Forge Your Own Path: My InfoSec Origin Story
By: Nicole Hoffman
I took an unconventional path into infosec. Let's go back to the beginning. When I was little, I wanted to be what many little girls wished to be - a ballerina or a princess. That would have been ideal if I could have been a princess ballerina. I did not always have enough money to take dance classes, but that didn't stop me. I loved what I loved and would dance my heart out anyway. I joined a few competitive teams in high school and even did a short stint as a competitive ballroom dancer as a young adult. To this day, I have a special place in my heart for ballet.
While in high school, I fell in love with journalism. I was even the editor-in-chief of my high school newspaper. I loved the idea of uncovering the truth and making people smile through writing. My nickname in high school was newspaper girl, which wasn't my favorite, but I guess it was obvious because I was always interviewing students. They loved it because they got to get out of class temporarily. I was dead set on being a hard-hitting journalist uncovering corruption and crime.
However, I didn't apply to college. I didn't have the money to go. I couldn't apply for financial aid because you are not considered financially independent in the United States until you are 24 or 25. The exceptions are if you get married, emancipated, join the military, and maybe some more. It has been a while. Due to this, you can only apply for financial aid with your parents, who also fill it out and sign off. Mine would not. I didn't get too excited to run to the mailbox daily, hoping to celebrate college acceptance letters with my family. I didn't get to go shopping for dorm room furniture. When I graduated, I was thrown out into the world and told to get lost. Yup. That was my life. My childhood was not the best. I had to grow up fast.
Dropped into the world, I tried to join the military. Funny enough, I was trying to become an Intelligence Analyst in the military. However, when the time came to go to MEPS to be evaluated medically, I did not pass. I have asthma, and when I was a baby, I had open heart surgery due to a heart defect. It was a common defect, I was told, and I have never had any issues since. However, I have a gnarly scar across my back that I guess was a huge red flag.
I was able to get a job and a place to stay. When I started, I needed more money to pay my bills or food, not both. I only had my rent, cell phone bill, and bus pass. Thankfully, I worked at a restaurant, and there were always leftovers. While my friends were joining sororities and living their best Elle Woods life, I struggled to afford a blanket. I still remember when I was able to purchase my first comforter. It was a glorious and wonderful day. Before this, I wore warm pajamas and jackets to stay warm at night. To this day, blankets are my favorite gift. I can never have too many.
One of my friends I worked with was attending school to become a Medical Assistant. The school had a financing option that allowed me to attend. I was fascinated by anatomy and physiology. I learned how to draw blood, give vaccines, assist in surgery, and more. If I were to do this, I would do it my way. I made a 5- and 10-year plan. I would go to nursing school and become either a Nurse Practitioner or a Physician's Assistant. It was going to be a long road, but I was committed.
While I was in school, I had all kinds of jobs. Some worked out, and some didn't. I can never be a waitress. Not ever. Ever. There were just too many things going on. There are too many moving parts and things to remember. I did not know it at the time, but it was a stimulation overload from my ADHD. However, I was not diagnosed until I was 30. This was another reason customers would ask for extra ketchup or more napkins, and I would forget immediately. We all can't be good at everything.
However, I found out I am excellent in retail and restaurant environments because I understood the business operations side of the house. If I am going to do something, I want to be the best that I can be. I was often promoted to management positions. I was interested in how things work. I have a niche for finding inconsistencies and making them better. However, having this mindset can also be intimidating to many people. I've worked at hotels, restaurants, retail stores, fast food places, insurance firms, dance studios, and security companies. Heck, I was even a maid for a while. I worked at a daycare and quickly realized that spending time with two-year-olds all day was the most exhausting job ever.
While studying to become a registered nurse, I got married and moved to a new city because he was in the military. It was not the safest area we lived in, and I needed to start in-person labs at that point in my degree. A few traumatic experiences led me to make the sad decision to change my degree program so that I could study remotely. Since I was married, I could also happily use financial aid. Yay! My husband was already in cyber security, and he had a lot of textbooks. I wanted to do something other than what he did, but I figured I could find my niche and way. I can hear the tech bros now saying, "Women only get into tech because men tell them to." 🙄
I changed my program to Information Technology and got a minor in Cyber Security. By this time, I had A LOT of science and healthcare credits from my nursing program. Some of them transferred, but most of them did not. It was like I was starting over, but at least I was moving forward. I was working towards forging my path in the world. We had our second child shortly after my husband left the military. I was still grinding away at a part-time degree online, but I was ready to return to work. This was a challenging decision. As a parent of a toddler and a baby, I didn't want to leave my kids alone with anyone other than my husband. So, I worked nights, and my husband worked days. I got certified to be a forklift driver in a warehouse.
After doing that position for some time, I missed seeing my husband during the day. I was able to land a role working in the financial industry. After some time in that role, I became a fraud analyst. I knew I wanted to be an analyst and not an engineer. Thus far, I had been preparing educationally for an engineering role even though I was not passionate about it. Analyzing complex threats such as money laundering, kite-checking, and wire fraud fascinated me. An analytic nerd was born in this role.
When I say I have had a lot of jobs, I am not lying. Fast forward a year or so, I was trying to land an entry-level position in cyber security or a help desk. Everyone wanted years of experience. The typical avenues of applying to job openings were getting me nowhere. One day, someone reached out to me on LinkedIn to discuss my goals. I was excited because I thought it was about a job opening. This super kind individual just wanted to mentor me because he had (and still has) a passion for helping others in the field.
