Listen to learn how you can find the path in data security that's right for you.
Everybody has their own path to finding the job that's right for them. It's often easy to get discouraged when you're in the middle of the path to reach your desired goal.
Luana Pascu (Cybersecurity Researcher, GSEC) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss her personal journey, and how you can find the path in data security that's right for you.
Resources:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics, and I think you're really going to like the topic today. But before we get to it, I've been told, remember to say subscribe and like and all those things.
You know how to do those things. I can't remember what they are on the fly. But please do that so that we can get the word out to more people who are interested in cybersecurity. Okay.
Topic today.
Lots of people ask me, how can I break into cybersecurity? What do I need to do? What are the pathways in? And so I've talked to a lot of people, like mentoring type things, on how to get you, you know, your career path, the direction that you needed to go. And the person that I have coming on today is somebody I think that you're going to really be able to relate to if you're in the process of coming into cybersecurity.
We're gonna talk about several things. We're gonna talk about, you know, what are the different pathways in? What is a job in cybersecurity?
What does that career look like? And what are the things that you can do to take yourself there? Here's her bio. With close to ten years in the cybersecurity industry, Luana is an award-winning security professional included on Canadian Security Magazine's top ten under forty for twenty twenty one. Before finding her passion for cybersecurity and cybercrime investigations, she worked in advertising sales for a top fashion magazine. Her fascination with criminal psychology and initial interest in pursuing a career in law enforcement have ultimately led her to cybersecurity.
Luana's official cybersecurity journey started in Europe at a company that developed email security and was later acquired by SolarWinds.
She later transitioned to Bitdefender where she got a really strong sense of what cybersecurity is all about. For nearly ten years, Luana has covered cybersecurity and technology topics for both consumer and business markets. Her current focus is to understand cybercrimes and how malicious actors operate on the criminal underground, including the dark web and chat groups. Luana's work and research have been featured in countless publications, including Dark Reading, Macworld, Infosecurity Magazine, RSA Blog, Tech Advisor, Biometric Update, and Edge Industry Review.
Luana is currently in the accelerated cybersecurity training program, Rogers Secure Catalyst, in partnership with the SANS Institute to prepare for the GSEC and GCIH certificates. Luana is also working hard to make BSides Montreal happen this year. Luana, thank you so much for joining me on this podcast.
Thank you so much for having me, Jen. I'm super excited to chat with you today.
Did I miss anything there? I mean, that's awful lot of cool stuff already, but, yeah.
Nailed it.
Perfect. Beautiful.
So I as you and I have gotten to be friends, I got to to know Luana a little bit online. I love that about the online experiences. You get to know people from all over the world.
Tell me a little bit about how you arrived to where you are now in your career path, in your education path, because I think it's a very interesting story. We'll we'll talk about that a little bit.
Sure.
So I think I have a pretty unusual story that many people might relate to.
I don't have a technical background.
As you mentioned, I started in sales, but what not many people know is that my background is actually in humanities.
So my bachelor's degree is in literature and, well, American studies and Swedish.
Did a lot of, literature and grammar analysis and stuff like that. And then for my graduate studies, I moved on to marketing and new media and digital research.
So I never thought that I would pursue a technical career or cybersecurity, But somehow, when I was in graduate school, so right after my sales gig, I started working with startups. And at that time, I was working with all these technology startups, and I started getting really interested in different technologies. And then slowly, my interest started taking me towards cybersecurity.
Now this is combined a little bit with this interest that I've always had in detective work and puzzles, and I kinda felt that cybersecurity is this puzzle that you always have to solve. Right? For sure. Yeah.
Cybersecurity is very challenging, and it's the type of industry where you always need to keep your mind sharp and you're always alert because something new happens every day. That is why there's such a big interest in certifications, and everybody's trying to get involved with different gaming platforms, like TryHackMe, for example, or Hack The Box, because it kind of helps you grow at the same time, but it also helps you, as I said, keep your mind sharp. It's an industry that is not boring. There's always a challenge for you to solve if you're up to that challenge.
