
GIAC Certifications: Trust Me I'm Certified
Exploring Imposter Syndrome through Experience, Education, and Gatekeeping with Lesley Carhart
Lesley Carhart, principal threat analyst at a leading cybersecurity company, was brought up on a farm with an "old-school hacker" (her dad). She shares how her experiences as a high school coder and military avionics technician ultimately led her to a successful cyber security career.
Despite all her success, like most of us, Carhart is no stranger to imposter syndrome. She discusses the barriers she's faced to being perceived as an equal and the steps individuals can take, including training and certification, towards trying to overcome imposter syndrome in the workplace.
Jason Nickola: 0:00
This is “Trust Me, I'm Certified,” brought to you by GIAC
Certifications, a podcast exploring how to conquer imposter syndrome. I'm your
host, Jason Nickola. And on this episode, we're joined by Lesley Carhart, Principal
Industrial Incident Responder at Dragos. Despite achieving success and relative
fame in the infosec world, Lesley remains one of the more accessible and
consistently positive figures that we have in the industry. In this
conversation, we explore imposter syndrome: the ways that it can affect your
career and some mechanisms for coping when you're struggling with it, in
addition to lots of other tips and stories from Lesley’s background. So, with
that said, please enjoy our first episode and an interview that I really had a
lot of fun recording. We hope you like it.
Jason Nickola: 0:00
Lesley, it's an absolute pleasure to have you
here with us.
Lesley Carhart: 1:12
Thanks so much for inviting me.
Jason Nickola: 0:00
So, you do a ton of work around career building and a lot
around enabling the community. But before we dig into some of that stuff, when
did you start getting interested in technology? How did it - what do you
consider your origin story in the industry?
Lesley Carhart: 1:12
My origin story? Oh, gosh, see mine is so atypical, it's
very stereotypical, and, uh, really a lot of people have - there's a million ways
to get into security. But mine was a very prototypical story of I was a little
kid, you know, like seven or eight. And I grew up on a farm, and there wasn't a
whole lot around at the time. And, you know, not a lot of people to talk to and
stuff. And my dad bought a computer when I was tiny to do accounting and
bookkeeping for the farm, and my choices were go keep myself entertained with
that computer or go pull weeds on the farm. And I realized really quickly that,
well, I don't have anything against farming. I would rather not do that for the
rest of my life.
Jason Nickola: 1:59
Easy choice.
Lesley Carhart: 2:00
Um, I mean, it's not for everybody, but for me, that was the
choice. So, at the time, it was really cool, and I really feel badly for kids
today because, you know, they get exposed to tablets and things that are super
locked down. They don't have the exposure I had to like my math textbook of the
time had basic programs in it.
Jason Nickola: 2:18
Sure.
Lesley Carhart: 2:18
You know, and then you buy your magazines like your Popular Electronics or something and it
would have hobby programming and at the time you really had to build anything
you wanted into a computer, because what was there was so limited and so
architectural that you really had to learn how to build your own stuff and make
the computers do what you wanted.
Jason Nickola: 2:37
Yeah. So, you have this computer at your dad's farm, and
you're kind of just hacking away at it and figuring things out. At what point
did it become more than just you by yourself trying to figure out how to bend
this computer to your will?
Lesley Carhart: 2:51
When I was about 14 I was friends with all the
nerds, you know, that’s what you do when you’re a nerd.
Jason Nickola: 0:00
Right
Lesley Carhart: 2:59
One of my friends came to me and said, there's this company
that's hiring interns. They're hiring intern programmers and you know how to
program, right? And so I went there and I interviewed, and this was the dot com
boom. You know, it's different now. At the time if you knew how to use a
computer, write some code, you could get a job, and I definitely wouldn't say
it's like that for programmers today. This was the wild west, and they hired me
on as a ColdFusion and SQL developer at the time. And I was a kid, working
writing code, and for, you know, kid job prices. But it was great exposure to
corporate life and computer science and working in IT. So, I've been doing this
for a very long time.
Jason Nickola: 3:42
So, being so young - was that kind of nerve
wracking? Were you just excited to be there or, you know, did it make you feel
like you were playing with adults?
