Podcast image

Persistence on the path to career breakthroughs with Jose Barrientos

Trust Me, I'm Certified • 2020-12-15

A top red teamer and SANS VetSuccess graduate shares how he found the right path into infosec through skill and determination.

Notes:

As a kid, Jose Barrientos was continually innovating and learning complex computer skills – and also playing pranks. Yet it wasn't until he joined the military after high school that instead of getting in trouble, his technical abilities were finally recognized as an impressive asset. Thanks to his determination to break in to infosec, Jose is now a successful red teamer at a top organization. In this episode, Jose and Jason discuss the challenges of breaking through childhood barriers, overcoming imposter syndrome, and the importance of never giving up.

Bio:

Jose Barrientos is a U.S. Army veteran and infosec practitioner. Upon separating from the military, Jose followed his lifelong passion and worked as an amateur comedian and practiced pen testing on the side. He briefly went viral and began working as an IT professional before applying to SANS VetSuccess Academy where he earned the GSEC, GCIH, and GPEN certifications and began working as an offensive security engineer. He is now a senior Red Team Operator at a top technology organization.

Transcript:

Jason Nickola:

This is "Trust Me, I'm Certified" brought to you by GIAC Certifications, a podcast exploring how to conquer imposter syndrome.

Jason Nickola:

Welcome back to "Trust Me, I'm Certified" everyone. I'm your host, Jason Nickola. We have a really interesting, funny and worthwhile interview for this episode. I was lucky enough to sit down with Jose Barrientos, who is now a seasoned red teamer with lots of industry experience, but was only able to get there after a long battle trying to gain his first role in the industry, including a couple of stops along the way which that journey would have ended if Jose didn't go all in on getting a shot. Jose is a really funny guy and a great storyteller. He offers a really useful perspective on the value of unconventional thinking, sticking with your path over the long haul, even if that means years, and the precarious tightrope we sometimes have to walk in trying to build a career while providing for kids or a family. Jose is an awesome guy, and I really enjoyed chatting with him and hearing his story. I think you will too. Enjoy.

Jason Nickola:

Jose, thank you so much for joining us. Really appreciate it.

Jose Barrientos:

Yeah, my pleasure. Thank you very much for having me.

Jason Nickola:

So take me back to when the interest in technology and security started for you. Was it something that that happened for you as a kid or later in life? How did you get interested?

Jose Barrientos:

Yeah, so I was born in Mexico, and we moved to the United States when I was like seven years old, I want to say, and very early on, the schools that I was attending had computers, but it was something that was kind of in the background, you know, you don't really get into it right away. But by the time I was 10, and one of my mom's bosses was upgrading her computer or something, and she just gave me one. And, you know, that completely changed my life because and it was a Windows 95 Sony VAIO with the built-in speakers and the black tower - computers in those days were white. So this one being dark was really cool looking. And it came with AOL. So you know, logged in and that became my life for pretty much the next decade.

Jason Nickola:

So your mom's boss was fixing her computer, you got this given to you, which is a really awesome break, looking back and pulling on that thread from the future, knowing where you ended up. Was there anyone else either at that time or shortly after that modeled for you how to be a technologist or how to be curious as it relates to technology? Or were you kind of just figuring it out on your own?

Jose Barrientos:

Yeah, I mean, I'm an autodidact. I don't really need a lot of direction. I kind of take things on my own. I think I learn better that way by just doing it. That said, there was a neighbor who gave me Visual Basic 4.0 once I got into scripting and it's like one of those kids who's making AOL progs and like punters and scrolls and stuff like that. I was one of those punks. And so my neighbor gave me VB but then he moved, he was a software developer himself and couldn't take the time to teach me. But luckily, I was in one of the AOL chat rooms, and I was antagonizing somebody. I think I was 12. And he's like, you really need to leave me alone. And I was like, yeah, whatever, what are you gonna do? And then my computer got the Windows blue screen of death. And I was like, that's the coolest thing I've ever seen in my life. So I logged back in and I was like, sir, please, how did you do that? And he was like, I don't deal with punks. And I said, my days of being a punk are over. Please teach me.

