My name is Carlota Bindner, and I am currently participating in Rapid7’s Security Consultant Development Program. Prior to this program, I was a stay-at-home mom and community volunteer whose only experience with security was through self-study programs. As I delved deeper into studying cybersecurity, I gained admission to the SANS CyberTalent Immersion Academy, where I had the opportunity to obtain three GIAC certifications. Rapid7’s program is my first experience back in the workforce.
My husband was the one who first heard about the position and encouraged me to apply. I was very fortunate to receive positive feedback during my interviews, and was offered the position. I could not be happier to have this opportunity to start my career in cybersecurity.
What I like about Rapid7’s program is that I’m not just gaining experience in one discipline. Throughout the 18-month program, I will rotate through penetration testing, incident response, and advisory services. This strategy is unique, as many companies tend to silo entry-level cybersecurity programs into one area. As I move into each new department, I bring with me the knowledge and experience I gained from the previous department. This program has helped to grow my technical and professional acumen, as well as give back to the different departments as we cross-collaborate on customer projects.
Working in penetration testing and incident response
The first six months of the program focused on penetration testing. It was a big leap from an academic approach to real-world practical application as I transitioned from lab environments to directly working with clients and honing my skills in live environments. I had the opportunity to perform both external and internal network penetration testing, as well as web and mobile application assessments. My manager was very supportive in providing me with varied opportunities to continually grow in the field.
I am currently working with the incident response team as part of the second rotation of the program. Incident response takes a very different approach with customers. During my pen tests, I was acting as an adversary, but in incident response, I was coming in as a partner to help determine whether organizations were breached, how it happened, and whether they would be prepared in the event of a large breach. For me, being there for clients as they work through an incident and determine how a malicious actor accessed their network is akin to being a medic.
I have enjoyed bringing my experience and knowledge as I have moved from one department to another. For example, the incident response team doesn’t have a lot of penetration testing experience, so I have been able to share insights I gained during that part of my rotation, such as looking for what a malicious actor was trying to accomplish through SQL injection attacks. It is rewarding when the opportunity to contribute back to the team presents itself.
Next month, I will move into the third rotation of my training: assessing clients’ cybersecurity maturity as part of the advisory services department. Advisory is very different from the more technically focused realms of penetration testing or incident response. In this rotation, I will have to look at the bigger picture to assess a customer’s overall cybersecurity health and maturity.
Since joining Rapid7, I have developed a keen interest in IoT security. I have been able to work with other team members on projects, since group-focused and independent research is highly encouraged. Through my research, I was selected as a speaker at the RSA 2019 Conference in San Francisco, where I spoke about bootloader security for embedded devices. One of my personal goals is to combine my interests in IoT and agricultural sciences to help producers integrate secure IoT and embedded devices into food production.
If you are considering a career in cybersecurity, I recommend finding an area you are passionate about and running with it. Cybersecurity is such a broad field with limitless opportunities. You can start by volunteering at various conferences, such as BSides, or participating in local security groups to meet others in the field and share your interests. This industry is incredibly supportive and focused on sharing knowledge, so when others see your desire to learn, they will want to help you grow. An eagerness to learn and gain hands-on experience are valuable assets when entering this field.
Rapid7’s Security Consultant Development Program has been a fantastic way to jump-start my cybersecurity career and is something I often talk about with the women I mentor for the SANS CyberTalent Immersion Academy. I especially appreciate how much knowledge is shared across departments at Rapid7. I thought I had learned a great deal going through various courses and certifications, but I have learned so much in the time I have been in this program. It is unlike any other development program I have seen.