Lesley Carhart: 3:52
You're invincible when you’re a teenager. You know
everything when you're a teenager - except that you don't. And you know, it
wasn't bad. It was a cool culture to be a part of. You know, nineties IT
culture and hacking culture was just such a blast. Everybody was hopeful for
the future. I think that was really kind of a heyday, even though it was the
wild, wild west, because everybody thought the sky was the limit. You know,
where we would go. We weren't thinking about all these consequences we have
today, ethical consequences and, you know, social and political consequences of
the Internet and technology and social media that we have today. It was let's
go see what this wonderful new thing can do.
Jason Nickola: 4:34
Yeah, and the hacker and kind of tech community around
Chicago, is that how you first started to get exposed to some of those ideals
and how did you start to build yourself out as a community member in the
earlier days?
Lesley Carhart: 4:49
There was always a wonderful hacking community and tech
community in the Chicago area. It's always been a good center for a very
friendly community and a good group of folks, a lot of people who want to help
each other succeed. It's changed a lot, but it's always been good people.
Jason Nickola: 5:06
Right. So eventually you move on and you were in the armed
services right, you were in the Air Force?
Lesley Carhart: 5:11
Yeah, I was in the Air Force. After the dot com bubble
burst, you know, it was kind of like what now. Like, this is this sounds kind
of cool, let's go see how airplanes work, you know? So, I enlisted as an avionics
technician taking apart aircraft radios and GPS in the early days of GPS and it
was really cool.
Jason Nickola: 5:38
So, with your exposure to other areas of engineering and
technology, was there ever a sway to move you further toward that stuff, or did
you kind of have a running theme the entire time that computers are kind of my
thing, I'm committed to that, and I'm doing other things to expose myself to
new areas and to grow. But have you been consistently committed to computers
and technology as a career throughout?
Lesley Carhart: 0:00
It’s all technology, and I’d say I've always actually
naturally been a more of a circuits and wires person than a programming person.
I think people’s brains are protected a little bit differently, different
people are wired differently, and I've always been much more on the side of
circuits and wires and how are things processed at a low level than at the
higher level, like object-oriented programming thinking. And it's fine to do
either, but that does just fit naturally. I have an electronics degree and an
avionics degree as well as network engineering. That's kind of more of the way
that I work. So, in my brain it all fits together, in my brain I see the big
picture, and you know, it doesn't matter whether it's a computer that's running
avionics, or it's a computer that's running smart devices, it's all circuits.
Jason Nickola: 6:51
So, you mentioned that you studied networking,
and at that point coming out of that you were in the armed services and you
have a degree with formal education and you were a very precocious child that
learned to code early on and that professional –
Lesley Carhart: 7:07
Oh, I was a horrible child. But I guess I was precocious
[laughs].
Jason Nickola: 7:07
[laughs] I actually think about those kinds of things
sometimes, as I have a young son and as I start to see him demonstrate the same
kinds of curiosity and stubbornness and just real wonder at how things might
work and then frustration at not being able to figure things out entirely and
communicate it. It must have been very difficult to put up with me when I was a
child.
Lesley Carhart: 7:31
Yeah, my dad is an old school hacker. You know, he was a guy
building his own TVs out in the garage. We had constant wars growing up. He
installed a switch that was like seven feet tall on the ceiling to shut off the
phone line to my room. That was before the days of WiFi filtering. I’d be, you
know, doing whatever on the phone line and he’d come up and he'd switch it off
and I couldn't reach it without getting some boxes. And then, you know, on the
computer side of things he learned how to lock down executables as he could in
DOS. And then I'd figure out a way around it. It's amazing we didn’t kill each
other.
Jason Nickola: 0:00
It's fun and funny, but it's great experience too.
Lesley Carhart: 8:38
Sure, absolutely.
Jason Nickola: 0:00
So, by the time that you're ready to join the professional
world as an adult, you have way more experience than most people do at that
point because of some of your background. Did you feel that you were just
really confident to step into your first role? Were you super assured? Or was
there some trepidation as you started to step into the professional world?
