Welcome to Episode 8 of the Building a Life and Career in Security Podcast.
Today’s guest is Jake Bernier. Jake has worked at everything from a small consulting company to a Fortune 100 organization. A Minneapolis Twin Cities resident, he’s very active in the information community there, including teaching an information security course.
Jake and I talk about his recent job move, moving between jobs, and teaching information security.
Jake Bernier: You end up meeting people in the industry, and that do it, so when they’re looking for people, they come knocking on your door.
Voiceover: From the JaySchulman.com studio, this is the Building a Life and Career in Security Podcast. Now, your host, Jay Schulman.
Jay Schulman: Hey, thanks. It’s Jay. Welcome to another episode of Building a Life and Career in Security Podcast, the podcast that lets you see how others grew their information security careers. Today’s guest is Jake Bernier. Jake has worked at everything from a small consulting company to a Fortune 100 organization. A Minneapolis Twin Cities resident, he’s very active in the information community there including teaching an information security course. Here’s Jake’s career journey in his own words.
Jake Bernier: I’m relatively new to the field, about 4 years into it now. I started out, didn’t really know what I wanted to do right out of high school, so I started playing around, ended up joining a community college, and looking at the information technology program. That was pretty fun, but it still didn’t really spark my interest until we started talking about security stuff. Right? I didn’t really know what it was, but I was interested. It turns out all the times I was messing around and cheating on video games, I could take that skill set and get paid to do it, so I was really interested. I tried to find out as much as I could on my own because at the time, we didn’t really have any security classes in the area, so I did a lot of research on my own. Ended up joining a whole bunch of different security groups, and in talking and meeting people who are in the industry, I ended up getting my first gig as a security consultant doing different security engagements of penetration testing, social engineering, running vulnerability scanners, things like that. I did that for about a year while getting my bachelor’s degree, so staying busy. I ended up moving to a Fortune 100 company working in, at the time, what they called “cyber security.” I was oversold on that. I didn’t really know what it meant, trying to figure out what security looked like in the organization, so I did learn a lot there, but ended up moving on shortly after to get back into penetration testing again. I did that for almost 2 years, and then moved again more into an information security intelligence and research role. Through my time in security, I’ve also been teaching since 2-1/2, 3 years ago different penetration testing and application security courses. Actually, at the same school I graduated from as well as being still very involved in different security groups in the area.
Jay Schulman: You moved pretty recently to your new job. You want to talk a little bit about the recruiting process and how you came about finding this job?
Jake Bernier: I actually wasn’t actively looking at the time, but I will say I was getting hit up pretty frequently, so I don’t know if it was the time of the year or what it was, but I was getting hit by recruiters quite a bit. I wasn’t super interested, and a lot of them didn’t really fit what I wanted, but this particular role happened to be with a couple of buddies of mine that I’ve worked with in the past, so they actually reached out to me, and I bypassed the whole recruiter thing, and I’ve actually been fortunate enough to do that in every one of my roles. The information security community is pretty small, and especially if you get into a certain edge whether that’s pen-testing for myself, or you’re an application security guy, or risk guy, or whatever that is. You end up meeting people in the industry, and that do it, so when they’re looking for people, they come knocking on your door, and that’s what ended up happening to me.
Jay Schulman: Is that primarily through things like conferences, or how did you grow your network?
Jake Bernier: Yeah, absolutely, so conferences. We’re here in the Twin Cities. We have a whole bunch of different security groups that I attend. Honestly, it’s just to hang out with people and talk shop, “Hey, did you see that new vulnerability that came out? Hey, what do you think of this latest breach?” I get to know these guys and gals that are doing this on a day-to-day basis, and I keep in touch with them usually on a monthly basis because that’s what the meetings end up being.
Jay Schulman: How did you come about? I’m a closet teacher I guess myself. I love getting in front of a classroom. How did you come about to teach? I assume since it was the same place that you went to school, how did that happen?
Jake Bernier: I actually got really lucky with it in my opinion because I also really enjoy it. Quite honestly, if I could do that full-time, I might end up doing that someday, but what ended up happening is I was a teacher’s pet to put it bluntly. I was really into it. I wanted to set up labs, play with things. Even though I graduated from the school, I still found myself helping out. A teacher would call and say, “Hey, are you looking for more experience? Do you want to help set up a lab for us? Do you want to help [image all 00:04:36] our machines?” Things like that, and it was just a great place to be, so I ended up doing that for about a year, and then until finally, I said, “Hey, I’m interested in teaching.” I spoke to some different teachers there and the director, and he said, “Well, I’ll tell you what. We have a …” At the time, they wanted to roll out a wireless hacking course, and I said, “That’s a terrible idea because wireless is very small, right? Why don’t we just do a more encompassing, just introduction to penetration testing hacking?” He said, “Okay, build it,” so I built the course, and this is all … I didn’t sign anything. I wasn’t getting paid for anything. I ended up doing all of this work, and he said, “Okay. Well, do you want the job?” I said, “Yes,” so I ended up teaching at that fall semester.
