EPISODE 64
 
How I Got My First Cybersecurity Analyst Job with Sebastian Whiting
 

How I Got My First Cybersecurity Analyst Job with Sebastian Whiting

About this episode

In this episode, our special guest, Sebastian Whiting will talk about his mid-career transition into the cybersecurity industry. In his previous career, he was in the Navy working on nuclear submarines, and now he is working as a cybersecurity analyst. Together with Kip and Jason, Sebastian covers the step-by-step process of what he did to transition from one career field to another. If you are like Sebastian was and working in a career that you aren’t passionate about, you will learn how to shift your passion into the world of cybersecurity and gain motivation to continue to learn and grow during your transition. Jason and Kip also discuss the importance (or lack of importance) placed on a college degree during this transition, as well as the right time to get either a bachelor’s degree or a master’s degree, since those can affect the hiring process for certain roles with certain organizations. Understanding which organization’s value a degree can help put you on the path to college, or allow you to bypass it completely while saving you a lot of time and money.

What you’ll learn

  • How to transition from your current into the cybersecurity industry
  • Whether a bachelor’s degree or master’s degree is relevant and required for a position
  • When certifications may be important in the hiring process

Relevant websites for this episode

Episode Transcript

Announcer:
                        Welcome to Your Cyber Path, the podcast that helps you get your dream cybersecurity job by sharing the secrets of experienced hiring managers and top cybersecurity professionals with you. Now, onto the show.

Kip Boyle:
                        Hi, I’m Kip Boyle and I’m here with my co-host, Jason Dion. Today we’re here with a guest. His name is Sebastian Whiting, and we’re going to talk with him today about his transition into cybersecurity. Believe it or not, he came into cybersecurity recently from his work in the Navy on nuclear submarines. I think that’s a pretty exciting transition to make. 

I’m not sure which is the more exciting transition, going into cybersecurity or getting out of nuclear submarines, but we’re going to find out today. Sebastian, welcome to the show.

Sebastian Whiting:
                        Thanks Kip.

Kip Boyle:
                        Listen, I hope everybody’s going to be paying close attention because you and I, Sebastian, have been working together now for … Gosh, it’s been over a year, right? Since we first started working with each other, hasn’t it?

Sebastian Whiting:
                        I think we’re coming up right about two years.

Kip Boyle:
                        Oh, wow. Even more.

Sebastian Whiting:
                        I think about this spring it’ll be two years. Two years ago, I think is when I first planted the proverbial flag in the ground and said, “I’m going to do this. I’m going to change career fields, look into something new.” I remember I was on LinkedIn, and I’m not a huge social media person, but I figured it was good to make a LinkedIn post and assert my intentions. Then people hold you accountable because now you’ve made it public and it helps you to stay motivated.

Kip Boyle:
                        Exactly.

Sebastian Whiting:
                        I was looking at posts and things. I was in a comment section and you were sharing about having spots in your course that you were launching. I said, “Well, I’ve got nothing to lose, so let me see what this guy has to say.” I signed up and that course actually turned out to be a big part of helping me develop my strategy, keep myself organized. That’s how I got to know you, Kip. I mean, the rest is history, but that’s what we’re going to go through.

Kip Boyle:
                        Yeah. Yeah. That’s exactly right. That is what we’re going to go through. Now, I can’t believe it’s been two years already, but I want to say something to the audience here. I know a lot of people are very excited about transitioning into cybersecurity from wherever you happen to be right now, or maybe you’re already strongly in an IT role. Maybe you even have an entry-level so-called cybersecurity job and now you feel like you’re ready to be promoted. 

I know you want to have that happen right away, but it rarely does happen as quickly as you’d like it to. It takes intention and effort and time. I think Sebastian’s story is going to be instructive because it took him a couple of years from the time that he really solidified his intention to do this until he’s gotten to the point now where he’s actually made that transition, and so that’s exactly what we want to talk about. 

I also know that you got a lot of other help along the way. You made this really amazing LinkedIn post relatively recently, where you said, “Hey, everybody, wanted to give you an update.” And you walked through what the transition’s been like, which we want to hear that in just a moment. Then you went and I thought very graciously named off several people who had helped you make your transition.

I think that’s another really important aspect about people who want to make these career changes or get promoted, is that you rarely do it alone and you really should be open to having help. Let’s go ahead and rewind. Sebastian, take us back to two years ago when you first had this idea, “Hey, I’m leaving the Navy and what am I going to do next?” How did you decide on cybersecurity as something to do next?