Lesley Carhart: 8:38
Nobody’s confident. Nobody who knows a small
amount of things, nobody who's seen the big picture is confident they know a
lot. The more you learn in IT, in security, if you have any sense at all, what
you should be learning is all the things you don't know. And still that happens
to me today even. Somebody throws some random PowerShell problem at me, and
I'm like, wait what. I haven't done that recently. You never feel totally
assured that you know everything, no matter how long you've been in security,
if you have any good sense and you have a real understanding of how big and
complicated the problem really is.
Jason Nickola: 9:22
Sure. Yeah, that's such a great point. If you have your wits
about you and you're going about things the right way, then sometimes the
increase in experience is actually more of a notification that wow there is so
much more to learn, there's so many skills that I still have left to learn.
Lesley Carhart: 9:40
Which is just great. It's great, I don't want to spend the
next 30 years of my working life, you know, being bored, not having anything
else to learn. I don't think there's any risk of that here. And there's jobs
out there like that that don't change a lot and you learn everything and just do
the motions for 60 years. You know, it's crazy, you know?
Jason Nickola: 10:02
Yeah, and there are lots of roles in lots of places where we
need those kinds of people that are more steady. But one of the things that I'm
really passionate about, it sounds like you are, too, is finding people who
have those same kinds of intangible skills that are maybe misplaced or
underserved or just haven't had some of the opportunities yet because if you
can find those people that are really passionate about growing and want to
learn new things and continually push the boundaries and that we are in the
field where you can have a lot of success if you just get the right opportunity.
Lesley Carhart: 10:33
Yeah, if you have the right climate. And also, if the people
around you understand – and something that I've really realized it's important
over the last few years as I've become, I’ve gotten into more senior roles,
more leadership roles, is you have to be in a culture that also understands how
you learn and how you think, that team dynamics stuff is really important to help
you grow.
Jason Nickola: 10:57
So important, sure. That's a great point. So, coming into
technology before the burst of the dot com bubble and then becoming a cyber
security professional, kind of at both of those stages, there's a lot of new
ground right and especially as you start to talk about women and minorities
there weren't as many models for success, and people that look like you or
sound like you or come from where you come from, that can kind of show you the
way. Did you have anybody –
Lesley Carhart: 11:28
No, I’ve never had that. I’ve never had that once in my
career really. I've never had a woman or non-binary mentor. I've had some
mentors later in my career, but really I had to go it alone early in my career.
You could find a lot of people who wanted to talk about things, you could find people
who wanted to explain how things work because people like to talk about things
that they know. But as far as like, OK, so this is what you should do next, no,
I didn’t [have that] starting out, and part of that was you had to work really
hard early on in this field to be accepted as one of the geeks. And, it's
gotten better but in the nineties and the early two thousands, man. And it
wasn't just, you know, IT and working in the field. It was being a Star Trek fan
or being a science fiction literature fan or liking gadgets, liking RC planes, things
like that. You showed up to those places, people made assumptions about you by
looking at you. They made assumptions that you didn't have the technical
knowledge, that you hadn't been doing this since you were a kid, that you
didn't have the fundamentals down. And you had to get in there really quick and
start, you know, being assertive and banging away and proving that you were one
of the guys. In any subculture, it's the way human brains are wired. Okay? It's
easier is a concept in anthropology called “the other,” and we tend to see the
group of people who are like us and whether that's, you know, subculture,
culture, politics, religion, our gender, you know, we see people who are like
us, and those are our people. And then there's these other people and that's
where these kinds of biases come from. We see somebody who doesn't fit in our
box, and we're like, they must not be like us, you know? And then we started
having problems, so definitely being assertive in being out there and proving
that I knew my stuff was really important. It's a lot harder to find mentorship
when people are like “You're not like me. I don't know how to handle you
because you aren’t in my group.”
Jason Nickola: 13:36
That’s one of the reasons that I think having those models
is so important because the reverse of that is that you know, if you don't see
anybody like you that has gone the path that you would like to go, then it is
easy, especially for some personality types, to maybe adopt that and limit
themselves from areas that they don't see others who they can relate to, kind
of breaking into it.