Jay Schulman: Building the class on spec in the hopes that you’d eventually get to teach it.
Jake Bernier: Exactly.
Jay Schulman: For those students, what do you tell them about growing their information security career? What advice do you give those guys?
Jake Bernier: I tell them that they can jump right into security if that’s their end goal. Right? I was told by a lot of different teachers and professionals that I have to work the help desk angle, right? Jump in, work help desk, do some sysadmin work, and then move over to security over a 5 to 10-year timeline, and I just wasn’t willing to wait for that, so I think … A lot of the students, I tell them like, “Hey, a lot of these requirements they have for these job postings is really a wish list. If you can meet most of them and they know you’re entry-level, they’ll probably find a spot for you.” Right? If you’re passionate and you want to do this, there’s definitely a spot for you in the field, so just stick with it.
Jay Schulman: That is fantastic advice because I think a lot of people do look at the listings and say, “Gosh, I don’t … I’m missing 6, 7 things on there. I’m missing a cert that they’re looking for, and I’ll never get the job,” but your suggestion will be just go ahead, and apply, and prove that you have the energy to do it.
Jake Bernier: Absolutely.
Jay Schulman: You brought up a really interesting thing that I think has happened over the last couple of years. You used the description quite a bit of building things, and getting your hands dirty, and even talking about growing up at security where you start as an administrator and move forward. That hands-on thing, I think you even said you’ve gotten to security by cheating on video games. Where do you think the hands-on experience comes into this field of information security?
Jake Bernier: I think it’s incredibly important, at least for my end of the security field, right? I have to know how things work and how they interact. I’m a very hands-on learner anyway, so for me to look at an environment and understand, “What are the different attack factors? How can we secure this infrastructure, this application, whatever it might be?” If I’ve built it before, even if it was in a lab environment, I can get it fully functional, I can better understand how it works. On the flip side of that, if I find something that we need to fix or I recommend fixing, I can sometimes understand the pain that some of these sysadmins or engineers have to go through. It’s not as simple as just clicking “Update” anymore, right? I’ve gone through some of those pains, even in a lab environment. I can maybe recommend quick ways to do it. I can think of alternative solutions, that sort of thing.
Jay Schulman: It’s somewhere between credibility and apathy, right? [Inaudible 00:07:43].
Jake Bernier: Exactly.
Jay Schulman: I ask everybody on the podcast here 2 questions. The first one is, thinking back to your career and some of the job changes you made, and it might not even be about a job change, but thinking back to something that you really agonized over, a decision that was really tough for you, but man, it really turned out well in the end, do you have one of those?
Jake Bernier: Yeah, absolutely. Probably more than I’d like to admit, but the first one that comes to mind is when I was first starting out. When I first graduated, I already had a paid internship set up. It was with a Fortune 100 company. I was super excited. It was a chance to work in multiple different areas of information security, so be an intern, learn about different things. I was all set up. It was a yearlong internship, and then I ended up getting an interview from a guy I met at a conference for a small consulting company to work as a security consultant. I went in, somehow nailed the interview, right? Ended up getting the offer, so now I was torn. Do I go with this small security shop where I consult and move around, or do I go learn from a more corporate environment and learn about information security? Looking back now, it’s obvious that I made the right decision to go for a smaller consulting company, but at the time, I didn’t really know, and the reason I think I made the right decision is because I got to wear so many hats in that small consulting agency. Not only was I helping different consultants, learning from them, doing different security engagements, but I was also the IT admin since they were so small, so I was managing our own firewall and things like that. It turned out great for me.
Jay Schulman: Yeah. I think a lot of people look at the brand name on the wall versus the actual opportunity in front of you, and you went on to work for a number of Fortune 100 companies anyway, so what was it like? Was it a vastly different experience when you moved from the small consulting company to the big Fortune 100 company?
Jake Bernier: Absolutely. My only experience was being around rock-solid security professionals, and we went and spoke to mostly small financial institutions. A lot of these folks, they might not be good at security, but we’re consulting them. They’ve dealt with us before, right? They’re financial institutions. They understand they have something to protect, so articulating risk or why we have to fix something and even at a technical level, it wasn’t that difficult, but I do get to learn a lot. When I moved over to corporate culture, it was just a culture shock to be quite honest. Now, all of a sudden, I’m dealing with these small exponent projects that have a bigger budget than the entire companies that I was helping consult, so the decisions have more weight. Also, your job is security, but everyone else doesn’t really care about it, so I have to sit there, and try, and articulate why we might want to do something, so it’s really challenging for me. I had the technical stuff figured out, but it was a social and culture aspect that I had to work through.
