Life in Cybersecurity: From Law Firm Librarian to Senior Cybersecurity Analyst with Tracy Z. Maleeff
We often interview InfoSec professionals who came to the profession from other areas of technology. Many network engineers, system administrators, and developers found it easy to make the transition to information security. The previous skills were easily applied to cybersecurity. However, in rare instances, an individual can connect a seemingly unrelated specialty to the world of InfoSec. This is the path that Tracy Z. Maleeff, the InfoSecSherpa, carved for herself with great results. We recently had the opportunity to speak with Tracy about her unique journey into cybersecurity.
What was your previous career?
My previous career was as a law firm librarian. I did that for a long time, overseeing a lot of the collections and performing research. I was very active in a professional association for librarians, and I thought that was going to be my career for life.
When the economy turned and law firms started to downsize and even close, I realized that I didn’t want to be one of many librarians out on the street looking for a job. I found an article about how to future-proof your career and I really started to look into ways that I could translate my library science skills into another industry, and I looked towards technology and then eventually found cybersecurity.
Can you recall any particular moment that brought you to technology?
Since I had my eye set on tech, I did everything that I could in the tech space to really get a feel for it. So I went to a lot of professional meetups. I went to a coding class, but I walked out after 15 to 20 minutes because I had the realization that coding was not my real interest. Even though I didn’t stay with it, I still saw that as an investment in myself because I knew that I could check that off the list, and I didn’t have to keep chasing coding. I recommend that to people when I give advice; don’t look at any experiences as lost money. You’re saving yourself some money in the long run because you’re not chasing something that you don’t really like.
My early experiences were not positive. I would go to meetups and so many of the other attendees just wanted to know if I had any money to invest or if I had the next great social networking idea. Since I was not there for that, they would literally just walk away. I was discouraged, and I thought that the people in the industry were not very nice.
It was a male friend who was an ally to women in the tech space who introduced me to the Women’s Society of Cyberjutsu. Along with that, he was explaining backend security to me. He said, “I think you’re spinning your wheels with this tech stuff. I think you should look at server side technologies.” I wasn’t sure what that was, and he helped to educate me. Once I connected with Women’s Society of Cyberjutsu, I was hooked, “They had me at port scanning.”
One of the other things I did was to set up a lot of Google alerts for tech stories and different keywords in cybersecurity. I found that I was clicking more on the cybersecurity news items than the tech news items. So that’s also something I recommend to folks. Find out where your curiosity is naturally taking you. For me, it was the breaches and the ramifications of data loss and other security topics that were more interesting.
What were the key challenges when transitioning to cybersecurity? What helped you navigate those?
The biggest challenge was going from a predominantly female career to a very male dominated environment. Librarianship is easily 80% or more women. Also just going from being a big fish in a librarian pond to this kind of wonky looking fish in this InfoSec ocean. I somehow instinctively knew that I belonged here, but having to convince people that I belong there because of my skills was the other challenge. After I quit my job at the law firm I spent a year and a half just networking, going to conferences, going to sessions, meetups, just being a sponge to absorb everything, and I had my elevator pitch of what my library science skills could do for information security, and I built my path that way.
It was unchartered territory. I was just out there trying to get through and, along the way, trying to bring other librarians with me. That’s kind of how I did it. It was just grit and determination, and eventually, a post on Twitter is what got me my first real InfoSec interview, that turned into my first InfoSec job as a SOC analyst. I wanted to still have a career and use all the skills that I had, and I saw more of a career opportunity in InfoSec than I did in law firm libraries.
Did you have to go through any specific education for your role now?
Overall, the way things happened, I don’t think anyone was expecting certifications from me. They were more looking for what knowledge I did have, and perhaps the fact that I already had a master’s degree held some weight for some folks because it showed that I did have advanced education. Now, when I did get my first job in a Security Operations Center (SOC), the first thing they did was ship me off to SANS for the GIAC Security Essentials class. People often ask me how I got a SOC job without any certifications. Even though it was not that long ago, 2017 was also a really vastly different time for our community.
I was also able to show what transferable skills I had and my ability to learn. I had a SOC manager who was very much looking for outside the box solutions to get good SOC analysts. So, I think some of it was just fate timing preparedness. I still immersed myself in InfoSec so I could speak about all of these issues. I just didn’t have the piece of paper to back it up.
The day that I had my SOC interview was the same day as WannaCry. We didn’t even know it was called WannaCry yet since it was still the early hours of it developing. I remember thinking to myself, “if I was interviewing me on a day like today, I would ask questions about what’s going on, even though it was still early on. I grabbed whatever information I could, and I remember thinking that a good first question would be, “how would you remediate the situation knowing all the information that we have?” And that was exactly the first question they asked me.
Because I practiced my response, I said what I would do, and I remember all the panel all looked at each other with surprise because they didn’t think of that. I approached the problem more from a human perspective, not a technical perspective, and as happens with a lot of technical minded folks, they tend to forget the human aspect. I wound up getting the job and did that for almost two years until they had a massive layoff. But yeah, that’s what it was. It was just through my own self-education and knowing that being able to articulate and express the news items and these concepts were serving me better than just the certification.
Can you tell me more about your time in InfoSec? What do you love most about it?
I just knew from all my research skills and my own personal interests in global matters, that threat intelligence was really what I wanted to do. I knew all along, even when I was in the SOC. What I didn’t realize and was not explained to me was that a lot of companies want their threat analysts to be very technical and not so much interpreting the results. I was very much spinning my wheels trying to get into InfoSec without all the certs for all the hard technical skills that they wanted. That’s when eventually I found out about the softer side of threat intel. I feel like that’s really missing, that everyone’s really good at finding the hard information and the raw data, but few are good about trying to tell a story about it or understand why it makes sense. I’m really good at helping to connect the dots for people where you think there might not be a connection.
I knew that library science has a place in InfoSec. That’s what I’ve been trying to do with library science; make more people aware of these principles that we don’t have to from scratch. Library science has been around a long time. Why don’t we just borrow some things from them?
Based on your experience, what advice would you give to others who are thinking about the change?
This is so important – Be very aware of the news. Be aware of what’s happening. You need to absorb, you need to be curious, and you need to have initiative because so much of this role is research, whether you realize it or not. And don’t discount the people skills. Recruiters really need to look at people who have had customer-facing service roles. We need to hire more people who have experience with accounts receivable because they’re the ones getting all the phishing invoices, and they know what these things look like. I think we would be better served if we further diversified the InfoSec workforce by including career changers. We still need a lot of the traditional technical roles, but we really need to start looking at career changers and things like that, like myself, who can bring other aspects into the field that can really move us further forward.
Tracy exemplifies so much of the importance of the non-technical side of information security. It is a huge field, and it will grow not only with technical professionals but also with progressive thinkers such as her to make the true advances that we need to succeed.