See Yourself in Cybersecurity: How 3 Experts Transitioned into InfoSec | Security Insights Podcast, Episode 27
Want to work in cybersecurity, but not sure what you need? Ashley and Chris talk to three current cybersecurity experts on how they entered the industry – including Ivanti deputy CSO Amanda Wittern. (Also, bonus update on how Ashley pulled off her social engineering assignment from last episode!)
In this episode:
- Social engineering in the wild: Ashley reports back on her social engineering assignment at a conference [00:30]
- Deputy CSO Amanda Wittern’s journey to InfoSec from an accounting degree and her first role at Ernst & Young [05:07]
- Threat Operations Analyst Kameron Hansen’s transition to security from earth science teacher in Granite School District [09:43]
- (Yes, "Granite" really was the name of the school district for the former earth science teacher with a geology degree.)
- Cybersecurity Engineer Joshua Randall’s move to cybersecurity architecture after a career in sales and retail management [14:05]
- How to transition your non-InfoSec “soft skills” into a cybersecurity career [19:26]
- Ashley’s Social Engineering Book List
- More about our guests:
- Find the latest cybersecurity job openings at Ivanti
- Meet your hosts, Chris Goettl and Ashley Stryker
- Join the conversation!
Social engineering in the wild: Ashley reports back on her social engineering assignment at a conference [00:30]
Ashley Stryker [00:00:07] Welcome back to Ivanti's Security Insights: where best practice security meets the real world workplaces we all have to protect. I'm your host, Ashley Stryker. And with us today is the O.G. host extraordinaire Chris Goettl, along with a new series regular and a couple special guests. I'm super excited to get to introduce them here later. Chris?
Chris Goettl [00:00:30] Yeah, it's going to be a fun episode, so if you all remember the last episode, we were talking about how the marketing brain is ideally suited for social engineering. And if you guys remember where.
Ashley Stryker [00:00:42] Wait, I was trying to dodge that!
Chris Goettl [00:00:43] I never let you dodge things like that, Ashley, you know that.
Chris Goettl [00:00:46] So one of the things we talked about was actually sending Ashley out into the real world to an event and trying to put some of these tactics to use. And she did!
Chris Goettl [00:00:57] So, Ashley, you didn't get arrested. First of all, you know, props to you for that. Not getting arrested is a definite bonus. We gave you some you know, I personally gave you kind of a few like tiers of achievements. Call them badges, if you will.
Ashley Stryker [00:01:12] I got to beginner. So I did novice and I got to beginner. So the first tier...
Ashley Stryker [00:01:20] What I have decided is that marketers are, in fact, natural social engineers, and I have been accidentally doing this for my entire life. And, after reading some of the resources you guys have given me, I now have words to put why good things happen to me in social situations and apparently at a higher rate than they do for the average person.
Ashley Stryker [00:01:38] To wit: my very first night, there were... I was going to a, "Hey, meet the team if you're here early" [event]. I drag myself out of bed – was literally in pajamas, got dressed back into normal clothes to go meet these people, because I'm an honest groupie; I just love this conference.
Ashley Stryker [00:01:53] And, I'm just talking with a couple of people. I didn't realize they were bigwigs in the organization. They say, "Hey, you want to go to the secret staff-only meet and greet of the really bigwig keynote speaker that nobody knows is happening?"
Ashley Stryker [00:02:08] And I went, "Well, that's the get invited to an event you weren't supposed to be" [novice tier] off my list, and I had been in the city for about 5 hours.
Ashley Stryker [00:02:18] So that – and so that was, that was that one off the list. I have picture evidence that that happened, which was really exciting and it was really generous of them to do so.
Ashley Stryker [00:02:29] And then the other [beginner tier] was get swag, the really good swag underneath the table.
Chris Goettl [00:02:34] So for those of you who have been to events, every vendor you go to, they've got the regular swag, they've got kind of the middle tier swag that they're going to give out to a lot of people, but they keep it... Like it's the coveted things, and then they've got the super cool swag that they're really holding on to for the handful of customers that they really want to hand out, the more expensive things too. So her goal was to try to get one of the more expensive swag items.
