This is a post I was encouraged to make just from the sheer amount of stories that exist out there – not every InfoSec/cybersecurity pro was phreaking or breaking open Apple II’s in the basement. Plenty were! And that’s awesome, I love those stories of the “good old days” of hacking and security, but today is a different day for certain. Everyone has a story and they’re all unique – so when I hear from people close to me, including my own wife “I wish I would’ve known about this stuff earlier” my heart breaks a little because we aren’t getting these stories and information out to EVERYONE that might benefit from them regardless of color, class, gender, or privilege. So – here’s my story – albeit circuitous, which got me to where I am today (as of writing) as a Lead Principal Information Security Engineer. I’ll put the TL;DR up top because as is natural when talking about yourself – I’m going to ramble.
TL;DR
Places: Grocery >> Best Buy >> Geek Squad >> Best Buy >> BMW >> Geek Squad >> MSP IT >> MSP Security >> Today!
Titles:
- Grocery – bagger, checker, garden center, produce
- Best Buy – CD/DVD stock, Appliances, “Operations” (aka checklanes and customer service), customer assistant – aka no department wander the whole store, PC/Home Office (PC-heyo!), and digital cameras/mobile phones/car audio. Could be more – I was here way too long
- Geek Squad – Agent (forget the exact title but worked the desk and did some cleanups), Online Support Agent (remote work in 2012)
- BMW – Sales – 6 days a week 12+ hours a day – great money, awful balance
- MSP IT – help desk, end user services (aka road warrior at client sites), dedicated support engineer (FinServ client)
- MSP Security – IT Security Administrator – totally made up but amounted to a reporting analyst, limited hands on response or IR.
- Today – Information Security Engineer, Senior Information Security Engineer, Lead Principal Information Security Engineer
Humble beginnings
exterior - Bon Aire Mobile Home Park - Iowa - early 1990's
We come upon this stories main character playing Mega Man II on the NES underneath his mother’s couch which is flipped on it’s base to make a pseudo-fort with a little overhang. The buzz of the CRT and the killer soundtrack backing the destruction of Dr. Wily’s automaton menaces underscore a lot of where my life has been – always a little on the poor side and very close to video games and technology. I was raised in a college town in Iowa that to this day is an incredible spot to raise a family – while it can be argued it’s a fun but enraging place to also be a fan of that particular college’s football team, at least we have unreal corn and tenderloins. Iowa wasn’t exactly a tech hub back in the day and at this point coding in high schools was just not a there. I always excelled at English and language courses, struggled in maths, but found concepts like economics and religion fascinating. I also had a knack for baseball and thanks to my step dad for coming in around age 9 to curate those abilities and get me into competitive baseball at an early age. Someday I’d love to share the story with you dear reader at a conference or here in Denver of an ice cold beer or nice warm tea of how we started our own team after the incumbent team in town had been around for years and were the de facto “best”.
But I digress, as my childhood surely had a lot to do with my current circumstances, it also doesn’t make great cyber content so let’s fast forward a little. Not too far though, I remember my first days playing around with something that I thought was infinitely cool, but I never really put it all together until recently that when I played my Sega Genesis and used my GameShark, I was messing with the memory on the cartridge directly. I was able to control health, ammo, and more by selecting what I wanted to load into the memory on the device, launch the game and all of a sudden nothing could stop Sonic from getting after Eggman and freeing his friends while just bathing in rings. A few years after that I’d start getting hands on end-user PC hardware that was “the family computer”. For the younger folks – that was how it was in the midwest for sure as PC’s started to proliferate – you had ONE desktop that was the computer everyone shared on a dialup modem. There were a lot of availability concerns there – someone picks up the phone, Dad needs to look something up, or someone downloads some warez from less than reputable sites and nukes the whole computer.
I never really got into exploit development or even seriously messing around on the command line for many years later – but I do remember playing some great games like Castle of the Winds which was my D&D since I was some young jock who wasn’t supposed to like that nerd stuff (I LOVED this simple game, my imagination could run wild exploring these dungeons). Unbelievably you can play this game today over at ClassicReload – but from there I ventured out into quite a few directions, everything from Nintendo classics to one of my favorite PC franchises Hitman from IoI interactive. Video games became more and more
All throughout high school I did spend a lot of time on computers but this was at the height of AOL Instant Messenger (AIM) so quite a lot of my friends and classmates essentially did their after school activities, grabbed a bite to eat, and signed on for the remainder of the night.
I like to say I “lived a former professional life” because I started way back at a grocery store in high school then said “man when I turn 18 I’m going to work at Best Buy, the coolest place in the world”. Well I did and yes it was cool for a long while – it was also like a co-ed fraternity where I met some of my longest and strongest friends I still hang out with today.
At Best Buy I thought I’d climb the ladder and work there forever on the sales floor. It was fun, I got to work around tech and I honed skills that I never used in school. After a few years and promotions though I saw a disturbing trend that I’ve come to see as near-ubiquitous in retail; get promoted, work your way up – then some new district/territory leader comes in with these new ideas that have definitely been tried before but trust me this time is different and they’ll cull some leaders that have been there for a long time. I saw a lot of friends get pushed out this way or through the (and I’m serious) annual restructuring where a swathe of positions were eliminated and everyone had to fight other qualified people internally for fewer jobs. I did learn a few very important lessons throughout my tenure at Best Buy and Geek Squad:
- Every leader is a teacher with lessons, good or bad, for you to take from them
- This should inform your leadership style should you become a leader yourself
- No one is irreplaceable
- Contributions matter
- Matching words and deeds matters
- There’s room for people who just want to do the damn job
- Process is not a dirty word
- Documentation matters
- Both for technical/process and for performance
- Know the score
After the years of trying to climb and seeing friends and colleagues fall off that ladder I decided to switch over to the Geek Squad side and go deeper into how things work and how they break. Geek Squad can get a lot of shrapnel but I did learn quite a bit from some key members of that team and value my time both in the store and as a remote agent. Geek Squad gave me the necessary spark to light a huge tech fire under me that continues to burn today in my security work – and taught me more good lessons about when to call the rabbit hole investigations and just reimage a machine, how to identify your assumptions and challenge them, and what normal looks like on a Windows or Mac endpoint. I also was fortunate to be placed on a small team that did office level support for small businesses – Geek Squad’s own MSP offering – and I got some great exposure to Active Directory and enterprise networking.
