Being Courageous, Curious, and Thoughtful in Cybersecurity
June 24, 2019 • Zane Pokorny
Our guest today is Tracy Maleeff. Before earning a position as a cyber analyst at a Fortune 500 company, she ran her own firm, providing information security and competitive intelligence research. Prior to that, she worked as a library resources manager for a major law firm.
Tracy shares the story of her unusual career journey from library science to cybersecurity, her advice for getting up to speed after a mid-career course change, as well as her thoughts on team building and the importance of diversity throughout an organization.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 113 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Our guest today is Tracy Maleeff. Before earning a position as a cybersecurity analyst at a Fortune 500 company, she ran her own firm providing information security and competitive intelligence research. Prior to that, she worked as a library resources manager for a major law firm.
Tracy shares the story of her unusual career journey from library science to cybersecurity, her advice for getting up to speed after a mid-career course change, as well as her thoughts on team building and the importance of diversity throughout an organization. Stay with us.
I decided that I had reached everything that I could accomplish in library world. I spent a total of 15 years as a librarian, mostly in law firms. I have a master’s degree in library and information science. And I was kind of sad because I’d worked so hard to reach this pinnacle of librarianship and I thought, “This is it.” I just didn’t find any opportunities that interested me, and on my commutes in and out of the city of Philadelphia on the train I read this article by Entrepreneur magazine called “How to Future-Proof Your Career.” One of the tips they gave in the article was to think back about all the jobs you’ve had and what aspects of them you really liked the most or which really interested you, and that would be your catalyst to figure out what your next moves should be.
For me, I realized that any component of tech that was involved, especially the troubleshooting aspect of tech, is something that I really enjoyed, whether it was when I was a travel agent or when I was a librarian. That’s when I started to explore the tech world. So I went to a lot of meetups, classes, workshops, but I quickly discovered that front end was just not to my liking. No offense to anyone who was from front end, a computer person, but just learning Ruby on Rails was not my cup of tea. I actually walked out of a Ruby on Rails workshop. I paid $25, but I felt confident that I knew I never had to look at it again, and I was happy to part with that $25.
You got your money’s worth just to learn that.
Exactly. Exactly. I’d rather learn there and spend $25 than pursue it as a job and then realize two weeks into a job that it wasn’t to my liking. Then a friend who was a long-time IT person moved into security, saw me spinning my wheels and finally just said, “Let me tell you about the backend side of tech and security.” So I took a very librarian approach to it and I set up Google alerts for different tech issues, security issues, to track who the players are, what some of the terms meant, and I realized that I kept clicking on the articles that were security-related. Those were the ones that were most interesting to me.
So, fast forward: I took some more workshops. My worn-out joke at this point is they had me at port scanning. I was like, “What is this really cool thing? Where’s this been all my life?” So then I was this librarian with security as my quirky hobby, and I decided to ask the CIO of the law firm where I worked at the time, “What is the law firm doing for cybersecurity? We’re in security awareness month.” I put forward a proposal.
I had this five-point plan. There were five Fridays in October that year, October 2015. I said, “Every Friday let’s send out this awareness infographic.” He said, “That’s great. You’re going to be in charge of it, and I’m going to have someone from IT and someone from marketing report to you and coordinate with this.” So that was great. November 1st rolled around, I said, “What else can I do for the firm security-wise?” And he was very nice and he said, “You know, this was great, but you can do this again next year,” and that wasn’t enough.
I needed more, so I started to formulate a plan. I created my own company, Sherpa Intelligence, and in February 2016 I was finished at the law firm. I had quit my job that had the office with the floor-to-ceiling windows and the door and things, other trappings that mean success to some people. And for me it was, no, I need a new beginning. Two weeks after that I was on a plane to San Francisco to attend RSA with, what, 40,000 of my closest security friends. I did my own business for a year and a half. Then a company came calling and hired me, which is what I wanted to happen, and I’ve just embraced it.
