Testing, testing. May I have your attention, please. *Ahem* Allow me to introduce myself and this new series of articles for The Ethical Hacker Network. My name is Stephanie, better known as Steph or InfoSteph in the community. I have been working as a security professional for the past year and a half, but I have been in the security industry for 3 and a half years. I’ve been in tech for 6.5 years. In that time, I held two different security positions, but both were corporate security roles with a lot of responsibility and steep learning curves. It has been a wild ride, one with failures and errors galore. However, I wouldn’t change my past for anything. As for my future… spoiler alert… I want to be a CISO, and I have a plan to get there. But before I get into the weeds of all of that, it’s only right that we start from the beginning.
Before I Ever Knew What a CISO Was
“Hello. I’m here to declare my major?” I stood nervously in the extremely small office belonging to the Dean’s administrative assistant. I had just gone through several different offices to accomplish different tasks and this was my last stop for the day. After three years in a journalism program and deciding that journalism was not for me, I hoped that this new declaration would bring me the happiness and fulfillment I needed. I was taking a leap of faith and fighting against my insecurities by choosing Computer Science as my major. I thought it would be too complicated or that I wouldn’t be able to understand what was being taught. However, a lack of an alternative had me in a bit of a corner.
“Yes, sure. Please, sit,” the administrative assistant said. Once I was sitting down, she pulled up my student profile and asked me, “So, what concentration are you thinking of choosing?”
I stared blankly back at her.
“There are three options. You can do the standard Computer Science concentration, Software Programming or you can choose Digital Forensics/Information Assurance.”
Digital forensics, I thought. That sounds like some CSI stuff!
“I think I will go with Digital Forensics!” I exclaimed. That was the beginning of a 6.5-year journey to where I am now, security analyst extraordinaire at your service!
Security, Security… Anything to Get into Security
Before getting my Security Analyst role, I spent 5 years attempting to get into security. I did Linux administration, networking, web hosting administration, customer service, Help Desk, you name it. Every role, except for one, was a chance to get into security. When I did web hosting tech support (twice), I was hoping to work my way up to Security Admin. When I was a network analyst/customer support specialist, I was hoping to get promoted into the SOC. I faced so many barriers: knowledge gaps, lack of experience, lack of jobs, office politics, etc.
At a certain point, after a series of unfortunate events, I decided that I was moving in too many different directions. It wasn’t bad, per se, but it wasn’t great. And when anyone asked me what my goals were, I was stumped. Sure, I knew I wanted to get into security, but what I would do when I got there was yet to be determined. I struggled with creating a plan, because at my young age I’d already known that my plans would most certainly change. I thought there was no purpose in planning something when you knew the plan would shift.
I often use this analogy: I felt like I was at a four-way stoplight. I could go in any direction, so my ability and capability didn’t automatically cancel any direction out. I had never been down any of the paths, so prior knowledge and experience didn’t cancel out any directions either. When I asked for directions, everyone had a different answer. And, as a result, I stood at the light, frozen and unsure of which path to take. Finally, I decided I would just start driving down one direction and just see where it takes me or what I learn.
That brings us to what I now call the Bad Bitch Plan AKA “BBP.” My BBP is basically a mental picture of where I am going to go in life, before I retire from security. My apologies if the name offends anyone, but it keeps me pumped. YMMV, so feel free to create your own inspirational plan name. I highly encourage it!
Before I got to the BBP, I considered quitting. I actually started to consider a career in psychology. I volunteered at a Crisis Hotline and even applied to be a research assistant. But before I completely turned my back on security, I gave it one last chance. But this time, I knew I needed help. I reached out to a black woman who had a longer career in security, and I asked to speak with her about the industry. We ended up having a two-hour conversation about her experience, and she encouraged me to try again – just in a different way. She told me I needed to blog, learn how to use Splunk, join Twitter and go to HouSecCon. Armed with an action plan that was more than what I’d historically been told, I decided to give it a second chance and stop BSing.
My first goal? Get a security job. I would blog, attend conferences, read, study, go back to school after two years off, obtain any relevant certs I could afford and ultimately dedicate time and resources to getting into security. I stopped watching as much TV, I stopped going out as much, and I began a long journey of figuring out my brain chemistry, so that I could make sure it was constantly operating at its best. I started StephandSec.com, my website. I planned on attending HouSecCon and DEF CON. I joined some online communities that were supportive. And in the fall of 2018, after a very low period in my personal life and finally securing a security role, I created the BBP. The BBP contains five different domains, one of which is career. While the rest of the BBP is outside of the scope of this series, Phase 1 of the career domain is definitely in scope and what I will be focusing on in this series.
The BBP states that I will spend the next 7 years doing technical security work of any type. The next two years will be spent exploring, and the last five years will be spent actually specializing in one thing I’m most passionate about. After I’ve had my fill, I would switch to management and climb my way up to CISO in 10-15 years. I’ll spend 5 years as a CISO, and then retire from Security. That completes Phase 1 of the BBP and launches me into Phase 2. Here’s a reminder that at this point – I am still just picking a direction and sticking it out until I hit a roadblock or a reason to choose another direction. This just means I’m winging it, like we all are. I have no idea how hard or easy it is to do any of the things on the BBP, but I do know that I want to do it and can adjust based on new information.
Put on Your Safety Harnesses
This series is a way for me to document my progress along the way. I’ll be discussing technical skills I am developing, things I’m learning and ultimately seeing if I can stick with this version of the BBP for the next 20-something years. I finished 2019 working out the last two weeks at my old employer and am starting 2020 off with a new job, a new outlook and new opportunities.
Thank you for joining me on this rollercoaster ride. I’m sure there will be ups and downs, twists and turns, and there might even be a need for a puke bag every now and then. One thing I can guarantee – it won’t be boring! See you next time.
Stephanie Ihezukwu has been working in the tech industry for almost 7 years. She has a pretty diverse background at this point, having worked in web hosting/server management for two years and in help desk for a year, and is currently working in security. Her ultimate goal? To have a successful career in the Cyber Security sector and eventually become a CISO. She will be documenting her attempts at achieving this goal, and listing what she is doing in order to get to where she wants to be. Follow her @StephandSec and check out her blog.
She is currently working on completing her Bachelor’s, being a delegate for Security Field Day 2, being a lead for the WISP DEFCON Scholars, being chapter lead for WoSEC Houston, co-hosting a weekly podcast and speaking at various conferences. In her spare time, she likes to read up on pop culture, watch trash TV, hang out with friends and loved ones, and talk tech with friends. She also loves to travel, and hopes to one day adopt a dog.