Sign in Subscribe
14 min read Penetration Testing

From Carpool Lines to Command Lines: A Mother's Journey to Pentester

From Carpool Lines to Command Lines: A Mother's Journey to Pentester

Hi! Can you introduce yourself and describe your current role in cybersecurity?

Hi, I’m Jen and I am a pentester and a senior consultant on the offensive security team at Deloitte. We are called “Adversarial Simulation” and the team conducts penetration testing and red teaming on clients in the commercial sector.  

I have been in the offensive security field for less than 5 years. Deloitte is my 2nd employer within it. So far I have experience in infrastructure pentesting including Windows Active Directory and a fair amount of web application testing. Lately, I have been focusing on infrastructure pentesting on a large financial sector client, and learning as fast as I can on AI; both in terms of its vulnerabilities as well as what it can do to augment current pentesting methodologies. 

I really love the field and am constantly upskilling and trying to learn more than I did yesterday. If offensive security was not challenging, I would find something that was. 

My motto is: Learning is my drug. The cybersecurity field is my dealer.

What’s your backstory and how did you first get into cybersecurity?

I think my story will challenge every kind of stereotype. I did not grow up as a ‘hacker’ and we didn’t have a computer at home. I was a band kid and a straight A student. My mother was a calculus teacher and my father was an engineer, so I guess I was protected from the weird biological imperative our culture has that “women don’t like math”. When I went to college at the University of Michigan, I chose Electrical Engineering because that major offered the most math. 

Upon graduation, I was interested in biomedical engineering and the United States Air Force offered compelling opportunities in that field at the time. I took a risk and got my commission. I really enjoyed my time in the military. Later on, I met my husband and he and I were having difficulty getting stationed together so we opted to leave military service, and found work in San Diego. My career transition out of the military was not smooth, and the new job was a poor fit. I knew I needed a different career, but I did not know what.

We then had 3 kids in 5 years, all planned. All 3 boys are neurodiverse which was unplanned. Someone needed to pay attention. This type of thing is not in anyone’s career plans. We couldn’t really afford for me to quit my job but we couldn’t really afford not to. So I quit. After a long while, the kids were doing okay and I was looking for something else to do. The boys were in middle school by then. It had been so long since I’d worked … and I had forgotten the person I used to be.

There still was not some grand plan to be a hacker. I was making peoples’ lunches and driving carpools. My resume was as good as blank because of the career gap. I had done so much volunteering, I got a community award and my picture in the paper, but I knew nobody would hire me as an engineer of any kind. I knew I had to start over from scratch. I did not know anyone who had gone back to work in a technical field after a career break like mine. For that reason, I did not think I could do it, so I set my career sights very low

I decided I’d work at the help desk at the school district because I had done so much volunteering at the boys’ school, I thought they’d at least hire me for $20 an hour and it sounded like fun to fix things. I did not want to spend any money. After the A+ class though, I kept taking IT classes because the learning made me weep, as weird as that sounds. I was so happy. I realized I had been starving. I mean, I was terrified most of the time and felt like a total impostor, but I was also starving to death. It was like I was in a hot dog eating contest. I kept getting certs; as soon as the class was over I’d take the dumb test.

I had zero interest in security. I took the Security+ class as a filler because I had time before the CCNA class started. I knew nothing. The professor announced a CTF, the National Cyber League. I said, “I can’t do it, I don't know what that is, I am not supposed to be here” and “What is a CTF? What is Kali? What is Linux? What is Bash? What is sudo? What is anything…”

I fell down the rabbit hole when I did that CTF. Like I was made of lead. I am still falling.

You mentioned discovering your passion for pentesting during your journey. Can you share more about how you developed your skills and what resources were most helpful?

SANS offers scholarships for women, underrepresented groups and veterans.  They offer something called The Womens’ Immersion Academy. The requirement is that you must not already be working in cyber. I still had not worked, still driving carpool, still making lunches and looking out the window wondering who on earth I was. I did have Net+ , Sec+ and CCNA. The SANS scholarship is very competitive, you have to take a test and conduct an interview with SANS. The applicant pool for my cohort was 800+, and they only chose 13 women. During the interview I had the chance to tell my story, expressing frustration that I did not qualify for cybersecurity internships because I was neither a new college grad nor a newly transitioning veteran. I said I was trying to work help desk, but they wouldn’t call me back.

The SANS scholarship was life changing. SANS also offers mentoring to the scholarship recipients and help with resumes. We met weekly as a group to support one another. Every 8 weeks you take a certification test, and you do that 3 times. I took GSEC, GCIH and GPEN. The training was excellent and I had excellent instructors.

Other things: The Cyber Mentor offers some practical and reasonably priced classes on hands on pentesting, web app testing, API testing, Hardware Hacking and more.  I found TCM on Youtube during my first pentesting job. This was before he developed his full platform. I wish he had been around sooner because the Practical Network Penetration course closely matched the skills necessary, in my experience, of pentesting a small company. Heath is very calm and I really like his teaching style. He does not overcomplicate things and emphasizes practicality. It is not some hazing thing where he thinks you need to “try harder” or go figure it out by yourself endlessly. He kept saying, "don't worry, we are going to do this together”. I felt pretty freaking alone during most of my journey, so that helped. 

