The Journey from Line Cook to the Security Operations Center

Transcript

Opening

Hello, everybody and welcome to What's the Problem, the podcast that explores problems, issues, considerations, and any hot-button topic in the world of cybersecurity that is going on today.

Today, we are fortunate enough to have Derek Ireifej joining us.

Conversation

Mike Krass: Derek, would you say hello to the listeners?

Derek Ireifej: How's it going, everyone? A pleasure to be here. Mike, thank you for having me.

Mike Krass: Glad to have you here. Derek, the first question, we get into it right away is why are you qualified to talk about security?

Derek Ireifej: It's great that you use the word qualified because I am very new to cybersecurity. Even being new and having just got here, I feel that the journey that I had to go on to get here makes me feel qualified, just getting my foot in the door. I was hired as a SOC analyst about half a year ago, and I love it. It was way harder than I thought it would be to get to where I am now.

Mike Krass: Well, I think you're teasing the second question with our listeners: always let's talk and explore. We'll talk about and explore a problem in the world of security. It sounds like you were teaching yourself to talk about the problem of getting into the world of cybersecurity because it's freaking difficult. Am I right there? Or where are you going?

Derek Ireifej: 100%. I do a little foreshadowing there. It was a difficult journey trying to get in that I'm sure a lot of other people can relate to, which is definitely why I wanted to speak a little bit about my experience, and some of the things that I thought, create this huge barrier to breaking into the industry. I wouldn't say that I've been an IT expert in the field for years, and doing all these things touched all these technologies and stuff. I have some experience under my belt that I was hoping would take me to cybersecurity and inevitably did, but it wasn't as seamless as I thought it would be. I went to school for IT. I went to college for IT, which didn't start as IT, but that's where I found myself leaning towards it because I enjoyed and didn't mind it. It was pretty cool. I figured it was something I could get behind. I have my bachelor's in it. I started as an IT support technician for a hospital. And then, after staying there for three years, I finally got security plus, and months later was able to get an interview with a cybersecurity startup that I met now as a SOC analyst.

Mike Krass: Do you think the security plus certification help nudge your resume to the back of their pile? Do you have any insight?

Derek Ireifej: I thought it would. I had this layout of my trifecta of things. I had my Bachelor's. I had the IT experience, and then the cake, or the cherry on top, was going to be security plus because I just scoured the internet. You try "you start with security plus, which should help a lot.” But, nowadays, you look at all the applications, and they want every certification under the sun. It didn't help almost anything other than the practical knowledge from the knowledge I gained from taking the certification. It was very useful. But as far as bulking up my resume, I barely got any responses, whether before or after getting the certification.

Mike Krass: It's interesting that you mentioned that. We had Bob Zynga on the show a couple of months ago. He mentioned the same thing about certifications. He was saying security plus was one that got his attention. As somebody who's been in the world of cybersecurity for a couple of decades, both in the public and private sector, as well as in the military, when he was in the US Navy, I just have a hard time putting a lot of weight into this. It's nice to see, but he didn't give the details that you learned something by going through that. So sure, it wasn't a resume booster, but academically it helped develop your own security mindset.

Derek Ireifej: I liked learning all the material, especially my job at the time. While I was an IT support person, a lot of it was what I was doing. It was super interesting to find out a lot of the backend things and look at it from a much broader perspective, all the aspects of security because IT security now is anything at all in regards to security. It's all intertwined, but that was one of the most shocking things. There are so many certifications out there, and one of the many topics that I was hoping we would touch on is that there are so many certifications that you don't even know what to get for my job right now, or for SOC analyst. There are so many applications out there, job postings that will have CISSP on them to be a SOC analyst, and having the knowledge I have now, I feel that a lot of those certifications are super overkill for what's necessary for some of these positions that are within cyberspace. There's a lot of disconnect between what's required for the job. For example, HR does not know the skills and things necessary for the job.

Mike Krass: You talked about being a little bit of disconnect and certifications, job requirements; where else do you see the disconnect, some in that journey of getting into the world as a security analyst?

Derek Ireifej: There were four things that I have in mind that stood out to me on, you know, trying to break into the field, that seemed like a big issue. And the first one, I would say, is the volume of people trying to break into the field. What's the first thing you look for when trying to find a job? The first thing you'll do is what will make me money so I can live comfortably.

Cybersecurity is one of those things, and cybersecurity is even double down on that and says, “Oh, there's all these jobs in cybersecurity that are open right now. It's huge. It's growing, and it's the biggest thing.” So, you try to figure out what's the next step. How do I get into cybersecurity? And you do all your research online, and there's a bunch of people saying, “Oh, just do this, just do that. You don't need the experience to do this particular role or something like that.” And I think all you need to do is take a few minutes to go on LinkedIn and search for SOC analyst positions. Usually, I find that many people start their cybersecurity career as a SOC analyst, which is the same thing I was thinking.

There are hundreds of applicants per job; if it's remote, forget it. It's ridiculous how many people apply for these positions. It's just so flooded by the number of people that are applying to it, which I think makes it even harder for the people who do have some experience, similar to my situation, but it just gets lost in the giant pool of other applicants who don't fit every single criterion that's on the job description now, because there's just too many people they're looking for, anything they can just to whittle down the amount of applications that they have to sift through.

