The @InfoSecSherpa was a Librarian?! A Chat with Krebs Stamos’s Tracy Z. Maleeff

Some cybersecurity professionals jump directly into the industry after completing school. Others join in through work in adjacent fields like, software engineering and compliance. And others, like Tracy Z. Maleeff, aka the InfoSecSherpa, find their way into the cybersecurity industry after spending years working in jobs that aren’t typically associated with cybersecurity – such as library science.

A security researcher at the Krebs Stamos Group, Maleeff has not only successfully transitioned into a cybersecurity career, but has emerged as one of the foremost names for cybersecurity career advice and insight on hot button issues.

Find out more below on Maleeff’s fascinating journey from law firm librarian to cybersecurity professional and thought leader.

Leaving a Field She Loved and Moving to Tech

Tracy Maleeff was still very much in love with library science when she began to consider a change. Still, after years of working as a law firm librarian, Maleeff sensed that it was time for her to move on to try new things.

“My journey into cybersecurity actually begins on a bit of a sad note,” said Maleeff. “I was commuting back and forth between Center City, Philadelphia and the suburbs where I lived, and I just felt that I was very confused with my career. I had worked so hard to become a librarian. I have a Master of Library and Information Science degree from the University of Pittsburgh, and I’d been in libraries for about 15 years but I just didn’t really see a future in it for me. The next levels up were directors where that’s really more people management and not so much the library management, and also at this time in 2014, there were a lot of law firm mergers and layoffs.

“So I was really concerned about having a future career. I didn’t want to be one of many law firm librarians fighting for what jobs were left in Philadelphia. It just made me very sad. To pass the time, I read to try and take my mind off of that and I found this article in Entrepreneur Magazine that was entitled ‘How to Future-Proof Your Career in 2015.’ I read it, and the thing that really stuck out to me was that it said to figure out what you should be doing for a career, find the different points in your past jobs that really excited you, invigorated you, and challenged you in a way that made you excited. It advised to find a common thread. I thought about it and I realized that tech was that common thread for me.”

Settling On Cyber

Although Maleeff now had clarity in terms of a new general field that she wanted to join, she wasn’t sure which area of technology she wanted to dive into. After attending several tech meetups and events, advice from a friend ultimately helped her focus on cyber.

“I was really excited about the prospect of joining the technology world, but I quickly realized that while I liked technology, the atmosphere around tech events just felt unwelcoming,” Maleeff. “So I was getting frustrated, and a friend noticed my frustration. He had been in tech for a long time, in the backend in security, but I didn’t know this because those terms were unfamiliar to me.”

“After watching me spin my wheels, he said, ‘Listen, let me tell you about backend and cybersecurity. I think you’d like it, I think you’d be good at it,’ and then as fate would have it, he happened to go to the BlackHat conference that year and saw a table for the Women’s Society of Cyberjutsu. He started talking to them, telling them about me, and next thing I know, I’m back in my office in Philadelphia, getting texts on my phone of photos of their brochure with classes that they offered for women to get up to speed on cybersecurity, along with the notes of encouragement. The next month, I took the two part cybersecurity fundamentals workshop from The Women’s Society of Cyberjutsu and they had me at port scanning. I thought, ‘Where has this been all my life?’”

While getting acclimated to the technical aspects of cybersecurity, Maleeff began taking on an active role in promoting cybersecurity best practices, leading Cybersecurity Awareness Month programming at her law firm.

“Once I started taking classes, cybersecurity just really started resonating with me,” said Maleeff, “it became my quirky hobby.” “So much so that in September of 2015, I emailed the CIO of the law firm where I was still working as a librarian and asked, ‘what is the firm doing for Cybersecurity Awareness Month in October and can I be involved?’ And when his response was ‘what’s Cybersecurity Awareness Month,’ and I was prepared. I had a five point plan that I pulled together, I had slides, I had a whole explanation. I presented it to him and he thought it was great and he put me in charge of a five week long security awareness program. It was a great experience, and made me want to go even further in cybersecurity.”

Transitioning into Cyber

Despite now having a clear idea about where she wanted to focus, Maleeff needed to find a way to actually get from the legal librarian field into cybersecurity.

