Lesley Carhart on Cybersecurity, IT Careers, and Service In and Out of the Military — SolarWinds TechPod 048

Lesley Carhart is recognized as one of the leading voices in digital forensics and cybersecurity. But her career began – and is still firmly rooted – with her service in the Guard and Reserves. She devotes a significant amount of time to helping others make the transition into tech, both within the armed services and as part of their transition to civilian life. Lesley sits down with Head Geek Leon Adato to discuss her professional and volunteer work and share some of her hard-won advice.
Lesley Carhart

Guest | Principal Industrial Incident Responder, Dragos, Inc.

Lesley Carhart is a principal industrial incident responder at the industrial cybersecurity company Dragos, Inc. She has spent more than a decade of her 20-plus…
Leon Adato

Host | Head Geek

Leon Adato is a Head Geek™ and technical evangelist at SolarWinds, and is a Cisco® Certified Network Associate (CCNA), MCSE and SolarWinds Certified Professional (he…

Episode Transcript

Announcer: This episode of TechPod brought to you by SolarWinds® Government. Government clients use SolarWinds IT solutions everywhere: the data center, the classroom, and in the field; helping your team succeed wherever you might be. Learn more at solarwinds.com/government.

Leon: Welcome to TechPod. I’m Leon Adato and with me today is someone I’ve been hoping to speak with for years now, Lesley Carhart. Also known as hacks4pancakes on the Twitters. Lesley is a principal industrial incident responder at the industrial cybersecurity company, Dragos, Inc. She has spent more than a decade of her 20-plus-year career in IT specializing in information security, with a heavy focus on response to nation state adversary attacks. She’s recognized as a subject matter expert in the field of cybersecurity incident response and digital forensics. Prior to joining Dragos, she was the incident response team lead at Motorola Solutions. Her focus at Dragos is developing forensics and incident response tools and processes for uncharted areas of industrial systems.

Leon: She’s also a certified instructor and curriculum developer for the Dragos course, Assessing, Hunting, and Monitoring Industrial Control System Networks. She’s received recognition such as DEF CON Hacker of the Year, a Top Woman in Cybersecurity award from CyberScoop, and Power Player from SC Magazine. In her free time Lesley co-organizes resume and interview clinics at several cybersecurity conferences. She blogs. She tweets prolifically about InfoSec, has served for 20 years in the USAF Reserves, and is a youth martial arts instructor. Lesley, thank you for joining me today on TechPod.

Lesley: Thank you for having me.

Leon: So, before we dive into the real subject, the main subject, I want to give a moment for shameless self promotion. So, what’s some stuff you’re working on. Let people know who you are and where they can find you on the Twitters or on the interwebs or anything about yourself.

Lesley: Hi, my name is Lesley Carhart, otherwise known as hacks4pancakes, hacks, the number four and pancakes on most social media. I am a digital forensics and incident response professional. I currently work for a company called Dragos and we do industrial control system cybersecurity. So, we work on cybersecurity for critical infrastructure, so stuff like power, water, oil, and gas, manufacturing, medical, et cetera.

Leon: Very nice, cool. Anything that you’re working on, anything you want people to know about?

Lesley: Yeah. So, I’ve been doing a lot of research into forensics on lower level industrial devices. So, there’s not been a lot of work done in that space. There’s not a lot of pre-made forensics tools to work on those devices. And of course, in industrial cybersecurity, they’re an important element of incident response. Understanding what’s happened to those devices, their firmware, their configuration, et cetera. So, that’s kind of been an interesting space and exciting space and a really important one, because there’s a lot of health and safety life concerns involved in cybersecurity. You’re talking about water or power or natural gas getting safely to people’s homes and businesses. So, it’s really meaningful work and it matters a lot to me.

Leon: Very interesting. We might want to talk about that later. Because I used to work at Allen-Bradley with their motion control systems and that was definitely one of those like, hmm, I wonder how this could be really unstable sometimes. Sometimes it was unstable not on purpose. On top of the security stuff that you do, one of the things that you’re well known for in the industry is working with folks who are either in the service and considering a transition out or are now on the civilian side, or just people who want to move to a cybersecurity type career. And you tweeted just a week ago about, I’m going to be in the resume pavilion. And I want to hear about all of this, but let’s start with the resume pavilion. What is a resume pavilion? It sounds so formal and so friendly and so delightful.