He encouraged me to network. Specifically, he recommended I invite managers out for coffee, ask companies if I could shadow anyone for a day, and see if I could interview managers for a school project. Anything to get my foot in the door. He even told me about a few local spots I should check out. It was weird and scary to reach out to total strangers. Honestly, I thought it would be considered annoying. The issue is I had these managers up on a frightening pedestal. They are just people like you and me. I knew this when I was in retail and the food industry, but for some odd reason, tech is scary. Imposter syndrome began early for me.
But! People were super kind when I reached out to them. They were excited to see a blossoming cyber newbie eager to join the market. They were happy to take the time to meet with me and give me great advice. One of them was looking for cybersecurity interns and hired me! I had an excellent recommendation from my mentor and got my foot in the door. I was a Cyber Security Analyst Intern working with a threat emulation team focusing on the MITRE ATT&CK framework. This is where my love of ATT&CK began. If you follow me, you may know I am a vast ATT&CK nerd, so much so that I may have screamed when I met someone from the ATT&CK team at Def Con 29. I scared him a bit. 😂 In my defense, it was my first social outing since the beginning of the pandemic, and I love ATT&CK, so meeting someone from the team was very exciting.
Figure 3: My first conference talk at GRIMMcon, on the new speaker's track. Matt was a fantastic coach!
The framework has done much for the field and is a big part of my infosec origin story. My first tech job was an internship that required me to familiarize myself with the ATT&CK framework. One of the first tech conferences I attended was ATT&CKcon in 2018, although it was virtual. I have yet to participate in person. Roberto Rodriguez (@Cyb3rWard0g) and his brother Jose Rodriguez (@Cyb3rPandaH) gave a fantastic talk at this conference titled Hunters ATT&CKing with the Data. I had performed some threat hunting as a fraud analyst, so I was somewhat familiar with the idea. However, it was at this time I was introduced to cyber threat hunting. I loved it even though I was a total noob at the time.
Another of my favorite talks from this conference was titled Analyzing Targeted Intrusions Through the Lens of the ATT&CK Framework, presented by Karl Scheuerman (@KarlScheuerman). The presentation got into the weeds of analyzing intrusions while utilizing the ATT&CK framework. Moreover, Karl went over the work he was doing at CrowdStrike. I had never heard of the company and did some research. This is how I found cyber threat intelligence.
During this conference, I also discovered Katie Nickels (@likethecoins) and all of her awesomeness. After the first ATT&CKcon, I followed ATT&CK's blog, which has a lot of great pieces by Katie. Some honorable mentions:
The second ATT&CKcon was even better than the first. I know there have only been two, but this is still one of my favorite conferences ever, alongside GRIMMcon and Def Con. When the pandemic hit, I was finishing my degree, but the stress of it all forced me to take a short break. It took so long to finish my degree because I was working full-time and raising kids while studying remotely on nights and weekends.
Like many others, I was worried my job wouldn't make it through all the shutdowns. I was worried about unemployment, so I started my blog to market my skills. I gave my first conference talk on a whim at GRIMMcon in 2020. It was a blast, so I kept doing more. What started as an extension of my resume and professional portfolio quickly became a personal brand. More than that, it turned into a hobby that I am very passionate about. One of the best things about having a blog is that it is mine. I can publish what I want when I want. I do not have to run the ideas by anyone. I like to do these in-depth research projects and share my findings. Sometimes, I go a year without posting anything, but that is the joy of it. I have no deadlines when it's a hobby. I cannot be fired. It is empowering on a whole other level.
Figure 4: My graduation party in 2021.
Also, in 2020, I was diagnosed with ADHD. I started taking medication, which allowed me to focus and grow my passion for information security and threat intelligence. In late 2020, I wanted to write a blog about analytic tradecraft. I wasn't super happy with the information I found, so I wanted to expand my search into other industries. I ended up studying how many different fields perform analysis. It was fascinating. I started collecting my favorite steps from each and created my analytic framework, the Cognitive Stairways of Analysis. It was not my intention to make it, but I am so proud that I did. The best part was that it was mine. It was not something I created for an employer, so I can continue expanding it no matter where I work.
My marketing plan worked out because I was in the middle of the pandemic without a job. I contacted everyone I knew and told them I was looking for work. I landed a role at a fantastic intelligence firm and have been there ever since. 2021 was a great year, even though there were a lot of challenges with the pandemic. I went to my first Def Con, and I know many people say this, but I finally felt like these are my people.
For the first time, I finally feel I am right where I am meant to be. I finally finished my degree!! I quickly ran away from my personal laptop, which I had slaved over on nights and weekends on homework for so long. It took me six years, but I did it, and I am proud.
Nothing can top Def Con because it was pretty impressive, but my kids inspired me to write a children's book. Becoming an author has been a dream of mine since my journalism days in high school. I have had several ideas but have yet to see them through. With my ADHD, it can be challenging to finish projects I have started. So, when I do, I am very prideful and overjoyed. I am happy to say The Mighty Threat Intelligence Warrior is complete and will be published on March 1, 2022.
Alongside the children's book, I formed my own publishing company. Once again, I wanted to rely on something other than another person or company to accomplish my goal of becoming an author. I was tired of jumping through hoops. I never thought I would own a business, but someone wise once told me that to be successful, you have to get comfortable with being uncomfortable.
Figure 5: This is my success story.
The path to success is not straight but a windy road with many turns, hills, detours, and construction. The important thing is that you forge your path. Do what makes you happy. It is ok if this changes several times. There is no one way into infosec or any field. Your experience, technical or not, makes you who you are. The field could use more lateral thinking if you ask me. We need more well-rounded people to help solve complex problems from new creative perspectives.
Whether you are just starting out in infosec or someone who is already in the field dealing with imposter syndrome, I am here to tell you that you are not alone. The best advice I could give was given to me when I started. I remind myself of this regularly.
Own what you know and what you do not. Just own it. Be your authentic self.