Sofia Rodriguez on Breaking Into Cyber: The Entry-Level Trap, Help Desk Reality, and Networking

Fia. Welcome to Inclusive Cyber. How's it going today? Thank you for having me, Danny. It's going good. Lots of new challenges and things to do, I bet. And looking forward to this conversation. I know we met, it seems like maybe just last week, but I know it was a couple of months ago at. At a local event here in Denver, but can you first start off by sharing a little bit about yourself and what we're going to be discussing today? Yeah. So we met at the Amigas Intech panel, and it was a panel for how to get into your career and how did you get there? And that was actually the first time that I told my story. So I'm originally from Costa Rica. I moved here a while ago and I moved to New York. So I actually came to New Jersey to do some work training, and I went to the city, fell in love, and I said, how can I live here? And I looked for schools and I was always interested in security. My background is in information systems. It's always been technology for me. It started when I was 2 years old and I was helping my dad get into DOS and put the floppy disks into the computer, and then helping my mom do the same and getting to Word Perfect. So I always knew I wanted to do something with computers and that's kind of like the trajectory that I. That I started in. Then I fell in love with security. And of course, at first I was looking at all the green numbers coming down in the matrix, and I want to be a hacker, but there are so many different realms in cyber, and now I find that understanding, like, kind of like all of the terms that fall under the cybersecurity umbrella is important because you might want to start as a hacker, but then you might want to go into GRC governance, risk and compliance, which is something I'm really passionate about. Now, I found a school in New York and I actually wanted to do forensics and I have two masters, one is from the nyit, so New York Institute of Technology in Information Network Systems, Computer Security. And then I have one that I just recently finished from du, University of Denver in Information System Security. It's funny because both the times I wanted to take the forensics course and they either didn't have the quorum that they needed to teach the class, or they didn't have a professor available. So I haven't taken a forensic course yet. Got it, got it. A lot of great things that you mentioned there, Sophia. So I always like to kind of go back to the inception, you know, the. The idea to Go into cyber. So you had mentioned that at a very young age that you're helping your parents with dos. Yes. And I guess one question right off the bat, what computer did they have when you were growing up? So I know is a Pentium mmx. That was the, the processor. I don't remember what brand. It was probably IBM because I think that's what we had in Costa Rica. Yeah. So it's funny, just a flood of memories came back with the MMX that was probably late 90s, that's when I was in college and it was like, oh my God, Pentium MMX and multimedia capability. And they remind me, I have a story about another technology roughly about that same time. What were your parents, Were your parents in it? Cybersecurity. What were they using the computer for? There are lawyers, both of them, they actually met in school. No, they just use WordPerfect. So we had to boot the DOS and then switch the word perfect. Okay. Yeah. My first computer was my older brother convincing my mom at the time this was mid-80s, it was Opinium, but it was an 8088 chip. So this is late 70s 80s. So the Pentium chip wasn't that marketing buzz that kind of started in the mid-90s and obviously late, late-90s. So you fell in love with it. Right. Did your parents kind of feed that curiosity? How did you continue to learn and say, you know, this, this is going to be for me? Yes. They always encouraged me to pursue what I wanted. They never said, no, we're lawyers, so you have to be a lawyer. Because I know some families are like that where you have to continue the legacy. They wanted me to create my own path and whatever they could do to support it, they've always done it. I found out that there was after high school I found out that there was a interim quarter, the university that I wanted to go to. So it was not like an official Q1, Q2, it was like Q1 2. I want to go to school and I really want to get into this as soon as I can. And so I started in that intermediate quarter. That's when I started my bachelor's. And then did you have friends? Did you have like a network to kind of geared you or push you towards this kind of profession or at least school initially, or was it just more family? So at school we did have some computing programs and I used to be really good with. There is this program and I'm dating myself, but I think I already did with the floppy logo. It was the little turtle that you had to program it, and it could only turn in angles. There was a little turtle, and you could make it go like this way and then this way. And that's how it started in just elementary school. And then in high school, we had some other kind of like, programming classes. And I was always really good at that, and I was always helping other people. So I'm like, yeah, okay, this is what I've done for my parents. I'm going to continue doing this. I like computers, so this is where I'm