Working in Cyber Security: “Do not limit yourself to what your professor or boss instructs you to do”

What is it like to work in cyber security? We ask some of the members of the team in Symantec. Today, we hear from Torrey Umland, Leader of Engineers.

A leader should never be in their team’s way. Stock photo.

How long have you been in this role?

I started out with a four-month internship and a two-year stint as a software testing engineer; I had fun breaking things. I was promoted very quickly to my level of incompetence. I’ve been in a manager role for five years.

Saying “I’m a manager” is weak and vague. I’m wearing four or more hats at any given time and I interact with hundreds of people across the organization. Most of what I do is not written in my job description.

Torrey’s Hats:

1. Engineer — solve hard problems and build high-quality products

2. Intern program leader — hire people smarter than me

3. Mentor and teacher — help engineers be better at engineering

4. Project leader — brainstorm, plan and communicate commitments

How did you come to work in the field of cyber security?

As a bored high school student, I became fascinated with Wi-Fi security and website security. I started solving security puzzles on places like Hackthissite.org and reading publications like HackthisZine, Phrack, and 2600: The Hacker Quarterly. Later, around 2007, I got into hardware hacking projects. One of the fun projects I remember was a DIY Wi-Fi pineapple AKA Jasager (thanks Hak5.org!).

My story for getting hired is a bit unconventional. I met a Symantec engineer at an on-campus hackathon. The next year I helped organize the event and I asked Symantec for money. They came through and funded me a few hundred dollars. By getting involved with other extra-curricular engineering clubs I built relationships with students who were interning at the company. I was very close to graduation when I applied for an internship, and I was thrilled to get in. I naively had prioritized many things ahead of finding a career. Instead of waiting until summer, I quit my job in April and started the new gig immediately.

During my internship I heard about DEFCON and nagged my boss weekly to plan a trip. Symantec paid for my trip to DEFCON 19 in Las Vegas. The venue was seemingly unprepared for the madness, and all the credit card POS systems crashed. I was hooked on DEFCON and I vowed to return every single year, even if that meant paying my own way. Symantec sends me back every summer, and I bring groups of college students with me. It’s a blast!

“By storytelling and documenting what you learn, you reinforce your knowledge and allow others to grow; you contribute to a community”

What advice would you give to someone who wants a job like yours?

Do not limit yourself to what your professor or boss instructs you to do. Sign up for more and look for new ways to contribute. People who show a portfolio of work undertaken in their free time stand out from the crowd. The worst thing that can happen is nothing, and the relationships you build in the process are life-long assets.

If security is your curiosity, the barrier to entry is really low. You can download Kali Linux right now and start poking at any software. Many companies will even pay you to find real problems in their application or service. In some cases, the bounties are thousands of dollars. It’s very easy to get involved with open source projects and contribute to security tools or security research.

It only takes a few minutes to create a blog. There are tons of interesting articles on communities like /r/reverseengineering, many of them written by hobbyists. By storytelling and documenting what you learn, you reinforce your knowledge and allow others to grow; you contribute to a community. Technical writing is a skill worth practicing.

Is the course you studied at university relevant to the job you have now?

The university-practiced skills most useful to me now are technical writing, and quick learning.

When interacting with many different people in a globally-distributed team, the ability to write clearly, concisely, and persuasively is very useful. I will never stop learning how to write and communicate more effectively.

The ability to learn quickly isn’t taught, it comes from daily practice. Fast learning is crucial, especially when you work in a highly competitive, adversarial industry like cyber security. Cyber criminals are very clever and keep us on our toes. I will never stop learning how to learn more effectively.

What do you think are three qualities someone who wants to work in a role like yours needs to have?

Curiosity

Read a lot and apply or share what you learn. No one cares how many words you read; all they care about is how you apply knowledge to positively impact their world.

Ask lots of questions. When a project isn’t going well, I have found it’s usually because my team and I are not asking enough of the right questions.

Humility

I think about how not to be a bottleneck and get out of the way of my team. There’s no way an effective leader can keep ahead of a group of high-performing, really smart people.

We are all proven wrong, we all regularly make mistakes. You must be humble and admit you are wrong, in order to quickly move forward.

Empathy

To serve people effectively, you need to be able to put yourself in their shoes. If your care for someone is only an act, you reek of inauthenticity. It’s challenging to be empathetic towards diverse groups of people. You need to try to understand what they’re going through even when you’ve never experienced anything like it.

Also, when you’re building a high-quality product, you have to put yourself in the shoes of the customer. Otherwise, you build something the customer doesn’t want.

“Reflect on your failures and victories, learn from them”

Any other tips, advice or anecdotes you would like to add?

I’m always trying to get better at celebrating success and giving praise where it is due. On a daily basis, show people you appreciate their hard work. It only takes a few seconds to say thank you. Bring the joy! I have this phrase posted at my desk and set as a reminder on my phone.

Opportunities to work with people smarter than you are incredibly valuable opportunities. Many students at large universities do not receive quality feedback. Passing a few automated tests is nothing compared to having an experienced engineer coach you on writing better code. Access to ask questions of experts is a valuable resource, not to be taken for granted.

The highest performing people I know take feedback very seriously. Ask your peers for critical feedback. Take your time sharing quality feedback with your peers. Also, give yourself feedback. Reflect on your failures and victories, learn from them. Try not to repeat failures, but don’t dwell on them; try to repeat success.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.

Read more from Torrey here.

Like what you read? Give Security Response a round of applause.

From a quick cheer to a standing ovation, clap to show how much you enjoyed this story.