Ashley Stryker [00:02:59] Yes. And it's not like you can go up and be like, "Hey, give me your stuff." So I was just going up to a table. I happened to be a casual customer of theirs, but they never verified anything. And I certainly didn't talk about it, as, like, it was so superficial. Anyone could have used this conversation, not just me.
Ashley Stryker [00:03:21] And then they went, "Hey, do you want to come to this dinner thing?" And she reaches under the table into her purse for a little postcard giveaway. And I still have the postcard as proof – to go and get invited to this dinner because I had been mirroring her, and I had been giving her a nice time when – right before me – there was a butthead who wasn't being very nice to her.
Ashley Stryker [00:03:45] So I was kind and had nice things to say to her. And through reciprocity, she gave me something of like value, which is a social engineering thing.
Ashley Stryker [00:03:54] So lesson learned: kindness breeds kindness. And, I'm mildly terrified of people who are going to weaponize this.
Chris Goettl [00:04:02] So yes, and that's really kind of the segue into our guest speakers for today is, we've got a few people here that have come to the security world from a few different walks of life.
Chris Goettl [00:04:15] So for those of you out there who are either thinking about breaking into the security side of the technology world and maybe interested in – yeah, figuratively, yeah, don't... We don't condone actually breaking in to know that... The experiment with actually was just an experiment, please don't try that at all.
Chris Goettl [00:04:35] But you know, we did want to introduce one of our new cast members. You'll be seeing her as a regular on the show going forward, our deputy CSO, Amanda Wittern.
Chris Goettl [00:04:47] And we've got two of our security team members who are also going to be on here as guest speakers today. And each of them have kind of an interesting background. They're going to tell us a little bit about how they broke into the InfoSec or cybersecurity world.
Chris Goettl [00:05:00] So with that, let's bring in our first guest.
Deputy CSO Amanda Wittern’s journey to InfoSec from an accounting degree and her first role at Ernst & Young [05:07]
Ashley Stryker [00:05:03] Hi, Amanda.
Amanda Wittern [00:05:04] Hello. Thank you for having me here.
Ashley Stryker [00:05:08] Of course, I'm super excited – I'm going to get to talk with you on a regular basis!
Amanda Wittern [00:05:13] I'm going to try to match your energy. I'm so excited to be here.
Ashley Stryker [00:05:17] For all of our listeners at home who may just be listening and not simply frantically searching Amanda Wittern into LinkedIn. How did you get into cybersecurity? Let's start with this because I think this is an interesting story. What's your degree?
Amanda Wittern [00:05:31] Yes, actually, my bachelor's and master's is in accounting.
Ashley Stryker [00:05:38] Your master's is in accounting, too?
Amanda Wittern [00:05:39] Yes, my master's is in accounting, too. And, it has been an adventure moving into cybersecurity.
Amanda Wittern [00:05:48] I realized that there is an underutilization in academics – collegiate academics – for technology. We teach this subject or that subject, when really the medium for affecting whatever that is, is technology. And so I argued that point a little bit. I went to the University of Utah and they decided to roll out an information security branch of accounting.
Ashley Stryker [00:06:15] Oh, cool!
Amanda Wittern [00:06:16] Yes. And because I was the first one in the program, I said, "I don't need any of these accounting classes," and took my entire masters in computer science or other types of classes. I've just had, I've had a passion for it ever since. It's really what gets me up in the morning.
Ashley Stryker [00:06:32] That's a really... So, I social engineered my way into a free dinner; you social engineered your way into the fun part of your accounting degree.
Amanda Wittern [00:06:40] That is correct. And I told everyone that I ran into – I was like, "Did you know they have a new information security program in accounting? You should look into it."
Ashley Stryker [00:06:49] That's awesome. But that's info – that's [information]... That's I.T. and the technology behind it! So which part of your degree did you end up using to start your your journey into security – accounting?
Amanda Wittern [00:07:02] I did! I used my accounting degree. So I actually started my career with one of the big four accounting firms, Ernst and Young. And they told us, you know, early on in our master's degree that that's where you start. But it's so difficult because it is such a sought-after starting place, a launching pad for your career.