Right. And and that's what I like about it as well. I think it's interesting that you said you you didn't have a technical background.
And this is one of the it almost feels kind of gatekeeping or or or knowledge hoarding from certain people in the cybersecurity industry where where, if you don't have the technical knowledge that they think you need or the specific type of technical knowledge, that you kind of will will get, pushed aside in some groups. I personally have experienced that on more than one occasion where, I I was told throughout my career, oh, you're not technical enough. What they really meant was I didn't understand whatever specific tool they were using at that time, which is so that's kind of a a thing that I think people who are new to the industry, kind of, need to contend with a little bit. Can you tell me about, that from your perspective?
Sure. So I've also experienced, different types of behaviors in the industry. There were people that wanted to give me a chance, and there were others who didn't really consider me because I didn't have a technical background. And they kept putting me down and bullying me for that.
As a side note, I think the industry is slightly changing, and they understand the need for diversity of thought Mhmm. And diversity of just background experience because criminals are also diverse. We don't have one type of criminal, so we need to understand them. When I started working in technology and cybersecurity, I had no idea what cybersecurity was. I didn't really know what malware was. Couldn't really tell you the difference between a Trojan or a virus, whatever. So it was a really steep learning curve, to be honest.
I started writing about the industry. So my background is actually in writing and mostly marketing.
This has helped me learn a lot about the industry because throughout the years, I've had to write so many articles, so many industry related news articles, white papers. I've had to write scripts for videos where you explained trends, how different organizations, for example, were affected by ransomware in a certain year. This type of work has really helped me understand the industry and get a better grasp of the business aspect of cybersecurity.
But then I always felt like I had this handicap because I didn't really understand the tech aspect behind everything that I was talking about. And this is why I'm now here, in this training program because, for example, before, I was really focused on threat intelligence. Best job that I've ever had. The fact that I was missing the technical component, I I felt that kind of prevented me from doing even better work that I was doing at the time.
So I don't think it's important to have a technical background. I think you can get started without that if you put in the work and try to learn things by yourself and you start reading the news and trying to understand what is happening in the industry. But then as you move forward, especially if you wanna jump into technical roles, I think it's important to try and learn some technical aspects. Try and understand what TCP/IP is, try to understand how packets work, that type of information.
I I agree with you a hundred percent. I love what you said about how you you, you came to this from a writing perspective. And a lot of people who are in jobs that they don't feel are are moving them forward quickly enough towards a, the cybersecurity pathway that they want, they're kind of like, well, my company isn't allowing me to do things, so what do I do? And I always tell them, go write.
Write things. Put articles. Put it on on on Medium. Put it on LinkedIn.
Do articles about, technology that you're interested in because it's a great way to learn more about that technology. But but you even took it a step farther and have been going into these, programs to learn things. Can you tell me about some of the educational opportunities that you've you've taken the chance to, to step into recently?
Sure.
So well, I try to learn Python by myself, and I'm still working on that. But right now, I'm working really hard in this program that is in partnership with the SANS Institute, and I feel it's such a roller coaster.
I mean, I really underestimated the amount of work and time that you have to put into this because people don't believe me when I say this, but it really does take me about twelve hours a day to prepare for the certificates. I just passed GSEC, and I'm now prepping for GCIH.
Oh, congratulations.
Thank you. So the reason it takes me twelve hours a day is because sometimes I feel the need to, get further information on a certain topic. So what I do is I just go to YouTube.
And what I would like to point out is that I was very lucky to be part of this program, but not everybody can afford to take different certificates that are available out there. So there are so many free resources that people can use. There's YouTube.
There are different course platforms where some courses are free, and they're actually very good. When they have discounts, you can access these courses, for free.
The fact that I'm so passionate and interested in this has taken me down different routes to just learn more, and I'm even reaching out to people to learn more. So sometimes what I do is if I'm at a conference, minus the past two years Yeah.
