HOW TO USE YOUR TRANSFERABLE SKILLS

Kip Boyle: 

Hi, this is Your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. My name’s Kip Boyle. I’m an experienced hiring manager of cybersecurity professionals. This episode is available as an audio only recording in your favorite podcast app. So, all you have to do is search for Your Cyber Path and you should find it pretty easily.

We’re also a video on our YouTube channel and, no surprise, if you go to YouTube and you search for Your Cyber Path podcast, you should find us very, very easily. So, today I have a guest on the show, please meet Marc Menninger. Marc is a cybersecurity hiring manager, and he’s going to share with us some information about who he is, how he got into cybersecurity. He’s going to tell us about how can somebody break into cybersecurity.

He’s actually got a great story to tell us today about somebody that just joined his team, and then he’ll provide some additional insights into how people can prove that they have what it takes to the hiring managers during the interview process.

Then, we’ll wrap it up with… And I’ll ask him the question, what is the number one mistake that Marc sees job candidates make?

So, Marc, thanks for being here for very much. I’m very happy to have you on the podcast.

Marc Menninger: 

Great. Well thank you for inviting me, and I’m happy to be here.

Kip Boyle: 

Well, let’s get right to it. So, would you please tell me what’s your current job and tell us a little bit about what kind of work that you do?

Marc Menninger: 

Yeah. So I am the Director of Cybersecurity at a company called A Place for Mom, and my office is in downtown Seattle. And I lead a security team, and our whole role is to make sure that the security controls are being applied throughout our organization to make sure that our data is being protected.

Kip Boyle: 

Okay, great. So that means that you hire people, that you have hired people before. And let me just ask a couple questions about your current role. So perhaps people in our audience have never heard of the company that you work at before. Tell us a little bit about what does your company do and what are the top digital assets that you have to protect?

Marc Menninger: 

Yeah. So my company is called A Place for Mom and it is a tech company, and what we do is we provide a service for families who have seniors and they’re looking for senior living communities for their relatives to move into. So we are essentially a lead generation service for senior living communities all over the country.

Kip Boyle: 

Okay. All right. Okay, that makes sense. And I think with the demographics in the United States being what they are, you guys probably have a huge total addressable Market, is that right?

Marc Menninger:

Yeah, it is huge and that’s one of the reasons why our company is growing. And we’re the number one service that provides this information and these connections to the senior living community. So, yeah, it is a big growing business.

Kip Boyle: 

And so what kind of digital assets are you keeping your eye on?

Marc Menninger: 

Really good question. Mostly what I would describe as intellectual property, the way that we generate the leads and process the leads is very proprietary. And so we really want to protect that. Of course, we want to protect the integrity of our systems to make sure that they’re up at all times. We’re essentially a 24=hour business and so we’re working around the clock. So we need to make sure that our systems are resilient and are secured to the point that they aren’t susceptible to down time.

Kip Boyle: 

Okay, that makes sense.

What about, do you have any personal information on customers? What kind of sensitive data are you having to protect?

Marc Menninger:

We don’t have a lot of personal information. Of course, we’ve got contact information for our families and our seniors that we’re working with, and we may have some sense of information around if they have a particular condition, which means they need to go into a particular type of community. So we might have a-

Kip Boyle: 

A medical condition.

Marc Menninger: 

Yeah. Like maybe they have-

Kip Boyle: 

Alzheimer’s or something?

Marc Menninger:

Alzheimer’s, or dementia, or something like that. And so not all communities can support that, so we will take a note of that and make sure that they are given opportunities to look at communities that can support that. So we do have a little bit of sense of information about the families. And then as far as the communities, who are our direct customer, we’re supporting the communities, we mostly have contact information. And so we don’t have anything particularly sensitive related to the communities.

Kip Boyle: 

Okay. So, yeah. So not too sensitive.

And then of course, so you’ve got your proprietary data, you’ve got the availability in your systems, you’ve got some personal information on customers or people seeking a placement. And then I would imagine you also probably have payroll information for your workforce, probably [crosstalk] sensitive digital asset that you have.

Marc Menninger:

Absolutely. Yeah.

