Defending with Passion: Cultivating a Passion for Evolving as a Cyber Defender


Posted on in Podcasts

The technology we work to secure is ever evolving, as are the threat actors that are out there trying to exploit those technologies. Hence, the challenge we face today with securing and then defending those advances in technology requires people that are just as excited about learning how to defend that new technology as someone once was about creating it. There is absolutely someone out there that is passionate about hacking their way into that new technological advancement, no matter what it is. Join this podcast to learn what motivates hackers and how to help instill a passion for defending against cyber threats in the members of a security team.

Podcast Transcript

Introduction:
You're listening to the RSA Conference Podcast, where the world talks security.

Kacy Zurkus:
Hello listeners, and welcome to this edition of our RSAC 365 podcast series. Thank you for tuning in. I'm your host, Kacy Zurkus, content strategist with RSA Conference, and today I'm joined by my guest, Tiffiny Bryant, who will be discussing how to defend with passion. But first I want to remind our listeners that here at RSAC, we host podcasts twice a month, and I encourage you to subscribe, rate, and review us on your preferred podcast app so you can be notified when new tracks are posted. Now, I'd like to ask Tiffiny to take a moment to introduce herself before we dive into today's topic. Tiffiny?

Tiffiny Bryant:
Hi Kacy, thank you so much for inviting me. I'm so excited to be here today, and hello to everyone tuning in. I'm Tiffiny Bryant, and I've been working as a cybersecurity analyst for a little over three years. Before I began my career in cybersecurity, I completed a 20 year enlistment in the United States Army, where I first worked as a personnel information system management specialist and then as an information technology specialist. I spent the bulk of my enlistment in front of a computer in some capacity, but it wasn't until the final years of my enlistment that I recognized I was profoundly interested in building my knowledge about the protection of digital information and devices. It might have just been a product of being in the Army for so long. Maybe I had built the habit of focusing on operation security, but that interest led me to pursue an opportunity to work in a cybersecurity operations center a few months after retirement, and I'm constantly amazed at the community of defenders I have encountered and the way that they work so passionately in a career field that has such a dynamic landscape.

Kacy Zurkus:
I love it, and I don't say this lightly, thank you so much for your service. Tiffiny, for the better part of this decade, the industry has been talking about the shortage of cybersecurity talent and trying to figure out how to recruit the right talent. Given that you're still fairly new to the security workforce, I wanted to get your opinion on the issue. Is a dearth of candidates the issue? What's the problem here?

Tiffiny Bryant:
Kacy, I've certainly been hearing about the shortage of cybersecurity talent since I started in this field, and I can't say that I fully agree with the sentiment. One of the reasons I believe it isn't completely the case is because when I mention I am a cyber security analyst, oftentimes the conversation shifts to a place of pure curiosity about what I do and the path I took to enter this career field.

Tiffiny Bryant:
People certainly are taking notice of career paths in cybersecurity, and they are asking questions. The technology we work to secure is ever evolving, as are the threat actors trying to exploit each of those technologies. The consequences of those exploits are all over the news, so of course, the greater society is also taking notice of those two correlations and recognizing there's an enormous amount of possibility in choosing cybersecurity as a career opportunity.

Tiffiny Bryant:
What I think is interesting is that it also means the challenge we face today with securing and then defending those technological advances requires people that are just as excited about learning how to defend that new technology as someone once was about creating it. I think that is where of the disconnection is in searching for this talent that is missing. It's not always until you become fully immersed in the field that you see just how much time and dedication is required to stay ahead of the hackers.

Tiffiny Bryant:
I recently saw that the US Bureau of Labor Statistics predicted employment of information security analysts was projected to grow 33% from 2020 to 2030. That's equating to about 16,300 opportunities for information security analysts projected each year, on average, over the decade. The field is definitely growing at a speed that could be difficult to fulfill, I just can't say it's going to be impossible task.

Tiffiny Bryant:
My experience has been that people are excited about cybersecurity and also curious about what it will take for them to fill those roles. From a current standpoint about the statement, maybe it isn't as much the dearth of candidates as it is we may not be actively shaping the passion towards the field. There's always someone out there seeking ways to hack into our defenses, and we just have to figure out a way to create the type of excitement about building those defenses to drive people to the field, despite this notion that the talent isn't available.

Kacy Zurkus:
Absolutely, I agree. It's funny because I saw this joke on LinkedIn last weekend that was, "How did the hacker escape?" Do you know the answer?

Tiffiny Bryant:
I don't.

Kacy Zurkus:
He ransomware.

Kacy Zurkus:
Which I think is hysterical. I told the joke to my sister, who's a goat farmer, and people that don't work in the industry at all, and they get it is the funny thing. When you say that people are curious and it's becoming this household name or idea or concept, cybersecurity and hacking and ransomware, it's true. The curiosity is definitely growing because the impact is so much greater. Undeniably, there will always be malicious actors and luring them to the good side could, in some people's eyes, be a fool's errand, but there are also plenty of folks who are just being curious about how things work. These are the hackers we want to focus on recruiting. Can you talk a little bit about your own passions? What aspects of hacking drew you to pursue your career?