So he did. He explained that at the time, if you could get a language pack on AOL that the other the recipient didn't have, just trying to render that would make it crash. We're talking single core at the time, right? We didn't have multiple core CPUs. So I immediately went into a chat room with some Chinese characters and crashed the entire room. So yeah, I mean, I was 12. What are you gonna do? But yeah, I think that was kind of what set me on the path of infosec and learning how things work and breaking things.

Jason Nickola:

Right, it's kind of that opportunity to peek behind the veil and see that, hey, this seems like a polished product where everything's thought out, and it just works the way that it's supposed to. But once you start to break that glass a little bit, and you start to see the cracks, you kind of start to see it everywhere and look for it. Right?

Jose Barrientos:

Yeah, that's true. I think that maybe the assumption, I suppose when I first got into computers, just as a layman user was that these things were built and they were built perfect. You know, that there were no bugs. What does that mean, and so we need to see that. Yeah, you're just like, I think this whole system is a house of cards,

Jason Nickola:

Sure. Yeah. And oftentimes, it turns out that you're 100% right, that's exactly what it does.

Jose Barrientos:

Right. Yeah, absolutely.

Jason Nickola:

So one of the things that is really prevalent in your background is development and a willingness to code and seeking out that stuff and even doing some of it professionally. You said you had a neighbor that hooked you up with VB and they were a developer but they moved away. Most people I come across in technology that are not already developers have a healthy fear of writing code and anything that they perceive as development. Was there some of that for you in the beginning? Or is it just something you have naturally gravitated toward?

Jose Barrientos:

Well, so programming in the beginning, because of my - so I grew up risibly poor, right? We just had like, no money. I didn't have a backpack; I had a grocery bag. And, you know, so programming became a means to an end, because we couldn't afford the internet. So I began sort of coming across, or coming up with basic social engineering attacks to get the internet, you know, and so I could do that manually, or I could automate the process just using like, you know, when API to like enumerate users in a chat room. I realize this is very unethical. But you know, I think that I was like 13-14 years old. And in those days, you don't realize what you're doing is fundamentally wrong. It's like, eh, it's gonna be okay, I'm not hurting anybody. So programming was a means to an end, just scripting out my attacks and stuff like that. It wasn't until I ended up getting in trouble that I realized that there was a way to do this legitimately. I didn't know what pentesting was. In fact, I don't think in those days we had a full branch of it. It was like, your sys admins who were just better at this portion of it could do some of this pen testing.

But yeah, after that, it was like a means to an end. And even now, right, doing what I do for a living now, it's like, every red team that I know of has to have some development, just because a lot of the tools that we build, we build in languages that are gravitating towards AMSI working with the operating systems. So you have to go to a lower-level language to bypass all that. But no, I was never - I love dev, web apps, desktop applications, you name it. I was always very passionate about that.

Jason Nickola:

Sure. So as you started to get a little bit older, you're working your way through school. Is technology and security something that you saw a future in professionally? I know it took up a large portion of your spare time. But is it something that you saw a future for yourself in?

Jose Barrientos:

No. In fact, I had some people that in retrospect, should have known better, fail me. So my high school offered a basic programming course, which would dip into regular VB. So I must have been 16 at the time, and I took this course because I thought, hey, I'm gonna learn some things that I didn't learn on my own. But I was moving really fast in the class. And I ended up building a chat client so that me and my friend could chat on the local network together. And the teacher found out and kicked me out of the course. So I instead had to do a study period. And so I thought, just this pattern was like, well, I do something with a computer. I think it's cool. And everybody else thinks it's bad. So you know, even as a developer, I'm getting in trouble. So growing up in school and stuff like that these were two separate passions. It was like, secret computer stuff that I couldn't talk about because people get would get uneasy, and then just regular academic stuff. But no, I had no idea that you could do this as a job. Yeah, it didn't even occur to me.

