillitate an attack. All of that bullshit falls under the umbrella of information security.

So that month, I wrote an article about Gamergate and 8chan for InfoSec Resources. They published it. Within hours, Gamergaters found my article and were outraged. They organized a harassment campaign to get my article offline. They couldn’t find my email address (as an information security journalist, I know how to make myself difficult to dox) or phone number. But they found various email addresses connected to InfoSec Resources. They organized on 8chan and Reddit, and hundreds of harassing emails were sent to InfoSec Institute employees, including my cowardly former editor Robert Rodriguez. I soon received an email from him that informed me that my article was taken offline. (Here’s a web cache if you’re curious and want to read my article. Thank you, archive.is!) Then they took all of my articles offline, because obviously angry 8channers are a primary market for InfoSec Institute’s training programs.

Robert Rodriguez and InfoSec Institute deserve my calling them cowardly. Already media corporations like newspapers and television networks are being purchased by a smaller number of ever growing big corporations. Journalism professors are bemoaning that too much journalism is becoming glorified PR and advertising because of growing corporate influence. Investigative journalism is a crucial public service in the Information Age. How are people supposed to learn about problems in society and the world at large if not for investigative journalists and various whistleblowers? A lot of the best information security journalism is investigative and controversial.

I wrote about Gamergate as an information security problem, and InfoSec Institute decided to let the blackhats that cybersecurity professionals are supposed to help protect people from win. I also contributed content to their CISSP and Certified Ethical Hacker training programs without ever having either certification. Seriously, if you’re in infosec and need a training program, try SANS Institute because their good reputation is deserved. Don’t waste your money with InfoSec Institute.

Anyway, during the years I wrote for InfoSec Resources, Rodriguez got me opportunities to write for IDG publications CSO, CIO, and Computerworld. I also got to write for SC Magazine. Feel free to check out the links to read more of my work.

I’m really proud of my article that was published in 2600 Magazine’s Winter 2014/2015 issue. It’s titled “What Do Ordinary People Think A Hacker Is?” Unlike my articles for other publications, I wasn’t paid with money. But being in 2600 is prestigious in some tech circles and I enjoyed my free one year subscription. I think I’ll write something else for 2600 in 2017. Here’s some interesting trivia. I was born in January 1984, the month that 2600 Magazine debuted.

Being a Gamergate target took a tremendous emotional toll on me. It felt like my infosec writing career was over, and I was only 31 at the time. I fell into a deep depression that lasted for months. There were weeks when I only left my bed to use the toilet and shower.

But like the almighty Phoenix, I rose from my ashes. I made a lot of friends in the infosec community, and there were people out there who liked my writing. Thanks to connections I made over the years with infosec people on Twitter, new opportunites came my way. I made friends with other infosec publication editors who saw potential in me.

Joe Pettit of Tripwire got me published, starting with my Women in Information Security interview series, which debuted in October 2016. I went on to write articles for Tripwire’s blog on quantum networking, and personal data in consumer devices. There are more Tripwire articles to come!

Kate Brew of Alienvault enjoyed my writing for Tripwire, and asked me to contribute to their corporate blog. My first article for Alienvault is about how poor UX design is a growing information security problem. She’s excited about some of my other ideas for Alienvault blog articles, so I’m working on them!

I’m also proud of having presented at my first infosec convention last year, BSides Toronto 2016. I keep my t-shirt with pride.

Follow me on Twitter: @kim_crawley

Brian Krebs

Well known security researcher Brian Krebs’ story stands out in my mind. His background wasn’t in computing. He worked for The Washington Post as a reporter since 1995. He describes how he got into infosec as an accident. In 2001, his home LAN was hit with the Lion Worm.

Krebs did some computer programming as a kid, and has always been interested in computing, even though he didn’t pursue it professionally at the time. His natural curiousity led him to explore what the worm did to his computer and his network. That triggered an ongoing fascination with information security.

He went on to write the Security Fix blog for The Washington Post. That venture evolved into his current Krebs On Security blog. All of his research and writing through the years has made Krebs a sought after information security expert.