Exactly.

Kip Boyle: 

Of course, you got the money, right? You don’t want anybody to scam your employer out of money with a business email compromise, or something like that.

Marc Menninger: 

Right.

Kip Boyle: 

Or a ransomware attack, right? Ransomware attack would be horrid if you guys fell for that.

Marc Menninger: 

Exactly. Yeah.

Kip Boyle: 

Okay, great. I think that gives us a really strong sense of what your landscape looks like at work. So how did you get into cybersecurity? Could you give us an understanding of your journey?

Marc Menninger: 

Yeah. Well, I’ve been doing cybersecurity for a couple decades, I kind of lost count, but started much the same way as you did, started as a career officer in the Air Force and so I was a communications and computer systems officer. And so I went through a lot of military training to learn the skills and the technologies for the military. That was basic com officer training, so BCOT. And then I went through advanced com officer training, ACOT. And so it’s just hardcore military grade knowledge of systems, com systems, networks, and how to secure those. I used to use the STU-III telephones. You probably used those.

Kip Boyle: 

I remember those. Yeah.

Marc Menninger: 

They’re the ones like… They’re like a brick. And then when you talk to the person on the other side, it’s completely garbled because it’s encrypted, so lot of hands-on experience in the military. I was a manager of a test bed for a top secret system, and so I had a top secret clearance, and did a lot of the top secret stuff related to that. So I got really a crash course in security, straight out of college. I had a degree in mathematics and was able to get into that kind of tech role.

And then after that, after the military, I had a series of IT and security roles. And in fact, I worked with you in a couple of those. I was a security consultant where I would lead penetration test for our clients or conduct security reviews for our clients. After that, I went into a security management role for a different company, and then security director role. So I sort of evolved into this security director role, and I really liked the security director leadership role, because then I get to apply all of my security experience that I’ve gathered over the last 20 some years and mold the program in the way that I think it needs to be done to achieve the level of security that the organization wants.

Kip Boyle:

Okay, great. Now, at some point you needed to make a decision, I imagine. I mean, this was a decision I needed to make, and I know a lot of other people who’ve had to do this, where you were an individual contributor and probably fairly technical to very technical, and then at some point you probably had the opportunity to transition into people management.

Marc Menninger: 

Right.

Kip Boyle: 

What was that like for you?

Marc Menninger: 

That’s a really good question. I’ve often thought about this like, “Why? Why am I here?” Like, “How did this happen?” Well, it used to be that I used to have this career aspiration to be a CISO, like you. But a while back, I’m like, “Yeah, I don’t know if I want that anymore.” I like the level that I’m at as far as being able to directly contribute to the improvement of the security for an organization. But the idea of being at the CISO level where it’s more kind of political and you’re having to go to a bunch of board meetings and stuff, I’m like, “Eh, this doesn’t sound much related to security at all.” So I’ve since changed my mind, but I do like the security director role.

And to get back to your question, it was really an evolution where I had some opportunities presented to me where I was asked, “Would you like this role?” And I said, “Sure. It’s something I can do.” And it did give me the opportunity to apply the experience that I have. But then sometimes I’ve thought, “Well, maybe I would like to go back to being an individual contributor.” And maybe I will someday. But right now-

Kip Boyle: 

Yeah, you could.

Marc Menninger: 

Yeah, maybe as I’m starting to retire, I’ll do a a halftime individual contributor type role or something.

Kip Boyle: 

Yeah.

Marc Menninger: 

But right now I like the leadership role just because I get to work with a great team and I get to mold the program the way I want to. So it sounds kind of dumb to say it kind of happened, but I don’t know that I had a specific plan that made this happen. But I would say that there’s always a demand for security leadership. And if that’s something that you want to do, then there’s tons of opportunities for you to do that.

Kip Boyle: 

Yeah, I would agree with that. I think your story pencils for, for a lot of other stories that I’ve heard people tell that like a door was just available and they felt like it was the right time to give it a try, and so they made that transition. And I’m glad that it worked out for you. I know there’s some people that make that transition and they don’t like it, and so that can lead to situations where they feel like maybe they’re trapped, that they can’t easily return to an individual contributor role.