Lesley Carhart: 14:02
Oh, sure. And if I could encourage people to do one thing is
try to think outside of at least the box that you see, and this goes all
directions, this goes for everybody. When you see a group of people and they
don't look like you, understand that you might have similar tastes outside of
the visual things, you know, they don't have to look like you. It's what's
going inside in their brains and their lives. And you don't know any of that by
just looking at somebody. It doesn't matter how they dress. It doesn't matter
their gender, it doesn’t matter their ethnicity. You don't know what's going on
inside their brain. You can't make those assumptions. We are a community made
up of a diverse group of human beings. And that's the important thing. It's who
you are and what you bring into the field and your interest in it that matters.
Jason Nickola: 14:53
Yeah, it seems like the answer to so many of our problems is
just to sit down and talk to people and kind of get into the weeds even though
we as a species do our best to avoid that.
Lesley Carhart: 15:03
And focus on the similarities and the benefits that the
diversity can bring. You might share a lot of things, and then the things that
you don't share, the differences that you have, only make us stronger, only
make you better. They only help you learn more, and they help the community
grow: the community of practice and the social community.
Jason Nickola: 15:24
Right. So, it sounds like early on you identified that even
in some of these subcultures I have to prove my chops. And I’m gonna do that by
knowing my stuff and sounding confident and being assertive. Were there times
when you maybe second guessed yourself or there was enough of going against the
grain and trying to beat back some objects in your path that even just a little
voice in the back of your head that would start to say, “well, maybe this isn't
for you?”
Lesley Carhart: 15:55
Yeah. So being somebody or not is very exhausting. When you
have to be part of the group, when you have to be one of the guys, yeah,
there's a lot of hate. This is quote unquote “guy things” that I like, like
marksmanship, like hunting, and I like the technology stuff and science fiction
and all that jazz. I love that stuff, I really do. But then there's other
stuff, like football and golf, and I don’t care about it. And just like the
seedier side of the guy culture. And there's these judgment calls that you had
to make at the time. You know, like I am in this community and they're saying
really important things that I need to learn about technology. And if I say,
stop making these jokes about sometimes really horrible things, if I speak up, then
I’m not gonna be one of the group anymore. I'm gonna suddenly be that “other”
and they're going to ostracize me, and then I'm gonna lose my access to that
community that's educating me on this field. You make a choice there. You have
to make a decision. Do I hope to make a dent in this person by getting in a
debate with them, and get kicked out of the group? Is that the ethical thing to
do? Is that the right thing to do, is losing my access to this group and my
ability to move further in this career? Or do I keep my mouth shut and not say
anything about this horrible culture or activity or something that's going to
harm somebody else? It's a constant set of decisions like that when you're
bidding into a culture that isn't yours or a group of people that isn't exactly
like you. And I don't think a lot of people realize that people are making
those decisions.
Jason Nickola: 17:51
Yeah, you're absolutely right. It's an important part of the
conversation that gets lost in the shuffle, especially from people who maybe
don't put as much credence in the need for advancement of any minority culture.
And it’s gatekeeping, is largely what it is, because you have to overcome and
make a lot of these decisions and deal with uncomfortable situations that other
people just don't have to.
Lesley Carhart: 18:15
I mean, it's not necessarily things that every white male likes.
A great example is, and I know you've been in this field for a long time, so
back in the late nineties, early two thousands, a big thing at security
conferences and security events was going to strip clubs and, yeah, not every
guy wants to do that, either. It's like a bravado thing. So, you know, it's
kind of awkward to be taken there as a professional event and just awkwardly sit
there and have beverages while some of the guys are having a good time, and
having that being a gate to get into a meeting next day, or being part of a
community, that's difficult. And to some people, that is much, much more
offensive and difficult to deal with for religious reasons or for cultural
reasons or for personal reasons. And I mean, why do you have to do that? Why is
that necessary? Really, I know it's like a bravado or macho thing, but there
are a billion other places you could meet. Why? Why did they feel like that was
necessary? Unless it was intentional gatekeeping.
Jason Nickola: 19:28
Sure. So, at what point would you say your career
started to shift into cybersecurity specific focus?
Lesley Carhart: 19:36
I moved into a SOC after a while. It took a while. I really
wanted to do digital forensics. That was my thing. I had loved – and again I'm a
circuits and wires person – so hard drive forensics and RAM forensics was
something that fascinated me for a long time and just the investigation of it
is really cool and, man, I tried so hard for years and years and there weren't
many jobs at the time and not in that field. And I couldn't find anybody who
would even have a conversation with me in terms of mentorship. Though
eventually the only way I found to get hands on with forensic software was
becoming a SOC analyst. And that's what I did.
