Recently I was extended an opportunity to speak at an undergraduate class of computer science. The topic I was to speak on was how I got into cybersecurity and my experience of different roles within the public and private sector of cybersecurity. I outlined what I would go over for the class so I thought I'd share my story here as well.
My name is Michael Banks and I am a practicing cybersecurity professional. I am currently a Security Engineer at Amazon Web Services (AWS) on the Security Operations Team. If you are not familiar with AWS offers an extensive array of reliable, scalable, and inexpensive cloud computing services. I am also a Signal Officer in the United States Army Reserve. I graduated from Augusta University (AU) in 2015 with a Bachelors of Science in Applied Information Systems & Technology with a Minor in Military Science. In December 2019, I graduated with a Masters of Science in Information Security Management.
First off, I want to thank you for taking the time today and allowing me to share my experiences in the cybersecurity industry. Today I plan to go over how I discovered and got started in cybersecurity. I will go over the roles and experiences that I have had in the industry. Lastly, I will give you some tips that I believe will make you successful in the industry.
How I started in cybersecurity
I was always savvy and interested in technology and computers since my family got a Compaq Presario with Windows 95. I would play things like Carmen San Diego, Math Blaster, and Reading Blaster. When I would go to one of my Aunt’s houses, they happened to have Oregon Tail on 5 ½ floppies, and I enjoyed that game. Internet wasn’t that mainstream yet, so when I got a break from the games, I would tinker with the other programs and even play around with the command prompt and figure out the commands and what they did. I say all of this to say that when it was time to choose a major, I knew it would be something like Computer Science or Information Technology (IT). I knew I wanted to do something with computers, but I didn’t know what I wanted to do with computers. I always say to this day that I am willing to do anything but create video games. The game would never be completed because it would still be something I wanted to change or make look better.
When in the junior year of my undergraduate degree, I was in a system administration class for Linux. You would all the time here about events and different things related to computer science that you would get extra credit for attending, and I would not miss one of them because if it’s free, it’s for me and free credit for a class something you don’t pass up. Not to mention a lot of the events had free food. The opportunity that was shared was a BSides. For those not aware, as stolen from their web page, “BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.” The school was assisting sponsoring a BSides conference called BSides Augusta.
It was the 2nd annual one that was hosted at our school at the time. One of the things my school required to graduate at the time was a requirement to complete either an internship or a senior capstone. Doing an internship was already on my mind that year. It just so happened that there was a speaker presented at the conference at this conference. At the end of his presentation, he mentioned he was looking for interns. I thought that was convenient, so I went up to him after his talk and told him I was looking for an internship. The only thing he asked me was could I code. Luckily at the time, I had experience with Java and C Sharp, so I told him yes, and turned out he was the owner of a cybersecurity consulting firm and a former soldier and reverse engineer for the National Security Agency (NSA).
When I started my internship I didn’t know what to expect, but I got to do some fantastic things like penetration tests for companies and organizations in many public and private sectors. I got to sideload custom firmware on wifi routers that are still used today. I even got the opportunity social engineer my way into corporate and retail locations for companies I know you’ve heard of. My internship was how I discovered a love for and got into cybersecurity.
My Career Path
Information Security Consultant
Fast-forwarding a bit, even though my internship as far as the school’s requirement for it was over, I continued to intern with that organization until I graduated. That work turned into my first job as an Information Security Consultant.
As a consultant, it’s a broad position, which is a gift and a curse. What you do is dependent on the client and the case you’re given. I have done many different things from penetration testing. Ransomware recovery, digital forensics, insider threat cases, network build outs, Siem monitoring, phishing, and even auditing. Sometimes and most of the time, I’d haven’t done it before, but one thing about me is I am determined to figure it out, and when you have a good base of the fundamentals, at the end of the day when computers are concerned everything is 1’s and 0’s.
Often, you have to go to the client to do the work, so there was quite a bit of travel that came along with the job. I recall one year, I traveled 100 of the 365 days that year. Luckily for me, I love to travel, so it was amazing to see all of the places. An average week at one point was flying out on Sunday afternoon, working from the client site that week, flying back home Friday and enjoying the Saturday, and flying out the next day to do it all over again. On top of doing the job and the technical aspects, It required to write reports and documenting aspects of your work. So if you thought after school, you’re done writing papers. I will go ahead and burst your bubble now. You will always be writing.