Jason Nickola:

It's amazing to me how common that is. And I think and hope it's becoming less common, just because the world is like, everything is so tech based in the world at this point. But especially for prior generations, it's just amazing to me how many people are doing really amazing things in their spare time as children, and just kind of never think, hey, I could do this professionally - at a professional level as a child. So maybe doing it professionally and matching my prospects with something that I'm passionate about and interested in is, is something I should look into. It's something that has been missing from more stories than I would have anticipated.

Jose Barrientos:

Yeah, I think it's a symptom of two major fundamental issues, right? So one of them being imposter syndrome. It's like, I was doing dev as a teenager, that I thought, well, this isn't professional level. I couldn't write this at a company. And then I went and did it a company and I was like, oh my God, I absolutely was, but it took me taking a leap of faith to even realize that. On the hacking side, using something in a way that it's not intended to be used is discouraged and that level of thinking - like really beneficial as a professional hacker. But when you're a kid and you're doing something, I think that it just carries a negative connotation. Like as a once again, very poor - I feel like I have to justify the childish antics that I did as a kid. There was an arcade in my hometown that you would put in money into a machine, it would spit out this little like credit card. And then you would just use that.

At the time, I had heard somebody talking about how like maker ink on the bottom of checks is magnetic, and how it's similar technology to using a tape recorder, similar technology to a credit card, and why you shouldn't keep them together because it'll demagnetize or mess up the film. And so I thought, well, if it's the same technology - I took apart my mom's tape recorder, which had a play and record, you know, and had the dual cassette outlets, and I would put the card - I had to rig it so it would play with the door open. But I played the card with money on it and recorded it onto a tape. Then I spent the money on the card and reversed the process and was able to record onto the card the funds. I was cloning this and basically got to play video games for free.

And it didn't occur to me then - it was like I have to keep this a secret. I can't just go to a company and say hey, there's flaw with the way that you're encoding this thing. And maybe, so that you can't clone the funds. And so yeah, it doesn't surprise me when I do talk to people, it's like, something is broken, the system's broken and identifying people who think this way, and how we could like use this in a beneficial way.

Jason Nickola:

Yeah, and it's something I can relate to looking back in my past, especially grade school, right? When we know that people learn in lots of different ways. And there are people who have lots of different ways of thinking and looking at the world. I always kind of had my own crazy way of thinking and was going to kind of do my own thing. And most of my childhood was spent, like being told no, by teachers and adults, like, no, you got to sit there, and you have to do it this way. And don't do math this way. And don't think about it this way. And my son who's two years old, and he'll be three next year. He's so similar to me and how I was as a kid, like I kind of worry about it, you know, what's his public school experience going to be like if he's told to just sit still and think this way and kind of fall in line? And don't think at the edges and don't try to explore the world. It's a definite problem. And I think it contributes to why people like you who can go for so long, you know, thinking that it's wrong, or that they're doing something that is unaccepted?

Jose Barrientos:

Yeah, no, I agree. I think modern education is like a parabola, right. And it's designed to get the preponderance or I guess the great majority of people, to educate them, to teach them to be contributing members of society, to follow the rules. And there's nothing wrong with that for the masses. But I do think that there's two sides to that, where there are people who are like you and I, who were overlooked. And then there's people who really need that extra help and they're overlooked. So, yeah, it's a shame, but yeah, I totally agree with that.

Jason Nickola:

And to be clear, I think there's all kinds of awesome stuff that that's happening in school systems all across the country and the world, and I don't have any of the answers. So just that's my personal experience, right?

Jose Barrientos:

Yeah, no, listen, Jason, we're gonna start our own school.

Jason Nickola:

Right, let's do it. So what did you end up doing after high school? You mentioned the army. Did you go right to the army out of high school?