Marc Menninger:

Right.

Kip Boyle: 

And I’ve noticed that, that kind of depends on the organization that you work at.

So, but now that you are in a leadership role, you’re really relying on your team, right?

Marc Menninger: 

Right.

Kip Boyle:

You’ve got to kind of work through your team in order to achieve your program objectives.

Marc Menninger: 

Right.

Kip Boyle: 

And so let’s talk about that, so let’s say somebody in the audience is wondering like, “Oh, wow, I’d love to get a cybersecurity analyst job as a first job in cybersecurity.” And what kind of experience do you think somebody would need to accumulate before you’d start to see them as being irresistible, that you would want them on your team?

Marc Menninger: 

Yeah. Well, that’s a really good question. And I can give you a specific example from my team today, where about six months ago, we had an opening for a security analyst. And so the function of the security analyst is to analyze the gigantic mountains of data that we’re compiling with all of our security monitoring systems and our vulnerability management systems, and help us prioritize what we need to do. And so it involves a lot of crunching of numbers and analysis of the data, drawing lots of graphs, and charts, and spreadsheets, and things like that. So we had a job opening for a security analyst to help us with that. And of course, we got lots of resumes, but one really stood out.

And it was interesting because this particular person did not have a direct security function at the time when they applied, but they had an IT background, really strong IT background. And he was working in a role that was more like IT support. So he was doing a lot of work around monitoring of systems, so he worked with a SIM. He worked with the vulnerability management system. And so he was doing a lot of the work that we were looking to have done, but he didn’t have security in his title. And so, but the way he wrote his resume, I was like, “This guy might be a fit.” Because he included a lot of the key elements that we were looking for, like the experience with these systems. And so we interviewed him. He did really well on the interview and we ended up hiring him. So we took a person who didn’t have a security background and pulled him into a security role. And he’s been here more than 90 days now, and he’s been doing great.

So I think it’s a good example for somebody who doesn’t have a security role today, but they’re actually performing security functions and they are doing maybe more IT, so that you can actually get a security job if you have the right security background.

Kip Boyle: 

Okay, great.

So I’ve talked with many people who are currently in a traditional IT role, like IT help desk, or something like that, or maybe a systems administrator, or a network administrator. And one of the things that often comes up in the conversation where they say, “Well, I want to get a cybersecurity job, but I’m concerned that I don’t have the right kind of experience.” And then I say to them, I go, “Well, if you’re on the help desk, do you reset passwords? Do you take incident reports? Well, guess what, you already have been doing security work.”

Marc Menninger: 

Exactly. Yeah.

Kip Boyle: 

And same for systems administrator, network administrator, because they’re setting permissions, they’re creating user accounts, and that sort of thing. So they already kind of have a part-time responsibility for security functionality. And so I just tell them lean into that a little bit more and accumulate additional experience. Or, maybe you already have enough and you just don’t realize it, so let’s kind of take inventory. And it sounds like that’s what was going on in the case of your team member. Is that right?

Marc Menninger:

Yeah, exactly. And I’m really glad that he recognized that he did have that type of experience and he felt that he could be qualified for our role, and he applied for it. And so that’s another lesson where don’t be intimidated by the fact that you don’t have a security title today if-

Kip Boyle: 

Or a special cert.

Marc Menninger: 

Or a special cert. He doesn’t [inaudible] cert. So yeah, I think he’s going for Security+, or something right now.

Kip Boyle: 

Okay.

Marc Menninger: 

So yeah, that was not a disqualifier for us. Of course, we were asking for it, we were looking for it, but it wasn’t a disqualifier.

Kip Boyle: 

That’s great.

So now I’d like to ask you a related question which is, let’s say somebody says to themselves, “Well, gosh, that’s me. I work in IT. And now that you mention it, yeah, I’ve been doing some security stuff as part of my larger IT job.” And now they might be asking themselves, “Well, I don’t have a cybersecurity certification, but I’m just kind of wondering how do I prove to the hiring manager that, yeah, I’m not a full-time cybersecurity personnel, but you should take a chance on me.” Right? So they’re selling their ability to do this job even though they’ve never done it before. So what are the things that you’re looking for as you make that judgment call where you’re saying like, I think this person can be successful, even though they’ve never done this job before? What are you looking for?