Amanda Wittern [00:07:25] And so after talking to some people, they were like, "You know, we kind of do this technology consulting and –"
Amanda Wittern [00:07:33] "What?! You have to tell me more!"
Amanda Wittern [00:07:34] And the moment they put a name to it, I put that on every email that I sent: "Oh, I'm interested in technology consulting!" Technology consulting. And because I was so focused, they were like, "Well, we don't have anybody else looking into technology consulting, so you can have the internship." And then – but even then it was very, very audit focused.
Amanda Wittern [00:07:56] And so it has been really a passion for... A passion for learning and curiosity in all things technology that I think has sort of wound my road here.
Ashley Stryker [00:08:10] Was it during your audit that you ended up experiencing and seeing people doing things they shouldn't and getting to catch them? Was that what got you interested in the security space?
Amanda Wittern [00:08:21] Kind of. It was a lot of running into things I didn't know or understand.
Amanda Wittern [00:08:28] And actually, being a woman, it's not always as easy to say, "I don't know what you're talking about." So I made this habit of frantically writing down notes as fast as I could, and then going and researching it later and then coming back with the questions that, that really...
Amanda Wittern [00:08:49] Okay, now, that being said, sometimes my questions were, "How are you getting away with this?".
Amanda Wittern [00:08:57] But the point is that really, it was just – it's just my love for all things different and new and exciting and learning, really. It's really about learning.
Ashley Stryker [00:09:12] Awesome. And, I think on a future episode, we're going to dig into that women in tech moment. But I'll let you – I'll let that skate for a second because I want to move on.
Threat Operations Analyst Kameron Hansen’s transition to security from earth science teacher in Granite School District [09:43]
Ashley Stryker [00:09:21] Kameron! Hi.
Ashley Stryker [00:09:24] Kameron Hanson. Welcome to the show.
Kameron Hansen [00:09:27] Thank you. It's good to be here.
Ashley Stryker [00:09:31] Do you want to tell everybody how we managed to pull you in today? Like, where do you work and what do you do? Yeah.
Kameron Hansen [00:09:37] So I actually work on the threat operations side of things and the InfoSec team. And so my day to day stuff is more related with incidents and alerts and things like that, as opposed to operations.
Ashley Stryker [00:09:51] Does your – This is a totally random aside, but does your computer end up looking like a Christmas tree, with all the random alerts that just pop on it on a daily basis?
Kameron Hansen [00:10:00] It can. I try not to turn it off when it looks like that, but yeah, it definitely can.
Ashley Stryker [00:10:08] I hear there's something called alarm fatigue, and I imagine somebody in your position would probably know that very well. So. So I guess I'll start with the first question I asked Amanda: what's your degree in, if you have one?
Kameron Hansen [00:10:21] Yeah. So I actually started my degree also at the University of Utah in geology, and I got all the way to student teaching. I started at Granite School District to start my student teaching and earth science education.
Kameron Hansen [00:10:37] So I got my geology degree – earth science education – passed that Praxis test, and then went to student teach, and we ended up having a child during that time. And I realized, unfortunately, Utah teachers don't make very much money. And so, I started looking for a new job.
Ashley Stryker [00:10:57] So. you were going to teach Earth Science. You were a rock dude. How did you end up in the server room?
Kameron Hansen [00:11:04] So I actually had another job for four years in between in sales, and part of what I did during calls was I moved more towards the sales engineer role. So I worked with a lot of the people who were on the tech side, and my entire time at the University of Utah, I worked in entry level I.T. roles. And so it just seemed like I kept coming back to it over and over and over again.
Kameron Hansen [00:11:30] And so once I decided I couldn't handle sales anymore, I decided I actually did enjoy I.T., and tried to make it back into that world.
Ashley Stryker [00:11:38] So you made it back into I.T., then? That seems like a hop, skip and a jump away from security. But how did you end up making that transition?
Kameron Hansen [00:11:47] I kind of already had an introduction into the security world. My family – my dad and his brother – had started a digital forensics company in Utah. And so, while I was going to college and growing up, I kind of watched them build that company and was introduced into some of those areas.