Lesley: Yeah. So, I have to give full credit to the person who’s developed this framework. Her handle is Ms. Bat, and she’s got a GitHub and she’s got this wonderful framework up on it. And it is for creating villages on hiring. So, interviews, resumes, et cetera at conferences. So, not just cybersecurity conferences, IT conferences, whatever. And so she’s developed this really put together framework that you can take and you can go to a conference somewhere and get a volunteer base and easily organize these villages. And between her and I and a few other people, we’ve been going around to cybersecurity conferences and IT conferences across the United States.

Lesley: And we’ve been putting on these interview and resume clinics. And basically the purpose of them is not to replace like hiring a professional resume editor, which everybody should do if they can. It is to put people who are considering a career move in front of an appropriate hiring manager who can then read through their resume, talk to them about their interview skills and what they plan to discuss and say, hey, this works for me, this doesn’t work for me. We think that you’re missing this in your resume. So, content stuff that is harder for general resume editors to catch.

Leon: Very cool. And also, especially if somebody has some tech skills talking to somebody who also has tech skills to say, I know what you mean is this, but this is how you want to say it. That’s-

Lesley: Exactly.

Leon: … incredibly important. And a lot of times, if you’re just submitting to a recruiter or whatever, like yeah, whatever, put it on the resume, I trust you.

Lesley: It looks like this on Google. Yeah. So, you really need to have both of those lines of filtering on your resume before you go and you start submitting it places or doing interviews. You need to have somebody who is a good like English language editor who’s able to say this grammar, the spelling is incorrect. And then you also need to have somebody who says this content is incorrect. So, you’re missing this or it’s improperly documented, or this shouldn’t be on there at all. It makes you look obsolete, whatever. That’s why you want to have that discussion.

Lesley: So, we’ve been doing these for like six, seven years now? And we get a lot of incredible feedback. Sometimes I hear about somebody’s success, like three years after the clinic or five years after the clinic. They’re like, “Hey, I’m a manager of a SOC now.” And it’s because we did this interview clinic and I don’t know if that’s really all it is. It’s probably a lot of their own personal motivation and success, but it’s very, very nice to get those messages every once in a while from folks who are like, I got an interview like three weeks after the clinic or whatever. So, it makes us really happy.

Leon: Yeah, you would get to be part of the process and part of their journey. No, 100%. And I think that actually is a good way to talk about sort of the next section, which is that you decided to start donating your time to do this, to helping veterans and folks who are, again, in the service transitioning out of the service, et cetera. So, what made you decide to do that? I mean, it’s insanely useful, but why did you say this is a need, let’s go do this?

Lesley: I’m a reservist. I’ve been in the military for, I’m in my 21st year now. And nobody really helped me when I was starting out. I looked for mentorship. I looked for guidance in getting into somewhat of the same field that I’m in now. And I got nothing. I mean, eventually I got a break, but nobody was willing to give me that help and support, that advice. And so now I feel very motivated personally, to make sure that other people don’t face those same challenges that I did.

Leon: Very nice. I heard a quote. I can’t remember exactly where it was that, “Be the person that you wish you had had in the room when you were starting.” So, that’s absolutely what that’s like. And I can imagine what the response has been like, but it’s because we’re on a podcast, I think I’m supposed to ask. So, let me ask, how has the response been? What have you seen and heard? What has your experience been like?

Lesley: I mean, I think that, again, I’ve gotten a lot of really positive feedback over the years and just hearing that somebody was successful and they got a job or they figured out what they want to do in cybersecurity, or they didn’t quit when they were trying to get into the field. Those things make me really happy. Again, because I didn’t have that there. And I want to see other people succeed and not have to fight the same battles I had to fight.

Leon: That is amazing. Another piece, because I do a little bit of this, not to the scale or to the level, but when I’m working with somebody and they say, oh, this isn’t for me at all. Like, I don’t want any of it. And they mean it. And I find that also really satisfying. Like this is somebody who didn’t waste months of their life thinking they were supposed to like this only to arrive at some later point and realize that it really hasn’t been, it wasn’t for them in the first place. If I can help them quickly come to the realization of this is what your day is going to be like, this is what the work is like. And for them to say, yeah, no, not for me. I feel like that’s helpful too.

Lesley: Yeah, because everybody’s trying to sell you something. Universities, especially, yes, there’s some good IT programs out there. There’s a few good cybersecurity programs out there, although there’s a lot of really terrible ones too. But I mean, all those places are trying to get your money. Yes, hopefully there’s people there who want you to succeed, but ultimately they are making a sales pitch for you for a lot of money. Like to say, we’re going to sell you an education in cybersecurity and they’re not necessarily taking the time to say, hey, do you really want to do cybersecurity? This is what it entails. This is what it looks like every day. Here’s the different niches you might want to consider that might work better for your personality. There’s not as much of that going on at those training or certification or university level organizations that are selling cybersecurity education.

