From salesperson to security analyst, Siobhan Kelleher, who works at Boston College, a private university in Chestnut Hill, Mass., is emblematic of the many people who have traversed non-traditional career paths to arrive in the cybersecurity profession. She is also validation of how much promise awaits the industry when its skills gap becomes narrowed with creative and passionate practitioners.  Please enjoy Kelleher’s story of growth, development and confidence building.

1) Hi Siobhan! Thanks for (virtually) sitting down with us. Tell us about where you work, what you do there, and the role security operations play there.  

I am a senior information security analyst in higher education. A college campus is like a small city, so the team works on all kinds of projects. From things like securing network printers; ensuring faculty, staff, and student data and all types of research data is secure; to odd things like making sure IoT (internet of things) refrigeration units are safe. With all this comes regular security operations work: log collection, reporting, analysis of trends and IR. Most of what we do in relation to security operations is responding to alerts or reporting on trends we see in traffic. I have been specializing in web application security lately and getting to test out all kinds of attacks to learn how best to defend against them. In a small team, everyone does a bit of everything. 

2) Describe your career path and what propelled you to want to work in security?

I did not come into security in a “traditional” way, though I have to be honest, I am not entirely sure there is a “traditional” way. I was working in retail sales, and I decided I wanted more. I went to the local community college and looked at the degree programs. Eventually, I settled on its digital forensics program. While working full-time in sales, I took a full-time course load and got my associate’s degree, then transferred to a four-year school for my bachelor’s. After I graduated, no one would hire me because I had almost ten years experience in sales and sales management but none in IT.  I had to take a service desk job and work my way up over a few years. 

3) Open-source intelligence, the concept of leveraging data from publicly available sources, is one of your areas of passion. What do you find fascinating about it and what makes it valuable to security teams?

I have found my knowledge of OSINT most useful in user awareness. People have no idea how dangerous the information available on the internet about them can be. It is important to ensure your users understand their risks to social engineering attacks like spear phishing, especially your VIPs. The research skills used for OSINT are also really similar to the skills you would use to hunt for threats in your environment or investigate an alert. It is really fun to use analytical skills in different ways to research various types of information. 

I have found my knowledge of OSINT most useful in user awareness. People have no idea how dangerous the information available on the internet about them can be. It is important to ensure your users understand their risks to social engineering attacks like spear phishing, especially your VIPs

4) Which cybersecurity threat worries you the most/keeps you up at night?

One of the biggest concerns I have is not related to a specific cybersecurity threat. What concerns me is that we have many lawmakers at all levels of government who don’t understand technology. They cannot adequately create laws around protecting people’s data because they don’t understand all the ways it can be misused. We are making strides, which is, encouraging but there is still a lot to be done. 

5) What’s one piece of advice you’d give for someone considering a career in security?

Security is not an easy job, but if you want to be here, you belong here. Don’t let anyone tell you otherwise. 

6) You appear to be an active speaker on the infosec conference circuit. Why is this important to you?

I love having the opportunity to speak at different conferences for a few reasons. The first is that I am a woman in infosec: There are not many of us, and it can feel a little lonely. Seeing other women speaking at conferences has always made me feel more welcome. I hope that I give other women the same feeling. Additionally, putting your knowledge into words and teaching other people is a great way to combat imposter syndrome, boost your confidence and solidify your knowledge. I strongly recommend speaking to anyone who struggles with imposter syndrome, even if it’s just to a small group at work. You will prove to yourself you know what you are talking about and share your knowledge with others!

I am a woman in infosec: There are not many of us, and it can feel a little lonely. Seeing other women speaking at conferences has always made me feel more welcome.”

7) What is the most interesting thing you’ve learned (or learned about yourself) since the pandemic began? It doesn’t have to be related to security.

The most interesting and important thing I learned through the pandemic is that the voice in my head that says “I can’t” is not actually one I need to listen to. I used to tell myself that lie a lot to protect myself from doing anything scary. As soon as I stopped believing that little voice, I learned I could do all of those things and more. 

8) What books, blogs or podcasts have you read that have helped you advance your security operations skills and career? (Choose one or more.)

My favorite podcasts are: Layer 8, CyberWire, Breadcrumbs, and Malicious Life

A few books I would recommend are: “Women In Tech” by Tarah Wheeler, “Open Source Intelligence Techniques” by Michael Bazzell, “Why People Believe Weird Things” by Michael Shermer, “Getting Things Done” by David Allen, and “Difficult Conversations” by Douglas Stone et al.

9) Which security industry luminary would you most want to have dinner with and why?

Tarah Wheeler. (Editor’s Note: Previous SOC Star interviewee Haylee Mills also chose Wheeler as her dining companion. Read her  book, folks!) I saw her speak for the first time in 2017 for her talk “Freaks and Geeks: Why Infosec Needs To Be Weird To Save The World.” It was about the importance of diversity when building security teams. In a room full of middle-aged, white men in suits, I sat there with my friend, the only women in our sections and the only ones in jeans and T-shirts. I felt so out of place, but her words helped me realize my weirdness makes me an asset. I look at things differently, and that’s important when we are looking at different ways something needs to be secured. Her message is something I have kept with me when I feel like I don’t belong in the room. I remind myself not only do I belong, but my voice is important. I bring my uniqueness to the table. 

10) Given that you work in cybersecurity, what’s the funniest or most memorable help request you’ve gotten from a friend or family member?

No one in my family really understands what I do for work. They think I fix computers. I don’t even like to fix my computer! The oddest requests come from my dad, an engineer who is always trying to develop new ways to do things. I would have to say it was a tie between the time he asked me to help him build a Pringles can yagi antenna and the time he asked me to wirelessly stream the video content of the TV upstairs to the TV downstairs so he could get a snack without missing part of his show. He comes up with some pretty creative ideas. 

11) What is like working security in an academia environment versus, say, a traditional enterprise?

My direct security experience is primarily with academia. From what I hear from my peers in traditional enterprises, we all struggle with similar issues. Things like budget concerns, understaffing, getting buy-in from the top down and getting users to follow policies are universal to an extent. The biggest differences are that your average enterprise isn’t also going to be an ISP for thousands of students, and in a corporate environment things are more likely to be centralized. Many colleges have different IT teams for each school/department because how you would handle something in a nursing school will be different than how you handle it in an art school. Your average enterprise also won’t have things like a power plant. A college really is like a tiny city, which makes it very interesting when you look at all the different areas that need to be secured.

You can connect with Kelleher here.

Are you or somoene you know a SOC star with lots of insights to share and who is deserving of recognition? We’re always looking for new candidates. Email Siemplify Content Director Dan Kaplan.