Last time, I spoke with technology marketing communicator Stacey Holleran. Our work is similar but different. Plus, she warned me about what I might expect from the tech industry in a few years when I turn 40! For my last interview until fall/autumn, I had the pleasure of speaking with Yaz. She went from the military to a civilian career as a Principal Threat Researcher for Blackberry/Cylance, a company I also work for. We discussed hiring managers being detrimentally obsessed with certs, Islamophobia and... Area 51? Kim Crawley: Please tell me a bit about yourself and what you do. Yaz: I’m a recently separated vet. Joined in 2003, got out last year. I was a signals intelligence analyst. I’ve always enjoyed being in a world most people don’t see. And knowing things that not everyone might know. I’m currently a Principal Threat Researcher for Blackberry/Cylance. KC: Were you interested in computing before you enlisted in the military? Y: Yes – my adopted father is a software engineer, and I wanted to follow in his footsteps. KC: Were you into computing as a little girl? Y: I did enjoy taking computer classes growing up. We had some real basic programming classes back then. (Late 90s.) KC: The first PC I ever interacted with was a Commodore 64 in the late 1980s. Your curiosity led you to take those classes? Y: School was making everyone take them. I just enjoyed it. And I would add things to the code to see what happened. I’ve always been doing things just to see what happens. KC: That's the hacker mindset! Do you think you'd be where you are now, working for such an innovative company, if you had been a civilian your whole life? Y: To be honest, I think I would be further. Before I joined, I was just starting to do web development. And that was leading me to tinker with webpages’ vulnerabilities. I think I would have kept pushing that area had I not joined. I had just discovered spyware before entering, and I thought it was the coolest thing. I had infected my own systems to see what happens. I was starting to really get curious. Joining the military pushed that off, as I had to learn new skills and had less time to tinker around. But the military taught me how to track threats in the cyber and signal space. And that was really fun! I use both skills now. But I feel my scripting skills and pentest skills would have been better if I didn’t join. KC: When did you start pentesting? Y: I started to tinker with things around age 16. Didn’t take the CEH (Certified Ethical Hacker) test until 2014, though. I didn’t even know pentesting and reverse engineering was a real job until 2012-ish. I think the military shielded me from buzzwords and certs. I know CEH was a buzz cert years back. Everyone wanted that. And now I think it’s CISSP. KC: Yeah, the CISSP is really hard to get. I also think, unlike the CEH, it requires years of industry experience first. Y: I’m not sure. I don’t have funds for certs, so I hardly ever look into them. KC: Do you think employers are often too obsessed with certs? Sometimes I think companies should pay to train a promising person for a CEH or CISSP rather than demand it of the job market and then complain that they can't find anyone qualified. Y: I think some companies are too focused on certs. And I feel like those hiring managers turn out to not have a good understanding of things. If that makes sense. Like a good hiring manager knows a person might be kickass and broke. KC: Yeah, honestly when companies complain about not being able to find qualified cybersecurity people, my eyes roll a bit. Y: Same. A good company with a good grasp on the field won’t demand every cert. I feel like the more a hiring manager doesn’t understand the field, the more they cling to needing all the certs. KC: And maybe invest money in training for certs and paying for their employees' exams! Crazy idea. Y: I was hired for a malware analysis job with a focus on reverse engineering, and they wanted a CEH for that... KC: I always thought of the CEH as a red teamer/pentesting cert. Y: It is! Haha. The hiring manager had no clue how to use me as a malware analyst when I showed up the first day. KC: Maybe HR managers don't know what they're doing a lot of the time. What are some of the misconceptions about the work that you do? Y: People assume I do admin stuff. Like hand out creds. Some people think I sit around and put malware in sandboxes all day. I had a dude basically tell me my job couldn’t be hard to do cause I was a “girl.” My 16-year-old tells his teachers I’m a hacker... I got a call about that because they think I’m doing illegal stuff. The assistant principal told me to have my child stop talking about my job at school. I told him he needs to grow up. My job isn’t illegal, and I’m not a hacker. Some people think I fix computers. Some people think my job is DevOps stuff. Most people just don’t understand cyber threat intelligence. (It’s why I finally made a talk for it.) KC: Oh gosh, I've written about misconceptions about hackers for 2600 Magazine. I feel for you. Y: One person thought I took apart alien stuff at Area 51! I said I do reverse engineering stuff, and the dude said that. “Oh, so you take apart alien software at Area 51?” I was like... sure? ‘Cause at that point why not go with it. KC: What kind of malware have you reverse engineered? Y: So much stuff. I have blogs on the Cylance portal. Basic malicious macros, encrypted upatre, North Korean malware, point of sale malware, Emotet and more. KC: Is reverse engineering fileless malware more difficult? Y: It was the first time. But it’s just code that is injected into a running process. So the hard part is being in the right spot. Everything is hard the first time. And sometimes the second and third time, depending on the malware. KC: Has sexism ever impacted your career? Y: Ugh, yes. When I wanted to stop deploying, I took my first cyber interview at US-CERT, and the lady said she couldn’t hire me because I would be a distraction to her team. KC: From a woman? Wow. Internalized misogyny. Y: It was an older lady. And there was the guy who interviewed me in the room. He just gave me a look. She insulted us both. I think her comment led me to want to wear hijab more. I wanted to cover myself up. I wanted to be unnoticed. KC: So, you must be impacted by Islamophobia, as well. Y: I deal with men not wanting to take my answers or results at work. And my team lead has to step in and back me up. My coworkers will use language to back me up when we get men not wanting my answers. They will say “I agree with Yasmine” or “as Yasmine mentioned.” Thom, my team lead, understands the struggle because his wife deals with it. And he tries to be proactive to stop it at work. I get less people caring about my religion in this field. It’s more being a female. We do have one person who made a comment about us not hiring enough white people. I turned him into HR. KC: Wow. Yeah, sometimes I forget my white privilege quite honestly. I have a face full of piercings, and I'm goth, and I don't get anywhere near the kind of bigotry I would get if I wore a hijab. (I know that white people can be Muslim, but Islamophobia is about perception.) Y: It’s easier to get further in interviews I think when I’m wearing hijab. Because people have to pay attention to me. I’m not giving them anything else to look at. KC: I have learned so much from you, Yaz. Do you have anything else you'd like to add before we go? I'd love to hear it. Y: Nothing to add!
Previous Interview
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