Jose Barrientos:

No, I didn't. So I graduated early. And then got a job at Subway sandwiches, not to brag, sandwich artist. That was my first certificate. Yeah, I just got a job. I started working a lot. And I didn't think that I would do well in college. So I didn't try. And again, all of these are symptomatic, or symptoms of that imposter syndrome and thinking about, well, I'm no academic. I don't really know much. And I didn't even think I was smart. Like I remember thinking was pretty bland and kind of -

Jason Nickola:

That's crazy.

Jose Barrientos:

Yeah, I mean, I can't even say that I'm smart now, right? But I think I'm good at backwards logic and I'm good at taking things apart. But the system the system wasn't there, wasn't designed to tell me that that was a skill that was valuable. So I didn't think it was valuable. So I just got a job Subway, you know, got a job as a waiter, food places, until my friends graduated high school. And they went to Europe and I was like, wow, I want to go to Europe, I haven't gone anywhere. So I joined the army as a means to like travel and you know, get some experience and I couldn't even do computer stuff for the army because I wasn't a citizen. I was a resident. And you need a secret clearance at least to do any cool computer stuff. So even though I knocked my test scores out of the park on the ASVAB and all that. They were like, yeah, how do you feel about being a mechanic? So I was like, sure, how hard can that be? So I did that, but in the Army I displayed strong computer skills and did some pranks, you know, took over one of the SMTP servers and spoofed emails to send my boss, who was a Sergeant E-5, to the Sergeant Major's office as a joke. Rather than getting in trouble, the army was like, well, hey, this guy's pretty good at this. And they moved me to the S-2 shop. So I started doing some signal intelligence stuff, regular intel work. That I think was the turning point where I was like, oh, there is a place for me. So it took that, and it came about from a prank, right.

Jason Nickola:

That's actually really cool. Because, you know, you graduated from high school early, you're taking cassette players and, you know, retrofitting them so that you can record funds onto a card for the arcade, and you're doing all this cool stuff, and you knock the ASVAB out of the park. And you're still describing it like, yeah, you know, at that point, I didn't think there was anything real special there. But then you get this opportunity where you use your skills, and somebody actually looks at and says, okay, this was funny, but also, you're good at this stuff. Come help us leverage your skills to further this mission. And it to me, it's like, yeah, picking apart one thing and maybe trying to read more into it than is there. But those kinds of experiences where somebody just says, you're good at this, and you can help us over here doing that, let's go do it, are so important for building your confidence and starting to change that narrative. Like, you know, I can't do it, I you know, I don't have anything special. There's not much that value that I can provide that's valuable to actually I can do some things and people out in the world have recognized that.

Jose Barrientos:

Yeah. That's a great way to put it. There's still - I mean, I can't say that that was the moment where I was like, oh, I'm home. Like, this is what I'm gonna do, right. But it was definitely like that moment is where, at least for me, I realized that there was a place for this. Hmm, and maybe only in the military, right, I didn't know anything about the private sector. And I was doing other things like, they had local internet called Sadiq Internet, and they were charging us a ridiculous amount so that we would have internet, otherwise you wouldn't have internet, right? But we were all on the same LAN. So they when they would shut us off or whatever, I would just turn it back on. And I can admit that now. Yeah, so I mean, I got to do some cool stuff while I was there that at least made me feel like well, maybe I do have a skill set here that is valuable. And doing it for the good guys and seeing things that were previously looked down upon, or things I had to keep a secret not only being like - there was adulation for my shenanigans, as opposed to like getting in trouble.

Jason Nickola:

Right. Yeah, sure. So you're in the military, you eventually end up doing signals intelligence in the military. What was it like for you to think ahead and try to translate those skills that you had before the military but kind of honed to a specific role in the military, moving out into the workforce and your post military careers? Was there a logical landing place for you? Did you know what you were gonna end up doing? And how did that process work?

Jose Barrientos:

No. So what I learned from my peers, like signal intel was a part of it, it wasn't the only thing, right? So there was a lot of human intelligence, looking at maps, and poring over reports, looking for reoccurring patterns in the way that the adversary attacks, that kind of thing, was not something I thought I could do in the private sector. So when I got out of the military, my goal was to open an ice cream shop. I know.