Sebastian Whiting:
                        Well, the first thing I sat on was, what do I not want to do? I wanted to get away from shift work and being up all night, which that exists. There’s 24-hour SOCs out there where people are working shift work and all that, but it’s not all the time. The way my future was going, I was looking at probably working at a power plant, something to that effect, and shift work is-

Kip Boyle:
                        Something nuclear.

Sebastian Whiting:
                        Yeah. Or at least power generation of some sort, and shift work is just the name of the game. You’re going to be working shift work no matter what. I said, “I don’t really want to do that anymore. It’s hard on me. It’s hard on my family.” I wanted something with a little more flexibility. I can’t really take too much credit for the idea because one of my best friends from the Navy was the same job. In the Navy, it’s called a rating, MOS, and the other in the Army and such.

But we had the same rating and we got to know each other through the training pipeline and all that. He actually made the jump before me. He had already been out of the Navy for about four years went through a couple of jobs, went back to school and then ended up in cybersecurity, haphazardly maybe is the wrong word, but it just happened. He-

Kip Boyle:
                        Lots of people just back into it.

Sebastian Whiting:
                        Yeah. It just happened. Then he started talking to me about it and he said, “Hey, Sebastian, you really got to look at this. It fits really well with what we did in an abstract sense. You just got to learn some new technical skills and then after that, it’s a really solid fit. I think you’ll really enjoy it because you’ve always enjoyed computers.” I gave him a hard time. 

I said, “It’s funny that you’re doing this IT work now, because I remember when we met, you barely knew anything about a computer.” I remember going to Best Buy with him to get his first real computer when we had first met.

Kip Boyle:
                        Wow. Wow.

Sebastian Whiting:
                        It was an interesting transition, but that gave me that roadmap and it gave me something to follow and that’s really how I got started. He said, “Go get your Security+. It’s going to be a whole lot to learn all at once, but it’s going to give you a good idea of where you want to go.” He said, “And then from there just take it.” After that, it was hours of research and reading and that’s when I applied for school and really got moving with it.

Jason Dion:
                        Yeah. I think it’s interesting that you were a Navy nuke because as I’ve told Kip before, I was a Navy nuke as well. I did my first four years in the Navy as a nuclear ET, which is a reactor operator. The one thing that we learn as nukes is how to study and retain information very, very quickly. We call it drinking from the fire hose because the way the Navy works is they take somebody off the streets who has no nuclear experience whatsoever.

They give them two years of training where they’re basically putting a four-year college degree in nuclear engineering into about an 18-month timeline. You are just working 50 to 60 hours a week trying to learn as much as you can to be able to run these nuclear reactors.

What I found is any nuke who is getting out, even if they’re not going to stay in the nuclear world, they do really well in organizations and places where they have to learn a lot of information in a very short period of time. Cybersecurity is one of those areas because we have a lot of certification exams. We have a lot of this changing world that we’re always having to learn from.

Did you feel that your nuke background made it a little bit easier for you when you went to go do these certifications and go back to college?

Sebastian Whiting:
                        Oh, absolutely. I finished my bachelor’s degree at Prototype, which for those of you that don’t know is one of the training facilities for the Navy’s nuclear propulsion program. I was an instructor there for my last three and a half years in the Navy. I finished my bachelor’s there and that’s when I applied for my master’s degree program to get that started. Yeah. Absolutely, right?

The certifications made a lot of sense to me coming out of that program because everything is qualification-based. You study for something, you take a test and now you’re allowed to do this new job function and you just do this all the time. 

You just keep moving forward and there’s a constant pressure and that translates really well into the IT world and the cybersecurity realm specifically, like you said, Jason, where you’re always being pushed to get these next certs and to move up. Especially looking like the CompTIA certs, right?

Jason Dion:
                        Yeah.

Sebastian Whiting:
                        When I’m faced with the idea of renewing a certification by retaking the same test or doing continuing education or I can do something higher, it’s a very easy decision for me to just go for the higher one. It just flows. I don’t know that I’ll ever be able to stop trying to up my certification game, even if it’s just for my own personal gratification. 