Leon: Right. Exactly. Okay, so my hope is that people who are listening to this think to themselves, wow, this is really useful. I want to do some of this too. So, what does somebody do if they have that urge right now, as they’re listening to the podcast, what would you tell them about how to get started making an impact and helping out in this way?

Lesley: Just figure out what you’re good at and what you can contribute. For me, I like to write and I like to edit and I have that kind of brain. And I look at a lot of resumes every day, of course, for a hiring manager position in a cybersecurity company. So, I see a lot of resumes and I go through a lot of them. So, that’s a natural fit for me. And also it’s something that a lot of other people don’t enjoy doing. They don’t enjoy looking at grammar on resumes.

Lesley: So, look for the places where you can fit in, because there’s so much work that needs to be done. Everywhere from developing open source tools, to doing kind of administrative stuff like this. It all needs to get done to help people succeed in cybersecurity. And you just need to do some introspection and figure out where your skills lie and what you’re comfortable doing without burning out in your free time and how you can fit that into your schedule. Just do some soul searching.

Leon: And you went right to where I was going to go next, which is people have the urge to donate their time or to give a little bit. And then the immediate next thought is, oh my gosh, what if this sucks up every ounce of time? How do you personally and how do you recommend people figure out how to set boundaries? How do you cut the line off and say, I can’t do another one this week. I can’t do another one this month. How do you find those limits without going over the line and realizing what over the line and having to drag yourself back?

Lesley: Yeah. So, learning how to set boundaries and say no to people is a tough skill to develop. And sometimes it takes some time to develop it. And when you’re young, you feel like you’re invincible, you don’t need to sleep. You don’t need to take vacations, but really you taking care of yourself and you taking time off and not burning out, it sets a great example to all the people who follow after you and also to the people who are more senior than you, that also have to deal with maybe health concerns, family concerns, et cetera. So, by doing good work-life balance and setting boundaries in your personal and professional life, you are making a better work environment for everybody.

Lesley: You are never making work life better for your business, for your professional community, for your friends by going above and beyond to extent where you are unhealthy, burning out, not being properly compensated, et cetera. All that does is make you the example for businesses, what they can get out of a person. So, always try to set a good example and build a good community, professional community by setting those boundaries. It’s okay to set them. It’s okay to say, this is how much time I have to commit. When you do that, it means that other people can do it.

Leon: So, one of the topics that is sort of hot on my mind, and it has been floating around lately is this pipeline of people coming from service into the civilian world. And I know that those two worlds are very different. I’ve said this on other podcasts. I do not have a background in military service. So, I’m speaking purely as an observer. I’m curious with your inside view, what are some of the common things you see that trip veterans up as they either are considering or making the transition to civilian work and want to do something meaningful? They want to use the skills that they picked up.

Lesley: I still have a really interesting perspective on this, because I’ve done both simultaneously as a reservist, and reserve and guard have to balance like the two worlds and compartmentalize. But when you’re in the military, when you’re in a military organization, especially like a technical one, it absorbs, it creates your entire world. It is your entire universe. So, the way that people talk, the way that people associate with one another, the verbiage used, the terminology used, the culture, the time frames and schedules, all of those things that are kind of unique to the military become part of your life and your personality and who you are. So, it’s hard to kind of separate the things that are cybersecurity from the things that are military life. And what I mean by that is some problems that I see a lot. So, work-life balance is one, because in the military there’s an expectation.

Lesley: You are a soldier, airman, Marine, sailor, guardian, I guess there’s guardians now. You are that 24 hours a day, seven days a week. You are that person and you have an obligation to do volunteerism and things outside of your daily technical work, like PT and stuff. And that’s not the case in the civilian world. In the civilian world, you are not serving your country. You are providing a service, a paid service for a company or organization, and that might be a nonprofit or something who you have ties to beyond simple pay. But at the same time, you are being compensated for providing a specific service that you agreed to in your employment contract. And so, again, we go back to the, you’re trying to set a good example to allow your fellow employees to have a healthy life.