Jason Nickola:

Hey, everybody loves ice cream.

Jose Barrientos:

Right?? Listen, and overhead, it's the best. I could talk about that for hours. But it didn't pan out. So I just started going to community college. And the issue was that I wanted to work in the industry, because I felt like I was old, right? And so I would go out for job interviews and I would bring my demos and software that I had written and examples of attacks and stuff and they would just be like, we need someone with more experience. And I was like, I can't get the experience unless you give me the job. So that just - what it did was it fueled my imposter syndrome where I was like, well, maybe I'm not good enough. Maybe I can't do this and so that's why I defaulted to software dev. And even then, it was hard. I don't know if we want to get into this too much. But I got kicked out of school at college for a prank and that kind of killed my passion for academics. And I was like, well screw it, I just won't go back to school.

But I already knew how to dev and I already knew basic hacking, and or what we would call pentesting. But nobody would hire me. So I got a job making web apps for a moving company. And they were like, well, you don't have a degree and you don't have certs. So we're not going to pay you what a professional developer makes. But I was just so happy to be in the industry that I was like, no problem. So I did that. And I thought, well, this is my life. It's okay. And there was also like, a lot of bias, right? Like, when I would go to job interviews and stuff like to do pentesting, I felt like, and I talked about this before, but people were really surprised when I'd show up, right, because there's just not a lot of Latinos in tech from what I've discovered, and even less in our field, right? So I'd show up, and they'd be like, really, you? So I'd own it, I'd be like, yeah, it's me, I'm here to do the hacking. Full disclosure, tried to get on the WiFi, couldn't do it, you know.

So there was a lot of that. And just facing that, but without certs or an education, it just seemed like an impossible task. And I almost gave up, you know, if it weren't for CyberTalent, SANS, I probably would have given up.

Jason Nickola:

That's a good segue. How did you learn about CyberTalent? And how did you get hooked into that program?

Jose Barrientos:

So I was just doing dev work. And a buddy of mine who I met in the military was not doing so hot and was looking for a career change. And he said, what if I wanted to do dev like you? And I said, well, you could probably use your GI bill for a boot camp, you know, they have the coding camps. And he said, what if I want to do infosec? And I was like, I haven't seen any ones that are for veterans. But let me look. So I got on Google. And, oh, by the way, I already knew about SANS. And I tried to do SANS with my GI Bill in 2014, I want to say, but my VA rep was like, no, this is a waste of your time, and it's a waste of our money. And I said why? And she was like, you don't have a background in tech. You don't have a degree. There's no way you're going to be able to go into these programs and succeed. And I don't want to set you up for failure.

Jason Nickola:

Wow.

Jose Barrientos:

So I was like, what do you recommend I do? And she was like, I don't know, look into a trade, go be a welder. And just completely blew me off.

Jason Nickola:

Yeah, that's unfortunate.

Jose Barrientos:

Yeah, it is. But whatever. I wrote her an email after I graduated from the SANS thing, but I'll circle back to that. So yeah, I was looking around in that. And then I found SANS had the CyberTalent. And I was like, oh, my God, so I sent it to him. And you know, the process, you have to take this little test, sort of quiz. And then you do a phone screening. And then after that, they decide whether you can join or not. And so I did the test. And I passed that. And then I did the phone screening, and I passed that. And then I received an email telling me that it's very competitive, and they don't have space for everybody. And that I just didn't qualify. So yeah, I was crushed. But I was like, I'm not taking no for an answer. So I wrote this email, I was like, listen, your stipulation is that I can't be five years - once you're out of the military for five years, that's it, you can't do it. And I said after the end of this month, it will be five years and I will no longer qualify for this program. So it's now or never. I said I don't need to seat, I'll stand in the back, I'll show up early, I'll help set up like, I'll bring coffee and snacks. What do I gotta do? So they wrote me back and said, okay, okay. We'll let you take it.