Kameron Hansen [00:12:15] I kept, I always wanted to go back and do that. I just never really thought I was smart enough until I went back to college and realized, "Hey, none of us are smart. I could totally do this."
Kameron Hansen [00:12:25] And so, I wanted to go into digital forensics. So, I started to get into the security world, and then I realized there was so much more than forensics. It's not just forensics. There's a whole different – there's so many different areas you can go into.
Ashley Stryker [00:12:40] What part of it do you like most, then, that keeps you in the job?
Kameron Hansen [00:12:45] Like I had mentioned before, I'm kind of on what you would call the blue team. You have the red team, with the penetration testing and hackers, I guess you would say, and I'm more on the defense side – I like that more. It might just be because most of my friends have moved into this world. So, I know a lot of people who do it and can share a lot of stories. It's just something that I enjoy doing. It was interesting to me, I guess.
Ashley Stryker [00:13:12] And it pays better than teaching about earth science in Utah.
Kameron Hansen [00:13:15] I won't even tell you how much – I don't want to make people sad.
Ashley Stryker [00:13:21] If you get nothing else from this episode today, everybody, please, let's all pay our teachers more in the United States. Just... exactly, let's just all agree that that should just be a thing. But we're glad that that forced you to come to us, though, because we really appreciate having you as part of the team. And I know you were invited on because you are!
Cybersecurity Engineer Joshua Randall’s move to cybersecurity architecture after a career in sales and retail management [14:05]
Ashley Stryker [00:13:38] And that brings me to another valued member of the team that we wanted to feature today: Josh Randall! Hey, Josh.
Josh Randall [00:13:47] Hey. Thanks for having me.
Ashley Stryker [00:13:48] Yeah, absolutely. So, I guess we'll start the same with you, then: your name, your position, and whether or not you have a degree and what it's in.
Josh Randall [00:13:58] Definitely. My name is Joshua Randall. I'm a cybersecurity engineer. I'm actually on the architecture team here [at Ivanti], so we make sure systems are designed with security in mind: run tests on them and audits on them to ensure that they do have the patch and they're compliant with what our goals are.
Josh Randall [00:14:21] And, my degree is actually in history that I got a long time ago from the University of Northern Colorado.
Ashley Stryker [00:14:28] History. Now that's a fluffy liberal arts degree. How did you end up in something so technical, sir?
Josh Randall [00:14:36] That is a long story. I'll keep it short, though.
Josh Randall [00:14:42] In a nutshell, I went to college. I loved history, so I took my history degree. And, when I graduated, it didn't take me long to realize the opportunities that come with a history degree are few and far between. So I did end up starting working in retail.
Josh Randall [00:15:02] Originally, it was just a job afterwards, but I did like it – especially logistics and systems – so I was enjoying that part of it. I worked my way up, and I was in store management in a major retailer. I would run teams 5 to 50 people, things like that. I met my wife there and we have four amazing kids now.
Josh Randall [00:15:27] But, a couple of years back, there is an incident that kind of affected our lives – probably everybody's life! – with COVID coming and all our kids had to be taught from home. Both me and my wife worked in retail. And so, we had to sit down and figure out who was going to stay home with the kids.
Josh Randall [00:15:50] And my wife said, "I think it's time for you to go after your path." And so, with her support, I was able to leave retail, and I started educating myself and taking some classes in tech while helping the kids do school learning as well.
Ashley Stryker [00:16:07] So you went back to school [at] the same time [as] you were helping the kiddos stay in school?
Josh Randall [00:16:12] Yes. That was... That was fun. We had a kindergartner doing e-learning at the time – which having a kindergartner focused on a screen for hours a day is very hard.
Ashley Stryker [00:16:27] Oh, man... I can't get my gremlin to do it right before bedtime as a treat, and he's three. So I guess that's another three years, but... Attention. Holy cow. How do you get homework done?
Josh Randall [00:16:39] Oh, mine was generally late at night afterwards. I quickly realized that I had to do mine after a while, after they were in bed, and to make sure that everything got in.
Josh Randall [00:16:50] But yeah, a little after – I actually took a boot camp course. So, it's where you partnered with a university here and did some deep dive into tech.