Marc Menninger: 

Well, I think, first thing you need to make sure that you do have the right experience. It’s one thing to try to prove that you have the experience, but if you don’t have the experience in the first place, there’s nothing really to prove. So you have to have that experience.

Kip Boyle: 

So don’t lie your way through it, is I think what you’re saying.

Marc Menninger:

Exactly, don’t try to bluff your way through something. And you probably don’t want to try to apply for a role that has certain skills that it’s looking for that you don’t have, or not even close. But if you do feel you have those skills, the next step is to be able to articulate those skills and the fact that you have that experience. In fact, that gets to probably one of the number one things that I see candidates do, that they make mistakes during the hiring process is, they haven’t through what I would consider to be some of the obvious questions that might come up during an interview. So for instance, in the job listing, job description, usually there’ll be a section where it lists all the responsibilities for the role. A lot of times it’s a bullet list. And you should be able to have a solid answer for why you have experience that would qualify you to perform those responsibilities, or you have something close to the right experience.

And so what I encourage candidates to do is to flip those responsibilities around, turn them into a question that is more than likely to come up during an interview, and ask yourself that question, and then be able to answer it in a succinct way, in a short paragraph or so of how you could perform that responsibility. Because a lot of times I’ll ask a candidate, “Give me an example of when you’ve run a vulnerability management system.” Or, “Just give me an example of when you’ve done this.” And they won’t be able to articulate it very well. Even if they’ve done it, they won’t be able to explain their experience related to that and how that could apply to the role that we’re looking to get filled. So they’re missing the opportunity to express how they would be a really good fit for our opening, for our role. And so because of that-

Kip Boyle: 

That’s kind of tragic. That’s kind of tragic, isn’t it? Right?

Marc Menninger: 

Yeah, I know.

Kip Boyle: Because they have all this information in their head, they have all this experience, but they just can’t say it in a way that’s understandable to you, that actually increases your confidence in them.

Marc Menninger:

Exactly. Like sometimes I’ll ask somebody, “Do you have this experience? Can you give me an example?” And they’re like, “Yeah. Yeah, I’ve done that before.” I’m like, “Well, yeah, tell me more.” You need to explain not only that you’ve done it, but how you’ve done it, and how it improved the organization that you were working for, and how it might improve my organization. And so if you don’t have that skillset, or something that’s even close, then you just have to say, “I don’t know that.”

Kip Boyle: 

Right.

Marc Menninger: 

But then if you answer quite a few of those that way, then the question is why are you interviewing for this role?

Kip Boyle: 

That’s right. Yeah. It’s like, well, you showed me a great resume, but in the interview, I’m not being convinced that you’re as good as your resume said that you were.

Marc Menninger: 

Right. Yeah. And I wouldn’t say that I see that a lot. But to me, it’s just a lack of preparation, a failure to think through what the likely questions will be. And it’s as easy as looking at the job description, looking at the listing, and just reversing most of it. And if somebody asked me this question, how would I answer?

Kip Boyle: 

Right.

I think it’s a great technique that you’re talking about, like take this skill, must know how to run Qualys vulnerability scanner or something like that, and then turn that into question.

Marc Menninger: 

Right.

Kip Boyle:

So then for me, in terms of prep, I would then use that by saying, “Tell me how you, Kip, run the Qualys vulnerability scanner?” Or, “Tell me about the experience that you’ve had using the Qualys vulnerability scanner.” I think that’s a great technique. And at this point, I want to share with you what I tell people, which is whatever question you’re preparing yourself to answer, it could be a hard skill question, it could be more of a soft skills or a human relations type of question, or a behavioral question, you should practice saying it out loud.

Marc Menninger: 

Yep.

Kip Boyle: 

Because I’ve seen people struggle where they’ve said it in their head, so they’ve got this inner monologue where they’re sure they know how to answer that question, but the words have never come out of their mouth before. And just like you’re saying, they get surprised when they get in the interview and they cannot articulate something that they actually know, and know deeply. Right?