Enter the Enterprise…IT world
The skills I gained in the Geek Squad and Best Buy times served me very well and helped land my first corporate IT job at a Managed Service Provider as a help desk tech. This means I was grabbing tickets, calls, and emails and flexing those problem solving muscles. What helped me be successful in this role was a few key things;
- A desire to understand problems and how to make sure they don’t resurface
- A desire to leave things better than I found them via documentation and process improvement
- A passion for teaching/showing others cool stuff
This all worked out great because I got moved to a customer facing end user services (field support) role relatively quickly. I was traveling around the Denver metro visiting customer sites and getting their on-site needs taken care of. This usually amounted to some desk moves or other work that couldn’t be done remotely and some running around checking in on folks which also lent itself to my service-oriented approach to IT. After this I was tapped to be a dedicated engineer for one specific client in the Financial Services realm which was new to me.
I loved this role, this team, and this opportunity because I was mostly set free to be a SysAdmin, Network Admin, and Security guy but was also treated as part of the client team by the wonderful team there. I learned a ton by immersion and was able to be exposed to business processes and conversations that I never would have been able to if I were in a different spot at a different time. After 2 years in this role I got exposed by a friend in the same MSP I worked at to the security realm – with all the challenges and upside along with it. He convinced me that the CISM was a great certification, that Security was worth going into, and that I was suited for it. Thank goodness he did because I also had the realization that if I stayed at this FinServ company as a utility player (incredibly underpaid at that) that I would be there forever – which for some would be fine, but for me as a young gun, I wanted impact.
Now you’re cybersecurity-ing
One day a role opened up on the MSP’s customer facing security team, which at that point was just one person and a director focused on service catalog and what they could offer as a security service. I wanted to apply but was also being courted by the project management team as a potential associate project manager. Talking it through with my wife, she made some excellent points – primarily that I am not an organized person by nature, and PM’s MUST be hyper-organized.
I applied, interviewed, and got the position – but what is important and a very common theme in my entire career – a huge facet to my acceptance was my ability to communicate across function, role, and hierarchy. This is why I stress that any skill is a skill that’s applicable in security. I also use that to my advantage when discussing “why me” in that I know these are my strengths – there are infinitely smarter, more technical, and more experienced security engineers out there. But for more than a few roles I’ve held I need to be able to not only say “here’s what we’re going to do” but say that to varying audiences from IT and Engineers to HR, Accounting, and the C-suite. My time in this role was a great experience but as we grew the offerings, it turned to me writing Nessus reports, sending emails about SIEM alerts, and configuring KnowBe4 Email Phishing campaigns. As I started to feel burnt out in this role, it amounted to a few things;
- Knowing I was vastly underpaid
- No challenge in the work
- No victories and a never ending pile of reports that will never diminish
- no indication of team expansion or help coming even though bandwidth was zero
With that in mind I started looking – and I’ll surely do a whole other job hunting post – but I applied to quite a few jobs, landed less interviews, and ended up with 2 offers. I gave a talk about the cardinal sin that I committed here – verbally accepting an offer and then going back on that word (to be fair it was an invitation to counter, but in my mind they were never going to meet the perks of the second offer) and I went with my current employers offer and have never looked back.
Cybersecurity and Information Security Now and Next
These days I’m leading a team of engineers and helping direct a larger team of analysts toward maturing the security posture of a great company. We’re getting progress on a lot of items, seeing things get implemented, and enjoying the process of building a program. I wouldn’t be able to do the things I do today at another organization and I tell my team regularly that our contributions matter. I’ve done things I didn’t think I’d be able to do like implement a brand new EDR, SIEM, and policy stack. I’ve written the IR and IM plans, stopped incidents before they get out of hand, watched our security posture go from “eek” to “better” and that’s what it’s all about.
What’s next for me? Well my plan for now is to keep the day job humming and keep growing my team, enabling their success and careers while ensuring we continue getting those wins and contributions we so love. I’d like to continue to write here or more publicly, do some talks here or there, but more importantly get more “out there” in the community. I’ll be looking to attend some more conferences and networking events, make myself more available on social media (Twitter probably fastest but if you find me on LinkedIn that works too!) and generally try to do what I can to enable more to feel welcome in this field. I’m proud of the team I’ve built full of diverse lived experiences and hope that I can bring that to the larger industry, as well as get some in-person high fives and learn from some other teams and companies about what they’re doing or what they did at our stage.
And finally, thank you
If you made it this far, thank you for taking the time to read most of my story – at least the professional side of it. I’m proud of where I’ve come from and where I’m at now and the family that I’ve built and work hard to give lives we love. If you’re reading this and want to talk more or we’re going to be in the same city please feel free to reach out and we’ll get together – and until then, take care and stay vigilant!