I know it’s always a controversial topic when you talk about certifications and I’ve listened to you guys talk about it on the show. Trying to stay focused is definitely the big thing with that. But it’s easy for me to pursue them because it just fits with what I’ve been doing for so long.

Jason Dion:
                        Definitely. For those in the audience who don’t know, in the Navy nuclear pipeline, you really don’t have an opportunity to do a lot of IT work necessarily. The most IT-related of the skill sets, the ratings as he called them, is the ETs, which are electronic technicians. Even there, we’re not really doing IT in the sense that you do in a normal corporation.

It’s much more of the OT, the operational technology. Things like SCADA and ICS systems that run these nuclear reactor plants. It is not a directly transferable skill, but you can take some of those skills with you and bring them with you into the new world.

Sebastian Whiting:
                        [crosstalk]-

Kip Boyle:
                        There’s definitely a need. I just want to point out there’s definitely a need, right? In the cybersecurity domain for people who have skills with operational technology because SCADA and PLCs and all that stuff. I mean, just go read anything about Stuxnet if you want to understand what’s at risk here, right?

Sebastian Whiting:
                        Absolutely. In fact, Stuxnet when I first read about that, that was a motivator for me because I was like, “Here’s the world I’m in, here’s the world I want to go into and here’s where they’re merging. I can straddle this.” That’s the big thing. Having a friend that had done it before me and could talk to me about it, and then going through your course, Kip, that’s where I really was able to take my skills that I learned in the Navy and translate them over. 

Looking through, I had to look at I’ve been taking logs. I’ve been doing trend analysis. I’ve been doing asset manage in the sense of we had to handle radioactive material and be accountable for that, as well as just parts in general. I’ve been handling audits year after year. I mean, as Jason can attest to you, the nuclear propulsion world is full of audits. 

I mean, you’re probably getting audited in something every three to six months especially on an operational vessel. That’s really stressful because you constantly have people coming in and picking at your stuff and telling you where you’re messing up. It can also be constructive because you get to identify those problems.

The entire audit process and how to handle it, how to remediate deficiencies, track deficiencies, implement new policies to prevent them from recurring, these are all things I picked up in the Navy and translate very well into my current job. It’s just the lingo that’s different. Now it’s computer systems instead of propulsion systems.

Kip Boyle:
                        Yeah. I love that. You’re … Go ahead, Jason.

Jason Dion:
                        You’re right. I mean, when you talk about something like an operational reactor safeguard exam that you do in the Navy, that is very much similar to what we do in the GRC world, the governance risk and compliance world, inside of cybersecurity. Like you said, the difference is instead of looking at nuclear reactor parts and pieces, we’re now looking at computers and parts and pieces and how they’re done and different configurations to be secured.

Kip Boyle:
                        Yeah. I really love this last segment here, listening to you talk Sebastian, because just in my mind right now, I’m just like, “Yes. This is what Jason and I talk about quite a bit.” Is this idea of transferable skills, right? Is just being able to connect the dots between what you’re doing now or what you’ve done in the recent past and how that actually translates both conceptually and sometimes actually pretty mechanically to the kinds of duties that you’re going to pick up in a new cybersecurity career.

I think you’ve done a fabulous job of actually laying that out. I think the challenge for people who aren’t in cybersecurity though, is just, they really can’t see that. It’s murky. It’s a little foggy. It’s like they can’t actually … It’s hard to actually look into a career field that you’ve never been a part of and to be able to connect those dots. 

So I think that’s one of the big insights that you’re bringing to the audience today, is the fact that if you can connect those kinds of dots between working in the nuclear world and then working in just IT security, if you can do that, well, gosh those connections must exist for a lot of different careers then.

Jason Dion:
                        Yeah. The other thing is, as you’re moving out of the military, a lot of people in the military have some skill sets that don’t necessarily translate directly to other civilian jobs. I spend a lot of time with the military and there’s a lot of guys that come out after 20 years of driving ships as a surface warfare officer. Unless they’re going to go drive container ships around the world, that is not going to be something they’re going to do for the next 20 years of their life when they retire. 

They have to figure out, “What are those skills I had that are going to be directly transferable?” I’ve seen a people go from being commanding officers of a ship to being the mayor of a town or a business administrator for a town or working in business operations and things like that, that they could take the management skills and things like that, that they’ve learned and apply those to other careers.