Mike Krass: Even though MKG Marketing is not hiring me. Analysts, and we probably never worked as a marketing agency. What you just described has been the past week for us. We open an early-stage role within the company. Somebody with a few years of experience would probably be great in this role. Between the Friday before the fourth of July, and today, which has been about six days, we had 345 applicants, and it took us an entire day to get it down to 60. And that's not me being upset that people are interested in working here. I love the interest in this role we've opened here at the agency. But it is tough to look at if we had to do that first full-day analysis of all the applicants just to get into a sub-100 range of applicants for every job position. To be frank, it would be very difficult for us to hire anything.

Derek Ireifej: I couldn't be happier that you have this amount of applicants. It's exactly what I was talking about, and it's crazy. The number of people trying to break in is applying to all these jobs, and it's just making it so much harder to find the people you want to have on your team. It makes it super difficult.

Number two was the need for already experienced employees. There is such a need, and as you mentioned before, the sum of your other podcast interviews said there is a skill gap. It's hard to find qualified people or people ready to hit the ground running as they start the job, but it's difficult to get the experience beforehand. The things that I tried to do in my quest to get into cybersecurity was trying to get experience on my own, and thank God, there's a lot of pioneers that are trying to make so much of this information free, accessible and public, so that you can learn on your own to try to get your feet wet, and get some practice and know a little bit more about what you're talking about, and just give you an edge over other applicants who may not have as much experience. Sometimes they don't even care whether you have a bachelor's or a master's, and boot camps seem to be a hit or miss. Some of them are good. I've noticed that some of them are not, and nobody wants to take the time to teach. So, that was a really big issue for me, as well, and there's a fun thing that I wanted to bring up to you. I know your thoughts on this. For example, I know a handful of nurses who seem to go through nursing school. The treacherous blood, sweat, and tears of studying for hours are tough. It takes them four or five years, maybe more, and some people even do it accelerated, even faster. They apply to whatever hospitals they can, and usually, especially nowadays, because of COVID, they get opportunities at most of the hospitals that they apply to, maybe not for the exact department that they want to be in, or maybe a different department that is in more need of registered nurses. They hire them straight out of school for medsurg or the emergency department or something. They go through an orientation for about three months of training and shadowing, and then they're officially working as registered nurses taking care of their loved ones, but in cybersecurity, it doesn't seem to be the same case.

Mike Krass: You brought up a great example because I do know quite a few people who are registered nurses and have gone through residency and placement in school and I was talking with somebody about nursing the other day, and I commented on it. I want to be clear to our listeners that this was a flippant, joking comment. I was not being serious. I very much respect her scene and the medical profession. Now, with the caveats out of the way I mentioned, it's a surprise that people go to hospitals and don't die more often. You're talking about my friend who's a gastroenterologist because everyone's a specialist now that no one's just a doctor like everyone's specialized. He works 24-hour shifts. He goes from noon to noon, three to three, seven to seven. I'm sure he's in gastro, so it's not like he's in ER, trauma, or emergency medicine. But sometimes, he does rotate over there based on schedule, and I made that comment. It's a surprise that more people don't get killed by medical professionals. And they said to me, “Yeah, but think of all the checks and balances. The registered nurse does their rounds. You're talking about redundancy, which is now we're obviously in the world of security and engineering like redundancy is a key topic.”

They don't kill people because the RN's shifts are 12 hours. They're not on 24 hours; they're on twelves. There are also support folks who aren't registered nurses, and then you've got the internist who finished med school, and they get assigned somewhere for a couple of years and start working through departments. And then you've got the doctors, you know, like my friend who is working 24-hour shifts, and then you have people who manage the doctors, like my friends who are working the 24-hour shifts.

When you think about the layers of redundancy, they're all doing different things, but there is redundancy. It's a system that's in place that supports the entire patient experience, and what you just described in your first two points has a lot of applicants in the process number one part is hard to call through. All those specialists are remote, and it's hard to get experienced if you can't get on. It's like oil and water, and it's the opposite when you're describing the field of nursing or getting into medicine versus the world of security, which makes me very interested. What's the number three thing?

Derek Ireifej: We touched on three and four; we're just the number of certifications out there. It makes it difficult to figure out which certifications and which ones you need for your specific role. And which ones overlap are just the best you need to get at this time to get this position. The fact that you'll never stop getting certifications all the time, just to be able to go from one place to the other, leaks into the fourth point, which was the disconnect with HR. You get all these certifications listed on these job descriptions, and half of them, I feel, aren't even related to the job you want. They just plug all of them in any way. You need at least one or two of all of these certifications. I've seen SOC analyst positions with CISSP on them, and it's a bit overkill for a job. Again, it goes back to the number of applicants, and they're just trying to put barriers in your way to dwindle the number of applications they have to go through because the volume is just way too much. Even the people started to cut you off. The people working these jobs probably don't even have half of the core requirements in the job descriptions.