While being a consultant, one of the things unique to the organization that I was at was that they wanted you to do at least two public presentations a year. I think it was good publicity for the firm, but it was also a method to build up your communication skills, and with such a customer-facing role as a consultant, it was a way to get you comfortable with getting your name out there. I got to do some BSides conferences and speaking at some other conferences around the country. Another goal I set for myself was doing two industry certifications a year. So far, to this day, I have been able to continue that goal. I currently have about a dozen active industry certifications.
My next opportunity happened pretty interestingly and out of the blue. I always maintained a social presence, as mentioned before, with my previous job. One day a technical recruiter reached out to me on LinkedIn or “slid in my DM” as we say it nowadays. He mentioned a position for a Security Engineer in the D.C. Metro area in Northern Virginia. I expressed that I’d like to hear more about the job. I sent him my resume, and about five days had gone by and hadn’t heard from him; it turned out there was a typo on my resume for the email. THANKFULLY no one with that email didn’t take the job I was going for now. I gave the recruiter another email and got set up to do a couple of phone screens to test my technical knowledge. They flew me out or “got flewed out” to their offices in Northern Virginia to examine my technical knowledge again but this time to also see if it was the right fit for the company. About a week later, they sent me an offer to be a Security Engineer on the Security Operations team.
The AWS Security team is responsible for the security of all of the services offered by AWS. As a Security Engineer on the Security Operations team, I work cross-functionally to assess risk and help deliver countermeasures that protect customers and company data. I operate more in a leadership role in responding to security issues across the world’s largest cloud provider, which is pretty rewarding in an experience within itself to solve security problems at such a large scale.
My day to day job responsibilities include:
- Analyzing massive data sets to perform risk assessments
- Develop tooling and security controls to mitigate risks
- Support design reviews for developer tools to ensure that security objectives are met
- Work across teams at AWS to refine your plans and obtain buy-in.
In parallel with my cybersecurity career. I’ve had a career in the United States Army Reserve. I enlisted back in 2011 at the beginning of my sophomore year in undergrad as a private first class. I did basic training or boot camp, along with some advanced individual training, and resumed school. I continued my Army Reserve experience with a Military Intelligence Unit in various roles until I graduated and commissioned as a Signal Officer in a Theater Tactical Signal Brigade. For those not aware of Signal, it’s the equivalent of the communications infrastructure that connect soldiers on the battlefield to one another and the Department of Defense Information Network (DODIN). I have recently moved to a Cyber Protection Team to do more cyber-related things for the Army Reserve.
I have had the unique opportunity to work at a private security firm out of college, a Fortune #2 public company, and serve in the federal government for almost ten years. If I can leave you with any advice on what I would want to know if I were starting my freshman year would be the following:
- Get/Keep your writing game up! All organizations write reports, articles, documentation and you will never get out of it.
- Learn in-depth and as much as you can around the fundamental principles of computer science. Everything from the networking protocols, how packets work, to the makeup of computers, assembly, and the operating systems like Mac, Windows, and Linux. All of the jobs, companies, and vertices that exist in the industry build on top of that. No matter what job you do or position you’re in, the more knowledge you have on the fundamentals will only propel you further because remember, at the end of the day in the computer world, it’s all just 1’s and 0’s.
- Get as much experience as you can before you graduate, whether it’s personal projects, research, patents, work studies, or projects. I had my own virtualized lab by my junior year with an extra PC, but you can get experience by doing it yourself. Try to get internships because it’s a great way to have a job before you even start looking for one. It will set you apart from your peers that don’t have it, and organizations are looking for people with experience.
- Network! Network! Network! Get your name out there. I am sure you all know that sometimes it’s not what you know but who you know will get you ahead in life. It’s how you get noticed and build relationships. Visit some conferences, start submitting talks to them. Keep a blog around the things you are doing. You never know who will be “sliding in your DM” offering a job.
Thank you for the opportunity to share my story. I hope this information helps, and I hope my experience gives you some idea of some of the options you have in the cybersecurity industry. I’ll be happy to take any questions you might have for me around anything in the cybersecurity realm or the military sphere. Also, feel free to connect with me on Twitter or Instagram at @4MikeBanks. Also, here’s my LinkedIn https://www.linkedin.com/in/mrmikebanks/.