Kat Sweet

Now with a catchy tagline!

Being an Infosec Latecomer, Part 2: Election Bugaloo

2016 was a milestone year for me: I landed my first job in infosec. A real live security internship. A new world opened up for me, and at the same time, as I started to settle into my brand new role, I couldn’t help but get the feeling, “Hey, I’ve done this before”.

As I mentioned in Part 1, and in my un-talk at CircleCityCon, broadcasting the fact that there are countless paths to a security career will help bring in more people with a wide variety of life experiences. This is glossed over way too much in the way hackers are presented to the world -- prevailing narratives frame us as having special l33t skillz that no one else has. Some of it I’m sure is internally-generated -- I think that some people who have only worked in one field perceive their job’s processes and learning curves to be unique to their industry. But those of us who started in other fields bring knowledge and skills from our “past lives” that are not only incredibly transferrable to infosec, but often lacking in the current infosec workforce.

So where did I come from? Hi, my name is Kat, and I’m a recovering political staffer.

When I graduated from college, I wanted to work in politics, having already put in a lot of thankless volunteer work during previous elections. I brought a solid writing background, a knack for doing independent research, and a healthy dose of cynicism -- plus, it was an election year and it seemed like a good idea at the time. Over the course of the next few years, I worked both on the campaign side (finance and fundraising, more specifically) and the legislative side, working my way from page to legislative aide. However, in addition to it not being a great fit for my personality, the job market was limited and incredibly volatile. After my and several others’ jobs disappeared as a result of an election, I decided that politics and I should see other people.

It was a couple more years before I got the idea to learn how to code (if you’re curious, it was Ruby, and there was a lot of nervous crying), which led me to “I’m not a dev, but this tech stuff is interesting. Hey, this security stuff is really interesting. But all of the security people have been hacking since childhood, so I guess maybe I’ll try to get a non-tech job at a tech company.” I had gone to a few security cons, speaking and volunteering but feeling like I didn’t have a real claim to be there. I was legitimately embarrassed by my resume. A turning point was watching Eve Adams’ and Johnny Xmas’ presentation at DerbyCon in 2014 -- all about how to break into infosec from other fields. As I re-watched that presentation, and as I started to meet more people in security, it started to sink in that I was not a blank slate.

Though most of my technical knowledge is a few years old at most, I -- without realizing it at the time -- built up an arsenal of skills during my days as a political staffer. Among them are:

Communication with diverse populations: I wrote a lot of words, and I spent a lot of time on the phone with strangers whose lives were vastly different than mine, many of whom hated everything I stood for. Being a legislative staffer is simultaneously behind-the-scenes and very public-facing: I made thousands of constituent contacts without having my name attached to any of the correspondence. Security work can be similarly invisible-yet-impactful, and the sheer amount of communication that security work requires can’t be overlooked. Whether you’re a pentester writing a report, an analyst responding to a user, or a manager justifying your budget to the C-suite, we are tasked with communicating security to those who are not in a security state of mind. The ability to understand the viewpoints and values of others and get our message across accordingly is a vital skill for promoting better security.

Staying current: This is a skill that often gets downplayed compared to other non-tech skills like writing, teamwork, time management, etc. I don't think it even fully occurred to me to label it a job skill until I started interviewing for tech positions, when the question of how I kept up with infosec news reliably came up. Political staffers would religiously read feeds like WisPolitics and the Wheeler Report the way security professionals would with threat intelligence feeds. Twitter wasn’t very big yet when I left, but I’d imagine that nowadays every legislative and campaign team has eyes trained on Twitter as much as any security team. Working in politics got me into the mindset of seeing a news release, evaluating how it affected our environment, and figuring out what actions to take as a result.

Working under pressure: I would invite anyone who thinks that “soft skills” come easily to spend a day answering the phones for Democratic leadership in a conservative state during budget season. Or work on a campaign when you know that the political winds are not in your favor. Being able to keep a clear head and triage when it feels like everything is imploding is not an innate skill -- it takes practice, as well as a fair amount of desensitization. And it’s a vital infosec skill, particularly for those in areas like incident response. As they say, it’s not a matter of if your organization gets breached, it’s a matter of when. My political work wasn’t glamorous, but it prepared me well for keeping calm and carrying on in security. (Well, most of the time.)

Politics to infosec may seem an odd path, but many others have found ways to connect their past work to their practice of security. If we hope to move forward as an industry, we need to make more of these connections. Security affects everyone in the world; therefore, we need to bring in perspectives of all kinds. Homogeneity does not serve us well.

Coming into security with a background in another industry doesn’t show that we’re indecisive or lacking dedication -- it shows that we’re adaptable, and that even if we didn’t get it quite right on the first try, we’ll keep hacking harder.