Jay Schulman: Yeah. I think that’s a fantastic point too because I think people do forget about the communications element of the job, especially when they’re so good at the technology point. Everything we’ve heard to this point has been fantastic, all cookies and ice cream. I’m sure at some point, you did something that if you had the option, you’d do it differently, so is there a do-over at some point in the story?
Jake Bernier: I think there’d probably be 2 things I can think of. One is not as exciting, and that is I wish I would’ve spent more time learning the development side of things, right? All the classes, and training, and even most of my work experience at very early on was related to networking and infrastructure, “How does this TCP/IP, in fact, affect all that fun stuff?” When I started to look at different applications, whether that’s a web app or a mobile application, whatever, I was really lost, and I didn’t understand really at all how a developer worked through anything, and so I had to spend a whole lot of time on the job. Actually, after the job, trying to catch up and understand what that process looks like and why they’re developing things the way they’re developing some of their pain points, et cetera, so I could better assimilate myself into their environment. The second thing that comes to mind is moving different jobs so frequently. I’ve worked at 1, 2, 3, 4, 5 different places. One of those was teaching, so 4 different places for each year. Sometimes, I look back, and I go, “Gosh, I wish I would’ve rounded off and finished that one project or tried a little harder instead of just jumping to that next opportunity.” In a way, that’s the reason I am where I am today, but at the same time, I feel like I missed out quite a bit.
Jay Schulman: Yeah, that’s tough. Not to get on a soapbox here, but your first do-over is so passionate for me because I look at so many security people come up through the infrastructure ranks and think like network engineers and not like application developers that … I personally think that application security is so difficult because it’s a whole bunch of infrastructure people trying to figure out how to develop code, and fix code, and do all of that stuff. Certainly, it hit it on the head for me.
Jake Bernier: I couldn’t agree more, and I figured it out right away. Just the attitude that the developers had towards security professionals, you could tell they’re like, “Yeah, you guys have no idea what you’re talking about. You couldn’t do my job.”
Jay Schulman: Yeah. “You have no idea what I’m doing. Why should I take your advice on how to change my code?”
Jake Bernier: Exactly.
Jay Schulman: In your final move, you moved from the penetration testing role to more the intelligence role. Was that a big transition, or did it flow naturally for you?
Jake Bernier: It was a hard transition just because penetration testing is near and dear to my heart, but to be honest, the reason I ended up getting into information security in the first place is I love to learn. I love something different, and pen-testing can give you that, but at the same time, it can get in this wheelhouse. For those that aren’t too familiar, you’re testing things, looking for different problems, but a lot of times, you see the same things over, and over, and over again, and you have this toolkit and these tricks that you run. It’s like, “Yeah, keep playing the same cards.” Moving over to intelligence in a research role allows me to … It’s honestly just an excuse to dig deeper and not have a scope anymore, so I can do similar work, right? I have the technical capabilities, I have the toolkit, and I have all that in front of me, and now, I can take it one step further and dive a little deeper. Do some of that research I’ve always wanted to do.
Jay Schulman: That’s a great comparison because I had never thought about the differences and, in fact, the similarities between the 2 roles, so thank you for framing it up in that light. That is the end of the questions, and I greatly appreciate you coming on today. If what you said today resonated with people and they want to reach out to you, where can they connect with you? Where can they find you?
Jake Bernier: Yeah. They can feel free to send me an email at jbernier, B-E-R-N-I-E-R, email@example.com, or if you’re in the Twin Cities area, you can come look up the different security groups and come find me. I’ll probably be there.
Jay Schulman: It sounds great. Thanks for joining us today.
Jake Bernier: All right. Thanks for having me.
Jay Schulman: Thanks to Jake for joining us today. I hope you heard Jake emphasize his network in the conversation today. Even if you aren’t looking to make a career change, you should always be trying to build your network. If you do reach out to Jake, make sure he knows you heard him here on the podcast. If you have any comments or questions about today’s podcast or want to join me to talk about your career journey, shoot me an email at firstname.lastname@example.org. If you found this podcast valuable, let me know by leaving a comment in iTunes, and thanks for listening to this episode of Building a Life and Career in Security Podcast. Please subscribe to this podcast on iTunes or at JaySchulman.com/podcast.
Voiceover: Thank you for listening to the Building a Life and Career in Security Podcast with Jay Schulman. For more information and to subscribe, go to JaySchulman.com.