Tiffiny Bryant:
Absolutely, Kacy. Interestingly enough, as I mentioned before, one of the things that drew me to pursue my career was a constant requirement to maintain operation security as a part of my time in the Army. However, even before that, I always had this incessant need to answer the question. If this device or this program can already do this thing, can I also make it do this additional thing? Can I change it in some way?

Tiffiny Bryant:
For some reason, I've been like that since I was a young lady using cassette players and Discmans and Walkmans, things that people probably now don't even know what they are. I always wanted to know how something functioned so that I could find a way to make it perform in a way that benefited my personal specifications or my desires as I got older. As you could imagine, that led me to breaking a lot of software programs, but there was a young man that was assigned to my unit who would always have to come and repair my computer. We were friends, so I would peek over his shoulders watching his every move, and with every click of the mouse that he used to restore my computer back to normal, it just made me want to know even more about computers so I could be sitting in that seat.

Tiffiny Bryant:
Eventually, I changed career fields in the Army to become an information technology specialist and it was while I performed in that role that I became more aware of the concept of hacking. When I found out there were roles that existed and people who were making a legitimate career of hacking, let me tell you, Kacy, I wanted in. When people ask me what I do as I continue to grow in this industry, I instantly want to respond with, "Oh, I want to break things," but as you know, that causes a lot of alarms to go off in a professional environment, but ultimately it is my truth.

Tiffiny Bryant:
I want to wake up in the morning knowing that each action I take will be in preparation to hack into a device or a network in a way that provides more value than just proving to myself that I can do it. I'm excited about hacking because the goal of breaking things for me now will be about helping people build a more secure product or environment that functions in all the new and interesting ways that we can imagine while still protecting our most valuable information.

Kacy Zurkus:
I love that, and I love the passion with which you deliver that truth. You can feel that this is what drives you, and I'm sure that some of that... You speak about the gentleman that you were friends with that fixed your computer, I'm sure there are others legends of the hacking industry that you learned from them or admired them, or were even inspired by them. Can you talk a little bit about who those people were?

Tiffiny Bryant:
Absolutely. One of the most well known hackers that I learned about pretty quickly was Kevin Mitnick. Here was a guy that was wanted by the FBI, but at the end of the day, there was an overwhelming amount of reporting that stated that his motivations weren't particularly to cause detrimental harm as much as it was to gain information. Then Kevin Mitnick, in his own testimony to the US Senate Committee on Governmental Affairs, stated that his motivation for hacking was the quest for knowledge or the intellectual challenge, the thrill, and also the escape from reality. As many of us know, that quest led him to being considered arguably the most notorious computer hacker in the world.

Tiffiny Bryant:
I think his story is one of the most interesting for me because it shows that hackers are quickly labeled as a bad actor, and we have to find a way to change the narrative a bit as members of this community. Kevin is a trusted security consultant to the Fortune 500 and many government organizations worldwide. He's even now using his own passion for that quest for knowledge to train employees to better manage the urgent IT security problems encountered in our organizations now.

Tiffiny Bryant:
If you look back even further to Joe Engressia Jr., or Joybubbles, there was a young man who stumbled upon an ability to control ordinary telephones by whistling simply because of a relentless curiosity about the world around him. Joybubbles was described by the New York Times as the Peter Pan of phone hackers. He may have been the first telephone hacker in a long line of phone phreakers that includes names like Apple founders Steve Jobs and Steve Wozniak.

Tiffiny Bryant:
These gentlemen made a business out of manufacturing and selling phone phreaking gear before they founded Apple Computer in 1976, and here we are, Kacy, in 2022, and Steve Jobs and Steve Wozniak are still two of the biggest names in the tech industry. So for me, those are some of the influential hackers, if you must call them that, that inspired me to never stop asking what is possible, because I believe that a continued pursuit of knowledge is what it's going to take to be great at protecting our networks against the new age of hackers and threats.

Kacy Zurkus:
So much of that relies on the ability to cultivate the sense of passion. As an industry, how can we do that? How do we cultivate a relentless curiosity or quest for knowledge within our career field and within the greater society?

Tiffiny Bryant:
That's a great question, Kacy, and one that I think we have to answer as a community, because it's going to take the community to build the type of interest that goes beyond the workday and beyond the workplace. However, I think we can get off to a good start by being vocal about how passionate we are about defending networks when you speak with people that aren't a part of the cybersecurity communities that we're in. That's one way to help the greater society start to engage in conversations that lead them into pursuing positions in cybersecurity.