Currently I am really enjoying HTB Academy, and am on their CPTS path. I love any kind of learning and especially enjoy HTB. Academy makes the HTB platform a little less intimidating and it is more structured. I highly recommend it.

How did your background in electrical engineering and your experience in the U.S. Air Force influence your approach to cybersecurity?

EE majors are taught binary math, it is pretty much hammered into your head. That knowledge had lain dormant and was easily resurrected when I needed it. It was like riding a bike. Learning subnetting was not difficult. Lately I am exploring hardware hacking because I still remember circuit theory.

I took one coding class required by my major, which was Fortran. I hated every minute. I took Python during my time at the community college and I really enjoyed it. I did not find it difficult to learn. I picked up Bash scripting along the way. My coding is getting better as I need to learn it. I can learn anything but I cannot learn everything. I learn as I need things. I wish I’d had a better introduction to coding than Fortran. 

USAF taught me how to manage multiple technical projects at the same time. I also learned client service skills because I had a lot of internal clients with a wide variety of backgrounds during my USAF time. I had multiple layers of management to report to, so I learned to tailor my technical messages to the different audiences. I learned how to be flexible and deal with changing priorities that ride upon the whims of management.

What were some of the biggest challenges you faced while re-entering the workforce after your hiatus, and how did you overcome them?

At first, the demons come. Despite 7 certifications and a technical degree, I was plagued by self doubt. My resume was so bad. My resume was as good as blank except for my degree and certs because it had been more than 10 years since I’d worked. I knew it would fall down the HR black hole.

For that reason, I had to get out and network in person. Terrifying. I remember the first time I went out at night to a local OWASP meeting. It took pure courage to walk in the door and of course the room was all men. They were having a career panel and there was one woman on it, and that helped enormously. One of the audience asked what would be asked in a pentesting interview. One panelist started to answer, and then said, “tell you what, after the meeting we all go to the pub. Meet me there and I will tell you.” There was not enough money in the world to get me to go to a pub with bunch of strange men. I went home after the panel. I never got to hear what he had to say.  

You must battle those demons first.

Eventually, I landed some offers. This is because I interviewed everywhere and battled my deer-in-the-headlights demon.  The first time someone asked me what ran on port 80, I froze and my internal voice whispered only,  “What…what is a computer?” I am proud of none of this, but this is my story. If you want some perfect story of someone who had all the answers and everything was nonstop winning in a straight line, maybe you should read someone else’s story. 

Mostly I have stumbled around like a kid with her shoelaces tied together. I fall down a lot. 

Leverage your network. Our super power is we know a lot of people, plus the people your spouse knows. That is how you get your resume seen by a human.

All of this got better with practice and I found a junior pentesting job through a classmate that I stayed in touch with. I did well on the interviews, and started working remotely on the cusp of the pandemic. Normally, we would have traveled and shadowed the senior engineers in person, but we could not do that so we went straight to screen sharing instead. I felt like I was learning how to swing a hammer by watching people build houses on TV. I was a nobody from nowhere. I began to learn in galloping bursts like I always do, but it was a tough year. 

That would have been challenging for anyone, but also I was on two different large teams of all men. We’d be in these big Zoom calls, and I remember really struggling mentally with feeling weird and the odd person out. Have you EVER been the “only one” of something in a room? The only man? The only white person? Most white males have never experienced this. Now imagine it is your job every day.

I finally wrote "THEY ARE NOT BETTER THAN YOU" on a sticky note and stuck it to my monitor. I needed to see that. I needed to see it every day. One day, after about a year, I stood up to get some water and my foot hit something. I looked down and realized it was the sticky note. It had fallen down and I had not noticed.  I figured that meant I didn’t need it anymore, so I wadded it up and threw it away. I haven’t needed it since. 

I am well supported in my current company and role, and my work place is fine and my managers are wonderful. It is all sustainable. But… if you don’t fall down, it means you are not doing anything. So I still fall down. But, I have a bright future and I love offensive security because I love a challenge. I get excellent work reviews and recently was promoted to senior consultant. But what I am most proud of is: I didn’t stay down the last time I fell.

As a mother of three, how do you balance the demands of your career in offensive security with raising a family?

Haha I did not have balance at all! Let me rephrase the question: “As a mother of three, how can you do two full time jobs simultaneously?". There, fixed it for you! 😄

I feel like we are not talking about why moms get these questions and not dads.  Please ask the fathers working in offensive security the same question! And you will see how much their career success depends on the unseen labor of their spouse. Which often goes completely unacknowledged and unseen, because nobody asks and it is simply assumed.