Mike Krass: You mentioned that I had spoken to another guest on the podcast, and he was talking about the requirements for new hires and how drastically different they are, for this is my language for folks who have been there and who is grandfather or grandmother then, it's like, do you want to be a SOC and just make it want to be a SOC analyst at Citigroup that's up in New York City such as financial services, firm institutional bank? If you've been at Citi, you're good. You don't need to worry about this whole CISSP thing, or do you want these new up-to-date Amazon certifications like you don't have that problem? That is what this guest was telling me. But if you're new in the company, coming from the outside, or if it's your first role with the company, they seem to care a lot about that. I'll throw something out here as we round out this part of the conversation. It seems to be like there is no continuing education that is mandated. You must do X CPE hours every year if you're an attorney. It's non-negotiable. There are entire businesses in this country built up on just cranking educational content to practicing lawyers, and you're required to do it. But you don't have that with the world. As a security analyst or security engineer, you're in once you're in, and that's just the way the rules are written. I'm not sure if you agree with that disprove that would love your opinion.

Derek Ireifej: Knowledge is power. I can see how that would be a standard, and it makes some sense. It goes back to training your employees; they're giving them the tools they need to do the job better. Although it is mandatory or necessary, if it's right or wrong, there should be something similar to that, and cybersecurity would help worlds, but I think that idea is just too new; there's too much, and it's too broad. I don't know if we would ever actually be able to have some sort of standard of material that everyone was had to do to keep up with stuff.

Mike Krass: It'll be interesting. My last comment there, before we go to our final question, is that being a security analyst is, I just gave an example where I'm talking about people have been practicing law for 1000s of years; that's not even a fair call that I made and no one can stop us. We just said security becomes something that is more top of mind, similar to lawyers, attorneys, or barristers, as they call it in Australia, which is an exciting word. I can see that world where, hundreds of years down the line, the concept of CEE comes into the world of security. And now, who determines what you have to learn? Who knows in the legal world? You just have to take X amount of hours, you could be taking whale law in Antarctica, and they don't care. They just want to see ours. And so it'll be interesting to see if, as the field matures, just like the legal profession did 1000s of years ago, that becomes a thing.

Derek Ireifej: I definitely can. I can agree with that, It has to find some solution, and the only thing I could think of right now, or my parting words on the topic, would just be to be more lenient with the people that are applying just the passion that people have for the subject, I feel that it’s the most important factor to it, especially it's cybersecurity. It's constantly changing, there are new attacks left and right, and you got to stay on top of your stuff. If you're not interested in it, you could care less about it, and you're just in it for the money or something; it's just not for you. Even though you may not have the years of experience or be able to do cybersecurity before, if you do the research, you practice, you do what you can, especially to get your foot in the door and some support role or helpdesk, it makes a world of a difference just to get yourself in the environment. If you could prove that this is something you want to do and where you want to be, then I think you should be rewarded with a chance and an interview that will get your foot in the door and get you into the field.

Mike Krass: I love it. I usually keep better track of time here, but this conversation went into these rich and exciting areas. So for the listeners nipping at my proverbial heels, I hope you enjoyed us having a little bit longer episode than normal. We promise to make it up here on the back end. Derek, could you tell us briefly about a terrible haircut you've had at some point in life?

Derek Ireifej: A few years ago, my barber told me about his problems. He was out for a few days when I needed a haircut. I waited for him to return, and I think he felt bad. He was dealing with some issues with his house upstate that he was renting. It affects people from whatever this place, and he was cleaning it out. He spent all weekend doing it, barely slept. So I come into the shop, and he tells me all this: "I only got three to four hours asleep the past few days, but it's fine. Don't worry about it.” I could see it in his eyes. He was so tired, and I was so nervous. I was shaking in my boots in that chair. He made so many mistakes, just in my hair and beard. I was so nervous. I wore so many hats. After that, I just ended up having to come home that day and completely try to redo my beard and to some weird, like thin chin strap or something. Because I was just trying to preserve what was left of it, like the nicks, and it was patchy. It was a mess.

Mike Krass: Oh, man, that is awesome. Not for you, but more for the story for the listeners. Thanks for sharing.

Derek Ireifej: Hopefully, it doesn't happen again anytime soon.

Mike Krass: Definitely. As we wrap up here, it's very common for our listeners to say, “Hey, I heard that episode with Derek or XYZ person on the show. I enjoy their perspective with love talking about security. So Derek, if somebody writes in, what's the best way for them to get in touch with you?

Derek Ireifej: Reach out to me on LinkedIn. I try to be on it as much as possible, and that's the easiest way to find me; you should just be able to search my name. I'm sure it will probably be in this podcast's name, so that should be the easiest way.

Mike Krass: Perfect! And to the listeners, we will include Derek's LinkedIn profile so that you can reach out to him directly if you have any questions or want to take around some security discussions. Thank you for tuning into What's the Problem, the show that explores problems, issues, considerations, and anything that's a hot button topic or maybe a cold button topic. We talk about all topics here in the world of cybersecurity. Thanks for tuning in, and we'll see you next time.