In our second episode of The Cyber Security Matters Podcast we sat down with intelligence specialist AJ Nash. He is the VP of intelligence for external cybersecurity company ZeroFOX, and he spoke to us about his journey through the Intel sector and how that’s lead him to where he is today. Read on for his perspectives on accessing the cyber security and intelligence industry.
How did you first get into the Cyber Intelligence industry?
That’s a good question, and like a lot of people, I didn’t have a straight path. It wasn’t intentional, but I frankly don’t know if there’s a single thing in my career that’s got me here. I originally joined the Air Force, my intent was to be a police officer and go to law school, and my test did relatively well. I was in the Air Force for nine and a half years, then I medically retired and moved into defence contracting. And so I started doing traditional Intel work in counterterrorism, counterinsurgency, things like that.
I was recruited for an opportunity. I had an interview with a defence contractor, and I literally interrupted them about five minutes into the interview, and said ‘I think I’m in the wrong room’, because all we were talking about was maths, science, computer science, operations research and cybersecurity. I didn’t know anything about most of the stuff. I told them ‘I’m an intel guy, where’s the terror? Where are the bombs?’ And they said, ‘No, no, we got people for all these things. What we need is some intel folks, we’re trying to build a new concept for how to do intel analysis specifically for cyber, and we need to have experts. We need people who can translate this to make sure this is useful.’ That ended up becoming what we called at the time cyber intelligence preparation of the battlespace.
It was a great opportunity, and I accidentally got into cyber and helped work and develop that programme with amazing, smart, brilliant people. I was one of the folks who helped write the book along with my five or six colleagues. A couple of folks did the training. This ended up becoming foundational training for contracts at NSA and Cyber Command for a lot of cyber work. And so I learned a lot from a lot of people much smarter than myself. And that’s how I ended up in cyber, which was very much accidental like I said. So you know, from a career standpoint, it’s great to do terror and terrorists, there was certainly funding there, and then you go into cyber and it was a lot of funding there too. And so that led to a career doing cyber intelligence work at the agency and cyber command. I went into the private sector also by accident to be honest. A friend of mine convinced me to join LinkedIn, although I had never had a social media account for obvious reasons with my career, I would have been immediately compromised. That was always fun! But somebody recruited me through LinkedIn, and I moved to the private sector.
I had a really winding path from a kid who’s gonna be a competent lawyer to a guy who does cyber intelligence work with one of the greatest companies in the world. So I’m a lucky guy, they say you put yourself in the right position. Maybe I own a little bit of it, but people have helped me along and I’ve just ended up in really good spots.
We talk a lot about barriers to entry into cybersecurity. Is security intelligence still a good route into the industry?
I guess it was for me. Intelligence is enduring, Intel feeds everything. I don’t think it’s going anywhere, so I think it’s a great way to work in this industry. I don’t know if it’s the easiest way to get in, necessarily, but for folks who are coming out of government and military we’ve already got the background and experience. That’s actually where private sector companies probably should be hiring their first Intel leaders. For those who are in university right now, wondering ‘how do I get into cyber?’, it may or may not be the easiest route, because again, only maybe 10% of companies out there have Intel teams, but there is a lot of demand. So if they’ve done the research, if they’ve got the education to back it up, and they can make the pitch, there’s opportunity there. But I also think there’s nothing wrong with somebody who’s coming in and wants to be a SOC analyst or do threat hunting or incident response, they’re all great ways to get in, as long as people understand those are different careers. If you want to transition from one of those to Intel, it isn’t just changing a title and moving desks. There’s some study and work that needs to go into that. From what I’ve seen, most folks who are getting into cyberspace are not coming in through Intel.
Is diversity improving within cybersecurity?