Lesley: And that means when you take a vacation, you shut your phone off. When you have been working 60 hours straight for three weeks in a row, you tell your boss that you need comp time, or you need time off, et cetera. It means that you don’t do a bunch of unpaid work and not clock it on your time sheet. Because those are kinds of things that are kind of expected in the military in a lot of cases. But again, that’s a whole different lifestyle. That’s a whole different mentality. And the right thing to do in your civilian job is to establish good work-life balance. There’s also terminology. So, I have a coworker and he’s going to be mad that I tell this story. And he came out of a wonderful year of his career. He’s brilliant. He’s wonderful. But he came to a training course with me right after he transitioned from the military to my company.

Lesley: And he comes into this class and he introduces himself as, I’m so-and-so from AFCERT, and everybody in the room is just staring at each other, like, what’s AFCERT? And to somebody who’s in the Air Force, that’s like top dog stuff. That’s like, I was in the AFCERT. That’s like, you were a cool cyber dude. Nobody in that room … and I had to gently pull him aside afterwards and be like, you know nobody knows what the AFCERT is in here, right? And he actually asked, he was like, no way. He’s like, “Do you guys know what the AFCERT is?” And they’re like, “What’s an AFCERT?” So, acronyms, terms, organizations, they mean so much in the military, especially like cyber organizations. Everybody in the military knows like which CBTs, like the incident response units in the military, are the good ones and the bad ones.

Lesley: And it’s a big deal which one you’re assigned to. Because there’s like the ones that have an okay reputation and the ones that have a really good reputation. And you get out of the military and nobody knows what any of those are. Your experience and your skill speaks for itself. So, it’s a different culture and you really have to separate yourself from the things that are purely military. And it takes time. Just sometimes you need those reality checks from the people, especially the other former military veterans, et cetera, who are around you that, hey, nobody knows what this acronym is or this methodology or this unit, et cetera. And that’s okay.

Leon: Right. It sounds like, as with so many things, finding a good mentor, which doesn’t necessarily have to be somebody who is your “superior” or somebody who is more expert than you in a particular skill, but just somebody who’s had more cultural experience in the environment. Somebody who’s maybe a couple of years ahead of you having made that transition out or whatever. And just using them as a gut check and saying this is-

Lesley: And you’re going to make mistakes, but let other people guide you and help you.

Leon: Right. And as somebody who’s a polyglot wannabe, I love languages and, just, you have to accept the fact that you are going to sound silly in certain situations until you become fluent. And that’s just a thing and it’s okay. And it’s okay.

Lesley: Yeah. The Air Force people who call everybody sir and ma’am. I was like, okay, okay, you can stop now. My name is Lesley, it’s all right. I know why you’re doing this, but you can stop now.

Leon: I love it. That’s great. Okay. So, if there were three things that you think every veteran needs to know as they’re pursuing a career outside and we’ll be specific about a technical career that they’re, what are three things that you think that they ought to just make sure they can check off their list?

Lesley: Yeah. So, make sure you get credit for the things that you did in the military. So, that means formatting them in a way that’s understandable to civilian hiring managers. So, again, avoid the acronyms and avoid the course names, et cetera, that won’t make any sense to them, but sell your experience. And it doesn’t have to just be like your cybersecurity experience, although you’d of course want to sell that. Also, talk about if you’ve taken professional military education, so you’ve gone to NCO school or whatever. And you’ve gotten some management training, that’s awesome. That’s really important. Don’t let that slide by. If you had additional duties, something that is reflective of your ability to do this job you’re applying for well. So, it could be like managing people, managing projects, et cetera, volunteerism. Those are good things to reflect upon yourself and your ability to do a job.

Lesley: So, don’t let that experience just get lost in the acronym shuffle. So, another one is people rely too much on their military medals. Again, the civilian workforce, they don’t know what those medals mean. Except for a few of them that are in movies a lot, like Purple Hearts and stuff. They don’t know what those military medals mean. And I see that go two directions. So, in some cases, people dump all their medals on there and it’s like, the civilian manager is like, yeah, that’s irrelevant to me. And they just ignore it. And in other cases somebody who does know what they mean, like me, reads them and they’re supposed to look really impressive. And I’m like, you just got that because you were in for 10 years. You didn’t actually do anything. I know what that is. What are you trying to pull over on me?

Leon: You didn’t get in trouble for a whole quarter. I know what that stripe is for.

Lesley: I know what that’s for. And we all know, military folks, we all know what those are. You know what I’m talking about. It’s not as bad as in the Marines. But some branches of service really give out medals for just being around and not screwing up for a long time. So, if you’re going to put medals on your resume, I’d stick to really things you can really describe why they matter. What they mean. Describe what they mean. You got your little paper with your medal that says attention to all. And it says what you did to get that medal. And so you should be able to create a little blurb on there that says, hey, I did this cool thing, this really brave thing, whatever, in the military. And that’s why I got this. So, stick to the relevant stuff.

