We're back with another personal story from the tech industry! This week we talked to Ursula Cowen (@ush1c ), and Creator of the InfosecWhiskey ( @infosecwhiskey ) Podcast - a podcast for whiskey drinkers with an infosec problem.
We find it important to share these stories because cybersecurity is a growing field with lots of potential for newcomers but many aspiring cybersecurity professionals are lacking in direction. They simply don't know where to start. Some careers have a linear path of a degree > certifications > job, and others do not.
As an industry, cybersecurity is so wide-reaching and it's growing at a rapid pace so there's lots of room for flexibility. It means that professionals from a wide range of backgrounds can enter into the field even without traditional accreditations. We hope that by sharing the stories of those in the industry, cybersecurity enthusiasts can get a better feel for what they need to focus on and find their own place in the industry tasked with defending our data. This is Ursula's story.
Ursula started her working career as a firefighter paramedic, before deciding to pursue a career in law enforcement. It was through her time in law enforcement that she was exposed to cyber crime and digital forensics and developed a keen interest in cybersecurity.
What inspired you to have a career in infosec?
My path to InfoSec was not what you would call a “traditional”. I didn’t start in IT, or any other tech-related field, for that matter. I started my career in law enforcement, first as a Police Officer and later as a Special Victims Detective. When I decided to move on from law enforcement I wanted to continue doing something that I thought would be meaningful and important.
I employed the assistance of some friends and asked what they thought my skills could do for me. I work in an area that is somewhat of a hub for tech companies, called Space Coast in Florida. We have an Air Force base, and Nasa, as well as some avionics companies, among others.
My friends suggested my current skills would go well with Cyber Security. At this point, I had already started my Master’s program in Digital Forensics. and little did I know that it also involved a large amount of Network Incident Response. It was a great fit! I eventually found and accepted a job as a Security Operations Center Analyst, defending the network for a large government contractor.
What’s something about digital forensics that you think most people don’t know?
Well, I assume the techies know, but a lot of people don't realize just how digital forensics works. They don't understand that in computer forensics, we can almost always find data unless a device has been formatted. However, in mobile forensics, it's actually the opposite because of garbage collecting and wear leveling (a process that is designed to extend the life of storage devices).
When I was a Digital Forensics (DF) Examiner with the police department I mostly examined mobile devices. Unless you're a big tech geek or hacker, you probably primarily use your phone for everything.
Phones also deal with data that other devices typically wouldn't, such as GPS. This makes cell phones extremely useful in criminal cases. Unfortunately, a lot of law enforcement agencies have not figured this out yet. However, when data is deleted off of a phone (unless it was deleted from an SD card), it's likely gone and unretrievable.
It can be attempted, and sometimes we would get data back that was deleted. But oftentimes, the phone is working so hard on making sure that the processor is running smoothly, that the processes used will overwrite the data previously written, thereby making it impossible to retrieve that data again.
Tech is always evolving and, who knows, maybe they will find a solution to this, or maybe they'd rather our data be deleted for privacy reasons.
What advice would you give for people looking to get into the field?
Apply, apply, apply! You never know what opportunities are out there if you don't look. When looking at job descriptions, look to see if you're qualified, or mostly qualified, but don't talk yourself out of applying if you're missing a few things. The job descriptions for cyber/IT Security can be quite vague.
This is by design and part of ‘opsec.’ I’ve known people, myself included, who didn’t know the entire job, but are rocking it anyway! You need most of the basics, but the rest you can learn with a decent work ethic and drive to do well.
How can aspiring infosec professionals tackle their development beyond getting a degree?
Keep studying whatever it is that interests you. There are so many free and open-source resources for people out there, that you can be self-taught and still find a job. It may not pay 6 figures right away, but you can get your foot in the door. If you work for a company that can’t or won’t pay for a SANS class, or some other type of Bootcamp, then do it on your own.
There are great free resources that you can learn a ton from. I’m in no way affiliated, but I love Cybrary. All their videos are free, and they say will stay that way. They have some great paid content too, but if you are just trying to get your foot in the door somewhere, learn as much as possible.
If you can afford to pay to take some certs, I think that it shows initiative and willingness to go the extra mile. While I personally don’t think certs show all the facets of an individual, they can go a long way to helping get a foot in the door. Especially as they are currently the industry standard.
What do you think are the biggest security threats facing the world in 2019?
The biggest security threat to our systems is uneducated users.
