Unusual Journeys Into Infosec Featuring Psychtosec

In this episode of Unusual Journeys Into Infosec we analyse the human psychology of infosec and the choices we make.

With our notepad in hand, it's time for you to put your feet up, lie back and relax (in this big comfy chair), as we explore another Unusual Journey Into Infosec and analyse the human psychology of infosec and the choices we make with Psychtosec.

This episode we are joined by @psychtosec, who has had a really interesting journey into infosec and is proof that there's not a strict linear path into this wonderful industry. As you may have guessed from her handle and my introduction, @psychtosec has a background in psychology, which actually offers a lot of transferable skills, especially when it comes to understanding the human factors of infosec.

Without further ado, this is Psychtosec's Unusual Journey Into Infosec.

Cybersecstu (CSS): My vision for this series is to help break the illusion that you have to follow a certain route to have a career in Infosec. Where did your journey begin?

Psychtosec (P2S): I feel like my journey into infosec has been a disjointed one that has been years in the making. When I was a kid, my dad was always going on about the wonders of technology and the mechanics of the internet, as it was becoming more and more prevalent in the average person's home.

I'm not saying how old I am, but old enough to remember the sound a dial up modem makes when connecting and we were one of the first of our friends to have a computer in our home. Thanks Dad!

My dad also passed on information such as how to crimp and configure your own twisted pair ethernet cable to ensure it can transmit and receive data, and how to use ping, tracert and nslookup to troubleshoot connection issues. For years, it was nice to know but wasn't really the focus of my career.

When it came time for university studies, I knew I wanted to study psychology. The mind and how it works is fascinating. Learning about things like human motivation and behaviour fed my drive to understand what made people tick. I also worked as a personal care assistant for a young child with Autism to earn extra money.

After graduation, that interest in Autism led me to working in special education in schools with children with various disabilities. This included working in a 24/7 lockdown facility for youth offenders in New Zealand. I think I liked the chaos and unpredictability of every day.  

Eventually, as is often the case, I got a bit burnt out and did a number of jobs from working at a deli counter to leading a servicing team at a mortgage company. While working as a team lead, I started to work closely with technical support teams to resolve mortgage documentation errors and inaccuracies within the bank's various systems.

I'd work to gather information about how, when and what I thought was happening to generate the errors to support the process. Eventually, this led to landing a job as a business systems analyst for a mainframe application processing system.

I feel like this is when I realised my place was in technology. My analysis skills were recognised and rewarded. I was constantly challenged with researching and resolving complex production and design issues. I learned about batch processes, processing logic, data warehouses, API calls and the development lifecycle, etc.    

When I moved to England, I continued my learning as a business analyst working to analyse and implement changes in response to the General Data Protection Regulation (GDPR), which included privacy by design and technical and organisational security measures.

As I found myself advising more individuals and teams on best practices for handling and securing data, it made sense that I found a role within our Information Security team once that programme of work had transitioned into BAU.  I've now been working in infosec for 10 months. The learning curve is steep but I'm enjoying it.

CSS: Wow, this is really interesting! What was the moment that made you think, I really want to work in infosec?

P2S: That's a really good question. I think I've always had an interest since watching films or series related to hackers or hacking but always thought that was something beyond what I could do.  I feel like transitioning into infosec, as an extension of my previous role related to data protection, seemed like a natural fit and one I'd enjoy based on my interest in protecting data and supporting privacy rights for individuals.

Hearing that the potential role would involve a potentially sharp learning curve and that every day would be different is something that made me really want to apply. If I'm not challenged by my work I'm bored. I like a mentally taxing job. Plus I could see where my different perspective could bring additional strengths to the existing team.  

I also considered that as the field of infosec and cybersecurity is so expansive, it presents so much opportunity for growth and future roles. It's scary and exciting at the same time!

CSS: What challenges (if any), have you had breaking into infosec? And a follow up: What have been the most useful resources in helping you on your journey?

