“I reverse-engineered my way into a cyber security career.”
This series aims to demystify careers, challenge stereotypes, and inspire connections. Today we talk with Drew Nicholas, Cloud Cybersecurity Consultant at Microsoft.
Incident Response (IR) is the process by which an organization addresses and manages the aftermath of a security breach or attack. Before joining Microsoft‘s Detection And Response Team (DART), Drew Nicholas was a cloud consultant with significant experience in both Azure and Office 365 deployments. He earned his MBA and Masters in Management Information Systems, as well as his BS in Business Administration and Marketing, from the University of Alabama.
Drew, what do you do, and why?
I meet our customers in a place of chaos and help them make it better going forward.
To successfully do my job, I have to understand the customer’s environment, the systems they have in place, and their mentality. Our customers need to trust that I want to help them, not participate in their blame game. I will do whatever I can to help build that trust, which does involve a lot of travel. We could do a lot of the work remotely, but we accomplish trust more quickly by being face to face.
What a great opportunity to meet people in person and learn from different cultures!
In the past year alone, I’ve been to 14 countries. What a great opportunity to meet people in person and learn from different cultures! I am seeing places I never thought I’d visit, and making friends across our global team.
What made you interested in a career in cyber security?
I “reverse-engineered” my way into a cyber security career. One of my first consulting engagements involved helping a Fortune 100 retailer migrate to the cloud. Watching the organization mature to performing large workloads on the cloud was very cool: I had a front-row view of how governance, operations, and security models were put in place to create a culture of trust in the cloud.
One of the most difficult things for organizations moving to the cloud is trusting that things they used to own will be safe in a cloud operated by someone else — as a cloud provider, we have to fulfill that trust every day. Being curious about what happens when things are deployed securely (or not) is how I started to learn about incident response, secure architecture, and how to help DevOps develop in a secure state.
What misconceptions or “myths” do you encounter that can complicate an organization’s trust in the cloud?
There are a lot of misconceptions about how identity interacts in a cloud context. In some cases, people didn’t know what was available to them, such as Password Hash Sync (PHS) for Microsoft Azure. There is also a lot of misunderstanding about how shared responsibility works, in many cases also related to how their own identity management impacts their cloud’s security.
What qualities does it take to be good at your job?
- Curiosity. You need a strong desire to figure things out. Before working at Microsoft, I had focused on marketing and investment banking in studies, but then became interested in the cloud. It’s ok to be new to IT; you just have to want to unravel a problem and solve it to succeed. One of my mentors advised me to gravitate toward what nobody else is working on. It’s easier to be a subject matter expert if no one has done it before, but on the flipside you need to figure it out yourself. You have to be ok with failing fast!
- Humble. You need to know how to ask for help. Because the cloud landscape of cyber security and the cloud is always changing, you have to reach out to people with the knowledge and skills you may not have. As a team, we are dependent on one another to get the job done for our customers.
- Empathy. In the middle of an incident, I’ve seen customers cycle through the five stages of grief, starting with anger and then landing in a place of acceptance where we can work together. To help the customer move on, we have to empathize and understand where they are coming from to win their trust and work to prevent incidents in the future.
Working an incident response case sounds fraught with heightened emotions! How do you decompress?
I watch a lot of sports! I’m a huge college football fan, but watch everything: Baseball, football, hockey, basketball, soccer, tennis. I also golf when I have the time — not well, but I like hanging out with my friends.
On the plane, I’ll catch up on comedies and Marvel movies. I love that every superhero brings a unique power to the table. I used to identify most with Iron Man’s desire to figure things out and experiment, but I think he lost his thirst for knowledge over time.
Speaking of a thirst for knowledge, what are you excited to be learning about lately?
Zero Trust. I’m fascinated by this future of not simply trusting the idea that “this is my network and therefore safe.” In the cloud, we don’t have a network; you should be able to access anything from anywhere. But how do you secure that?
How do you learn?
I literally just click buttons. I do ask people who know more to teach me, but I personally learn best by doing.
Lastly, what advice do you have for friends looking to be more secure as consumers?
I have a lot of advice. My top three:
- Use multi-factor authentication (MFA) on all your social media accounts, where possible.
- Update everything — your software, your OS updates. Some people are worried about updating immediately because it may be “buggy”, but if you’re waiting till they fix all the bugs, your security will be five years behind.
- Update your hardware! We do so much of our work nowadays on our cell phones; buy a new one every year or so instead of lugging around your device with its cracked screen from five years ago.
For more, read Drew Nicholas’ latest blog on Password Hash Sync. Check out other profiles of people making a difference in cyber security and their career journeys here.