I think it’s really important for us when we’re applying for jobs in the cybersecurity world, to be able to make that link easier for hiring managers. Because as a hiring manager, if I came across Sebastian’s resume and I saw he was a nuclear person in the Navy, I know what that means, but Kip probably has no idea because he never did it. He hasn’t been dealing with that.

It’s important that as Sebastian writes his resume, he’s writing it for that person like Kip and not that person like me, who already knows the lingo, who already understands what that experience represents. That said, if you can find somebody like me who’s hiring and you happen to have that background and I understand it, I’m going to grab you out because I know what that’s worth. 

There are those things you have to think about as you start using that networking function to figure out, who are these other people who went through this nuclear pipeline and understand it that can help give me a leg into a company?

Kip Boyle:
                        Yeah. As a former Air Force person, as I’m listening to Sebastian talk, I don’t know anything about the nukes, but I can tell you that working in the Air Force with … It doesn’t matter. I worked in some air-to-air weapons testing squadrons. Okay. Well, guess what? We had assets, we had operational readiness inspections. We had all that stuff and it all completely translates over in just the same way that Sebastian was describing. 

I just think it’s really cool that here’s three guys who had military experience, didn’t join the military to learn anything about cybersecurity, but ultimately all three of us found our way to the cybersecurity career for field. I hope that inspires people, gives you a vision for what’s possible. Maybe you’re in the military right now, or maybe you’re in a situation early in life where you’re not sure what you want to do yet. 

If you qualify for military service, then maybe go in and get cybersecurity expertise. But even if you’re unable to get a cybersecurity job right off the bat, know that all this experience that you would accumulate in other career fields is still going to provide you with a transition. You might be thinking at this point about a two-step process. Jason, you’ve talked about that a lot in previous episodes. This whole idea of two-stepping into cybersecurity. 

Anyway, I just find these patterns just repeat, repeat, repeat. Sebastian, I want to ask you now about some of the specific things that were really helpful to you, and you’ve already mentioned several. You’ve mentioned how important it was to have somebody, a friend who had already made the transition, who could help you, sort of explain to you how that transition works, where the points of commonality are. 

You had some other mentors. What about things like you had mentioned to me Hack The Box was really important. Tell us about that. Tell us about really any other things that you found were particularly useful.

Sebastian Whiting:
                        Okay. When I got started, I realized too, I needed a multi-pronged approach. I knew one thing wouldn’t do it. You hear that all the time. You can’t just get certifications. You can’t just go to school. I said, “Well, I’m going to have to do all of it.” Which is a balancing act for sure. I got started on my master’s degree. I was very particular when I chose it. 

I made a point of finding a technical program because I knew I already had some of those … the transferable skills were going to come over. I didn’t want to go to school to have somebody tell me how to do management. I wanted to learn the technical. I was able to find a technical program that was going to help bring me up to speed.

It added five classes to the program, but I took courses in data structures, computer systems, programming. I think that was the big one, and distributed systems before I even started into the core of the coursework.

Kip Boyle:
                        Would you mind mentioning the program? Do you feel okay telling people where you-

Sebastian Whiting:
                        Absolutely. Yes. I’m going to DePaul University out of Chicago. It’s a private university, going on my GI Bill, which a fantastic benefit. The other one I would mention is my friend went to NYU and they have the bridge program which is a similar idea where you apply for this bridge program if you’re a non-technical person coming from outside IT, and they bring you up to speed, and then that supports you entering into the technical graduate program.

Jason Dion:
                        Now, Sebastian, you had mentioned you had your bachelor’s degree from when you were in the Navy as an instructor. What was your degree that you got at a bachelor’s level?

Sebastian Whiting:
                        It’s in nuclear energy engineering technology. It’s a pretty standard degree a lot of nukes. We get a lot of credit for it, just from going through the program. As Jason mentioned, it’s a bachelor’s degree in 18 months. They do give you credit for that. All you really have to do is take … It’s really a lot of gen eds and some polishing classes.

Jason Dion:
                        Yeah. Yeah. The reason I bring that up is because for our audience, one of the things I usually recommend is people don’t go for their master’s degree when they’re trying to get into cybersecurity because what you can find is that once you have your master’s degree, people will say, “Oh, you have this master’s degree, you’ve got maybe Security+, and PenTest+ or whatever certifications, but you have no experience.” 

