Nakia Matthews is SolCyber’s Manager of Global Security Operations, who transitioned from a career in media, marketing, and communications to security engineering. We spoke to Nakia to get an understanding of how someone can make a mid-career shift into cybersecurity, the lessons she’s learned, and the advice she’d give to anyone looking to enter the cybersecurity industry.
I initially started out working at a small non-profit organization. I was the third employee and I moved up the ranks as the company grew. I started as an administrative assistant out of college and then I moved into a communications and a technical role as the company grew and their needs expanded. Because I started so early and the company was so small, I wore many hats. I did admin work, social media and helped deploy computers and tech. I was the youngest person there so it was assumed I knew everything about technology!
As the company grew, I formalized my hybrid Communications/Technology role. By the time I left, the company grew from 3 to 41 and we had our own small IT infrastructure in the office (things like Office365. file/print server, a firewall).
We had an MSP (Managed Service Provider) but I was the first line of defense and the administrator for all things tech-related. The MSP would be our laptop provider and they would set up our accounts. I was managing a lot of that work with the MSP while being responsible for our 501(3)c compliance, ensuring accessibility was in place, managing the website, and even newsletters.
Generally when you have an MSP or MSSP, there needs to be a resource on staff that translates what the MSSP/MSP needs to do. It’s an on-premise point of contact. Depending on that person’s technical capability, it could mean just giving access to systems or tools or it could mean having more of a co-management structure.
The owner of the MSP was my point of contact and would sometimes do work onsite. At one point he expressed interest in having me work for them but I had a lot of loyalty with the non-profit — eventually I was there for 11 years. I also wasn’t very confident in my technical skills so I turned down the job offer.
Later, I was recruited by a friend who was moving to a security management role and had a lot of experience working with security practitioners. His philosophy was that you can teach technical skills but reliability and work ethic was more difficult to find. He offered to train me for the job and I couldn’t say no at that point.
A lot of googling and a lot of YouTube. I had some basic skill sets having worked with computers and in IT infrastructure where you tend to work in a heavy Windows environment. But security practitioners often don’t work with traditional GUIs, they work on the command line, which I needed to study up on. I had to do a lot of self-directed study to understand how security practitioners worked and what the tools of the trade were.
Technology was always a part of my life. When I was younger, I had a lot of old laptops and computers. I’d study the machines, learn how to navigate them. They were the equivalent of my lab experiments. I liked working with different types of machines and operating systems. So it wasn’t completely new and when I was training, I was digging into the wealth of security knowledge that’s available on the internet and I also took a security certification course to legitimize and validate my knowledge.
What I found (and continue to find) challenging was just how much there is to know in Info Sec. The knowledge base is very wide and constantly changing. For example, in my previous role, I took a course on how to make PDFs accessible for screen readers. That’s something that’s still helpful and still applicable 10 years later, even though I haven’t done it in years.
But if I stopped doing security and came back 10 years later, I’d be lost! I’m constantly learning because things are always changing. What’s considered good cybersecurity practice today could crumble based on a vulnerability in the future. I’ve worked in cybersecurity for 5 years and in that time, something like password best practices have changed so much. Before, the guidance was that passwords needed to be changed on a regular basis, but now we generally say you shouldn’t force people to change them because people end up using worse passwords. Instead you opt for different authentication types that don’t need changing.
There’s a big learning curve in cybersecurity even for someone who’s very curious about technology because part of your career is dependent on staying up to date with the latest information.
I was a junior security engineer and then I moved up to becoming a senior security engineer. I took to the roles well because they were jack of all trade positions. It’s an environment I was used to because you’re covering a lot of different areas. Security engineers tend to have specific functions but because the company I worked for had few security resources, I had to work with SOC, compliance, and many other departments.
The experience in my first two jobs really helped me make decisions and understand the possibilities of different outcomes. It was really helpful when I was studying to get the CISSP certification. It’s a notoriously hard exam but a lot of the concepts and terminology were already familiar because I had so much varied experience in my first two security roles. I was able to understand the concepts because I experienced them and knew how to apply them.
Now I’m in a more management-focused position, where I can still use my technical experience but I’m also leading projects, teams, and I need to make decisions for my teams. The goals and needs have also changed with this position. You could have the most technical knowledge in the world, but if you don’t have management experience, it’s not going to serve the organization as well. At the end of the day, It’s not about having the coolest tech but it’s about balancing organizational and customer goals with cybersecurity.
My title is Director, Global Security Operations but effectively, I’m managing the security operations center (SOC). I also work cross-functionally with the infrastructure team to apply the same security practices and principals we serve our customers to ourselves.
I also get to do some engineering, which is fun, but the majority of the role is ensuring the SOC analysts have the tools they need to do their job. This includes writing documentation, playbooks, having a concept of operations and structuring how the Solcyber SOC will serve their customers.
I’m a big Redditor and I’m part of various security Reddits. People are always asking this question and everyone who is a security practitioner will have a different answer. Some people join security after 10 years of being in IT. There are others that have been hacking since they were kids, skipped college and were able to join the industry.
You need to have the passion and experience for cybersecurity and infosecurity. There are a lot of BA/MA programs for cybersecurity but you can’t just stop there. Companies are looking for people who are curious about the field and want to make this a career. This may mean finding a way to make your own experience beyond just school. That will go a long way in standing out.
One question we always ask a SOC analyst during interviews is “what is one of your favorite security tools?”. Some people try to be really impressive, but I say, “Don’t be afraid to say Google”. I google multiple times a day. I guarantee that if I have a question about cybersecurity, someone has asked it before. Or there’s a tutorial on whichever tool you need to learn.
The information is there. Use Google and just start learning if you want to enter this industry. There are so many resources, usually free resources, for you to start building a knowledge base on it. You just need the initiative.
This is my first management role. I’m very nervous as I’ve never been here before but what I’m trying to do is be very relatable to analysts and be open. I understand how it feels to work under someone, feel intimidated, and feel like you sound stupid if you ask a question. Or you might get in trouble or reprimanded. But how is anyone supposed to learn if they can’t ask questions?
Most people in security management roles have tech experience. Remember that you were in the same position as a security analyst or engineer once. Make sure that you’re cultivating an environment where people can ask questions or where your department can experiment without fear of getting in trouble or looking stupid. Be open and be helpful.