#10: An Exciting Career in Information Security

October 6, 2022 | Kristin Szalajko

"Once you are bit by the security bug, you're just bit." - Ken Hehl

Information security is an exciting career choice with a strong future outlook. Ken Hehl, Chief Information Security Officer, walks us through the different types of roles within information security and the type of person it takes to succeed within the industry.

[00:46] What Ken does
[01:55] Information security has changed
[03:34] Crazy story
[05:07] Different types of jobs within the field
[12:53] Do you need a degree?
[20:40] Ken’s career journey
[26:52] Key elements as it relates to information security
[34:44] Unexpected aspects of the job
[42:12] Career advice


Episode 10 Transcript:

[00:00]

Ken: Literally. The test, Kristin, is you’ve got 24 hours to break into this lab environment and get to the goods.

Kristin: Hello, and welcome to The Career Shaker Podcast. I’m your host, Kristin Szalajko. I’m a certified professional career coach who specializes in career exploration. I believe everyone deserves a meaningful career they love. I know it can be hard to find that career, and that’s why I’m here. I’ve developed an easy formula to help you identify the right career path for you. Let’s shake up the way you view your career. I’m going to challenge you to look at careers in a brand new way. Whether you’re stuck in a job you don’t like or just starting out on your path, my goal is to empower you to take control of your career.

Kristin: All right. I’m here with Ken Hehl. Welcome, Ken.

Ken: Thank you.

Kristin: Can you just quickly introduce just yourself and your job title and what you do?

Ken: Sure. I am the Chief Information Security Officer and Senior Vice President for Billtrust. Billtrust is a financial tech company that helps businesses invoice other business customers and then receive their payments. We move about $100 billion annually in funds between businesses. So instead of paper invoices and checks, it’s all done digitally through us; ACH payments and so forth.

I’ve been in the information security field for about 20 years as a Chief Information Security Officer for a good chunk of that at JetBlue, at Herc Rentals, which is a big equipment rental company, and then at another company that provided services for hoteliers around the world called TravelClick. And now I’m here at Billtrust.

Kristin: Awesome. I can imagine that information security has changed quite a bit over the last 20 years. Do you feel like it has, or has it stayed relatively…

Ken: No, it certainly has. When I first started actually at Eli Lilly and Company, which is pharmaceutical, security was all about stopping these random viruses and worms that didn’t seem to have any real purpose other than destruction. And we’ve done a really good job of that. But today, there’s a lot of organized crime around the world that we think of organized crime, dealing in drugs and, I don’t know other nefarious activities, but a good chunk of organized crime today is actually focused on using the cyber capabilities to steal money from other people. It’s really a big business. And so when you think about how organized crime we see it depicted in portrayals and movies and television shows – there is a big network of skilled and people with real intent who are very much looking to steal money wherever they can, and they use cyber tactics to get to personal information. And ransomware is a huge thing. Maybe you’ve heard a lot of companies who have had to pay hundreds of thousands or even millions of dollars to get their systems unlocked. So, yeah, it’s changed dramatically from people who are just kind of doing interesting things to people who are very organized and very intent on breaking in and stealing what they can.

Kristin: That’s interesting. Okay, so do you have any crazy stories from your time in information security?

Ken: Yeah, I was trying to think of something that sort of fit the bill. I think the most interesting story, and unfortunately, I can’t go into much detail about it but was arriving on the job as the new Chief Information Security Officer for a company, and that very first day, literally the first day on the job, getting a call from the FBI…

Kristin: Oh, no.

Ken: …to let me know about something that had happened involving the company I was with at the time. So it’s kind of a fun way to start and start your new job is to have a call from the FBI.

Kristin: Yeah, that’s not a first day we all hope to have.

Ken: It’s not like top secret, but I think I signed some confidentiality things, so I can’t go any further than that. But it was a fun, weird first day. Best first day ever.

Kristin: Well, hopefully you didn’t want to quit after day one.

Ken: There was definitely some work to do. We got busy fast.

Kristin: Yeah, I can imagine. Okay, so tell us now that you’re in the Chief Security Officer or Information Security Officer role, just tell us what your day to day looks like.

Ken: Yeah, well, information security is a lot of work in some of the mundane aspects, but it’s also kind of interesting. So it’s got both blends. So at the level I’m at, my day consists primarily of meetings and email.

Kristin: That sounds all right.