going to go. Now you're getting ready to go to college. How did you learn about the different, I guess, majors out there? Again, was it parents kind of supporting you and helping you along the way? Or maybe guidance counselors from high school? Just wanted to understand that leap. So I did my bachelor's in Costa Rica, and there were two major public colleges, but it was really hard to get into them. You really had to get specific kind of like SAT scores just to get into the university. And then you had to go through some humanities courses, which I did not want to waste my time in. So I looked into private colleges. And at the time, the university that I went to was one of the best. And so I just went with my mom and we looked at the programs. And yeah, again, my parents were my. Are still my biggest cheerleaders to date. That. And I guess it would be safe to assume that they're your mentors, especially early in your, you know, education career. Yes. Awesome. So then now you go through college, you graduate, you move to New Jersey. What was, I guess, your first role in IT and cyber, and how did you get that. That particular job? So before I actually moved, I do have to call out this other mentor. So she was the director of the career at the university where I graduated from my bachelor's for the longest time. And now she is the director at a different university. And I want to call her out, Patricia, because she gave me the opportunity, actually, a couple of years ago to do a lecture for her students at the WAM in cybersecurity. And it was in Spanish, so it was interesting for me, who's been doing cyber in English for the longest time, to actually translate all of the terms and everything, but it was a great experience. I think she was the first woman in STEM that I met, and I was her TA in program. And one. Yeah, it was. She. She was one of my mentors, definitely. No, I appreciate that story. And that's one of the things that I always ask my guests about mentors. Because mentors support us in so many ways, not only in our personal lives and it could be parents. Right. But then also in our, in our professional careers as well. So thank you for, for bringing up Patricia Mentor. How did you ultimately get to that first role? So I actually didn't get my first role in cyber until 2019, I believe, but I did do so I came here in a student visa and you had the opportunity to do an internship, especially if you were technical. So I think you had like a quarter that you could do like the summer. And I interned at mtv and I actually have a couple of people there that, yes, they were very supportive of my journey at mtv. It was Viacom, mtv. It was pretty interesting. It was just doing desktop support. But I did get to meet with the head of security at that time, George, and he's always stayed in touch and it's been great. Like he was somebody else to look up to in the security world because he was actually in security, even though I didn't get to do that. And I got my first role, like actual, hey, we're going to sponsor you for work visa. It was also just help desk. So I've been in help desk for the longest time. But you can make the transition. So yeah, I am one of those success stories where, yes, it took me a little longer to get there, but I eventually got there. And the role. The first time I actually got to be in Cyber was for a financial services company here in Colorado. And it was because I was working together with the security engineer at the time to complete a SOC 2 at a station. And that's how I got into. Oh, I really like this auditing and GRC stuff. I know it's kind of boring for other people, but I like my spreadsheets and I like having to gather evidence and people say, hey, do you have this ready? We need this. Are you sure you have everything? All of our T's crossed and our eyes dotted. So I think, I guess that comes from being a daughter of lawyers, right? You want to make sure that everything is in the proper place and organized. And so that's how I got my first break into actual Cyber. And then the security engineer left and I got the opportunity to be a co lead of security and compliance at that company. So I want to kind of pull back the layers on the help desk and going a little off script here. But I'm getting a lot of kind of DMs on my social medias and I'm too old for social media. I don't Know why I'm on it. But they're saying the best route to get into Cyber's Help desk. So that's the route that you took and you said it, you stayed there a little bit longer than you wanted to. So I guess the first question, how long were you in help desk and would you recommend that for people wanting to get into Cyber now in this kind of current environment? So I was in Help Desk. I think I graduated in 2012 from college. So for about eight years I was doing like help desk and field engineer and systems engineer. So kind of like the technical, all the technical realm. The only reason why I stayed there that long it was because I was still waiting for my turn to be sponsored for a green card. And so, you know, I think that's where I had to wait a little bit longer. Whereas if you're already a citizen, you have or a green card holder, there's a little bit more of opportunity, the world is a little bit more open versus if you have to get a sponsorship and then are you going to sponsor me for a green card? And then are there any visas available