Lesley: And finally, take advantage of all the stuff out there for veterans and prior military in the IT and cybersecurity education space. There is so much out there, especially for transitioning service members. There is like SANS has programs, there’s Microsoft programs. There’s so much free training you can get. I know a lot of people who are getting out, especially people who did cyber in the military, feel guilty about using it. They’re like, oh, I didn’t do enough. Like, I can be like that sometimes.

Lesley: Like, what did I do? I don’t deserve this, but it’s there for a reason. These companies decided that they were going to help service members or transitioning service members or guard and reserve or whatever. They made that decision. So, take advantage of those programs. Some of these certifications that they offer discounts on are like thousands of dollars. They’re really good stuff and they’re really expensive for an individual. So, really do some good research about what’s out there and don’t be embarrassed or feel like you’re not adequate about taking advantage of those programs.

Leon: Right. One of the things that I’ve heard from other folks is that it’s ironic that one of the things that people in the service have the hardest time doing is asking for help, when in an actual combat situation, they would be right there throwing themselves in front of danger and things like that. They wouldn’t hesitate to help and yet asking for help for, hey, could you make an introduction for me? Hey, this course sounds interesting. Could you help me? Like those kinds of things somehow feel like a gimme or whatever, and they’re not. They’re there for the exact reason, to help build the skill and to help get you where you want to go. Another thing that I have seen people do, both folks with military experience and not, is rather than talk about, I did this thing, is to contextualize it against a particular experience.

Leon: So, it’s not so much I have this medal or this certification, but oh, when you’re talking about troubleshooting a problem, one of the things that I did in the course of this program, or in the course of this training was I learned how to go from the back of the router all the way out to the service. And that’s how I work things. So, I start this way, this way, this way. Even if the question isn’t about how do you troubleshoot a router. It’s I have a methodical approach. This is how I have sort of digested it.

Leon: So, that’s another thing is that I think a lot of the experiences that seem irrelevant, the thing you did may not be relevant, but the way in which you did it and the skills, the non-specific skills are incredibly important for somebody who is looking for someone who can take charge, who can assess risk, who can step, I hate to say it, but step up or just try something without an assured outcome. Those kinds of things are a big deal too. We’ve been talking a lot about the movement from military into civilian, but your experience is actually slightly different. You have actually never not been in the military. So, I want to talk about the guard and reserve and that specific perspective, because that’s not something we hear a lot about.

Lesley: Yeah. So, what to say about it? Yeah. I’ve done it for a long time and it’s not for everybody. If you’re thinking about joining the guard and reserve, there’s a lot of interesting cybersecurity programs in the military. Of course, there are more stringent requirements for being in the guard and reserve, because all the military rules and regulations mostly apply to us all the time, even though we only do the military thing part-time. And if you don’t mind that kind of stringent restriction on your life, it’s a great way to get exposure into a different realm of business operations, enterprise operations, IT operations, even cybersecurity operations. It’s a wonderful way to do purple teaming. If you’re interested in maybe doing red teaming in the military and then blue teaming on your civilian job. You do have to be able to compartmentalize well.

Lesley: And you do have to be able to balance that it’s a big commitment of your time. I mean, on top of just potential deployments and things, you’re doing a weekend a month, two weeks a year, very, very minimum. And that adds up. Losing a weekend every month. That’s a lot, that’s a big commitment, especially if you have a family or a really busy time consuming job. So, there’s a lot of things to balance there. But it is a wonderful opportunity to get exposure to a lot of different things, to get training on a lot of different technical things if that’s something you’re interested in. You just have to make sure that you have the right personality type for it. You’re willing to live within the restrictions that it poses on your life, and that you’re going to be able to balance your family and your day job and the reserves or the guard together in your life and stay healthy and sane and all those things.

Lesley: So, it’s something to consider. And I think a lot of people who join the military don’t even realize that the guard and reserve exist. And that’s a wonderful option if you’re not sure. If you’re on the fence, if you’re a young person and you’re in your 20s and you’re going to college and you’re like, hey, maybe this military thing will work for me, but I’m not sure. That’ll give you a few years of experience part-time with it to see if it’s something you want to pursue further, or you just want to get out. And in terms of, for people who are currently guard and reserve, and I know there’s a lot of them, there’s probably some listening to this podcast right now, again, take advantage of the military programs that are available to you. But also remember that the ESGR, the Employers for Guard and Reserve organization is there for you.