Jason Nickola:

Awesome. I love it.

Jose Barrientos:

Yeah. So that was it. That was the transition. And the program is - you're supposed to have three months per certificate. But I did it in three months total. So I did a certificate a month, the GSEC, GCIH, and the GPEN. And to my knowledge, I think I'm the only person who did all three successfully the first go around.

Jason Nickola:

Nice.

Jose Barrientos:

Yeah, I do take pride in that. Especially because it was an uphill battle just to get into the program.

Jason Nickola:

Of course. Yeah. It's a common thing, right, that you hear, when people have to fight so hard to get a seat at the table. It's like, once you get there, I'm gonna eat.

Jose Barrientos:

Yeah, that's a great way to put it. Exactly.

Jason Nickola:

So why do you think you doubled back and said, hey, you know, let's take another look at this. I'm running out of time, you got to get me in. There's the easy answer of well, I wanted to get in and they said no, and I was up against it. But did you feel like a sense of desperation at that time? Did you feel like it was now never for you in general or just for the program?

Jose Barrientos:

No, in general. So I spent a lot of time being afraid. I spent a decade thinking that I wasn't good enough to do these things professionally. Yeah, I'd had some success going viral with a hacking video here or there because I'm funny and I do stand up and all that stuff. But there's a difference, right, between a four minute video and actually doing this for real with tier one professionals. And so when SANS turned me down that first time, not through the VA, but through the CyberTalent program, I was actually on my way to a wedding. So I was in the car when I got the email, and I was crushed. And my daughter was with me. And I was thinking, about her future and my ability to provide, and what that road looks like, and where am I going to go from here, right? And so it was more of like, I wanted it more than everybody else. And I wanted to be there. And I just knew that if - that was my whole premise of the email, it was like, if you just give me a chance to prove myself, I'm not asking for a handout, not asking for special treatment, nothing, just let me attend. And I will do my best and be successful. So yeah, I guess it was just a sense of desperation. And a sense of if this doesn't work, then I don't know what I'm going to do, I guess dev at half the salary for the rest of my life, right.

Jason Nickola:

But you did it, you got in. You really made great work of the certification process. You came out with those three certs? GCIH, GSEC, and GPEN. So coming out of the program, did you move right into a security role? And how did you go about trying to get your first role in infosec?

Jose Barrientos:

So listen, I don't know how you feel about The Secret. But I feel like everything magically - I mean, it was insane. So I had just gotten the GSEC, and was prepping for the second cert. And that neighbor who gave me VB 4 found me on Facebook, and was like, hey, man, what are you up to? And I was like, wow, I'm just doing security now. And I just got this cert. And he was like, well, we're looking for some blue team guys, if you want to come and run the SOC and maybe do some pentesting. And I was like, I would absolutely love to do that. So I went in and interviewed and, now that I had the pedigree of SANS certificate, doors opened, HR was like, get this guy in here, you know. Yeah, I mean, that immediately, it almost - not to brag, because it wasn't a lot. But for me, it almost tripled my salary. It was full remote.

And I got to work with industry professionals. And that was the first year. And so three months after that I had the other certs. And yeah, I was like pentesting and doing junior red teaming stuff. And that's it. That was the point, right, that was the moment where I was like, you know what, I can do this. Like, I know enough. I work hard enough. I don't have to be afraid. And what was really cool is if you look at the online hacker community, a lot of them are very egocentric. They want to be the smartest guy in the room, they'll call you a skid and they make fun of people and stuff. But once I started meeting other SANS graduates or other professionals, they're super team oriented. Like you don't know, something, ask, it's totally cool. Nobody knows everything. And that was so welcoming for me that it was like, oh, man, this is great. This is where I want to be. I felt like I belonged.