They’re starting to think, “Oh, you want this high, high pay band because you have a master’s degree.” You start pricing yourself out of the market. It’s something that can be very dangerous for folks. In your case, you haven’t finished the degree yet so I think you’re okay and you already have gotten your first job and kind of working right through it.

It is one of the things I usually tell people, wait on their master’s degree until they get their foot in the door with getting some experience under their belt as well to pair it up with that master’s degree. I just wanted to point that out for the audience to make sure people don’t get the wrong message there.

Kip Boyle:
                        Thank you.

Sebastian Whiting:
                        Yeah. Absolutely. That makes a lot of sense. That was actually something I did think about, but for me, I realized like you said, being in progress to me, that was the message I wanted to send. I’m in the process of doing this, so I’m pursuing this. Yeah, definitely never thought that the master’s degree alone would do it and I’m glad I got a job before I finished. I think that could have been an awkward conversation later on down the road.

Jason Dion:
                        I think the other thing in your case is that you were getting out of the military and you had your GI Bill to use. For those who don’t know, when somebody gets out of the military and they’re using their GI Bill, the GI Bill covers their schooling. It covers their books a hundred percent. It also gives them a stipend, a housing allowance for them to pay basically their mortgage or their rent. A lot of people do that when they get out.

They’ll go to college, even if they already have a job and they don’t need the college because they’re getting that extra benefit from Uncle Sam being able to give them some money. It does make a lot of sense for military folks to use that. But it is something you have to be careful about. Even if you had your degree finished, it may be something where you think about, “Okay. For this job, I’m going to list it on my resume, for this other job, I’m not.” Because based on the job you’re applying for, it can be a detractor. 

Sebastian Whiting:
                        Right. Absolutely.

Jason Dion:
                        Just like certifications, I have 20/25 certifications. I don’t list all of them on a job application. I list the ones that are relevant and the same thing with a master’s degree, I think is important.

Sebastian Whiting:
                        Yeah. Absolutely. You’re right, that-

Kip Boyle:
                        Hey, Sebastian, [crosstalk]-

Sebastian Whiting:
                        Oh, go ahead.

Kip Boyle:
                        I’m sorry, go ahead and respond to Jason. I had another question.

Sebastian Whiting:
                        That’s okay. No. You’re absolutely right, that extra … I do consider going to school kind of my side hustle. People talk about all the time, “What do you do for a side hustle?” Well, I go to school. I’m collecting that GI Bill money and if I don’t go to school, it just goes to waste.

Jason Dion:
                        Yep.

Kip Boyle:
                        The question I wanted to ask you, Sebastian, is you said that you searched for a master’s degree program that had a technical component to it. Would you talk a little bit about, how did you know to do that? Then how were you actually able to choose to know which master’s degree programs had the technical aspects that you wanted?

Sebastian Whiting:
                        Well, at first I don’t think I did know to look for that. I just started looking at schools. Probably looked at probably about a dozen programs. I talked to a few admissions counselors. I started applications at a few and talking to one, I realized like … This is what helped me realize how broad cybersecurity was, especially when you get into terms like some people still call it information security, which is related but slightly different. 

I realized some of the programs were information security programs. They were very GRC-focused, which isn’t a bad thing at all, but for me, I wanted to get that technical skill set built up and fill in those holes in my knowledge. Then I talked to a couple where I could tell they were technical because they said, “Well, you’re going to need experience. You’re going to need coursework and X, Y, and Z from your undergrad to get admitted to this program.”

I said, “Oh, I don’t have that.” You know? It was things like data structures and algorithms [inaudible] towards the classes. That I think was what keyed me in. I was like, “Well, I want to learn that stuff. That stuff interests me.” I like programming. I always have. Just never had the time to dig into it. Funny enough, DePaul is where I was going to go to school before I joined the Navy so it was kind of a natural thing for me to look at. 

I actually avoided it at first, because I didn’t want to go there out of some nostalgia type of thing. Then it ended up being the program that made the most sense for me and where I was and they were going to help me do what I wanted to do. I have to say I’ve been pretty pleased with the coursework so far.

Jason Dion:
                        I’m curious, when you got out of the military, you left the Navy, you had about 10 years in, you’re kind of a mid-career person. You said you got a job. What was that first job that you got getting out of the military?

Sebastian Whiting:
                        Yeah. I am working at a open source software company right now as a cybersecurity analyst, is the title. However, I would say the job roles are quite a bit more varied. The job became aware to me through somebody I knew. They sent me the post and said, “Hey, you should apply for this.” I made my way through the interview process. I actually called Kip and I said, “Kip, I need you to help me get ready for this final interview round.”