and all of that immigration jargon. So that's why I stayed, I think longer than I wanted to. But I do think if you want to go into technical aspects of security like networking, pen testing, any red teaming, it's very important that you have the basics. So Help Desk is going to help you get the basics of, oh, how do I set up the network, how do I set up a firewall, how do I set up a whole infrastructure and how do I do it securely? And so you're going to have that technical expertise. Whereas if you try to come from a different industry, it might be easier to go into one of the more admin sides or even grc, because you don't have to touch configurations as much as if you want to be like a network security engineer or an application security engineer. If you want to be really, really technical and do things like firewall configuration, network configuration, application security, then I do think Help Desk is beneficial. No, I appreciate your perspective on that because I think a lot of people are in that kind of unknown, you know, do I go to Help Desk to get into Cyber or should I just apply for those positions? My take on grc, maybe about three or four years ago, I thought it was the most boring job ever. I'm like, nope, I'm never going to touch that. I've come, you know, full 180 and I would argue it is the foundation of any cybersecurity Program from a global corporation standpoint, you get into that. Can you describe your initial kind of role? What were you doing? You said, you mentioned SOC2 audits. How long were you doing that? And would you recommend people getting into GRC as a potential kind of entry level into cyber? So I'm still doing grc. I'm currently manager of security operations for another fintech company. So it just encompasses everything from network security to the GRC side. And I do think it's important, even as a network engineer that you understand the risks of that you're bringing to the company. Because if you leave ports open, then you're going to let attackers get into, into the company. But I do think that getting something in grc, I'm actually pursuing the CJRC certification because you should not be tied if you want to be in grc, to a specific framework. Like you don't want to be just an all know it all in SOC 2. Because there are organizations that might need to be HIPAA compliant. There are organizations that might need to be ISO 2700. Now there's a CMMC requirement if you want to go into government, then there's like FedRamp and CMMC, which is also being required by DoD. So I do think it is. I agree with you. It is the backbone of any company because it tells you, okay, these are your risks, this is what you need to do to mitigate them. You have the frameworks to kind of like guide you on. Okay, this is what we should be aiming for. You might not be able to get to all of them, at least not right away, but. And you have NIST too. Sorry, how can I forget, like the biggest one. So I do think it's a, it's a good avenue to pursue if you want to, if you want to do. Might be hard to go for an entry level in GRC if you don't have any prior knowledge, which is kind of silly because it's entry level, but then you need to have two to three years of experience in this. So how is that entry level? It doesn't, doesn't match. But you do. If you can read up on NIST or if you read up on Soc 2 and you look at like HIPAA and CMMC, if you kind of like have a general idea of how a framework is set up and what you need to do for the company, how to set up controls, then you might be able to. But I know I applied to several entry level jobs and I mean it could have been AI sorting me out, but I Did wait quite a few months without a job trying to get into other GRC positions. So another pivot here just based on what we're talking about. Entry level positions, right? There's on one side saying cybersecurity as a whole, it's not entry level. And potential help desk would be the route to get in. And then a different camp says, yeah, there is entry level, but like you just mentioned, you have all these ridiculous requirements. The cissp, which is a executive or should be an executive, at least that's the way they market it. But it's being pushed for entry level positions. So there seems to be a schism on potential people coming into our industry, whether they're coming straight out of college or transitioning professionals. And then kind of the reality when they start applying and it's like, I'm not hearing anything. I guess there is an entry. So what are your thoughts on that? So I think first of all, for cissp, you actually need to have the experience to back the exam to actually get certified. So it's kind of ridiculous that you ask an entry level person to have cissp. I think even for TGRC also, which is certification I just got, you do need to have the experience, the years of experience to prove that you did it and somebody else has to test that before you can get certified. I think some of these jobs may be bogus. They might just be there to inflate the actual gap that's in there. But. And to get like some maybe resources from investors, but they're not actual open jobs. They just have them just to say, yeah, we're trying to hire this many people, but there's nobody that can fulfill this position. It's just not happening. We just need AI or it's even AI filtering really good candidates because it hasn't been configured correctly. And