I currently work for a large company that does a lot of good work in the way of user education. However, users are still clicking links and downloading bad stuff, circumventing security controls because they think they know best. The biggest problem is either users not understanding how dangerous these links are, or users not understanding the dangers that face us.
I can talk about different Advanced Persistent Threat (APT) groups, and what their tactics, techniques, and procedures (TTP) are and who they are focusing on. But at the end of the day, the users will likely never know what APT group is associated with Iran, Russia, China, etc, and it really doesn’t matter. What matters is that if they work for a targeted infrastructure, they could easily let APT into their network by simply thinking they are filling out a survey. It doesn’t matter who the threat is at that point. What matters is that the network has been breached.
Cyber bad actors are getting more and more advanced with their phishing attempts. Even non-APT actors are becoming more advanced. Our home users need to be educated just as much as corporate users. Where we used to have people making phone calls to the elderly to scam them out of money, we now have older people using computers and getting phishing attempts on them as well. They are falling for it. We need more education to get out to those types of users as well.
How does it feel to be a woman in a male-dominated field and what do you think can be done to encourage more women to join?
This is perhaps my most favorite question I get asked. Personally, I’ve been blessed to work in environments where women were respected for the most part. I come from the fire service and law enforcement backgrounds before moving to tech. I’ve been working with men my entire adult life and I never felt out of place.
There were rumors at earlier careers that certain people didn’t like women in those careers. But I never much cared what others thought about my choices of where to work. I was ok with proving my worth in the places I’ve worked. Not because I’m a woman, but because I was a person working there and wanted others to know I knew my stuff.
I’ve often pondered the reasons why there aren’t a lot of women in STEM fields. I’m not sure if it’s because they weren’t encouraged to pursue whatever job they were interested in, or not. I was lucky to have a family support system that never allowed me to think there was something that I couldn’t do.
As I grew as an adult and went through open doors to find myself and where I was meant to be in the world, I eventually found myself here. I’m absolutely thrilled that I followed the opportunities and didn’t allow the fact that I am a female to determine whether or not I could do something.
I believe that we are in a place and time where the emphasis on “female” in the tech workplace is starting to fade away. We are individuals who bring with us our own experiences and views. This is such a good thing because when everyone sees the same thing we miss important holes that need to be filled. We now have a growing diverse community of not just women, but other minorities as well, filling tech positions and moving upwards.
How do you see the industry changing over the next decade?
I hope that we can stop putting so much energy into being diverse because we just will be. I’d like to see everyone regardless of their gender, race, sexual orientation, etc, be considered equally for job opportunities. If we focus on getting the best candidates for the position, we are going to see that we will naturally diversify, AND we will have the best people in the industry.
Your podcast sounds exciting, tell us more about it
As I mentioned previously, we often get ingrained in us that we can't do certain things as women, and honestly as humans in general. Imposter syndrome is a very real and prevalent thing.
When I started using Twitter it was to get the tech info and not much else. What I found was an amazing community. As I started to find myself in the infosec space of twitter, I started becoming myself. The amazing community allowed me to voice things into cyberspace and sometimes supported things that I was unsure about. This is where our podcast was born.
We've finished recording and almost finished editing the podcast. It's a podcast where we will discuss different relevant cybersecurity-related topics while we share my favorite alcoholic beverage, whiskey! My vision is an atmosphere where we are relaxed, and hanging out, much like the after-hours at a conference.
We will share ideas. There aren't a lot of podcasts hosted by women, let alone one that incorporates a traditionally "masculine" drink like whiskey. I think it's going to be a ton of fun! Our first episode has myself and two guest hosts discussing our unusual paths to infosec! Our twitter handle is @InfosecWhiskey and will have all the details once the podcast is aired.
Any last thoughts?
As a final thought, I’d like to say this. To get women into these positions we need to show them how enjoyable the positions are. For me, I care more about my enjoyment of my work every day than anything else. I want to enjoy the work and the people that I work alongside. Tech work is like a puzzle.
So if we want to get more girls into STEM, we need to introduce them to problem/puzzle solving early in life. We need to let go of stigmas that certain jobs are meant for certain types of people. When I say “we” I mean as parents and teachers who are raising our future women.
We don’t suddenly become adults and realize “oh…I (think I) can’t do that as a woman.” That’s likely ingrained. The world is already headed that way, and I think we are going to see some very exciting developments. But let’s also not forget the amazing women who came before us that forged the path, but didn’t get recognized.