But usually when I'm at a conference not been too hard about the last two years.
So usually when I'm at a conference or even in the company where you work, if there are any interesting people that are in the type of work that you wanna do or just you feel they're doing something interesting, I go talk to them. And I try to find out, so what was your career map? What, like, what kind of skills did you need to be where you are now? What helped you? What kind of education do you have? Are you technical?
Do you maybe also come from a different background? And that has also helped me shape my career map a little bit.
So, one of the things that I I we kinda glossed over was, the the constant theme of you wanted to do something and you found a way to do it. Starting from you're living now in Canada, but you didn't start out in Canada.
You started out in Europe.
Right? So, how did you where did you start out from, and how did you get to Canada? And and what did it take for you to get just there?
That is true. I'm not from Canada even though I live here now. So I'm from Romania, former communist country in Eastern Europe, where education was very important. And the way society works there and how we are raised is it's important to go to school, to go to college, to get all this education, to make something of yourself.
But because I had the opportunity to live in the US as a child, that kind of, broadened my horizon. And it's always made me feel like I could just do a little bit more than I felt Romania could offer at the time.
So what I did was, because I also love to travel, I went in different countries where I felt technology was advancing. So for example, I went to graduate school in the Netherlands because the program at the University of Amsterdam that I did was very focused on research, was very good in that field. And I learned that that educational system was so different from what I was used to, because in Romania, it was mostly based on memorization, and you were not necessarily encouraged to have an opinion or to just break any barriers. You were supposed to be just a normal member of society without too many expectations and too many opinions.
So for me, the Netherlands really opened my mind in terms of what I could do and what I could achieve in life. And then when I went back to Romania because I had the feeling the company the sorry. I had the feeling the country was changing a little bit. I thought there could be some opportunities there.
However, I I soon learned that, Romania still was on the path, was still transitioning, I guess, from communism into something else. So even now, we still haven't gotten rid of the mentality and some things that are really, keeping us behind everybody else. So I started doing some research, and I really wish I could have gone back to the US.
But, unfortunately, the US doesn't have an immigration program. So then I thought Canada would be the next logical choice. Australia was just too far and too hot for me. So, it generally gets hot in parts of Australia.
So it really seemed like, at the the time, Canada was investing in technology.
It really cared about women in technology because this is another topic that, not everybody is comfortable talking about. There are not enough women in technology also because they're not really encouraged Depending on the countries where they are, they're not necessarily encouraged to get into this type of fields which are more family. So I did a little bit of digging, and for about three years, I guess, I saved up.
I sold my apartment. I sold my books. I sold everything that I had, and I moved to Canada without really knowing many people.
By yourself? Yeah.
Yeah. Yeah. It's a crazy thing, because I do that sometimes.
And there were many people that were afraid, and they projected their fears onto me, and they tried to, you know, discourage me, say that it's a new country, and you're not gonna be successful.
And I knew there were some unsuccessful immigration stories, but I kind of prepared for the worst and hoped for the best.
Well, you know, top ten under forty in the Canadian Security magazine would say, you have reached a measure of success there.
I I feel they were impressed with my story and my resilience and this crazy drive that I had to really make it in cybersecurity.
Well and then also, you do the work to get to where you want to be. Like, nobody said you had to take on helping to produce BSides in Montreal. Tell me about that adventure a little bit. Has that been, you know, especially with the lockdowns and other, various things, is BSides gonna be happening there?
BSides is happening in two weeks.
And it was it was such a challenge because I had to navigate this while being in the SANS program and also working full time at that time. And but it was just my happiness project. I needed this to feel that I'm somehow contributing to the industry.
Nice. So like you mentioned, you were working, but then you are now not working so you can really focus on this educational part of what you're doing plus BSides.
So but tell me a little bit about the, the work experience that you had. It sounded like some really interesting interactions with, some of cybercrime, basically. So I'd like to hear some of that.