it's just so many biases that it's like, oh, you're a woman, you're a Latina, you're out. So that can also happen. But I do think that cyber could be entry level. It just, it depends on what you're trying to do. Of course you're not going to be a CISO entry level, because that, yeah, you need some experience in that. But you can get into networking and be it entry level, you can learn how to configure a firewall. You don't have to build the entire architecture of an organization, but you can start small. You can start with just like that building block, literally building a firewall. No, I appreciate your perspective on that because There's a lot of talk in, you know, how kids nowadays and social media that this is the route, this is the roadmap to get into, you know, X, Y and Z role within cybersecurity. So you, you also mentioned that you're navigating that space, you know, whether AI was filtering, et cetera. And I guess maybe this would be an appropriate time to go into that generative artificial intelligence discussion. I'm, I'm personally over it. It's too much marketing, too much fluff out there and it's try, it's hard to separate the value prop versus kind of the noise out there. So two part question, macro. First, is Gen AI good or bad for society? And I think you've already kind of mentioned some hints to that. And then micro for our profession, is it good or bad for cybersecurity? It's both. So you're right, it's a lot of over promising and under delivering. It's a lot of taking up resources like taking up water for the data centers because it's heating up, bringing back nuclear sites just to power up data centers. And for what? Like what do they have to show for it right now? It's like a glorified search engine. What else do you want to do with it? Like they're trying to push some narrative. Like I know I can't remember who it was, but I did see somewhere that there's a major media mogul who is pushing for AI because they want to push their narrative, they want to push their content and that's what they want us to focus on while they do some other things which could be nefarious. There's also a lot of bias and AI and I don't think that that's being regulated. The President just signed the executive order to sue states that are actually trying to regulate AI. And even if it's not just like, let's say let's put nefarious agendas behind, but you do need to regulate AI because what are you going to, what is AI going to do with people's data? What's going to happen? I know data privacy, it's kind of like a utopia because really pretty much the government knows everything about everyone. Especially now with Peter Thiel's Palantir getting access to all our Social Security information. But still I do think that everyone deserves to have a little bit of a degree of privacy. And so what's AI going to do with that data? And then are there any checks in place for AI not to turn evil, not to Tell people, hey, this is how you build a gun. This is how you build a bomb. I know some companies are trying to have some regulations where you can't ask AI, for example, like where to buy liquor or things like that. But there needs to be some regulation. And I think we're just removing all of the guardrails if there are any in place and just going, woo, let's see what happens. And I think it's scary for cybersecurity. It's good and it's bad. It's good because it can help you detect patterns and lock down on like phishing attempts, for example. It's good in the healthcare industry too, where you can help diagnose other things, but there's so many other negative components about it that if it's not being checked, I, I don't know what's going to happen. Everything that you mentioned resonates with me, especially the, the, the lack of one accountability and regulation. Obviously we know Silicon Valley's ethos is go fast and break things, right? How far are they willing to, quote, unquote, break things? And when I say that, it's breaking people, right? Harming people. And is it one person, a hundred people? When does that regulation come in? There is this book about OpenAI's kind of history and how they were using people in Africa, what African country, to review all the negative content, to flag, to say, okay, yeah, this is bad, this is bad. Similar to the captcha, you know, where we're trying to log in, spot the bikes, I'm like, or the hydrants, right? We're actually teaching their AI models and it's primarily Google that does that. But now with all these AI models, they're doing the same thing with people in Africa, but they're being exposed to the vitriol of human nature. And they're like, oh my God, that's horrible. Yes, that's bad. But they have to consume that. They have to check those boxes there. I guess for me, I'm a little bit pessimistic. And you also mentioned that the current administration is, you know, trying to prevent any regulation on that and that is going to harm, you know, people at the end of the day, whether it's psychological or, you know, physical there. I know there's a lot of different organizations trying to make sure that AI is ethical. There's this ethical tech project I want to say on LinkedIn that I follow and I know some, some of the leaders there and they're trying get with policymakers to say, hey, we need to put guardrails, just like the automobile, you know, to, for, for safety, for the seat belts. Yeah, Planes. Planes as