“Once I had tasted cybersecurity, I knew that is where I wanted to go,” said Maleeff. However,  I knew that I couldn’t just make a lateral move from the library world into InfoSec and that I needed some sort of buffer time to study and get up to speed and network with people and understand the industry. Not to mention, I still needed to have an income. I leveraged my librarian skills as a freelancer and I did research projects and social media management for any tech or cybersecurity companies that would hire me. Fast forward to February 2016, I left the law firm and started to get freelance work.”

“Just a few weeks later after I resigned from the law firm, I was on a plane to San Francisco to attend RSA because a company had hired me to do some work for them on-site in the field of research and social media management, and that kicked off basically a year and a half of me going to many conferences, meeting many people, taking classes, and just really learning and absorbing the industry and just trying to figure out my role in it. I used my library science skills as a way to introduce myself to the Information Security world and what I could offer.”

From there, Maleeff used her skills to help create content and do research that helped her clients better articulate their value proposition, while continuing to build her cybersecurity skills and networking. Through these efforts she was able to secure her first position.

“Through networking, I was able to get on the radar of a pharmaceutical company who was looking to hire an entry level SOC analyst and what they told me during the interview was we can teach you the tech. It’s all these other skills that you bring that we can’t teach someone. It is really important that people know that transferable skills are hugely important in cyber as well.”

Life as a Social Media Influencer

With the average number of followers on Twitter standing around 700, eclipsing the 1,000 is cause for celebration for many Twitter users. But with nearly 50,000 followers, Maleeff – aka, the InfoSecSherpa – has long been enjoying the heady heights of cybersecurity social media providing guidance to those both in the field and looking to join it.

“My social media history actually dates back to my library days as well,” said Maleeff. “A lot of people were asking me for tips and insights around library science so I came up with the name of Library Sherpa because I was trying to think of something about helping people. That’s how I see my role, as a guide.

“I then created another account to lurk on InfoSec Twitter, InfoSecSherpa. When questions arose that were in my wheelhouse to help with, so I would jump in to help and it just kind of grew from there. It was wild because I decided to put my picture on the profile and then I would go to events and people would recognize me and say, ‘Wait, aren’t you InfoSecSherpa,’  and then that would start my networking. I would sit down, chat with them, and get to know people. I knew that I wanted to be able to create an entity in this community and this industry. I knew that there wasn’t an existing path for myself, so I knew I had to cut my own path through and just make one.”

Outlook on the Cybersecurity Space

Maleeff certainly believes the cybersecurity space has a bright future. However, there are a few things that she knows the industry has to address and she is looking to highlight.

“There are a bunch of misconceptions about cybersecurity, but one of the biggest ones is that humans aren’t at the center of all security. Some people in the industry prefer to think of security more as ones and zeros and networks and things like that. Yes, there are very technical components to cybersecurity. I don’t dispute that, but at the core of security, whether it’s physical or cybersecurity, it’s all humans. The threat actors are humans, the victims of phishing are humans, we’re humans. When I was at the pharmaceutical company, I responded to a user’s email and she was surprised that I was human. She didn’t think that there were any people in the security department. She thought it was all computers and automated.”

“I think the misconception among the industry is that we’re really not human-centric, but we are. And then, for people who want to get in the industry, I think that too many people assume that it’s all technical, but that’s not true,” said Maleeff. “There are so many non-technical roles or lower technical roles that don’t require advanced technical certifications and that can be your GRC (Governance, Risk, and Compliance) roles or security awareness/human risk training. There really is something for just about everyone in the Information Security industry.”

To help dispel this myth, Maleeff noted that it is massively important for the industry to collaborate more to attract talent with the right skills and passion, not just search for a unicorn.

“There is so much potential to grow professionally in the cybersecurity industry,” said Maleeff. “But to realize it, we need to do as an industry to collaborate with personnel, human resources, directors of talent to correct job descriptions. Some are so way off base, requiring a CISSP for an entry level position, and unrealistic things like that. Granted, the (ISC)² has put out statements more recently acknowledging that this certification is not for someone brand new to the industry and that’s definitely a good start. To truly close the talent gap, companies need to be willing to take on folks like myself, career changers who have such a great value-add and bring them on because we can help with different points of view, understanding different threat models. There are so many different skill sets that we need in the Information Security industry. Diversity of thought solves problems and threat models vary greatly, so why not be more secure with more representation of all threat models? Companies need to be more proactive with DEI initiatives as well as training in order to help the world improve its security posture.”