Information Download: InfoSec Q&A - Julie Carres

Q&A

Julie Carres - Delivery Management Specialist


Tell me a bit about yourself, what is your current position, what are your current responsibilities, what's something interesting about yourself?

I am a career changer into infosec. I was a teacher for 18 years. I’ve lived all over the country (and also briefly in Italy), and I love this field! Currently I am a junior pentester with KPMG, and I am about to present the findings for my first pentest soon.

Some responsibilities I have are creating virtual machines and preparing physical machines to be delivered to the clients so they can plug them into their networks for us to use for an internal pentest. I also do the pentesting, help write reports (I am junior, so am still learning how things are done here), and present things to the client. I have also been interfacing with the clients a great deal to give them tech support for our testing machines. I spend lots of time studying, and recently have been writing a script to automate some manual processes.

Something interesting about me is that I have an undergraduate degree in Art History!


What got you interested in infosec? What does the path look like that led you into your current role?

My partner career changed into infosec from auditing. When we started dating, he invited me to come to this little conference in Las Vegas called DefCon. I went—I mean, Vegas! I figured I’d learn something fun, and would eat lots of great food. I was unprepared for how it changed my life. It was more than fun, it was all I wanted to do with my life.

I went home the first night and signed up for Cybrary and a bunch of chall sites. I started watching YouTube videos by Professor Messer on Networking and Sec+. I went to conferences—so many conferences—anything I could travel to within five hours. At one of them, I won a SANS NetWars subscription, which was amazingly fun and helped me a great deal with my Linux command line skills.

I did CTFs. I got a subscription to TryHackMe and started doing their beginner track. Finally, I applied to the SANS Women’s Immersion Academy, and got accepted. It was breakneck speed, but the day after I passed my last certification exam, I started working at KPMG!


Do you think a formal (four year degree) education is recommended for getting into an infosec career?

I don’t, obviously, since I started mine without it. But I was also EXTREMELY fortunate to have not just fantastic mentors, but a crack at a prestigious certification program that would otherwise have been financially unavailable to me. So while I don’t think it’s necessary to have a 2-to-4 year degree, I think that classes, in whatever form they take, be they online (I did some Coursera Princeton Computer Science classes all the way through) or through a college, are important. I honestly would say that community colleges and junior colleges have some great resources.

Don’t waste big bucks getting a masters in Cybersecurity—I know a couple of people who did that, and I found myself way more knowledgeable than they were after a few more practical courses online and through SANS. On the other hand, my friend who did community college cybersecurity classes was right there with me, as far as knowledge goes. Community colleges tend to focus on more practical, get-you-into-the-workforce type skills, whereas there is more theory and management skill in a master’s degree. They assume you already work in the field and want to deepen your knowledge.

Do you think certifications are a good way to get into the field? What, if any, do you personally have? Do you think they've been beneficial in the long-run?

Yes, I think so. People like letters after your name. I have three SANS certs: GSEC (GIAC Certified Security Professional or something like that), GCIH (GIAC Certified Incident Handler), and the GWAPT (GIAC Certified Web Application Penetration Tester). The process of getting them was incredibly rewarding. I think certs help also because you do have to learn the content to be able to pass them.

What do you think is something often overlooked by people interested in entering/transitioning into the field?

Learn networking. Net+ (which I never ended up testing for) was a great learning experience, and was a foundational underpinning for so much of my other learning in the SANS academy. You have to know how a network…works. Also, Windows security. We’re all excited about the Linux command line and all that, but most machines are Windows boxes, and their software is Byzantine. Don’t neglect learning about it.

What challenges do you believe newcomers to infosec may face when starting out?

I bet everyone says “imposter syndrome” but I’m gonna say it too. It’s hard to believe you’re worthy when you have lots of job rejections, and when you have not even had a chance to prove yourself to yourself. But you have to be patient!

Asking questions. IT IS ALWAYS BETTER TO ASK! If the place you work doesn’t like the large number of questions you ask, it’s not a good place to be. I even asked questions in my interviews!

What are some common career mistakes people make, and what advice would you give them?

I…don’t know. I have not had enough time in the field to make a common career mistake. If I could hazard a guess, though, it would be languishing in your current knowledge. You have to keep learning, because this field moves fast.

What do you feel is something organizations continue to miss/ignore when implementing security practices/features?

PASSWORD POLICIES!! 8 characters is not enough! It’s stronger to have longer passwords with no capitals, numbers, symbols, or all that garbage, and people remember them better and have an easier time typing them in. ALSO, don’t make people reset their password every 3 months! It leads to stupid passwords like “Summer2022!” because folks can’t remember their new passwords when they change that much. Make the passwords expire once a year if you must, and insist on longer passPHRASES instead.

Do you find it difficult to maintain a proper work-life balance?

I used to be a teacher. For 18 years. What is this “work-life balance” you speak of? I don’t understand. Can you give me an example? In all seriousness, I probably do have problems with that, because I’m just conditioned to never stop working. I think if I really wanted to I absolutely could stand to cut back a bit. But when there’s a deadline, or something is really fun, yeah. I work lots of extra hours.


If you weren't working in infosec, what would you be doing instead?

Teaching high school math. I still love that job—I just like this one better, and it pays enough for me to actually retire someday. Financial stability for the WIN.


What advice would you give to someone looking to make the move into infosec?

Don’t give up. There are so many pathways! Every infosec transition story is different. Also, work hard. When you’re watching those videos on YouTube, take notes. Seriously. I can’t tell you how often I have gone back to my notebook full of useful info from a random hacking video.

What's a major accomplishment you've had (work related or not)?

I got to speak at The Diana Initiative and BSides Tampa last year! That process was incredibly fun and rewarding, and it played to my strengths. It was a way to show potential employers that I was more than certs, I had “soft skills.”

What are one/two things you believe the current infosec field is missing?

More diversity. We badly need you, women and people of color! Studies show that more diverse groups make better decisions as a team.

More ways to onboard newcomers. If people want to increase the infosec workforce, they need to invest in training programs and hire promising n00bs that are hungry to learn and improve.

If you could go back 5-10 years and give yourself one piece of advice regarding your path in the infosec world, what would it be?

I would go back 10 years and tell myself to get started already! Teaching is a dead-end game.

 