well. Yeah, yeah. It's just like another machine that we're supposed to be using as a tool. We shouldn't allow it to control us. So we need to put guardrails in place to make sure that we're controlling it and it takes us where we want to go. But it shouldn't be just like, oh, the Wild West. Yeah, no, I definitely agreed. And I don't know if, as you're mentioning from kind of a cyber perspective, I don't know if you've read the anthropic intel report that I think came out last last month that essentially nation states are leveraging agentic, which is AI, nation AI to target 30 companies. Yeah, the adversaries are going to use it and you know, the defenders in our space, we, we have to start leveraging. I think there's just again a lot of over promising and under delivering when it comes to AI. What would you say if a student or transitioning professional or maybe somebody already within our industry, they're like, I'm concerned that AI is going to take my job. How do you respond to them? So I think right now we're still in the training phases, so you might still have a job training AI to do your job. I do think we're still going to need people for a lot of the jobs. But for example, like factory workers, you might be replaced by a robot. And I know my husband actually he's a software engineer and he's like, well, I think we're going to be replaced soon by AI. But I think that there's still the human factor that is needed in there. For example, if you're trying to get requirements, you have to be very precise in what you tell AI, at least right now. And it's kind of difficult already for product and software engineering to communicate and get the requirements correctly and what needs to happen. So I don't think that the human factor is going away that quickly because you need to be very specific in your prompts with AI. And if you're failing to communicate it to another person, you're going to be failing to communicate it to AI and to get the actual product that you want. So I think we still have time and I don't think all of the jobs are going to be replaced with AI, but eventually some of them are going to be moving away. But how do we explain that to CEOs that they always look at the short term Value right from quarter to quarter, how much money did we make? So there they're probably going to get rid of people and then, oh, wow, yes, we might have, you know, met Wall street expectations, but now we don't have a product and then obviously. So I think that is the concerning part when it comes to Wall street and how it's always more, more, more in a short period of time as opposed to looking strategically to say, hey, yes, we're going to have some horrible quarters, but we're building something that is ethical, that is going to be safe and is not going to be used for nefarious purposes and taking those guardrails into account there. So we'll see, we'll see how it goes. In the years that you've been in cybersecurity and GRC and then now leading kind of a security operations center, what has surprised you most about the industry? I thought that best practices were widely used and they were not, especially in the fintech industry, because the company that I worked for before was actually leading in security efforts and there are other big companies around it and they did not have even half of the things that should be considered like best practices, like multi factor authentication. That was not a thing. And because I remember getting all of those due diligence questionnaires, oh, do you use mfa? Do you require mfa? Do you actually employ mfa? I'm like, this should have been a given. Like, everybody should be using MFA at this point. And so, yeah, it surprises me how what I thought as a professional best practices are, they're actually not wildly implemented in other industries. So if you're a security company, you're obviously going to have it already implemented. But if you're in a different industry and you're doing security for that other industry, that's where you're going to see the most shock. Because you're going to be like, wait, you haven't implemented that yet? What, you're sharing passwords? You don't have a password manager? Well, you know, there's a case for and against password managers, but things like that, like you're, you're reusing passwords, you don't have multi factor authentication, you're not encrypting your hard drives. What are you doing? What do you think is driving that? Why aren't they doing it? Because it's costly. They see security as a hindrance to the productivity. But especially in the financial industry, like, it's money we're talking about. Money is being moved. Some PII is being moved, some PHI is being moved in there. So it's only when they're hit with either a breach that some of the competitors have had or like the clients have had, or when they have organizations like New York, fdfs, nydfsdf, Financial Services say, hey, you need to train your people in cybersecurity. You need to implement these things that they're actually doing. So they're waiting for another regulatory requirement to actually bring security in. They might not be listening to their security personnel and they might be seeing it like that costs too much money. Why do we need email security? Why do we need, I don't know. Firewalls? No, I think firewalls everybody has. But something like email security or something like insider risk