InfoSec Career Podcast – Episode 11

Carrie Roberts shares some incredible experiences that she has had moving into security. She has gone from being a mechanical engineer for HP to now working for Walmart on their blue team. The changes that she has made have had a huge impact on her and her family. You will definitely want to listen to this episode.

iTunes
Google Play Music
Stitcher

Jason’s Notes

All I can say is that Carrie is a Force of Nature! I wish I had half the focus, determination, and dedication that she talks about during this episode. The impact her decisions and efforts have had on her, her family, and those around her is huge! Check this out.

Time at HP

Her first interest in software development sounds like it came when she was a mechanical engineer. She would be ahead of her project timeline, but was dependent on the developers to code the movements of what she had designed. They would get behind and force her to be behind. She made the comment that she was interested in doing it all and not being dependent on the development team.

When faced with an uncertain future at HP as a mechanical engineer, she took advantage of opportunities that the company offered her. She was one of two people on her team to take a programming class at the expense of HP to broaden her background.

Because she liked the programming, she head of a fellowship at HP that would allow her to go back to school full time for a masters degree. HP would pay for her schooling, pay 75% of her salary, and she didn’t have to work during this period. She finished a Masters Degree of Computer Science via an online program at University of California, Chico. It’s really rare to see companies offer this kind of opportunity.

The degree program was very difficult because she was on her own with no immediate support around her and very slow support from her professors. It required her to learn a lot, but it was painful. In spite of this, she stayed focused and earned her degree in 15 months. (amazing)

Starting Into Security

Carrie says that she is an “all or nothing type of person.”

She had a web application she wrote get beat up by a vulnerability assessment. This made her want to learn about security because none of her schooling had prepared her for this.

She applied again to HP to earn another masters degree; this time at the SANS Technology Institute. Carrie kept taking opportunities and putting in a ton of work to make them happen.

She found ways to do security projects at HP to demonstrate what she had learned to others. She also did CTFs, blog posts, and wrote papers. She kept finding a way to make things happen.

Carrie really put herself out there to meet people and ask questions. She did this with her classes at SANS and showed her interest to her instructors. This lead to an introduction to John Strand at Black Hills Information Security. She became a penetration tester at BHIS.

Penetration Testing and Red Teaming

Carrie really liked red teaming over the more regular penetration testing. They are harder to argue against because the of the realism involved in them. The scope is more open, the information is less available, and no access is provided. This was extremely enjoyable for her.

After a few years at BHIS, Carrie went to Walmart to be on their dedicated red team. There was a lot more time available to the team to figure out how to do their attacks than she had as a consultant. This experience let to questions about why some attacks were caught and others were not.

This experience led her to decide to join the blue team at Walmart. Now she can really dive into why some attacks fail and others work. She stated that she wants to be on blue team to become a better red teamer.

On Learning

The conversation keeps going back to Carrie’s desire to learn more and take the opportunities that allow her to grow.

She tries to spend 80% of her time learning and 20% applying what she has learned. This is a huge bar to meet! She doesn’t try to really track this, but uses it as a general guideline she tries to follow.

Carrie keeps a list of things she wants to learn. That way when something sounds interesting, she can put it on the list and stay focused on what she needs to work on at that time. Later, when she finds herself looking for something to learn, she can go back to the list and find something that she is interested in. Great idea.

Being a Woman in Security

Personal note. I hope I handled this part well, but I was really interested in what Carrie’s experience has been. There is a lot of debate over the topic of diversity in STEM and information security. To me, it’s in people’s stories that we can understand what they are going through. Carrie’s experience is a positive one, but I know of others who would tell a different story. End note.

Carrie has spent a lot of time in her life as one of the only females in a group. As a child, she played with the boys at recess playing the same games. This gives her a good comfort level in being in groups where she is the only woman. That has spread into her experience in security.

It isn’t all perfect though. Some of the conferences she has attended have not been enjoyable due to the lack of professionalism she has observed. One of her statements is that she would not be comfortable bringing her children into those environments. She said it was not all conferences, but definitely at some of them.

Carrie likes the idea of providing women opportunities to try technology out and get some personal experience with it. It’s one thing to say that something is fun or enjoyable to do. It’s another when someone gets to experience that themselves. She has put this into action in her family.

Carries two oldest daughters have decided to be web developers. One is currently working in the field and the other is finishing school for her degree. These daughters are also teaching her younger daughters programming. Her son has also become involved in programming and developing code in Python.

Technology is a family affair in the Roberts family. Her son is has helped write code for a tool she started called Domain Password Audit Tool (DPAT). She has done presentations on this tool with her husband and her son.

Domain Password Audit Tool

One thing she wanted to make clear was that going into security has changed her family in a major positive way. One of these is that by Carrie and her husband changing their careers to infosec, they have doubled their family income! That is life changing!

Her husband followed her into information security. At first he was very hesitant to make this kind of change, due to his age and professional background. But they figured out a plan, he started getting training, and is now a penetration tester for Black Hills Information Security.

Physical Health

One thing Carrie didn’t like about working from home and at a computer all the time was the impact on her physical health. She followed the same pattern that she has already show and figured out how to fix the issue. She built a walking desk and walks 4 miles each day while at work. You can check out her desk build by reading Healthy Hacking on the BHIS blog.