Marc Menninger:

Right.

Kip Boyle: 

So that’s a fantastic tip for you to give to help people get ready to prove to the hiring managers that they have what it takes to be successful. Any other thoughts about, from the interviews that you’re doing, can you think of what’s the number one mistake that you see job candidates making in the process of getting hired?

Marc Menninger: 

Yeah. I think it’s really just that lack of preparation, just not being ready for those types of questions that would be likely to be asked, not doing the practice like you described. I think that’s a great suggestion, practice out loud, talk to yourself in the mirror, or whatever it takes, to-

Kip Boyle: 

You can even write it, right?

Marc Menninger: 

Yeah. I recommend that too.

Kip Boyle: 

You could even… I think it would be reasonable to write it out. Absolutely.

Marc Menninger: 

Yeah, write it out. Yeah, pretty much script it. Of course, you would have to memorize it before doing it. You don’t want to be like, “Uh, my answer is…”

Kip Boyle: 

[crosstalk].

Marc Menninger:

Yeah.

So, yeah, I think that’s probably the number one thing. I think that we do run into cases where people aren’t really qualified even though their resume looks like they might be qualified. So yeah, I would recommend just applying for roles that you think you can do, you feel pretty confident, like 80% level of confidence. It’s not about like shotgunning your resume all around the world, those get weeded out pretty quickly. So that’s what I recommend.

Kip Boyle: 

Yeah. So when I talk to candidates about that, I say something very similar. I say, look, if you look at the job description and you see all the requirements in there, if you can do between 50% and 80% of those things… Because most people can’t do a 100%. Otherwise, you’re looking for a more challenging job.

Marc Menninger:

Right.

Kip Boyle:

But if you can do between 50% and 80% of what they’re asking for, then you should go ahead and you should apply for that job. So it sounds like that we’re on the same page.

Marc Menninger:

Yeah.

Kip Boyle: 

But I want to share one thing that I’ve learned and that I’ve heard from other people about what puts people off, or keeps them from applying for jobs. And I was kind of surprised when I found this out, but it turns out that some people read a job description kind of the same way that they read the systems requirements for a game that they want to load on their computer, where they look at everything, and if they don’t have a 100% of what’s being requested, they assume that they can not possibly get that job.

Marc Menninger: 

Right.

Kip Boyle: 

Just like if you tried to load this new video game onto a system that doesn’t have enough RAM, it’s like, “Well, the thing’s never going to run. I’ve got a great video card. I’ve got all the hard drive space, I’ve got the broadband and connection, but I don’t have enough RAM, so this thing’s never going to work.” And so that’s something that I learned somewhat recently that candidates kind of have that filter, which I don’t think is very helpful. So I’m really glad you brought that up because that is such an important thing for job seekers to… If you’re thinking that way, stop it. It’s not a yes, no ,black, white world here.

Marc Menninger: 

Right.

Kip Boyle: 

So I appreciate that you mentioned that, Marc.

Well, as we come to the end of the episode, was there anything else that you wanted to share that you think would be helpful to our audience in terms of how do you get your first cybersecurity job? Is there anything else that’s occurring to you?

Marc Menninger:

Yeah, I get a lot of people… So I have a course up on LinkedIn Learning. I have a couple courses actually related to starting your cybersecurity career. And I get a lot of folks connecting with me on LinkedIn and they’ll say, “How do I start my cybersecurity career? I’m an accountant.” And it’s like, “So where do I begin?” And I’m always flipping it around and saying, “Well, what do you want to do? Because there are a lot of possibilities in cybersecurity as far as what you can do.” And most of the time they’re like, “I don’t know. I watched Mr. Robot and now I want to be a hacker.” And it’s like, well… It’s like, “Yeah, but now you’re talking about being a penetration tester or something like that, which is probably the most technical in-depth type of security role you could possibly pick.” And so it’s like, “And if you’re an accountant, you’ve got a long path ahead of you.”