management, which I think in the fintech world is important because you want to make sure that there's no opportunity for fraud. But I think, yeah, they're seeing it as cost more than an opportunity. But luckily the company that I worked for before and this one, we're actually seeing that it's an advantage, it's a competitive advantage to have security elements in place that maybe are not the norm in the industry. What advice would you give people coming into our industry, into any role within our space? Stay up to date with either podcasts or news or, or I think there's like a TLDR on Instagram that gives you some snippets of security information. It's important because security is ever evolving and if you're not in the news, then you're going to be behind. Stay up to date in LinkedIn. Connect with PEOPLE. Network networking is your greatest asset because you might think, hey, I don't know anybody, but if you go to an event and you start introducing yourself, then somebody might think of you and somebody might say, hey, you know who'll be perfect for this role? That person. And actually that's how I got my, my position right now. It was through. Through networking. And that's how we got. Got you on the show as well. Through, through the networking. Any organizations that you're a part of that kind of help build that networking that you're talking about that you'd like to share for, for the audience. Yeah. So I'm the VP of operations for Latinas in Cyber. And it was, it's. I have a funny story, actually. I was going through my LinkedIn and I was going to clean it up and I'm like, who's this lady? Angela Hill. And then I realized that she was one of the founders and recently stepped down, but she was the president for Latinas in Cyber. And it was great actually connecting with her. She sent in an open call for volunteers and I started just in a committee, just getting more volunteers. And now I'm the VP of operations. And the organization is great, is trying to get more Latinas, Latinos into the cyberspace. There are partnerships with Fortinet, with Google, and there's different programs. So definitely look at Latinas in Cyber. Even if you're not Latino, you are welcome to come into our space and get access to the resources that we have at the. It's very important to find people that look like you, that talk like you, that might understand what you're going through. And there's a lot of people in the community that are transitioning from different industries. Not everybody came from the help desk route, which is kind of like the stereotypical one that I came through. A lot of them are veterans. So, yeah, it's been great connecting with all of this, all those people. I'll make sure to put the links to Latinas and Cyber on the show notes as well. And I guess before we get to our last question, I'm going to, you know, give you the floor. Anything else that you wanted to cover or talk about? So I think when we met before, we talked about the imposter syndrome or the imposter, was it that what you called it, somebody else had called it phenomena, the phenomenon, yes. So it's very important for everyone to think about themselves. As you're always learning, you're not always going to be the smartest person in the room. That's a quote that if you're the smartest person in the room, then you need to find a different room. If another quote is, if you can't find a seat at the table, then build your own table. But anything you can do to support yourself. I'm very lucky that I have my parents to be my biggest cheerleaders, that I've had mentors and former workers, coworkers who have vouched for me. But it's important that you vouch for yourself first. So believe in yourself. Believe that if you walk into a room, you can go and shake hands and introduce yourself and don't be scared. Like, don't be a mouse. And that's something that I have had to learn because I was very much an introvert. But definitely advocate for yourself, be vocal on what you want and bring other people up with you once you are in a position to do so. So the last question that I always ask my guests, and I got this from a consulting, I think it was. It's called Consulting Success. Podcast is what book? And now any podcasts that you've recently read or listened to that you'd like to share with the audience. So right now I'm reading this. It's cyber strategy, Risk Driven Security and resiliency. I read this for my Cybersecurity Management graduate certificate that I also did from du and I'm looking to apply this to the company that I'm working at now. I'm looking to build a cyber strategy because cyber needs to be connected with business goals. If it's separate, then it is going to be a cost and a burden. But if it's tied to the business goals, then it's something that's going to push the company forward to be in a better state for business and for selling too. That and again, we'll make sure to put that book in the show notes Sophia, this has been an amazing episode. I appreciate you taking the time to chat with me and we'd love to get you back on. The other thing that I'm trying to do is kind of break up the interview and kind of career episodes with Fireside Chat so we can dive deep into AI Quantum. That's another kind of episode that I'm trying to build out as well. But yeah, appreciate your time. I love your career journey and wish you continued success. Yeah, thank you. Thanks for having me.