Jason Nickola: 20:20
Cool, so at what point would you say your career
really started to take a turn? So now you're really well known, and you're the
one thing that I appreciate is you’re well known for continually being positive
despite the fact that you've had a lot of success and get a lot of recognition.
I think there are lots of examples of that not being the case, I appreciate
that. But at what point would you say you broke in and you started working in
forensics, and then there starts to develop this entire field around
cybersecurity, and you get these niches like DFIR and offensive security, these
kinds of things. You started to grow and become somebody who's known in the
industry. Was that something that was difficult for you to deal with? Was it
just kind of a natural thing, or was it a little maybe weird to you?
Lesley Carhart: 21:09
In terms of just having people listen to what I had to say,
I don't know why people do that, oh, my gosh. You know, I've been doing this
for a while and I know a few things, and I like to share them, and I try to be
positive. I definitely try to, because there's a lot of negativity in our
field. And I mean, God, we're not putting out house fires, we're sitting in
front of keyboards, for Pete's sakes. I don't think you can take anything that
we do that seriously. It’s really important geopolitically in a lot of cases, but
again, we're not out there, you know, with buckets and hoses. You can't take
yourself too seriously in this field. And I think that a lot of people who get
a lot of attention really start to think that they're rock stars and they’re
the best thing since sliced bread.
Jason Nickola: 22:04
That’s one of my least favorite terms in business overall
and then in security specifically is that concept of a rock star.
Lesley Carhart: 22:10
I'm just some person, you know. If I can help people do
better, that's great. I can help the community move forward. I'd like to make a
mark on it somehow. That’d be really nice. I’d like to see the next generation
not deal with some of the problems we've dealt with. Hopefully, by the time we
get two generations down the line, Windows XP is gone, but it won't be. It’s
always a little awkward for me to have people come up to me and tell me they’ve
been following me and they're super excited to meet me and oh my goodness, it's
just a little overwhelming. Yeah, but I'm glad to have made some dent on
something in the world. I think that's all that we can do as humans is try to
leave the world a little better than we came in.
Jason Nickola: 0:00
So, imposter syndrome is kind of a buzz word lately, and
it's gotten a lot more attention, which is a good thing because it reduces some
of the stigma. But is this, looking back on your career, is it something that
you see a running theme of? Was there evidence of it maybe earlier on in your
career? Is it something that you've only more recently become exposed to?
Lesley Carhart: 23:21
Oh, gosh, you know, I said this earlier in our chat.
But if you know anything about the field and you really have taken the time to
understand what security is and what computer science is, if you're not feeling
some impostor syndrome some days, then you really should be [laughs]. It's just
our field changes by the minute. It changes by the minute; there's new
vulnerabilities, there's new tactics from adversaries. There's new problems
that we have to face socially and politically. And what our job is - the little
blurb for our job position in general for cyber security changes by the minute.
And if that doesn't make you feel some imposter syndrome, I mean, I don't know
what to tell you. We all feel it. Like I said, I run into weird questions about
security or logs, niches that I'm not really involved with every day. I'm like oh
God, here's this whole other field that I don't know a lot about, and I don't
know when I'm gonna have time to learn more about it. And I'm very lucky to
work with a lot of really, really brilliant people in niches that are not my niches,
especially, you know, advanced red teaming stuff, exploit development, and I
wish that there were 50 hours in the day and I didn't have to sleep, and I
could just study more of this stuff.
Jason Nickola: 24:47
Right. Yeah, so for me being a SANS instructor
and trying to present more and be out in the community and even in my day job
talking to lots of important companies and that kind of thing, you sometimes get
into a mode where you’re just like, do I belong with this group and is this the
right opportunity for me? And when I talk to others about it, that's one of the
most common repercussions of imposter syndrome that I find, is people gatekeep
themselves from new opportunities. Whether it's seeing a job posting that
they’d really love to go for, but they see that it says you need to have 5 to
10 years experience and they don't have that yet, or looking at a community
group and seeing some of the people that are involved in and deciding, well,
that group's not for me, because I'm just getting started. Do you hear a lot of
those same things of people kind of keeping themselves from opportunities just
because they're unsure of whether or not they have the chops?