Ken: Which is mundane – it’s meetings and email. But I think that my job is less interesting, and maybe I’d rather take a moment and just maybe describe what opportunities there are in information security and what typical days look like for some of the folks who work in this field rather than mine.

Kristin: Yes, that would be great.

Ken: Okay, so in information security, you’ve got three or four different areas that you could focus on. One is you could do something called threat hunting. So if you think of security as it used to be, there was just firewalls and antivirus software that protected your machines. But today, our computer networks for businesses are so porous, and there’s so many connected systems that, in some ways, you really don’t have much of what we used to call a perimeter to keep people out. So you have to kind of assume that people can occasionally get in. And then what you’re really looking to do is to find – the way I like to describe it is you’re looking for Loki impersonating Captain America, right? Because that’s what happens today, is you get these really advanced actors, especially, who can come into an environment and capture someone’s credentials and then masquerade as that individual within the environment. So one of the jobs in information security is something called threat hunting. And threat hunting is very much what it sounds like. Your analysts are going over data from various sensors in the environment and looking for anomalous activity. They’re trying to figure out what’s typical, and then they’re looking for the atypical. So a good example of that might be someone who has privileged accounts, someone with a lot of power on the network, which is always what threat actors go for. So if that person normally logs in at this time and works till that time and uses this machine and runs these commands, but just like, again, like Loki portraying or trying to mimic Captain America, you would look for anomalies in behavior. Maybe that person came from a different machine than they would normally do at a different time of day, going to a different destination than they might normally do. And you want to sort of follow up on that to see if that’s a potential threat actor in your environment. So that’s threat hunting. Very interesting job. Lots of data analytics, lots of understanding how to correlate data in these big tools that we have today.

Another part of information security is around some of the mundane things, but making sure that the company follows basic good practices, like having the right strong passwords and making sure that when people exit the company, their accounts are removed, and making sure people don’t have too many privileges. And that’s called information assurance, and it’s based on a set of controls that you want to make sure are just really good hygiene throughout the company.

Some other aspects of information security have to do with if you’re especially in a company like the one we’re in, where you’re developing software, that’s what we sell at Billtrust. We sell software as a service. And when you’re developing software, you want to make sure that that software is very secure because it’s in the public domain and we hear about all the time what they call zero days or vulnerabilities in software. So another focus of security can be individuals who are working with the development teams to help them develop software that’s very secure. And you do that by really embedding certain processes all throughout the software development life cycle to make sure that that software is secure.

[09:20]

Kristin: So do those people need to know… if you’re working in that area do you need to know coding and do you need to be able to speak a developer language?

Ken: Yeah, good question. That’s a great question. So if you’re working on the software development lifecycle of the house or what we call application security, I would say yes. You’re going to be best served by coming from some sort of development background. If not being a full-time developer yourself, maybe you’ve dabbled in development sufficient that you know how it goes. And honestly, what’s really helpful is if you can get somebody who’s got some good development chops but also has done some penetration testing themselves. That’s another piece I was just going to talk about too.

There’s what we call ethical hacking or penetration testing, where you’re actually pretending to be someone who’s trying to get in and you’re using the same tactics that they would use and you’re testing the boundaries and finding weaknesses and then exploiting those weaknesses as you’re able.

This is actually one of the most important activities you can do at this time. Probe your defenses and find where the weak spots are before the attackers do. So if you’ve got somebody who that’s another great area of security is understanding how to probe. You got to understand some good technological things about coding, about some of what we call the common coding vulnerabilities, like a SQL injection or like a cross-site scripting or cross-site request forgery – a lot of technical things that honestly more high school kids know about than I do very seriously. And what’s great about this, Kristin, is some of the very best people that I’ve had working on the teams I’ve been a part of have been self-taught, and they started out in high school or younger. They were very interested in computers. They love the idea of kind of probing and looking for weaknesses. And then they just got when you get bit by the security bug, you’re just bit. And almost anybody you talk to in the security field, they’ll tell you their story of when they first realized, okay, this is where I want to be. And that happens to a lot of people as teenagers. And they come out of high school and then going to college just doing stuff on the side. Honestly.

Most of the people that I’ve had working for me through the years or working with me through the years. A lot of them haven’t had degrees.

Kristin: Interesting.

Ken: No degrees at all. They’ve got a passion for it. There’s lots of forums where you can learn about it. There’s lots of places where you can practice your skills in an ethical way. There’s lots of books and lots of online courses and just a whole plethora of area where you can really become very smart about penetration testing activities and how to protect against that.