Josh Randall [00:16:59] [It] worked really well to get me freshened up on some tech stuff and landed my first tech support role at a company working with Arcsight [ECM] SIEM right there, which is just another company. And then I – [a] few months into [working] there, I was working with Lennox a lot, which is a great intro.
Josh Randall [00:17:24] But then Ivanti reached out for tech support for me, so then I jumped in with Ivanti.
Ashley Stryker [00:17:28] And then how did you make the move then? Because Ivanti recruited you for tech support and you got an internal promotion transition to the security team. So how did that come about?
Josh Randall [00:17:40] Yeah, well, while I was in tech support, I continued to educate myself. I got my first certification, so my security plus, there. And then, honestly, just when I was looking around at LinkedIn and I saw there is a cybersecurity position open with Ivanti and I put my hat in!
Josh Randall [00:18:04] I didn't really expect it to go far. There is always a running joke when you're looking for a cybersecurity job intro position: "Five years experience required."
Josh Randall [00:18:17] So, I put in and what was great was in the interview, you know, I was very honest [in my] lack of professional cybersecurity experience. But, I've got a passion to learn. I've got skills that can be beneficial and I can do it. And, they felt I would be a good fit for the team.
Josh Randall [00:18:38] So they brought me on, and I really respect them for that.
Ashley Stryker [00:18:42] So, is it what you expected?
Josh Randall [00:18:45] Cybersecurity as a whole – and Kameron kind of alluded to this – is bigger than I realized. I kind of came in knowing about, you know, pen testers or hackers, the red team and the blue team. But, once you get involved in it and you see that there's architecture in there, there's analysts going through there, there's auditors doing it, there's people doing worrying about governance and compliance and all sorts of things and positions in there that a lot of people don't know about.
Josh Randall [00:19:21] So it's a lot bigger and even cooler than I realized.
How to transition your non-InfoSec “soft skills” into a cybersecurity career [19:26]
Ashley Stryker [00:19:26] And a lot more opportunity to use other types of skills instead of just the leet hacker. (Sorry, #CoolKid moment there.) But, it's not just writing code that can do crazy things. It's other skills too, right?
Josh Randall [00:19:43] Yeah, definitely. Some of the things I learned working in retail management have come off great. Being able to communicate, manage projects – these kind of things that people will call "soft skills," you'll hear that term – they do wonders for you when you're working as a team and figuring things out. When I have to design a system for Kameron to make sure he can use it correctly or help anybody out, those kind of skills go a long way in a career here.
Ashley Stryker [00:20:20] Kameron, then – have you found that some of your previous career iterations or expectations and some of those skills that you had at previous expectations in your career? Have they served you well in cyber, in ways you weren't expecting?
Kameron Hansen [00:20:34] Yeah, I think it's a lot like Josh just said. I never thought getting into cybersecurity that my sales job or my teaching job would have any impact at all. But that's, I mean, that cybersecurity is – it's always changing. There's different things that we have to continue to learn and learn and learn.
Kameron Hansen [00:20:54] And as you're learning this, you're going to be working with people where you have to... When I was teaching, you have to be able to teach them why this happened, how it happened, what's going on.
Kameron Hansen [00:21:03] And, depending on what the incident is or the vulnerability or the actors that are coming after you, you have to pull in people from different departments. It's not always the same people. It may be people who might not be as experienced in technology.
Kameron Hansen [00:21:18] And so, just being able to work with anybody at any level is really useful, especially because I've been there at the level where I didn't know what I was talking about... To the level where I still don't know what I'm talking about, but at least I know a little bit more. But yeah, there's so much that we do every single day that it's impossible to come into this job not using skills that you've had previously.
Ashley Stryker [00:21:44] So, Amanda, as somebody who is the bigwig – one of them anyway, at Ivanti – you are one of the people who is at the top of the ladder. You do see people and candidates and have an influence in building a team and the kind of skills you expect and the kind of culture and those kind of soft skill applications.
Ashley Stryker [00:22:09] What do you think cybersecurity needs more of, and what have you tried to build or have been excited to see built at Ivanti's team?