Sure. So I am indeed now on a bit of a sabbatical because I felt I needed to learn more about the industry and be more tech savvy than I was, again, to help me grow in my job.
But before, I've done some of the most interesting research. It has really been the best work so far because it really allowed me to get into the criminal mind and somehow be a criminal. I didn't do anything illegal if there are any law enforcement people watching.
But the fact that I could monitor different forums on the dark web, different chat groups, have alternative identities, talk to criminal organizations, talk to different fraudsters, try and extract information, basically use social engineering on them, flatter them, try to get information, try to get methods for free. It really opened my mind into this whole criminal underground because I've always wondered, if they are just lone wolves or if they're organizations, how are they doing everything? And I know maybe for a security veteran, all these questions might be a bit naive. But I was genuinely interested in how everything works.
And at the end of the day, these are real businessmen.
There was this guy who was trying to offer me one on one coaching sessions for two hundred bucks with a commitment. So he made the commitment that after our coaching sessions, I would be making sixty seven hundred dollars a week.
And he was willing to do anything, whether we would have video chats or audio chats. This guy was well, guy organization, really into customer service. So they even had a contact form. It really operated like a business, a normal business.
So, like, coaching to become a cybercriminal?
A fraudster.
That's wild. So so in general, you said that was, some of the most fun work that you had. What did in what did you find out about these criminal organizations that you basically infiltrated?
What I thought was really interesting is that some of them are international organizations. They operate everywhere. They use standard postal services to deliver their products.
And, again, I am shocked how easy it is for them to make these transactions, to get customers, to just operate this business like a normal business.
However, I do wanna point out that research into cybercrime can also be a little boring at times because you can't really expect the criminal to respond during office hours. So there I was sometimes at three in the morning on Telegram trying to communicate with different people, trying to convince them to give me stuff for free. They were just not responding. It's frustrating, especially if you're on a deadline and you have to send out a report. Mhmm. Some of them would just respond after twenty four hours or even after a week because these people, they have, some of them have regular jobs too.
Oh, interesting. Sounds like a lot of late nights then.
Yeah. It depends. I mean, Infosec is not necessarily a nine to five job, especially if you have to deal directly with the criminals. You kinda have to adapt.
And what I wanna point out is that some of the criminals that I was trying to communicate with, they were on a different time zone.
Mhmm. Well and and, you know, the the whole point about cybersecurity not being a nine to five, I like that about this work. I like I think, some of the people that I talk to who say, hey. How do I get into cybersecurity?
They don't even know that cybersecurity is way more than just one thing. There are a lot of types of jobs you can have in the cybersecurity industry.
I don't know. Let's try and listen. So you can be a penetration tester and try to get into and access information that you shouldn't be able to access. You could be a third party assessor where you go look at their systems. You could be a threat hunter who looks at, you know, kind of what's out there. You can do what you were doing, which is the research part of things. So there's a lot of different types of work in cybersecurity that people could pursue.
And and maybe that's a place to start for a lot of people is what do you wanna do in cybersecurity?
What do you know about it?
And then go from there. Because it it requires different education. It requires different, knowledge, I think, for the different, paths in cybersecurity.
For sure. Someone, gave me some really good piece of advice a while back and said, you know what? When you're reading the news, what is it that interests you?
When you're reading the news about cybersecurity events, what type of titles attract you? What do you wanna read about?
Because maybe that is what you should be, looking into as a career. So for me, it was always related to, ransomware groups, FBI, cyber espionage, understanding hackers I mean, understanding malicious actors and how they operate.
That is what kind of drove me to threat intelligence.
But I do agree. It's really hard to think of a career in cybersecurity because it's like saying you want a career in medicine.
Right. There's a lot of directions you can take it. Right?