Follow Krebs on Twitter: @briankrebs

Rick McElroy

McElroy’s love of computing started as a child. He took apart an Atari video game console to explore its inner workings. As a teenager, he was in a high school program called NORSTAR which was all about robotics and computing. An experiment he worked on in NORSTAR ended up on a space shuttle thanks to a partnership with NASA! Those experiences fueled his love of technology ever further.

At only 17, he enlisted in the United States Marine Corps. He wasn’t in a computer technician role, he describes his position then as being a “grunt.” There were few computer tech job opportunities in the Marines, so eventually he decided to start an IT career as a civillian.

He attended Coleman University to pursue his dreams. While there, he learned everything from networking to how to build servers from hardware components.

After graduating, he found employment with a company that sells computer hardware and services to businesses. They also employed some cybersecurity professionals whom he learned a lot from. They taught him about penetration testing, security hardening, and how to sell those services to business, explaining the importance of information security to those clients.

That’s what kickstarted his infosec career, which has been growing strong for over seventeen years. He wrote an excellent article on why military veterans make excellent cybersecurity professionals for ITSP Magazine.

Follow McElroy on Twitter: @InfoSecRick

Kat Sweet

Military veterans have unique knowledge and experience that can enhance an information security career. But so can… women and gender studies students? Yep!

That’s what Sweet studied. Her experience sharpened her critical thinking skills, and gave her an in-depth understanding of how power structures work in society.

A cybersecurity professional I once knew said, “Amateurs hack systems. Professionals hack people.” STEM (science, technology, engineering, and mathematics) backgrounds relate to infosec in an obvious way. But people often overlook how psychology, sociology, and other social sciences are crucial to infosec. Most cyberattacks involve social engineering at some level- fooling people. Also, end user ignorance is often a security vulnerability, as are factors such as how poor corporate culture and worker exploitation drive internal attacks, and poor UX design.

Sweet went from school to working in politics. She worked on political campaigns, as a page, and then as a legislative aide. She learned that politics can be an unstable field to work in, even if you aren’t a politician who depends on re-election to keep their job. People who work for politicians can also have unreliable job security. Staffers often lose their jobs when the politican they work for loses an election, too.

Wanting to leave politics, Sweet’s natural curiosity led to her teach herself computer programming. Secure software engineering and design is a key area of infosec. Security fascinated her, so she explored it further. She went on to attend infosec conventions, volunteer for them, and speak at them. She didn’t entirely feel like she belonged in the infosec world, but watching a presentation at DerbyCon 2014 about how people can enter security from areas outside of computer science and information technology convinced her otherwise.

Last year, she got her first proper infosec job, and the industry is all the better for her contributions.

Read her fascinating story on her blog here, and here. I also had the honour of interviewing her for my Women in Information Security series.

Follow Sweet on Twitter: @TheSweetKat

Claus Cramon Houmann

Houmann studied Business Adminstration and Information Technology at a college in his native Denmark. While in business college, he worked for Denmark’s largest ISP as an ADSL hotline supporter. When he graduated, he was hired as a process consultant at TDC Hosting.

That got him lots of experience interfacing with datacentres. Learning on the job by working with firewall configuration, and physical access controls for server rooms got his feet wet for infosec, even while his focus was on availability and logging.

Datacentre metrics back then may have focused on uptime and accurate data collection, but those ends are dependent on security. The CIA triad of infosec applied to Houmann’s work, even if he was unaware of it. Especially the Integrity and Availability components. Datacentres like the environments where he worked in are connected to networks, a means of accessing and distributing data from some computers to other computers. Often the networks datacentres are connected to include the public internet. Cyberattacks like DDoS attacks compromise availibility, and cyberattacks like man-in-the-middle attacks compromise integrity. Networking facillitates those sorts of attacks, and you don’t even need an internet connection. A rogue, disgruntled employee can attack their employer’s server within a WAN that’s closed to the internet, or an outside attacker can penetrate a workplace’s building to acquire the same physical WAN access an employee may have.