Amanda Wittern [00:22:16] Frequently, it has been soft skills that I think every industry everywhere has been looking for. There was such a strong emphasis on specialization and know the most about one thing and that that would be your "in."
Amanda Wittern [00:22:35] But anymore, there is an opportunity to learn many things about all kinds of different things. It can be a lot more about applying what you know. So, I would echo with both what Joshua and Kameron said, that the biggest component of cybersecurity is a desire to learn, to continue learning.
Amanda Wittern [00:22:55] And on top of that, be curious, have that be your motivator to continue learning, because the skills that you need to be able to do this job – the hard skills – are out there, they're available. You can learn them through boot camps. You can learn them through connections. You can learn them through Googling. I would be careful at some of the websites you might search for hacking...!
Amanda Wittern [00:23:18] But, what really matters is being curious and wanting to learn.
Ashley Stryker [00:23:26] So how can – and this will be the last question, I think because because we're coming up on time here – but in your opinion, how can you best... how can employers best identify the candidates who are willing and eager to learn?
Amanda Wittern [00:23:42] That is the golden question, isn't it? If I knew the answer to that, I would be doing something much different and being paid much more.
Amanda Wittern [00:23:52] But I think I think our our CSO, Daniel [Spicer], has done an incredible job with assembling a team of individuals from various backgrounds. It's become very clear from this conversation, right? I think he is focused much more on asking the practical questions that make people stop, think, assess and then respond.
Amanda Wittern [00:24:21] So sometimes it's about... You have to have the background knowledge, right? Even though you might be a history major, you still have to have progressed to the point where Joshua did become passionate, you know, with I.T.
Amanda Wittern [00:24:34] And then, ultimately, you do have to have the technical background, but what you really need to be successful in this career is a critical thinking set. So when someone presents you with a problem or you're able to see a problem – which is even better! – you can stop, think and apply that knowledge-driven ambition, that curiosity that you have.
Ashley Stryker [00:24:57] Oh, man. Now I kind of want to apply because it sounds like fun.
Amanda Wittern [00:25:06] I would say that it is!
Ashley Stryker [00:25:09] Well, thank you, Amanda, Kameron and Josh for joining us. Thank you, Chris, for lurking in the shadows for most of –
Chris Goettl [00:25:17] Before we before we wrap up, I came up with this great new joke–
Ashley Stryker [00:25:20] Oh, God.
Chris Goettl [00:25:21] – based on today's episode –
Amanda Wittern [00:25:22] Oh no.
Chris Goettl [00:25:23] An accountant, a geologist and a historian walked into the SOC... that is all the farther I got.
Chris Goettl [00:25:31] But it sounds like the start of a really good show. We're gonna have to finish that one somehow. But that's all right. That's our mission now. Doesn't that sound great?
Ashley Stryker [00:25:38] That is....
Amanda Wittern [00:25:39] I mean, I understand this... This podcast is recurring, right? So, Chris, you have now committed yourself to finishing that joke for next time.
Chris Goettl [00:25:49] All right. Fair enough. I'll see if I can pull that off.
Ashley Stryker [00:25:52] You made me go break into places at the conference. You can at least finish a silly joke.
Ashley Stryker [00:25:58] So – and with that tantalizing nugget for next time – thanks everybody so much again for tuning in today. Thanks again to Amanda, Kameron and Josh for joining us. Thank you, Chris, for contributing, as well.
Ashley Stryker [00:26:15] If you'd like to continue today's conversation – and I would be especially curious, because I was not expecting any of those degrees from any three of you, how... Do you want to get into security? What is your degree?
Ashley Stryker [00:26:30] Please follow us at Twitter @GoIvanti. And links for today's materials and shownotes will, of course, be on your podcasting platform of choice. So please feel free to peruse there.
Ashley Stryker [00:26:48] And as always, if you found our conversation amusing, interesting, or at least mildly entertaining, please share this with your teammates and friends. The more you share and the more people who listen, the more the algorithm likes us. As your token marketer, I must remind.
Ashley Stryker [00:27:05] And with that, we're signing off for this episode. Stay safe, everybody. We'll talk soon. Bye!