I went all in and I like to bring with me this special brand of viewing security through this library science lens, which means interacting with the end users differently, looking at the organization of information differently, and I’m not telling people that they’re wrong, I’m just showing them that there’s another way to do this. Again, I’ve realized it’s not everyone’s skillset, but I just want to point out that there are other ways to do things in security to borrow from library sciences, for example, but someone who comes from another industry could also bring the same thing. So, I’m just doing my part to represent library sciences and security.
Well, let’s explore that some because I think for most of us if you say someone is a librarian there’s certainly an image that pops in their minds. For me, it’s the folks who help out at my local public library, but there’s a lot more to library sciences and the sorts of skills that you bring to the table. Can you take us through and help us understand what that’s all about?
Absolutely, yeah. There’s certainly librarians that you’re aware of, like you said, at public libraries. There are school librarians. Then there’s this whole other world of what we call special librarians, and special just means they didn’t think of a more creative name to come up with other than public or school. But obviously academic libraries have librarians, law firms have librarians, courts have librarians, and companies, government agencies have librarians.
But keep in mind, a lot of these roles that they have may not be called librarian, but the skills are information-related. So that’s another thing, there’s places you wouldn’t expect librarians would maybe be, in a marketing department because they’re very good with data. So like I said, over 15 years, I spent most of it in law firms, but I also worked for a corporation. At one point in time I did a maternity cover at QVC, that QVC, the home shopping channel. I did business-related research for them. I did work in a community college. I worked at Penn State actually while I was going to graduate school. Worked in their library while I was going to what we call library school.
So there’s many different areas, but while I was actively involved in the Special Libraries Association, a professional association for special librarians, I was most actively involved in what we called the legal division, but I interviewed, or talked to, or knew librarians who worked at the Federal Reserve, at Fortune 100 companies, not just big law firms, government agencies. There were definitely military librarians. So it’s just … Yeah, it’s not just reading books to small children. That is one skillset that I do not have, but it’s about information management and either dealing with individuals or dealing with books or dealing with databases. It’s just some sort of information management. So it’s definitely a much broader field than it gets credit for.
But yeah, you want to be friends with a librarian because we know how to find things. Even if you don’t know the answers to things, you know how to find them, and that’s more critical.
Yeah. I guess that really leads to what I suppose is a fascinating crossover between those skills and you being able to put them to good use on the security side of things.
Sure. Well, privacy has been deep rooted in librarian world for a long time. If you Google, I believe, librarians and the NSA, you’ll find articles about librarians going to great lengths to protect patrons and their privacy. So that concept, and we know that security and privacy are very closely intertwined, but there are some issues where we differ. So the concept of it wasn’t totally foreign to me, but I’ll tell you, when I was at the law firm I definitely had conversations with attorneys who said to me, “Oh, well my Lexis password is the same as my bank password,” and even though I wasn’t a security professional and before I took it on as my quirky hobby, I knew that was wrong. So, yeah, there’s definitely aspects of it that are really not that unfamiliar to library science.
What was that first year like when you set off on your own? When you left the thing that you knew, your experience at the law firm, and you decided to go out on your own, what was that like going out and finding clients and building up the skills and the confidence to do that?
It was exhilarating. There were some nights when I first started that I was just so happy and ecstatic that I couldn’t sleep. Getting to know what Twitter is like at three in the morning when it’s a different time of day in other parts of the world was very interesting. But I was just very excited, so I went ahead with full gusto. I went to every conference I could attend, either through a free ticket, or maybe I talked to a company about having me do social media for them on site to represent them, or just paid for it or just figured it out. I scrapped and scraped and I wanted to go to as many conferences as I could just to learn and to meet people and I really enjoyed going to the exhibit halls, which I know most people avoid, because I wanted to know who the players were in this industry.
I feel like you need to know who all the vendors are. Yes, I know the whole, “I don’t have purchasing power” thing. I was just very upfront with people. “Hi, I’m new here.” I tell a story, I don’t know if I want to say the vendor’s name. It’s a positive story, but I don’t know if I want to say their name. I approached their table at a well-known conference and they’re a pretty major player and I was completely oblivious and I just said, “Hi, what do you do?” And without any judgment, without any eye roll or anything, and I explained my situation. “I’m new to this, who are you? What do you do?” And again, just with the most pleasant attitude showed me their product, explained it to me. Then when I tell that story to other people and I tell them who the vendor was, usually a spit take ensues, “You asked them who they were and what they did?”