After working at TDC Hosting for a few years, Houmann’s employer got him into working with ITIL- AXELOS’ proprietary Information Technology Infrastructure Library system for IT service management. TDC Hosting provided him with specific training and certification study and exams. By the release of ITIL v3 in May 2007, security became a curriculum component, although Houmann says infosec has changed a lot since then. But having to learn ITIL v3 helped introduce Houmann to some security formalities.

Imagine how many more brilliant minds there would be in infosec if countries like Canada, the United States, and the United Kingdom were more like Denmark? Houmann benefitted from a Danish public service which allows Danish citizens to attend college and university tuition-free. Then he had an employer who was ready and willing to invest in his further education into specific information technology domains. There are probably millions of Canadians, Americans, and Britons with Houmann’s potential who’ll never work in infosec because they cannot afford the required education, and employers insist on $50,000 worth of education for apparently entry level positions.

Houmann then fell in love and got married. His wife found a job in Luxembourg, so he quit his Danish job to move with her. He started his own IT service management business in Luxembourg, ImproveIT Consulting. His largest client was a small banking institution which he realized was in great need of security management. Financial data is highly sensitive, and every developed nation on Earth has strict government regulations for keeping data secure in that industry!

Realizing how crucial security is, Houmann started attending infosec conferences. He was amazed by how much there was to learn. Being a consummate professional and a studious mind, he’s learned a lot about infosec. And he’s always learning more.

He went on to leave ImproveIT Consulting and enter cybersecurity full time by working for Peerlyst. And the rest is history.

Follow Houmann on Twitter: @ClausHoumann

Giovanni Natale (Johnny Xmas)

Hackers are natural potential infosec pros. I’m referring to hackers in the Steven Levy, Richard Stallman sense, not the colloquial, Hollywood-driven “hackers are all bad people and blackhats” sense. Having an innate curiousity about technology and experimenting with it to explore what it can do is all that it takes to make a hacker. Johnny Xmas has always had that type of mind, and he never let his circumstances dissuade him.

Johnny Xmas’ fascination with computers started early on. While working at Best Buy and without formal IT training, he was able to assemble his very first PC from parts he was able to acquire from his employer’s dumpster. He was later fired for being caught, even when police acknowledged that he did nothing illegal. It’s a crying shame how many good products retailers throw away all the time, just because they think if they gave away what couldn’t be sold it’d make consumers less likely to buy stuff. Thus is the wastefulness of Capitalism.

2600 Magazine got him into hacker culture and showed him that there are other people out there who are just like him.

While at college, Johnny Xmas used his hacker mind to expose something that was going on. He’s mum about the details for legal reasons, but he says a lack of understanding of ethical disclosure was a factor in his being expelled from the school. Oh well. As Alanis Morissette once sang, you live, you learn.

Exploring computer systems and networks, however legally or illegally, taught him the skills of a sysadmin. Unfortunately, most employers won’t hire people in that role without formal, professional experience. So with sysadmin dreams, Johnny Xmas started working at a PC repair shop. Driven by ambition, he got his CompTIA A+, Network+, and a Cisco CCNA. But that still wasn’t enough for sysadmin employers!

Curiousity led him to explore printer devices, and he also acquired vendor certifications in that area. A friend noticed his printer expertise and got him a lucrative job in repairing them. That employer was poorly managed and he was afraid of the company going out of business. So he did everything he could to make their work more efficient, including streamling their auditing process. In doing so, Johnny Xmas learned a lot about Linux, networking, and databases.

Having taught himself a lot about hacking, and having read a lot about cyberattacks, he did a great deal of security hardening which he thinks may have been overzealous in hindsight. But his employer was impressed with his knowledge and how he went above and beyond the call of duty.

His sysadmin dream came true, and eventually he was in charge of all of the IT work in a newly opened second warehouse. But then the inevitable happened. His employer’s poor managemt led to them going out of business and he was out of a job. Like when Gamergate and InfoSec Institute’s cowardly reaction temporarily haulted my infosec writing career, Johnny Xmas fell into a depression.

He joined a group who played board games once a month in order to motivate himself to leave his house. At some point, one of the group members emailed his roommate, asking him if he knew anyone with infosec skills. The group member was hiring for a Fortune 500 company.