Exactly. There are so many, niche departments that you could get specialized in and such different education, and you can't really know everything. Another mistake that I've seen and I've made it as well, just because I went through this phase where I I wanted to learn everything, and I wanna know everything. And I was doing research, and at the end of the day, I had about, I don't know, twenty certificates that I wanted to get done in a year in different fields of cybersecurity.
So, I mean, it's really cool to do that because it really shows that you wanna get started and you wanna learn as much as possible. But I really do think it's complicated to know everything, and it's just best to find your passion and your niche and try to go down that path. And then maybe along the way, try to add different skills, different courses, because I'm pretty sure a couple of years down the line, I'm gonna be interested in adding things. It's not gonna be just threat intelligence. Maybe I get into forensics. Maybe I, you know, it really depends on the work experience as well and on the mentors that I have in my life and their experiences.
Sure. I love that advice about what interests you about what's in the news. Because for me, it's always, alright. How did they get in and what could that company have done to prevent that?
So so it feels like I'm in the right place because that's that's what I do is alright. How are they gonna get you? And let's make sure that the things are in place to keep that from ever happening. So yeah.
That the idea of what does what excites you about what you're hearing and then find out what is the job that would would allow you to do those things more. Well, this has been very informative. I know that a lot of the people who are looking at how do I get into cybersecurity are gonna maybe think of their path differently now.
I hope because, alright, maybe I should say a little more about some of the people who come to me for mentoring.
Most of about ninety percent of them talk to me once.
And I think it's because my first conversation with them is this, what are you doing to take ownership of your career path? What is the next step in that path, and how are you going to achieve it? And and, it's almost like well, some people think mentoring is, oh, you tell me what to do. There's no way I can do that.
I can't tell people you do this in your path and then you will be all of your hopes and dreams will come true. It's more the ownership, the responsibility, the the, the drive has to come from the person who wants to pursue that path. And frankly, any career path, if they're not taking the steps to do it. And and I think that's one of the things that I love about your story is that every step of the way you said, alright.
What are my personal gaps in knowledge and experience? What is my how am I gonna get to that next step?
And I really appreciate that about you.
Thank you.
Two things.
Two very important things I learned when I worked in Amsterdam for a a start up accelerator program. So first of all, you're the CEO of your own life.
Right.
And you're responsible for everything that happens in your life. You have to make decisions. It doesn't matter if they're bad or good. It's important what you learn from them. Because the other lesson was if you fail, just make sure you fail fast and you get up and you learn how to pivot.
So maybe in your cybersecurity career, you really wanna do forensics, but you find out it's not really for you. Maybe you're not good at it. You see it's really boring, and you don't find any passion in it. Mhmm. Just do something else because there are so many departments in cybersecurity. There are so many, there are so many jobs available in cybersecurity.
Exactly. So you mentioned that you're working on, you just passed the GSEC, and you're working on the GCIH?
Yes. So what's your timeline for that one?
The so we start the boot camp on Monday, and I believe the final exam is mid November.
And then are you gonna pursue additional certificates, or are you looking at maybe reentering the workforce in November?
I'm definitely looking at reentering the, workforce. I'd really like to apply all of the skills that I've learned in this program, and I'm definitely looking at other certificates. As I mentioned earlier, I do have a list of, like, twenty certificates that I wanna get done, including related to data security and data privacy and financial crime. I'm still going in a couple of directions, I have to admit, because my passion lies in different niches.
I'm trying to narrow it down, so we will see. But I'm definitely looking at finding the right type of place where I can grow and I can apply the skills that I've learned.
Excellent. Well, I want you to let me know what what direction that goes because I am just fascinated by your career, and I think you're going to be doing some great things.
Thank you so much.
I appreciate you coming on and talking to me. I hope this has been valuable to other people who are looking at growing their careers and who can see what it takes to actually take responsibility for that and drive your own career forward.
Thank you for having me. It was an amazing experience.
Alright. You take care and we'll talk to you again soon. I sure appreciate you tuning in and I hope you will join me again next time. Take care.
Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.