And I said, “Well, they’re not really known outside of security. You all are kind of in your bubble,” to a general lay person like myself, they’re not … Maybe more now, but … So I just, I wasn’t afraid to ask questions and I became very active on Twitter. There’s a very, very active information security community, and I would just ask questions and people were very nice and generous with their time. And again, I prefaced it with my situation, “This is why I’m asking. I would like to know what this is.” I was just a sponge, and one of the things that I did, I actually almost forgot that I did this until someone recently asked me for some advice.
I would go to these sessions at conferences, and if I didn’t understand any of the terms that were being used I would take notes by hand, not typing, because there’ve been many studies that show you retain information better if you handwrite. But I would spell these terms out phonetically, then I would go up to someone in person and read it and I’d say, “They said this,” and I’d sound it out the way I spelled it phonetically, then someone would either correct my pronunciation or tell me how to spell it correctly, then explain to me what it meant. Then that was just more knowledge that I had.
I just kept doing that and talking to as many people as I could. Networking is key. I don’t think people understand how crucial human-to-human contact is, and networking with people as opposed to computers is just, is absolutely crucial because you not only learn, but if there is an opportunity, someone will think of you over someone else because you’ve met them. That’s also what I wanted to do. Because I’m also genuinely curious about people. I enjoy asking people, “Well, what was a mistake you made and how did you recover, or what did you learn from it?” And I’m not asking them to embarrass them. I’m asking them to learn from them.
What you’re describing is really fascinating to me because it contrasts with a lot of, frankly, horror stories that we hear about interactions at tradeshows, particularly interactions with women at tradeshows. So I’m wondering, what do you think made that difference for you that you consistently got this response? It sounds like people weren’t posturing, they weren’t trying to demonstrate how smart they were. You were able to switch them into a mode where they were interested in sharing what they knew with you.
Well, I don’t know if this works for everyone, but let me just say, I’m from Philadelphia and I don’t put up with a lot of nonsense. So I think that my attitude going into it … And if I felt like something was nonsense or if someone was not being respectful or truthful with me, then I’m out of there, and I may or may not speak my mind about it. I mean, I definitely experienced odd things.
One very large conference, a female friend and I noticed that we kept getting shoulder bumped constantly by men, even though those aisles are gigantic. We constantly were getting physically shoulder bumped. Again, being from Philadelphia with a tradition of the Broad Street Bullies of the Flyers of hockey, I can throw an elbow or two, so things like that. I was aware of it. I’m not going to say that I didn’t experience it, but I have a low tolerance for nonsense. I attribute that to my upbringing of not just my parents, but just my area of where I grew up.
So I know, again, that’s not everyone’s mindset, but that was mine. You just need to go in and you just need to have your sensors ready. If something isn’t right … I can actually give you a quick example. It was not a security conference, but it was a developers’ conference. This was in 2015. I had purchased a ticket to it before I’d realized that security was really my passion. I went to a booth and I tried that same technique of “Hi, who are you? What does your company do? I’m new to this.” And the man who was in the booth just looked at me and said, “Everybody knows who we are and what we do.”
I was still trying to keep a little positive. And I said, “Okay, that’s great for you, but I don’t because, like I just said, I’m new to this. Can you please explain to me who your company is and what they do?” And it was just silence, like he just looked at me, through me like I wasn’t even there. Again, that’s when my Philly girl kicked in. I said, “Oh, no. This is unacceptable.” And what I did was I leaned into the booth and very loudly yelled to the other people in the booth who were further back. This was actually a rather large booth. I said, “He doesn’t want to explain your product to me. Is there someone here who’s willing to help me?” They came running, and I think one, I swear I saw somebody physically push him out of the way, and I was very loud and I was very direct. I wasn’t rude, but I was loud to make sure it was heard. Then people very nervously chatted to me and yeah, I didn’t put up with it. I could have just walked away and been sad and upset, but no, you don’t get to do that to me.