You know where this is going. Due to his honest nature and 1337 hum0ur in his job interview, Johnny Xmas got the Security Engineer position over other candidates with more formal qualifications.

When he wasn’t engaged in assigned tasks, he got hands on experience with penetration testing and vulnerability validation. During industry events, he met someone who worked in Red Teaming (penetration testing) with a credit card company. They talked about testing, and shared knowledge with each other. At a new employer, his infosec friend was tasked with helping compile a new Red Team. Johnny Xmas was recommended, as his friend was aware that he was being laid off due to a corporate merger. Yep, he got the job.

Johnny Xmas describes his current penetration testing career as “legally robbing banks and federal agencies.” Sounds like fun!

Follow Johnny Xmas on Twitter: @J0hnnyXm4s

Cheryl Biswas (3ncr1pt3d)

Cheryl Biswas studied political science in school. Having been a political journalist before I became an infosec journalist, I envy the opportunity that she had.

Governments and elections have a crucial impact on our everyday lives. As we’ve been burdened with ever more bizarre and scary political leaders and candidates lately in North America, Europe, and the Philippines, hopefully people are appreciating that more.

But instead of becoming a political journalist, or a political worker like Kat Sweet, Biswas entered IT as a Help Desk agent. Well, there’s something else that we have in common.

But instead of working for an outsourcer for an American ISP as I did, she got a good job at Canada’s storied Canadian Pacific Railway. The company was previously known as CP Rail, and it started operations all the way back in 1881!

CPR’s IT department has an excellent reputation. Biswas said it was an excellent opportunity to learn from some of the best. Mentoring is a part of their corporate culture. She’s still in contact with some of her former colleagues to this very day.

She had to take a ten year absence from her career for motherhood. Corporations can be very judgmental of women who may need to take breaks from employment for pregnancy and childrearing. That and outrageous child care costs probably hurt society, even here in supposedly more progressive Canada.

But Biswas was fortunate. She had the communication skills, interpersonal skills, and technical knowledge that a managed service provider was looking for. They employed her part time, which helped her balance career and motherhood.

A Kaspersky newsletter was available in her workplace as Stuxnet hit in 2010. She was fascinated. Stuxnet is fascinating. It’s really complex malware. It contains a worm, a link file, and a rootkit that targets programmable logic controllers. Its development may have been the most expensive ever for malware- it would take a nation state to create. It was rumoured to have been a joint American and Israeli operation against Iran’s nuclear infrastructure. The rumour was later confirmed. Biswas researched Stuxnet and wrote a report about it for her boss, driven by curiousity.

When her company decided to start a Twitter presence, she was handed the responsibility of operating it. That helped further her exploration of infosec. She loved researching cyberwarfare, social engineering, malware, and everything connected to those areas.

Biswas loved sharing her research with her colleagues. Even though her colleagues would rather fix immediate problems than think about longterm solutions and the big picture.

But then September 2014 hearlded the first discovery of a Shellshock bug, one of many. It affects the Bash shell that’s used in many UNIX systems. Lots of internet services worldwide use the program, so the security implications of those bugs are massive. Biswas’ coworkers sought her for help. She was involved in weekly security meetings and customer advisories.

She soon worked on the corporate website, and her own security blog.

Her employer helped her attend her first infosec convention, Circle City. It was a great experience for her to learn and network. BSides Las Vegas has a program called Proving Grounds. It gives new infosec convention speakers the opportunity to be mentored. Biswas got that opportunity, and she flourished. She’s gone on to give more infosec con talks, contribute to more security blogs, and mentor others as she has been mentored.

Last year, she got a cybersecurity position with KPMG. She’s glad that she decided to pursue infosec professionally, and her CyberWatch blog is always a worthwile read.

Follow Cheryl Biswas on Twitter: @3ncr1pt3d

— -

If you enjoy my information security writing, help me buy groceries. Please support my Patreon. Thank you.

If you enjoy this article, help a non-rich cybersecurity woman out… Please click on the little green heart to recommend my article!

Tags