Lesley: They are there for a couple purposes. So, first of all, they’re there to, if there’s a problem with your employer, if you get deployed or sent on an involuntary order somewhere, they are there to make sure that your boss doesn’t fire you, that your job is there. According to the law, they’re waiting for you when you come back. And the other protections that are afforded military people are properly followed for you. So, they’re there for the negative situations, but they’re also there for positive situations. You can always nominate your employer for an ESGR award. And then the nice ESGR volunteers are wonderful. Mostly older veterans will come out to your office and give your boss an award, a pretty plaque that says, hey, my boss is really good at supporting the guard and reserve. They’ve done good things for the US military. Feel good experience all around.

Lesley: It’s a nice thing they can hang on the wall. And it just builds those ties between the guard and reserve and civilian employers, because realistically it is an imposition on your employer to be in the guard and reserve. You might be deployed all of a sudden and they’ll have to figure out who’s going to do your job duties. It’s an important thing to do. And it matters a lot. But your employer is perhaps going above and beyond to make sure that your pay stays the same and there’s somebody takes care of your work and make sure somebody checks in with your family. All those things should be recognized. So, be aware of that organization and what they do and how they can help you.

Leon: So, that’s a lot about the work that you do with veterans and the work that you do with people in that veteran or service to civilian pipeline and things like that. But you are also hacks4pancakes. You are also an InfoSec luminary and someone who routinely makes sort of the top 10 lists of people to follow on social media about InfoSec stuff. And you’re just really darn smart. I mean, just the stuff that I have learned just watching, reading your tweets and things like that. So, I want to talk a little bit about your insights and we’ll stick with the career and the general IT stuff for a minute. This is a question that I really love asking all of the experts who come on to TechPod: if you were starting out in IT today, where would you gravitate to, what would you be doing to kickstart your career if today was day one of IT?

Lesley: Yeah. So, it’d be really different than the path that I took. If I could get in a time machine and go back and whack myself upside the head at 15 years old, I might do that, but I really wouldn’t change a lot, because I got where I wanted to be. But today the avenues into cybersecurity are very different than the ones in the before times that I used, but some things stay the same. So, having that natural curiosity about how things work and how to take them apart, that’s really, really important. I was actually talking to a psychologist about that this morning who’s doing some research studies on cybersecurity people and the inherent trait of curiosity that we tend to have about how things can be broken and how they can be misused and secured and stuff.

Lesley: So, that’s a really important skillset. You don’t have to have it. You can just do the job for the money. That’s fine. But to enjoy it, to really gain a lot of enjoyment out of your work, I think that’s a trait you need to have. And so yeah, having that innate interest in cybersecurity and taking things apart. But then you also need to have good foundations in technology. So, to understand how to take something apart, to make it do something different, to break it, et cetera, you need to know how it works. And that means not just delving into computer hacking on day one. It means you need to understand kind of how computers work. The best hackers and the best people in cybersecurity know how things work at a low level. They know how something like code works or hard drives or memory or applications on the web.

Lesley: They know how those work well. So, they know how to manipulate them. They know where the vulnerabilities are. They know how people misconfigure them. So, start with the basics in technology and then move from there. Pick an area. It’s a broad space. It’s the same with cybersecurity. You really have to pick a niche these days, because you can’t learn everything. So, pick an area of technology and start exploring it, like whether that’s code or hardware or what. And just start understanding how things learn, because that’s going to teach you as you expound your knowledge in cybersecurity, how to break those things and how to prevent them from being broken.

Leon: So, some folks will say that before you pivot into cybersecurity, you should try to be the non-cybersecurity version of it. So, if you want to be focused in cybersecurity with code and things like that, then you should learn to program, just learn how to be a dev or learn how to be a sys admin or learn how to be a network engineer or stuff like that. Do you ascribe to that? Or do you think that it’s possible to start to learn enough about that topic area as you go, but always be focused on the cybersecurity side of it?

Lesley: So, I hate gatekeeping. So, I hate people saying you have to do this one thing to get into cybersecurity or be successful at it. Do I think it gives you, just like I said about the personality type, like you can do InfoSec cybersecurity for a living with the satisfaction of knowing that you’re going to make a good living and be able to feed your kids and nothing else. Like have no interest in it at all. That’s fine. As long as you get satisfaction out of doing a good job every day, that’s fine.