P2S: That's a great question. I've been fortunate in that my workplace and team is quite supportive of my transition into Infosec and my asking a LOT of questions.

I still have the occasional situation where a third party has questioned my presence in the room or prefers to talk to a male colleague, but generally this is where I see support from my colleagues and an opportunity to demonstrate why I am in the room. Where there are areas where I feel I don't know enough and want to learn, I normally go looking for a course or resources to become more confident in my knowledge.

I still battle imposter syndrome on a weekly basis, feeling like I'm not "technical enough," or not seeing myself as having the same amount of authority as others who are at my same level within the organisation. While the ratios are getting better, I am still looking out at a room full of predominantly men at infosec conferences, security vendor meetings and technical review meetings.

With both of these things, they are observations and it's been important to share these with my manager and for myself, to think about how I can encourage change.

When it comes to useful resources, since the beginning I've read as much as I can using a news reader app to see the latest Infosec news, data breaches and disclosed vulnerabilities which gave me a feel for the terminology, current threat landscape and started to build some of that technical knowledge at a basic level.

Same with following a number of individuals on my Infosec Twitter. I've started to obtain and work on different certifications starting with CISMP, but I've also found the cybersecurity community in London and local events like Ladies of London Hacking Society (LLHS), ISSA-UK, OWASP, OWASP WIA and others to be useful (and often free) learning opportunities. Plus it's led to my meeting a number of individuals who are also willing to share their knowledge of Infosec and cyber security. Every little bit builds on existing knowledge.

CSS: How do you think your background of Psychology has helped you in infosec?

P2S: Someday this will be an entire talk haha! Not my own experience but how I see the fields relating to one another. In terms of my background of Psychology I think it has helped me in a number of ways in Infosec:    

  • Understanding human behaviour and motivation both from a user perspective and a potential attacker perspective. Why do they do what they do? What are they trying to achieve with their actions?  I don't have all the answers but I think it helps me better understand one piece of a problem and think about how to approach a solution.  
  • Influencing, both at a senior leadership level and cultural level. What are the challenges to change? What is each leader concerned with when making a decision? Why is there pushback or resistance in a particular area or to a particular security control? How can we overcome those challenges? What personal and business benefits can we tie to Infosec practices and good security hygiene?    
  • Engagement. A lot of my day to day job is talking to people and helping them to find secure solutions to their business (and sometimes personal) data protection issues. I feel in order to do this well, I need to be seen as approachable and non-judgmental. I need to be willing to have an open-minded discussion to better understand their challenges and find the ways I can help. This is the same when it comes to more serious issues such as data breaches and security events, it's important that both are reported as soon as possible and that's not going to happen if people are fearful of the Infosec team or feel they will be judged for their actions.

I think it's likely why I tend to be more relationship focused in my infosec work than technology focused. Even though the technology is there to support and advise the work I do.

CSS: Okay, final question: what advice would you give those wanting to start a career in Infosec?

P2S: Just go for it! If you're interested in Infosec and don't know where to start, look into your local Infosec communities. If you're currently working somewhere with an Infosec team, engage with them, have discussions, and see how you can help - it may lead to your first Infosec role or gaining some relevant experience. Lastly, don't forget there are also tons of communities and resources online.

There are some valuable lessons I want to highlight from this interview with @psychtosec. Firstly, imposter syndrome was mentioned again in this article, something we have seen a lot in the series. Overcoming it is difficult, and in some cases we just have to cope with it as best we can.

Secondly, I've said this before in a previous article, but it's so relevant here: learning is a skill and an attitude! It doesn't matter if you don't have the required technical baseline skills; what matters is that you have the positive attitude to push through those barriers of fear and doubt to learn! And what has been proven here is that transferable skills are valuable, especially those that focus on analytics, critical thinking, and human behaviour.

Finally, get actively involved in the Infosec community: go to meetups and reach out to people on Twitter, because you'll be surprised how helpful this community is, especially to those willing to learn and push themselves!

The Awesome image in this article is Knitting a Brain by Evgenia Chuvardina.