So you reached the point where you are building a collection of clients on your own, but it sounds like you really had your sights set on ultimately being with a larger organization.
I did. The hustle can be exhausting, and I also didn’t feel like I had enough of a skillset to run my own business that was security related. I jokingly called my business “security-adjacent.” While I did have security vendors as clients, I was doing research for them, not really security things. So I knew in order to get more of a solid foundation in the security skills itself, I knew that would come with full-time employment. So I was fine with that. That was all part of my plan, I knew I needed to get exposure to it through my business, but then I wanted to find that just right job to get into to give me all the other knowledge that I want to have or that I need to have to be a security professional.
How has that experience been? Has it provided you with those opportunities to explore the things you want to check out?
Yes. Between just daily work in the security operations center and training that I’ve been fortunate to receive, I did pass the GSEC certification, which I think is a five-hour exam. I just know that I felt like I gave birth to a SOC analyst after I was finished with that. But yeah, it was the foundation that I needed. Then I’m able to put my own spin on it and use that to propel myself to look into other things going forward.
I want to dig in and talk about threat intelligence with you. What part does threat intelligence play in the work that you do day-to-day?
Unfortunately it’s not a large part, but the time that I am able to spend on it, it’s keeping an eye on basically the headlines. It’s more the OSINT, open source intelligence type of threat intelligence. I like to keep an eye out for articles that will bring to light a situation that could possibly affect my organization, or trends, or things like that. So I keep an eye out for that. I have discovered, I guess because of years of doing this, also through the law firm, that I think I’m quicker at it than a lot of people, and I just feel like I have this sense of just really quickly looking through things. I say this just because the times I’ve been out of the office, say, on vacation and I’ve asked people to cover, people usually say like, “Oh, thank God you’re back.”
That’s nice job security, isn’t it?
Exactly. One of the best compliments I ever received was the first time I was on vacation since I started doing it. So this was two years ago by now, but one of the higher up executives sent me an email after I had … Sent it out after I returned. And yeah, he just replied to the newsletters that, “I’m so glad you’re back.” And I don’t know, it’s just, over the years I’ve just perfected this ability to really have a feel for what I’m looking for, where to look for it. That is just, it’s covering data.
Now, I do understand that in the grand scheme of threat intelligence that’s the equivalent of the kiddie pool, but just in my current position I haven’t really had the opportunity to go that far in depth, and that’s something that I do want to explore more in the future going forward. But I feel like between social media and news stories and also just publications, I feel like I have a good sense of pulling things together that could be useful to an organization so that they can understand what’s going on in the world around them.
I think it really speaks to the importance of diversity of backgrounds and styles of thinking and styles of problem solving when you’re assembling a team in an organization. Because I wonder, just as people look to you, because you have a very specific set of skills that you bring with you, partly, certainly from your background in library sciences, but I wonder as you look around to the other members of your team, do they have approaches to things that are different from yours that they bring to the table where they have strengths in areas where you might not be as strong?
Absolutely. And in a SOC environment that usually means more of a hardcore tech skill. But what also tends to come with that is perhaps a lack of empathy for end users because they may not genuinely understand why a user may click on something or why they did something a certain way. I always try to be the balance there of explaining, “Well, I totally understand why someone clicked on this,” and I would give the reasons.
So, yeah, there’s definitely people who have more of a tech mindset and that’s great and that’s fine, but yeah, you need that balance. You need other ways to look at things. There’s definitely problems that came up that I can’t really get into the specifics, but I definitely know my liberal arts library science point of view turned on some light bulbs when I made comments or observations about things that I don’t think would have come naturally to someone who has hardcore tech skills. That’s just because that’s their wheelhouse and I have mine. The important thing is to speak up about it though.