I took time away, more than 10 years, from paid employment to do the unpaid labor of raising children. If we had to pay someone to do my job instead, the salary would have been $150K+ per year. Instead, I am (big air quotes here) “NOT WORKING” aka “ON A BREAK” (lol) and then had a blank resume. Yay moms.

How can we as a community solve this challenge?

  • A gig based economy would have helped. Faced with the choice between a 40-hour-a-week remote job or nothing, I chose nothing. I could have managed smaller, piecemeal work, but not a full-time schedule. I had pockets of time –  not 40 hours.
  • Flexible working from home is a game changer. Especially now it has crossed the gender divide and we’re not weird if we WFH. 
  • We need more technical career paths that are more accepting of career “relaunchers” or “returnships” (internships designed for people returning to work after a break). If your company doesn’t have one, advocate for one!  
  • I think the more restrictive a workplace or industry is, the less diverse it will be. For a lot of the STEM fields, you have to have a spouse who has a very flexible job where they can be home for the kids. I did not have that in my first career so I had to leave engineering. One thing I really like about my current employer (Deloitte) is they are very supportive of work from home and flexible work hours. I have seen more women at Deloitte balance their work and parenting life than anywhere else I have worked in my life. They are thriving and Deloitte is thriving as a company and in the marketplace.
  • If your own mother means anything to you, hire one returning to work. 

How has networking and being part of the infosec community helped shape your career, especially after returning to work?

I go to OWASP meetings all the time now and always go to the pub! 

I joined WiCys San Diego because I was looking for moral support during my job search. WiCys aka Women in Cybersecurity is a national organization dedicated to the recruitment, retention and advancement of women in cyber. We have a national conference. I am in leadership now at the local level. We have won some neat awards from the city! Also, I help run a WiCys San Diego Cyber Career Day at the community college where my story first began. We are gearing up for our 3rd year.

I am also a member of Women's Society of Cyberjutsu (WSC), which is an amazing organization with a lot of training resources. They do amazing work.  Plus….Women In Security and Privacy, aka WISP who does amazing work and gives amazing scholarships to worthy individuals for conferences and more.

San Diego has a wonderful group of welcoming established security professionals. We started a quarterly happy hour between WiCys, OWASP, ISSA, ISC2, ISACA, CSA, Raices Cyber, and more. The first time we met, we broke the restaurant!

Veterans groups were of limited benefit to me because I was not a newly transitioning veteran when I started in cyber, and most of the resources are designed for that group. SANS was the exception. I even lost my Montgomery Era GI Bill because it expired while I was raising my kids. I quickly realized employers want to hire veterans because of their security clearance, and mine had expired. Again I see this as a diversity issue. We don’t all have the perfect predictable lives and careers and some of us have different needs. Veterans as a group are also diverse within. I try to be grateful for whatever help people have given me

What advice would you give to women or other professionals who are considering a return to work after a career break?

First, you can do it. Call me if you need a pep talk.

Leverage your network. Our super power is we know a lot of people, plus the people your spouse knows. That is how you get your resume seen by a human. It is not about who you know, it is about who they know. Do not leave a networking conversation without another name of someone they think you should reach out to. “Who hires junior people around here?” or “What do you look for in a junior xyz?”

Don’t submit your resume online, that is fighting the battle of the resume and you will lose. What is the rule in the Art of War, where you want to take your battle to where you have the advantage? For a career changer that is the interview. Leverage your network to get that interview. If I get to an interview and my competition for that job is a 22 year old new college grad, I will bury them. Career relaunchers are a PHENOMENAL bargain with advanced social skills. Take the battle to the interview chair. That is where it belongs anyway.

Apply for jobs that say 2-3 years experience. That means 0. The money will come, don’t worry. You will progress faster than most. Or you can bounce after a year for a huge raise and a signing bonus like I did. 

Consider technical roles first. They pay well, garner more respect, and you will give you power. I used to hate when people would say to me, without knowing anything about me other than I am a woman, “You should try xyz in cybersecurity, because it is not technical”  What? Why are you saying that automatically? 

Don’t let people tell you what you want to do. It happens a lot when you are female. As soon as they realize you have people skills too, they will try to push you into sales or project management. Stick to your guns. They stereotype us, they can’t seem to stop.

Outside of work, what hobbies or interests help you unwind and maintain a healthy work-life balance?

Being outside and exercising help my brain and stress a lot. I run, go to the gym, hike, and bike. These things are a required activity for my health, akin to brushing my teeth. Not optional or a luxury. I hang out with my family, with 3 sons there is always something going on. I play pickleball, read, cook, go to concerts and plays, and play the guitar badly. Your brain doesn’t need a break. Your brain needs a change!

Lastly, where can people connect with you or follow your work online?

LinkedIn

Wrapping Up

Thanks for reading! We are always looking to improve the platform and love receiving feedback from readers. Feel free to send a message on LinkedIn or Twitter.

We sell mugs and comfy clothing guaranteed to please your inner hacker. Check it out at https://shop.jasonturley.xyz/