So it really depends on what the role is that you’re going for. And so I’ve got the course, it’s called IT Security Careers and Certifications up on LinkedIn learning, and it breaks down all the common careers in security. And it talks about the different certifications that you can get that kind of align to those careers. And so I recommend people take a look at that to help them get an understanding of what path they could take, maybe something that’s in line with their experience or their personality, and then use that to get the appropriate experience. And I talk about that a bit in the course too.

So it’s really about having clarity of what you want to do, and not this nebulous, “I would love to do something in cybersecurity. How do I do that?” It’s like, “Well, until you know exactly what you’re going for, you’re just going to be kind of wandering at the desert.”

Kip Boyle: 

That’s absolutely the case. I’m so glad that you kind of opened up the doors for us to talk about this because not only do you have a couple of courses on LinkedIn Learning that people can gain access to… I’m going to add this, which is, I tell people all the time, who come to me in the very same way that you just described, I tell them, look, you need to have a job title. And not only that, but I want you to go out and I want you to start looking at the job descriptions for the kinds of companies you want to work for. So go on to LinkedIn, there’s a massive job section on LinkedIn, and go up there and start searching for jobs by title and start looking at job descriptions because that is the key to knowing what you have to be prepared to do.

And it’s daunting, it absolutely is daunting because there’s so many different places that you could work, there’s so many different sizes of companies, so many different types of industries. And at this stage of the game, people are just like, “Well, I just want a cybersecurity job.” And it’s like, “I get it, but you have to winnow it down quite a bit.” Now, I actually made something to help people with this problem. So if you go onto… We’ve actually got a Twitter account, so it’s called CyberPathMaker, right?

Marc Menninger: 

Cool.

Kip Boyle: 

So if you go up there and you search for that account, CyberPathMaker, pinned at the top of our feed is a visual map that you can grab. And it lays out… And it’s this high vis very large graphic, and it actually lays all out the different types of roles that are available, both technical and non-technical, supervisory as well as individual contributors. And then it also maps out what kinds of organizations you might choose to work at. So it shows up by industry, it shows up by size of company, because it really matters. Like your job that you talked about that you just hired some for a cybersecurity analyst, well, that job at your organization, at A Place for Mom, is going to be very, very different than the same job with that title at like Bank of America.

Marc Menninger: 

Yep.

Kip Boyle: 

Very different job.

Marc Menninger: 

Yep.

Kip Boyle: 

And so that’s something that you have to start to understand.

So anyway, so for those of you who are watching, if you didn’t know about Marc’s course, I absolutely recommend you go and access it. And if you didn’t know about that visual, it’s actually a relationship diagram. So you should go get, that’s free. Just go to @CyberPathMaker and grab yourself a copy. It’s a mind map actually.

And if you have any questions, just shoot me an email, I’ll be happy to help you with that.

Marc Menninger:

Cool.

Kip Boyle: 

So, Marc, thank you so much for being here on the podcast today.

Marc Menninger: 

Yeah.

Kip Boyle: 

Hey, everybody, if you like our podcast, then we’ve made a free guide for you. Not only can you go out and get that mind map that tells you about all those different jobs that we made. You grab it for free. We’ve that actually got a bigger guide for you, it’s called Play to Win: Getting Your Dream Cybersecurity Job, and it fully encapsulates the conversation that Marc and I have had today, that I’m pleased that you’ve had a chance to listen in on. And what the guides kind of says is, if you’ve been playing Capture The Flag, if you know what that’s the like, well, you can take that skillset, that approach, and you can apply it to your job hunt.

So it’s a 20-page visual guide and you can get it for free. All you have to do is go to yourcyberpath.com/pdf, yourcyberpath.com/pdf. Grab a copy of the guide, take a look at it. And if you think it’s lacking in any way, then that’s fine, but you need to tell me how it’s lacking so that I can fix it up for you and for everybody else. And if you like the guide, hey, I’d love to hear from you. You can tell me that you like it. Tell me what you like about it. When I revise it, maybe I’ll add some more information in there.

So anyway, thanks very much everybody for being with us. And I want you to remember that you’re just one path away from your dream cybersecurity job. So thanks very much. And we’ll see you next time.