Lesley: And then I’m not going to say that you absolutely have to have done another IT job before you get into cybersecurity. You have to have gained those fundamentals of systems somehow. And that could be formal education, certifications, self-learning, whatever or experience at another job. You have to have those fundamental understandings of how computers work, how admins operate computers, how they configure them, how they work in an enterprise, et cetera. But there’s a lot of different avenues to gain that knowledge. It’s just that a really convenient, effective way, efficient way to do that is to do another job in IT in a similar field before you get into cybersecurity.

Leon: And I think we’re dangerously close to the question I want to ask. And so I’m going to ask it, which is what is the worst piece of career advice that you see out there that people keep on pushing around? What’s the thing that you just wish people would just stop saying?

Lesley: Actually it has to do with being a woman or non-binary person in cybersecurity. A piece of advice that I’ve heard before is that you have to act more masculine to be successful. And I hear it a lot. I hear it from women. I hear it from luminaries in the field that dress more like a man, make your voice lower pitched. Don’t use euphemisms and slang and vocal fry, which I’m guilty of. I use vocal fry all the time. They tell you to go see a voice coach and stuff. And while there is potentially a place for that in business if you’re going to go be like a startup founder or something who has to present in front of venture capitalists or something, I don’t think it serves a purpose in cybersecurity or technology today.

Lesley: I think that you can have whatever color hair you want and whatever tattoos you want. I think that you can present yourself as any gender you wish. I think that you can be feminine, be masculine, whatever you choose and be successful and present yourself as a professional in this field. And it’s very, very frustrating. And actually infuriating to me when I hear, especially women, tell feminine presenting people to do these things, to change themselves, to appear more masculine, just to succeed. It’s absurd and you shouldn’t be fixing yourself. Our industry should be fixing itself.

Leon: Right. Okay. So, first, preach. And second of all, you’d think that we got enough of that in high school that we would have realized that, that was … Okay. So, that’s great. So, let’s pivot to a much better thing. What’s the best piece of advice that you see out there? What’s the thing that every time you see it, it’s like, oh yeah, a thousand times, this is what you should be paying attention to.

Lesley: Yeah. So, just learn how things work. Explore things, learn how they work, learn how they come apart. Don’t be afraid to take things apart if they belong to you, at least. Don’t be afraid to think about how things you own could work differently, function differently, even if it’s not computer stuff. Think about things outside of their functional purpose. What could this device be used for if it wasn’t doing what it’s sold as on Amazon or eBay or whatever. Take things apart, figure out how they work, understand how the world works, understand how processes work. That’s why I love my job at industrial cybersecurity.

Lesley: Because I get to go learn like how tuna is canned. Things like that. I get to learn about a new process that runs society every week. And it’s a lot of fun. And have that inquisitive exploratory mind, never let that go. Go learn something this weekend. Go to a museum or something. Learn how things work. It’s going to benefit your ability to figure out how to hack them. Take them apart. Cybersecurity is everywhere today. So, it all matters.

Leon: Yeah. The how things work book, the thing explainer book, all of those. That is the spirit in which it sounds like you’re saying we should at least be comfortable and enjoy and to be perfectly honest-

Lesley: Yeah, that’s the fun part. Don’t let that go because you’re old and curmudgeonly like me. Don’t. Just keep having that childlike inquisitive mind.

Leon: Yes, absolutely. Okay. So, because we have hacks4pancakes on TechPod, I need to ask, what is your nuclear, surface of the sun, hottest of hot takes right now?

Lesley: That IT cybersecurity and incident response is different than OT or industrial cybersecurity and incident response. And that they require different skill sets and different professionals. There can be overlap. You can specialize in both, but they require learning different skill sets. There’s a lot of companies out there right now that are selling services to industrial companies in like the digital forensics incident response, malware reversing space. And they say, it’s just the same as doing IT cybersecurity. And it’s not. There are so many different health and safety process and operational concerns that it makes it almost an entirely different industry. And yes, there’s similar tools and processes and procedures. We still use [inaudible 00:38:06]. We still use some of the familiar forensics tools, but operationally, triage wise and risk management wise, my job is so different than it was when I was doing IT incident response.

Leon: Okay. So, one more sort of career oriented question. What is something that you see missing from people’s resumes just generally as IT folks, that you see missing that would be an easy add, but people just, again, they never think about it? They never think, oh, nobody wants to hear about the fact that I knitted my way across Europe or the picture of my cat. What’s one of those things that it should be there?