I think diversity is better now than it was, but we have a long way to go. So you know, I think if you go look at any panel discussion, chances are you’re gonna find four white guys on it. If you look at most Intel teams, most cyber security teams, the majority of them are likely to be white males especially in the US and UK areas. But I do think it’s changing. Our teams are great – we have three senior directors on the team, two women and a guy. They do all happen to be white, but one was an immigrant, so we’re not all Americans. I think part of the challenge is the talent that we still have to grow, right? There’s still a challenge in many ways, women are still not being encouraged enough as girls to go into STEM, so there’s still a lot of cultural challenges. The trouble we have is where do you hire the people from if they don’t go through the funnel, if we don’t build people with these skill sets? I think we really need to encourage young people, all ages, races, genders, to, you know, to embrace technology and embrace these opportunities. And we need to put funding in place for them and give them opportunities to do it so that we have more diversity across the board. So that’s a challenge. For people in my position, if you’re hiring folks, you have to keep in mind, I don’t want 10 people on my team that are the same person 10 times over. There’s a value to it for the team standpoint. I think a lot of folks are putting a lot of effort into this. But it’s hard, and it’s a long way to go. So better, yes, but not nearly good enough yet.
You mentioned a few really interesting things there about potential barriers to entry into the sector. So what would you say are the barriers to entry? And what practical steps can we take to reduce those?
Access to education is a barrier. I’ve talked about this around the world. There’s a privilege that I’ve had to get where I am, and certainly access to education has been there. I think we have to develop programmes that give people opportunities, regardless of their socio-economic standing. There are there are great programmes that do these things, other mentorship programmes, and there are other education programmes, that give people some of these options, but we need more of that. We’re seeing at least in this industry a move away from the bias towards everybody having to have a degree. Certifications are really valuable, and being able to demonstrate you have a skill is really valuable. On the other side, I know self taught people who are brilliant but they have a hard time getting the interview. I think folks are trying to do a better job of saying, ‘let’s get them in the room. They say they can do things, let’s test them out.’ We can be more creative in our education, but also much more creative in our hiring.
I think that the biggest barrier to entry right now is still having the resources, funding and opportunity to get the education, skills or certifications needed. We then need to have the creativity on the hiring side to look beyond a paper and a resume and say, ‘who is this person? What do they bring to the team? Can we give them a position and a shot?” That is tough because we’re for profit companies, and a lot of companies don’t want to invest in training, they would prefer to hire somebody who’s plug and play, because it saves them time and energy and money. I think we have some challenges to solve in that area as well, especially as we keep saying that we’re 3 million people short in cybersecurity, and the number goes up every year, so it’s gonna take a collective effort to get there. Some of that might involve the industry buckling down and saying ‘we’re gonna hire people we know are qualified, we’re going to train them up.’ I think we’re seeing some of those areas improve as well.
What one piece of advice would you give to someone who is entering the cybersecurity industry?
My one piece of advice is to be bold. I think a lot of people self-select themselves out of opportunities. Confidence is a challenge. Imposter syndrome is real – I can attest to it. I think be bold, and don’t undersell yourself. If it’s something you think you can do, and you want to do it, even if your resume says nothing about it, try to throw your hat in the ring, Try to get into the interview, try to have a discussion. The worst thing that could happen is you’re right where you left off. You gotta go do the thing, right? Try to get in there and find a way and be persistent with it. If you don’t get it one time, try another time, you know, talk to people. That includes things like just reaching out to somebody on LinkedIn. Don’t stop yourself by thinking ‘that person is really important, they don’t have time for me’. Reach out! That’s how I did a lot of it. I built a lot of my connections just by saying ‘let’s have a conversation’. Now people do that with me, I have had tons of folks reach out to me. They always seem surprised when I answer and I say ‘yeah, let’s have a conversation instead of a call.’ And people seem shocked by that. Listen, I’m not that important. I’ve got time for you, and if it’s something I can help with I will. I think a lot of people think that these people with these great titles and great roles and great amazing things won’t be interested. But you reach out, and you realise they’re awesome, and they’re happy to talk to you, they want to help. If you’re not bold, you don’t ask the question. So what if they don’t answer and move on to the next person? A lot of them will, though. People want to help each other. My best advice is always to be bold.
To hear more from AJ Nash and other industry experts, tune into the Cyber Security Matters podcast from neuco here.
We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.