Lesley Carhart: 25:47
So, Auntie Lesley secrets for young people getting into this
field: we've all been rejected, we’ve all applied for jobs and got rejected and
it's been terribly disappointing, and we don't know why, but – and community
groups too. We've all gone to a conference or gone to a meet up where the
people were toxic, and they were just really unpleasant to deal with or they
just didn't want us there. It was their group, and they didn’t want us there,
and that rejection will happen.
Jason Nickola: 26:20
So, one of the things that I really enjoy about
your story and some of the things that you talk about is you are interested in
so many different things. I think it's probably rare to find a woman that works
in cyber security that was in the military, that does martial arts and a lot of
the things that you're interested in. So, I think that having lots of different
interests and finding small success in many different areas can be a real
confidence builder and help to do things like combat feelings of imposter
syndrome when they do happen. Has that been your experience? Have you made a
conscious effort to try to be varied in your interests? Or is it just, you
know, a natural occurrence of your personality?
Lesley Carhart: 27:06
Oh, well, I mean, I would like to be a doctor and a lawyer
and an astronaut [laughs] and I want to learn everything. But, you know, it's
really important to be, for work-life balance too, you need to be well rounded
and be a human being. There's a lot of people in our field who think that to
succeed, they have to work 12 hours a day in security and nothing else. And I meet
people like that sometimes in job interviews. And I try to get them to talk
about their other hobbies and tangential stuff, and it's like “I build exploits.”
And that's okay, but human beings should be able to do a lot of different
things as well, like survive and take care of themselves and be a well-rounded
conversationalist. You should have outlets. It's just good for your mental
health and wellness. You should have things that help you walk away from
security for a little while, even if they’re tangential things like
electronics, you know, hacker space stuff, etcetera, craft projects. But you
need to have things that help you decompress and stay healthy and stay
balanced. And that’s gonna become - when I said I said earlier, when you're
young, you're invincible. You know, when you become a little bit older after
you've been invincible for a while, you realize that you're not invincible, and
you need to do things to make yourself a healthy person and step away from your
work sometimes. And you know, you only live once, too. And if you want to do
things other than security in your life, well, get out there and do them
because your life goes fast.
Jason Nickola: 28:48
Yeah, it sure does. Something else that I think
really plays into being able to build up your confidence and combat feelings of
imposter syndrome is training and getting some of the actionable skills and
getting credentials that when you look at what you've accomplished can make you
feel good about things. But for me being in a room with bigger companies and
accomplished people and really smart instructors and just getting out and
having the experience and feeling like, hey, I can keep up and I can do good
work even with people that I respect and that I know are strong in the field,
has been a real asset. I know that you've done a lot of training and have produced
resources on certification study and that kind of thing. Has that process been
helpful to you, not just in building your skills, but in more confidence
building and your ability to continue to push yourself out there into the
world?
Lesley Carhart: 29:45
I think that formal education is great. I think that there's
definitely other avenues if it doesn't work for people or if it's not
financially doable. But I mean, there's a lot of things you gain from being in
a classroom situation or doing formal organized training that you don't
necessarily gain from self-study, and they're not necessarily the technical
details. I've always been one of those people who does say that college is a
great route to get into security because - I mean, it doesn't work for
everybody. There's definitely other avenues, but certifications, college
classes - you get things out of them that are separate from, you know, just the
stuff on the page. And there are things like what's the instructor's teaching style?
So, when you teach a class, Jason, you probably teach it differently than the
other people who teach that certification. You take pauses at different places.
You explain things differently. You might explain problems from a different
direction or a different perspective, sharing your work, your real-life
experience and stories and you're helping people grasp things from a different
direction, and you're also teaching them how to teach. Because everybody who
teaches or instructs - and I teach courses as well, certification courses from
my employer. Everything that I know as a teacher, I've never gone to a formal
course on teaching, but everything I know about teaching, I've learned from
watching other instructors in college and in certification courses. So, you're
getting that, too. You're learning how to express and convey ideas to other
people, and you're learning how to organize your time, you’re learning how to plan
for an exam and get your ideas on paper and sort them out in coherent ways. So,
you're not just getting the certification contents, which are great, but you're
also learning a bunch of other skills as well. So, I'm definitely an advocate
of both, and I think that they're both beneficial, but if you can't afford them
there are other options. Or if they're not something that works for your
perspective and your mind, that's fine.