The opposite is true for me. If I’m problem solving, with my skillset, someone may jump in and say, “Okay, well it’s really this complex technical issue that you may not be able to recognize.” So I take it as a learning moment and then move on with my life and understand that. Okay. So yeah, I didn’t see this because it was something beyond my grasp. That goes both directions for whatever your concentration or interest or specialty is.
What is your advice for that person out there who’s thinking about getting into security, who may be considering a mid-career direction change like you did? Do you have any words of wisdom there?
Be courageous, be curious, and be thoughtful. What I mean by that is you need to be able to put yourself out there and be vulnerable, at a conference, in an exhibit hall, or just putting yourself out there by diving into a bunch of reading material that seems scary and unfamiliar to you.
You need to … if you have transferable skills, if you’re coming from another industry, another vertical, know that your skills have value, but you need to be able to explain them to people. You need to have what’s often called an elevator pitch. You need to be bold, be brief, and be gone. You need to be able to get in front of someone and succinctly in three sentences, explain what it is that you do, what your skill set is.
That was something that I adapted to very quickly because I ran into some people who just dismissed me as soon as they heard that the L word of library. I’m very glad to say that that was in the minority, but I had to be ready to explain my skillset, and you need to be able to do that. You need to have confidence, and you need to be bold enough to go up to someone and say, “Hi, I have some questions. I’m really curious about the work that you do.” Most people enjoy talking about themselves, even security people who are a little private. Maybe don’t ask any probing questions about what their real name is or where they work, but, “Oh, I know that you do reverse engineering. I’d like to learn more about that. May I have five minutes to ask you some questions?” If they say no, then, “May I follow up with you online? May I ping you on Twitter?” You’re selling yourself, so you need to be your best salesperson and your best advocate. But you need to be polite about it, but be curious, absorb everything.
I was serious, write down things phonetically if you don’t know what people are saying and then just find out later what that is. Look it up, ask someone what something means. So you really need to be your own advocate, and you need to be curious, but you still need to have confidence that your skill set has value. You just need to be able to articulate how it fits into security, because some people won’t understand unless you tell them or they may not be able to figure it out. So you need to be clear about that.
Yeah. I think for me, personally, it was an important lesson for me to learn that saying, “I don’t know,” or, “Can you help me understand something?” Is not a sign of weakness, it’s a sign of strength.
Indeed it is. I do want to add the asterisk, though. Do your best to narrow down a question. One thing that frustrates me is … I do enjoy helping people in the community, but what I really honestly don’t have time for is if someone asks such a broad question of, “So how do you do security?” I’ve actually had that question asked of me. I set up a phone call with someone that wanted to get into the industry, and that was their first question, “So how do you do security?” And I shut the call down. I wasn’t trying to be rude, but I said, “I just, I don’t have this much time. Like, I need you to be prepared for this.” So value the other person’s time and really narrow down your questions, do your research, do your homework. It’s fine to ask questions, but again, just be respectful of the other person’s time and don’t ask really open-ended questions.
Some of the questions that I see on Twitter, for example, are things that have already been covered ad nauseam. So do a little bit of …
Two times earlier in the thread.
Yeah, exactly. Exactly. Again, maybe it’s because of my library science skills. I’m inclined to do research first before I actually talk to someone. Others feel like that hashtag lazy Twitter perspective of, I’m going to put this out there. It’s really to your benefit to do some research first and then pose more pointed questions either online or to a person, because you’re likely to get some better answers rather than just asking these broad questions because chances are the answers to the broad questions are online. You just need to find them.
I just want to encourage people to have open minds, especially as hiring managers, have an open mind when it comes to diversity. That means many different things. That means looking at liberal arts majors, that means looking at people who have experience in another industry who are making a career change. All of these people have something of value to contribute, and that pours over to the community. Diversity and inclusion: it’s not enough to say that you’re open to diversity, but you actually need to include people. Does your conference seem very homogenous? Then make some steps to include people. There’s a famous saying that diversity is inviting someone to a party. Inclusion is asking them to dance, so ask more people to dance.
Our thanks to Tracy Maleeff for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Zane Pokorny, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.