Because I went through the HR round. I went through the technical round and everything went well. They had given me almost a day-long interview process. I would say it was very culturally-focused at the end of the day. But as part of that, I had to give a 30-minute presentation on projects, things I had been doing, what I had been working on and basically why I was qualified for the job. I talked to Kip about that and he helped me come up with a few things to look into as well as to help formulate my ideas.

I think that presentation was actually a good thing. It was very intimidating at first. I have to do this very long interview. I have to talk in front of quite a few people, which isn’t a problem. I’ve been an instructor for four years. Talking in front of people doesn’t bother me. I’ve lectured to a hundred people at a time before. But it gave me a chance to highlight everything I had been doing. I took the time to highlight those transferable skills. 

I actually said things like, “In the Navy, I managed radioactive material inventory. Okay. Well, that’s the same as asset management. In the Navy, I took logs on things and I looked for trends and I did trend analysis and I conducted incident response. Well, that’s the same as looking at firewall logs and IDS logs and doing incident response. These are the same things. 

While my technical skills need polishing, I can do this. This is the same thing I’ve been doing.” I actually got a compliment after the interview on that. One person said, “I really liked how you laid those things out and drew those parallels.”

Jason Dion:
                        Awesome. You said you had somebody who pointed that out to you. Was that person already working at that company or is this just that you saw this job and-

Sebastian Whiting:
                        Yes.

Jason Dion:
                        Okay. See, that also helps. That’s one of the things that Kip and I-

Sebastian Whiting:
                        Absolutely.

Jason Dion:
                        … we talk about this a lot, is networking and building your network of people really does help because somebody could say, “Hey, I’ve got this job opening in my company. I can’t guarantee you the job because I’m not the hiring manager, but I could put a good word in and get you out of the big stack of resumes to be considered, to at least get to the interview.” Now it’s on you to impress them through those three interviews.

That’s probably what ended up happening in your case. You got out of the thousand-person stack of entries into the small stack that the hiring manager actually looked at because your friend said, “Hey, I know this guy’s applying and he’s good.”

Kip Boyle:
                        Yeah. I call that having an internal champion. You might hear that. Other people talk about that. That actually is a common thing in just sales, right?

Sales and marketing, is if you’re trying to figure out how you can meet somebody who could buy something that you’ve got to sell, having an internal champion, somebody on the inside who knows you, trusts you, likes you, believes that you’ve got something to offer that will help the company do better and they can open the door that you can’t even see.

You don’t even know there was a door there. All of a sudden, there’s a hole in the wall and you can walk through it, right? It’s like magic, right?

Sebastian Whiting:
                        Absolutely. I would say the other big thing, I know you guys have brought this up before, is I did get to leverage my security clearance. That was an added bonus. I think that’s also part of why they … They actually gave me the job fairly far out from my separation date from the Navy, which for anyone that’s been through a military separation, it’s not like quitting a normal job.


You don’t have the luxury of hunting for the right job while you still work the one you want to leave. You have to stay, “Well, I’m going to get out.” You get a 30 to 60-day window to do that. That’s kind of stressful.

Jason Dion:
                        Yeah. Generally you have to tell the Navy a year ahead of time, “Hey, I’m planning on leaving.” They have to approve you to leave. Then once they finally say you can leave, then that starts that year out process. But most companies won’t talk to you. They don’t want to listen to you because until you are out of the Navy or within 30 days of getting out, they’re not bothering to interview you a year out and saying, “Yeah. We have a job lined up for you in 2023.”

They’re not thinking that far out. It does become a very difficult thing and a difficult process to go through as you’re trying to separate out of the military.

Sebastian Whiting:
                        Absolutely.

Kip Boyle:
                        Any idea why your current employer felt comfortable waiting for you?

Sebastian Whiting:
                        If I had to guess, although no one’s ever said, references and I would say the security clearance if you’ve got a … I’m just thinking from my perspective here. If I was hiring two people and one has a clearance and can start work in three months and the other doesn’t, and I know it takes at least six months for them to get a clearance, well, I’m still better off hiring the one I have to wait for.

Jason Dion:
                        Yeah. Yeah.