Jason Nickola: 31:44
Sure. So, you mentioned that early on you didn't really have
a mentor, and it might have been nice to have one. You've grown into someone
who really provides a lot of even indirect mentorship by sharing your
experiences and putting a lot of resources out there in the world. How has that
experience of not having a mentor and kind of having to work through some
doubts and build your career on your own, how has that colored the way that you
try to be involved with the community now, as somebody who's kind of come out
on the other side?
Lesley Carhart: 32:17
It broke my heart. It made me really mad, you know. I
desperately wanted to get into forensics much earlier. I desperately wanted to
learn more about DFIR topics. And I really wanted that mentorship. I wanted
somebody to talk to about these things that fascinated me and I couldn't find
that. And I don't want anybody else to feel that way. I don't want anybody else
to be out there and going, I don't know how, I guess I'm gonna give up now. I didn't
give up because I'm stubborn. But, you know, other people do give up because of
these gatekeeping things. These unconscionable things that people do with the
culture and they give up and they decide not to go any further because they
feel like they're never gonna be accepted in the group, or they don't know
enough or they’re never gonna know enough. I hope I can save some of those
people. It's a big industry and there's a lot of fields and there's a lot of
different ways you can go about working in them.
Jason Nickola: 33:16
I think you're one of the best examples of trying to provide
those positive messages and really not only focus on the technical component,
which we're all interested in, but in things like how to build your career and how
to interview well or how to construct your resume so that you can get new
opportunities and kind of pushing people beyond their comfort zone. So, with
that experience and in kind of your place in that area, what words of
encouragement would you offer to listeners that are maybe thinking, I want to
get into cybersecurity or I'm working help desk or I'm trying to build my
career, I'm just not feeling like it's for me or are there opportunities out
there that I could get. What would you offer to those people?
Lesley Carhart: 33:57
Find something that fascinates you. Go out there and watch
videos from conferences or read articles, whatever medium. Or, if you prefer,
listen to podcasts and find some little tidbit in there that really, really
just cooks your bacon. You're like, this is really, really cool, and focus on
that for a while. Go read into it more. Go down your YouTube rabbit holes or,
you know, start reading up on it. Spin up a virtual machine at home and start
poking at things. Find something that makes you sit there when you could be
watching Netflix at night or, you know, out with your friends at the bar, you
want to stay home and read more about this thing or listen to more podcasts
about this thing. And it could be an incident in the news, a cyber security
incident. Or it could be a vulnerability. Or it could be a historical story
about, you know, a piece of malware and how it impacted or how it was built.
You know, whatever area of cyber security interests you, find that thing that
really, really makes you want to sit there and learn more. And then once you've
really read into that, hey, that's your thing. You can explain that to other
people. Go give a little talk in your local community group or, you know, if
you're not comfortable with that, write a little blog or something. It's okay if
it's old news if you explain it in an interesting, informative way and it's useful
for people who are also in your position. So, it's really a matter of when
you're up against the odds, and you're like, I don't know if I know
enough, I don’t know if they’re going to accept me, find something that makes
you want to fight.
Jason Nickola: 35:32
That's a great point. And also I'm definitely stealing the
term “find something that cooks your bacon.” I think that needs to be on a t-shirt,
if it’s not on a t-shirt already. Well, thank you so much for joining us, Lesley.
It was great chatting and I really appreciate it.
Lesley Carhart: 0:00
You too, thanks for having me!
Jason Nickola: 0:00
That was Lesley Carhart, Principal Industrial Incident Responder
at Dragos. Thanks to all of you for joining us for our first full episode. Be
sure to subscribe wherever you get your podcasts and visit giac.org/podcasts to
sign up for alerts about the show. We'll see you in about two weeks for our
next full episode with Chris Cochran, Threat Intel Lead at Netflix, to chat
about building confidence and experience you can lean on during an incident and
throughout your career overall. So, thanks again and we'll see you all soon!