Jason Nickola:

That's awesome. And, you know, we've talked about a lot of things here. The role of education, and you mentioned sometimes being failed by the system and by people along the way. And there's certainly lots of other things with prejudice and the industry being flooded with white guys, and having a preconceived notion of what a security professional looks like, sounds like, talks like, and there are lots of systemic and larger societal problems that you can point to about why people do or don't actualize. But another part of it is just your willingness to put the work in and keep going and identify a moment in time and say, I can I can give up here and I can accept the answer, or I can kind of make it happen for myself. Oh, and by the way, once you do that, it's not, you get a job and you get paid and live happily ever after. It's like, no, you have to put in the work now. That's all that you got was the opportunity to go work your tail off to try to make something happen in an industry where you have to continually do that in order to stay current and stay relevant and have opportunities. So just a big credit to you for kind of identifying that and over the long haul, being willing to do it, and just making it happen.

Jose Barrientos:

Yeah, well, thank you for saying that. I mean, this is a massive summation of my experience, right. So there's a lot of people along the way since then that have really helped out, taking the time to explain things to me and show me things or send me books and resources and blogs and podcasts and such. So, you know, it has been very much a team effort. And that's something that I'm happy to report when people ask me is that the professional community in infosec is awesome and collaborative and, you know, just really solid. And I do the same thing now that I'm working with junior pen testers, or junior red teamers, I go out of my way to make sure that they don't feel like they need to be intimidated, or they feel like they're not good enough. It's like, no, you know, bidirectional mentoring, you're gonna know something better than me, and I expect you to teach me that. So yeah, it's been a really good journey. And I would be remiss if I didn't mention that it wasn't just me. For sure, it was a lot of people helping me and, and taking the time to show me things.

Jason Nickola:

Which is a real shift, even from the beginning of the conversation, when you were talking about how you did things when you were younger, when you were a kid, and just going away, and I'll figure it out. And now kind of wrapping it up, identifying a real role that other people and teamwork and working through being the new person and trying to be accepted and finding resources from others to then paying that forward and trying to serve the same role for other people as they're coming up, which is - I don't use the word beauty often in relation to these things. But that's the beautiful part of the journey is when you get to kind of close the gap and come out of the other side of it and do the things for others that either you didn't have, or that really made a difference for you.

Jose Barrientos:

No, totally agree. And actually, to that point, I feel like that's kind of what SANS solidified for me. So because I didn't have a formal education by any stretch of the imagination, including and especially in infosec, I considered myself a scientist without a science. So the good thing about that is that I question a lot of things that other people assume. But the bad thing of this is that I also waste a tremendous amount of time trying to solve a problem you would've to learn your first semester in a comp sci class. So what SANS did was fill the gaping holes in my knowledge to make it so that I had a really good solid foundation, as opposed to like, yeah, I can reverse a binary but I don't know anything about man in the middle, right? Like what's ARP spoofing, what is this right, and so all of those things, and the foundational information you need to sort of transcend to be able to do things.

And the other thing too, is that a lot of - at the higher levels, a lot of the red teaming information is tribal knowledge, right? Like, go ahead and ask a red teamer what their spon 2s are and they'll lock up, they're not going to tell you. Cause once we all know, then anti malware knows. But yeah, once you're on the team, everyone's really good about sharing information and stuff. So it's been a collaborative effort. You're right, I did go full circle, because I went from sort of being like a lone wolf and doing stuff on my own to finding a wolf pack, if you will.

Jason Nickola:

So it's good timing for us to have this conversation. Because you've, you've recently started a new role. Do you want to talk about what the role is, and just take a couple of minutes to talk about how you went out and got a new role in this climate that we're in now and what that experience was like, and maybe advice for other people who are finding themselves in the same position?