Kip Boyle:
                        Now, does the job that you have now require you to use your security clearance?

Sebastian Whiting:
                        Yes.

Jason Dion:
                        Yeah. Security clearances are a big deal, right? Because it can take anywhere from … I’ve seen them as fast as three months to as long as 18 to 24 months for a secret or top secret clearance. Having that already means that I, as an employer, can hire you and put you to work on Monday and not hire you, start paying you for the next six to nine to 12 months while I’m waiting for your clearance.

Big companies, things like Booz Allen Hamilton, General Dynamics, Deloitte, they may hire you without a clearance because they have enough internal work they can have you work on in a non-cleared environment until your clearance comes through. But if you’re working for a smaller company, for instance, I’m working with a local SOC here that they’re working on the security clearance process and they might have 50 people. 

With 50 people, I can’t afford to have five of them waiting for clearances. That’s 10% of my staff that I’m not getting paid for, because until they’re cleared, I can’t get paid on my government contract. Clearances are a big deal. You’re right. I would also say I’m willing to bet that your internal champion probably made them realize, “Hey, this is the guy we want. He’s really good.” 

Put in some good words, and so because of their recommendation, that internal referral, that probably helped your case as well.

Sebastian Whiting:
                        Absolutely. Yeah. It was definitely a multi-facet thing. I was so very grateful. It was huge. I was moving at the time into a new house and life was crazy. You add into that the entire pandemic issue and I’m questioning my sanity for getting out of the military in the first place and to have them call and say, “Hey, you got the job.” It was a great feeling.

To be honest, it was far enough out that I hadn’t even been seriously looking for jobs yet. I had applied to maybe two others at that point, but like Kip said, people usually won’t talk to you. Right now the going number is about 60 to 90 days from separation is when people will take you seriously.

Kip Boyle:
                        What about something like Hack The Box? You had mentioned that. Was there any other tools around hard skills that you thought were really helpful to you?

Sebastian Whiting:
                        Yeah. I love Hack The Box. I’m now a big fan of TryHackMe. I think they’ve come a long way as a platform. Even if you’re not going to get into hardcore pen testing, one, those platforms help you learn a lot of the tools that are out there for both red team and blue team. It’s a really cool way I think, to get hands on with technology. Sometimes I see people give the advice, “Just set up a home lab.” But if you’re just coming in to IT, that advice is very overwhelming.

Whereas something like TryHackMe or Hack The Box where they’re going to help you step through these processes, well, maybe that helps you understand what Samba shares are. Whereas if somebody tells you to just set up a Samba share, well, you’re like, “I don’t even know what that is, let alone how to set one up.”

Kip Boyle:
                        Yeah. Is there dancing involved? I don’t know.

Sebastian Whiting:
                        Exactly. That’s another thing I always poke fun of in IT is all the funny names people give things. I was working on a project with somebody and we were doing it in Python and he’s like, “Oh, well we’re going to put this in a Pickle and then we’re going to use it with Pandas and then we’re going to do this.” I said, “So we’re going to feed the Pickles to the Pandas and that’s how we’re going to get what we want?” He was like, “Exactly.” I was like, “Cool.”

Kip Boyle:
                        Don’t forget to drop the Panda in a container.

Sebastian Whiting:
                        Absolutely. Right? When you’re first getting started, there’s this entire new language you have to learn. I think those platforms by being a little bit smaller scope, it’s you versus one thing, or looking at one thing, it really helped me get familiar with protocols and terms. Then from there, I did set up a simple home lab at first, once I understood more.

I spent a lot of time digging through networking information, trying to figure out how to set the right network interfaces and all that. That was all great experience. Now my home lab setup today is much more involved than it was then, more like a real network rather than just a couple of machines plugged into a dummy switch. I did all those things and it was really just helping me get a holistic view of everything I think.

I would really recommend those platforms to people. Like I said, even if you’re not going to go into red teaming. Well, one, you have to figure out if that’s what you want to do. Also, it’s just a really fun way to learn. Very hands-on so you can learn a lot.

Kip Boyle:
                        Yeah. I want to affirm something here. As a hiring manager, even if I’m going to put somebody on a blue team, the fact that they’ve spent some time sort of operating as a red team, or even a red teamer with training wheels, however you want to say it, that’s going to put in your head at least this idea of, “Okay. That’s the kind of adversary that I can expect is going to make trouble for me as a blue teamer.” Right?