Lesley: Yeah. Please don’t put pictures of your cat or pictures of you on your resume ever, ever, ever, ever, no pictures, no pictures on your resume. Do not do it in the United States. Don’t do it. Don’t do it. Some people will throw out your resume. But anyway, stuff that I would like to see. So, work experience, work experience. It should never read like a posting for your job. If you look at your resume right now, and your work experience reads like the posting on the website for your job, you have a big, big problem. So, every one of your bullets, it should have numbers in it. It should have impact and quantification.

Lesley: So, not just the action, not just what you did, but why did it matter to the company and how well did you do in a numeric representation? How many tickets did you close? How much money did you save? How many people were on your team, give me some scope for your organization and what you did. Numbers, numbers, numbers. Prove to me that you did a good job better than other people who did that potentially that same role. So, make sure your job posting has numbers, has impact in it.

Leon: All right. I like that. Tell me the importance of what you did, because what I’m looking for is what you’re going to do for my company. Could you replicate that here? Or is it just a one-off or like you said, is it like, yes, I know you showed up for work every day on time wearing clothes. Great.

Lesley: So, how does that make you stand out from the eleven other people who have held that position? Yeah.

Leon: Exactly. Okay. So, I want to talk a little bit about just the industry and InfoSec and the industry and things like that. And let’s start off with a very similar question to the career things that we were talking about, what do companies, organizations, routinely get wrong about InfoSec that would be an easy fix that they could just do, but they just don’t?

Lesley: Yeah. So, one of them is understanding their process and what they’re actually doing and the consequences that could go wrong in their organization. And that’s something I’ve learned from OT people. So, operational technology, industrial people. They are very good at risk modeling based on, hey, what am I trying to do as an organization? And then what would be a catastrophic consequence that I would not want to happen that would really hurt my business, hurt my employees, something I really want to avoid? And then modeling risk down from there. I think that there’s a lot of people in IT, cybersecurity who aren’t really conscious of the mission of their organization at all.

Lesley: They’re just a cog in the wheel. And if you want to do security really, really well, you really have to understand where your crown jewels lie and what is your mission? What would a really bad day be? What are you trying to prevent? And I think that OT is a lot better at that than IT. And I think we can learn a lot from process engineers who have been doing like safety and risk modeling for decades and decades. We should be doing the same things in IT. We should have the same awareness of what could go wrong and what we’re trying to prevent at a very high level and a comprehensive level across our organizations.

Leon: It sounds like this is very close to the next question I had for you, which is something you end up explaining to every new client or company sort of every time you walk in. Not quite the elevator pitch, but the first meeting pitch where you sit them down and like, let me educate you now. So, is there anything left from that, from what you just said?

Lesley: That’s definitely a component of it, but just doing the basics, doing the basics first, before you try to jump into anything else. Everybody wants to sell you something in 2021, they want to sell you pen tests. They want to sell you magic blinking boxes. They want to sell you the magical snake oil thing that’s going to fix cybersecurity for you forever. It’s not. And I just have to add, it’s not, just in case the sound bite gets taken out of context or something, but do the basics, start there. Security can be overwhelming. A lot of organizations, especially municipal ones I work with, are incredibly under-resourced. Start with the basics. They matter a lot in terms of your cybersecurity. And they will matter a lot if you have to do incident response in the future.

Lesley: So, things like having decent network maps, having decent asset inventories, trying to get a handle on the ingress and egress points in your network, your access control, multi-factor, things like that. They are a lot of bang for your buck. So, if you’re feeling overwhelmed, don’t just jump into, oh, I need a pen test tomorrow. What are you going to get out of that if you don’t even know what computers are in your network? Start with the architecture of use. Start with understanding your topology. Start with understanding like I was talking about before, those consequences and risk, your crown jewels.

Lesley: You need to understand a lot of that before you can move on to the more mature levels of cybersecurity. So, things like building in-house incident response. When I come into an environment that doesn’t have those things in place, as an incident responder, I oftentimes have to do them for an organization at incident responder hourly rates. You don’t have an asset inventory, I guess I’m spending a day instead of doing incident response and building an asset inventory for you. And now I’m having to do that at my hourly rates. My team’s hourly rates. So, that stuff needs to be in place. And that is a huge boon to your cybersecurity. So, I know it doesn’t seem sexy and it’s not the magic black box that’s supposed to fix everything, but start with those basics. They matter.

Leon: Lesley, this has really been a delight and a privilege. Thank you so much for joining me today. We at SolarWinds know you have a choice of podcasts and we appreciate you taking time out of your day to listen to ours. If you like this episode, please take a moment to click that like button. We hope to see you again on the next episode of SolarWinds, TechPod.