Jose Barrientos:

So yeah, after being in DC, and being on the red team over there for about a year and a month, I started looking at other opportunities. And you know, it's really difficult I feel, to switch careers, or switch places that you're working, especially during COVID. But one of the benefits of the CyberTalent certs that I got was that it opens a lot of doors. So I was able to find a job, doing, basically I'm an AppSec engineer and doing some pen testing and red teaming, full remote, great benefits, all that stuff, with a tier one company. And again, I mean, just having that on my resume, opens doors, you know, it's really beneficial now to have the experience and the education that recruiters and HR is looking for. So that has definitely been a huge, huge help. And I think it sets the tone, like I don't think getting an interview is going to be a problem for me for the rest of my life like it was pre-CyberTalent, pre-SANS.

Jason Nickola:

Right. Well, congratulations.

Jose Barrientos:

Thank you. Yeah, well, I wouldn't be there if it weren't for SANS, right? So it's like, all of these opportunities began opening up for me. And it's just been exponential. It's like, the more work I do, the more exposure I get, the more opportunities come my way. And I went from like making $35,000 a year as a JS developer to getting to the highest levels you can get to in terms of infosec. And I did that in, what, two years? And I don't even think that's a testament to my skill. But more or less what happens when you put passionate people with the right team. I know. I mean, SANS inarguably changed my life forever. So I'm eternally grateful.

Jason Nickola:

Well, thank you SANS.

Jose Barrientos:

Yeah, and CyberTalent as well.

Jason Nickola:

Yeah. So what advice do you have for anyone who's listening that is thinking about making a career change? Or is a few months or even potentially years down the path of, I want to work in security, I can't get the role, or they're really struggling to make it happen. What advice do you have for those people?

Jose Barrientos:

So I read somewhere that there are two types of people that job hunt. And when they look at a job that has 10 prerequisites, requirements that they need to have or know to get the job. There are two types of people: people who go who have nine out of 10, probably shouldn't apply for this job. And then the other side that goes, well, I got five out of five, I'll probably learn the other five on the job, let's do this. I highly recommend that if you want to move into this industry, you want to move ahead in the industry, is to just do it. And I know how platitudinous that must sound. But it's like, what are you waiting for? Like I said, I've wasted a decade thinking that I couldn't do this. And whilst I don't regret it, because I don't want to look back, it's like, yeah, it was a big waste of time.

You know, and the community is welcoming. The community wants more people. Every year we have less and less professional hackers. And I don't know why that is. So there's jobs, there's opportunities, you just have to go for it. And, like I said, I know that just sounds like a commercial. Like, here's a positive PSA from Jose, believe in yourself and move forward. But I but I mean, that like, right, you know, it? There's nothing to it but to do it, right? There's no secret or path or whatever. Just go and do it. Like, you'd be pleasantly surprised. This is a job that you can do, and so long as you're willing to work hard and learn, there's something in it most anyone can do.

Jason Nickola:

Yeah, I mean, you're right. It's so easy to dismiss all of that as just a simple platitude, just for the sake of coming across as positive. But it in my experience, it really is how it works. Make the first step and then keep taking the next one until you get where you want to be. And then eventually you look back and you're like, yeah, I did it.

Jose Barrientos:

Yeah, I think people don't give themselves the permission to fail. It's when you realize, you know, like, okay, you go for a job, and you don't get it, guess what, you're no worse off than you were before you went out for that job. Like, there's no real risk here. So what, one person tells you no, two people tell you no, I've turned failing into an art form. Like it doesn't - the idea that I'm going to do this thing and it's going to fail does not deter me at all. Not even a little. And so, I think once you accept that, like, hey, you know, you're gonna fall, so long as you keep getting back up and going for it, eventually, something's gonna work out and stick.

Jason Nickola:

Right. Totally. Well, I've really enjoyed this. Jose, thank you so much for joining us.

Jose Barrientos:

Yeah, of course. Absolutely. Yeah, thank you for having me.

Jason Nickola:

That was Jose Barrientos thanks a bunch to him for coming on the show and sharing this journey with us. And also thanks to all of you for listening. We'll be back in two weeks with our next episode so please don't forget to subscribe to the show at giac.org/podcasts or wherever else you listen in order to get notified about new episodes as they're released. Until then, stay safe, and we'll see you next time. Thanks.