Sebastian Whiting:
                        Right.

Kip Boyle:
                        I think that that is super helpful to people. I want to completely agree with you, Sebastian, about that particular point. Yeah. Even if you’re like, “Hey, blue team all the way.” Know you will not waste your time doing any of this red team training and just trying to understand what it’s all about. Okay. We have been going on for quite some time now and I want to change the topic here a little bit and start wrapping up the episode.

Sebastian, what’s next for you? Congratulations. You’ve got your dream cybersecurity job. I mean, it’s phenomenal. That’s why I wanted you to come and be our guest today, to share your story with us and with our audience to inspire them. Since you are person who has all this side hustle mentality, what are you doing now? What’s next for you over the next 12 months?

Sebastian Whiting:
                        Well, school’s a big part of that. It takes a lot of time and energy. If you’re going to go that route, you’ve got to be ready to commit that even if you are getting a nice paycheck as part of it, it still eats up a lot of your energy. Aside from that, I’ll probably try and pick up another certification or two. I tend to try to do that on my breaks just to keep busy. 

Long term though, I would like to move more into a security engineer type of position, I think is the way I’m headed with some of the projects I’ve taken on board and what I’m doing now in my current role. Aside from that, long term, I would like to get back into the training side of things in the future. I really enjoyed that as an instructor in the Navy. I like watching people grow.

I like mentoring people and seeing things click for them. That’s really satisfying for me. It makes a lot of sense now to me why Jason has a training business after being the same type of instructor I was. Yeah. It’s a lot. It’s always hard. I think if you ask me on a different day, my answer could change because cybersecurity is such a broad field, and trying to keep yourself focused and narrow it down it’s a challenge every day, I think.

Kip Boyle:
                        Yeah. I definitely have shiny object syndrome. Every time I see a new research paper come in or a cool new article somebody’s written or whatever and I’m just like, “Oh, I’m going to go check that out.”

Sebastian Whiting:
                        Absolutely. Absolutely.

Jason Dion:
                        Never enough hours in the day, Kip.

Kip Boyle:
                        No. Absolutely not. No, but I enjoy it. I consider myself to be an infinite learner. I think you guys do as well. I’m always interested in something new and interesting. It’s like candy for my brain. Then once I figure stuff out, just like you guys, I enjoy sharing how I see things with other people, with the idea that it’ll help them get traction and let them accomplish the goals that they want to accomplish. 

Anyway, super happy for you, Sebastian, and what you’ve been able to accomplish and where you’re at and the fact that you can even contemplate like, “Okay. Now what? I’ve made the transition. Now what am I going to do? How am I going to build on it?” I think that’s fantastic. I just want to invite any final comments from you, Sebastian, and then Jason, maybe you could wrap up the episode for us.

Jason Dion:
                        Yeah.

Sebastian Whiting:
                        I just want to say if you’re out there working on this, keep going, keep grinding away at it. It’s a challenge. I think the biggest thing though, if I could say one thing is find somebody in security that came from the world that you’re leaving. I think that’s the biggest thing because that’s going to give you the best roadmap to follow initially. 

The other thing is, thanks, Kip. You’ve been a big part of this journey all this time and Jason has too. Normally when he’s on the screen, I’m not talking to him, he’s just talking to me so it’s fun to have this going both ways now. It’s been good. I really appreciate you having me on the show.

Jason Dion:
                        Thank you Sebastian, for joining us today. It’s been great to have you as a student in my certification courses, as a student of Kip’s Hired program, helping people get hired and get into their dream jobs. It’s great to see where you’ve come. I want to thank everybody for joining us today for this episode of Your Cyber Path. 

If you love the podcast, we’d really like it if you could take a moment and leave a review on iTunes or your favorite podcast player. It does help the show get found by others who need this content. Until next time, we’ll see you then.

Kip Boyle:
                        Bye.

Announcer: Thank you for listening to this week’s episode of Your Cyber Path. Don’t miss an episode. Press the subscribe button now. If you would like to learn more about how to get your dream cybersecurity job, then be sure to visit yourcyberpath.com, where you can access the show notes, search the archive of our top tips and tricks and discover some fantastic bonus content.

 

 

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

Headshot of Jason DionYOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.

Wait,

before you go…

Don’t forget to sign up for our weekly Mentor Notes so you can break into the cybersecurity industry faster!