Tiffiny Bryant:
I think internally, though, it's going to be a matter of dedication to career development and being willing to offer cyber opportunities to candidates that may not meet every one of the specifications we were looking for on paper, but are generally interested and extremely passionate about learning as they work. Is the talent that we're looking for only people with four year degrees coupled with a five year minimum of work experience?

Tiffiny Bryant:
We're excluding people that may not have had the opportunity to attend a college, but who figured out how to build a lab at home while watching YouTube videos and participating in online training programs like TryHackMe, The Cyber Mentor Security Academy, Hack the Box, or any of the other programs that provide a wealth of training and valid certifications at a fraction of the cost and the time it takes to complete those college programs.

Tiffiny Bryant:
Before I get too far off topic, I think the key element is recognizing that skills like great communication, leadership, and motivation to learn are critical to our field, and I think investing in each candidate at their current level of knowledge is something we can do to create a culture of passionate learners and defenders. Organizations can provide mentorship and develop programs that allow us to encourage and reward the talent we have with opportunities to advance into those positions we're trying to recruit for.

Kacy Zurkus:
I love that, and I think you're so right about the training and how we define job description and what we're looking for and what we actually need, and this idea that there's only one path to become educated. We need to evolve, certainly, on that thinking as a society. That is probably in part answer to my next question, but what are some of the obstacles to bringing new talent into this industry?

Tiffiny Bryant:
You're absolutely right, we have objectives that we're trying to meet when we recruit for a talent, but sometimes I think we have to look outside of those requirements and, again, recognize that people come from different places and that diversity is going to be something that carries us into the next generation of defending against the next cyber threats that are coming in our career field. It's also tough for me to pin down the greatest obstacles of bringing in new talent in the industry, and I also haven't been particularly active in this field for too long, but long enough to participate in some of that process, though.

Tiffiny Bryant:
I'll move on to speak to some of the concerns I've heard from peers about taking action and trying things that haven't specifically been taught to them in the roles. One of the things I hear the most, and something I even struggled with in the beginning as an information technology specialist, or even a cybersecurity analyst, was that fear of breaking something or being the one that causes the harm.

Tiffiny Bryant:
In this field, I think we can also overcome that fear by having open discussions in the workplace about creating and maintain lab environments that can be used to foster a culture of continuous learning, that can go beyond those fears of getting something wrong. Another interesting topic that comes up is the uncertainties that knowledge transfers across career fields and being able to have communications, open engagement with friends and family, that allow us to say things like, "Mechanics understand vulnerabilities of an entire vehicle, and that knowledge can help to improve the defenses." The obstacles that we are facing, as we talk to each other as a community, we'll be able to battle them no matter what they are.

Kacy Zurkus:
I love that. Tiffiny, I really appreciate your perspective here, particularly because you are new to the industry, and you are the talent that organizations want to keep. We can hear your passion in your voice, and this dedication that you have to learning. I love it, I'm so inspired by it. Hearing your voice will hopefully help security teams think differently about how they can attract and retain qualified candidates before their flames of passion are diminished by burnout or other circumstances that might lead people to leave the industry.

Kacy Zurkus:
Before you close, do you have any words of final wisdom for our listeners, maybe to speak to how to hold onto that passion in the face of an industry that is clouded by that threat of burnout?

Tiffiny Bryant:
Kacy, excitement is contagious. Expressing your passion for cyber security can motivate teams and drive engagement. Speaking, we have to speak to people, not just in the cyber security community, but we have to speak to people in the greater society and explain why we enjoy being the defender and how our role provides with teams that encourage them to become more comfortable with speaking fluently about what they're doing and why they're learning, and how what we're doing can improve our safety, our privacy, and our lives. Be out there, be an advocate for cyber security, be an advocate for defending the networks, and never stop talking to the community and the people around you.

Kacy Zurkus:
I love that, and I hope that you do inspire people to do that because I think that will help to change the narrative. I know that you and I had talked about this idea of the way the industry is presented in the news, and there's all this focus on the click bait, the hack, the bad thing that happened, but there are far more stories about the defenders that are doing amazing work and stopping those threats before they get into the network and cause great harm. I think that more voices being heard about the love that they have for doing that and the success that they have at doing that will really help to inspire more people. I love it. Thank you so much.

Kacy Zurkus:
Tiffiny, thank you for joining us. Listeners, thank you for tuning in. To find products and solutions related to hackers and threats or professional and workforce development, we invite you to visit RSAconference.com/marketplace. Here, you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist you with your specific needs. Please keep the conversation going on your social channels using the hashtag RSAC and be sure to visit RSAconference.com for new content posted year round. Tiffiny, thanks again so much.

Tiffiny Bryant:
Thank you, Kacy.

 


Participants
Tiffiny Bryant

Information Security Analyst, Shipt Inc.

Kacy Zurkus

Senior Content Manager, RSA Conference

Hackers & Threats

hackers & threats professional development & workforce risk management security awareness security education security jobs


Share With Your Community