Kristin: I have, like, two questions there. We’ll start with the first one. So do companies care that they don’t have degrees? Is it hard to get a job if you don’t have a degree, but you have the experience? And as a follow-up to that, is that true for all areas of information security or maybe just the penetration part?

Ken: That’s a great question. Do companies care?…I’m sure there are some companies that have blanket policies about we only hire people with bachelor’s degrees or above or something. But I haven’t ever worked at one.

Kristin: Okay.

Ken: I would say that no, in the information security space, if you’ve got some technical chops that you can demonstrate through various means, then no, you don’t need to have a degree. And I don’t think anybody cares whether you have a degree or not.

Kristin: Okay.

Ken: I think that answered both questions. No, the other question was in the other areas. No, honestly, a lot of the folks that I have working with me and working for me have degrees in a wide range of fields. We’re just having a couple of folks who are going to be starting for us soon. One was in a chemical engineering, had a degree in chemical engineering. The other is a woman who has a degree, a master’s degree in environmental planning. I don’t even know the full title of it, but totally nonrelated fields to information security or even IT. And they just have a passion for the field and they know how to learn and so it’s not necessary.

[14:11]

Kristin: So how do they show that they could do this? Do they show it on a resume, is there a portfolio you put together? What’s the best way to prove to somebody that you could do this even though you don’t have a degree?

Ken: Yeah, so of course the best way is experience, right? If you’ve been doing it somewhere else and you could do it here. So if you’ve got some experience and I would say if you don’t have a lot of experience, there’s still really great opportunities out there. For example, I remember hiring one individual who’s very young in his career, had a lot little bit of experience, but I was interviewing him for a position that really was well beyond what he had been doing professionally, but the individual was also into doing a lot of kind of cyber defense and attack games and then sometimes called capture the flag events or things like that, and also was doing bug bounty hunting. So there were ways for this individual, without even having a long resume of experience, to demonstrate. His team had gotten third at some event in Las Vegas, and I was quite impressed with that. So there’s a lot of sort of almost hobby-like ways that you can, if this is really your passion, you can demonstrate it through success in these nonprofessional ways that can still be pretty impressive to someone.

And then there’s also something called certifications. There’s lots of certifications in IT, and that’s not a bad way to go if you’re wanting to get into IT, and maybe you haven’t gotten that bachelor’s degree or something like that. There’s some great certifications. I would just say pay attention to which ones really have the weight or the gravitas for what you’re talking about or what you wanted to do. But, yeah, certification is another good way.

Kristin: Are there specific certifications that are more helpful than others?

Ken: Well, when it comes to pen testing and really demonstrating the chops, there’s something called the OSCP, which is pretty tough to get.

Kristin: Okay.

Ken: But if you’ve got the OSCP certification, literally the test, Kristin, is you’ve got 24 hours to break into this lab environment and get to the goods.

Kristin: Wow.

Ken: And you got to get in in 24 hours, and you got to really demonstrate your skills there. I could never pass that. And some of the smartest people I’ve worked with have taken the test a couple of times before they could.

Kristin: Wow.

Ken: So that one’s pretty good. There’s another one that’s pretty broad and demonstrates good general domain knowledge of security. It’s called the CISSP. I don’t even remember what it stands for. When I was trying to get a little further on in my security career, just before I went to JetBlue, actually, I got that CISSP to sort of sort of demonstrate, because my degree is in English…

Kristin: That’s not related…

Ken: …An English major and here I am trying to help protect financial tech companies. Billions of dollars that flow through. But the CISSP helped out. And then after that, it’s really just experience that helps.

[17:24]

Kristin: That’s awesome. Okay, so I’m curious because every time you keep talking about, like, even this OSCP certification, I’m picturing the movies, the hackers are going into it. How close is that to real life?

Ken: Well, I haven’t seen many movies where they show the computer screens and they show somebody typing in and they’re kind of monologuing about what they’re doing. I haven’t seen many of those that are close to life. There was one I saw recently where I thought, hey, that’s actually, that’s actually not bad, but I can’t remember what the show or the movie was. But typically I’d say they’re not doing a lot of the penetration testing. And also what hackers would do. You’re going to run basic tools against an environment that kind of looks for vulnerabilities, and then you do a lot of what’s called open source intelligence gathering.

Believe it or not, the weakest link in most companies isn’t technological. It’s a human being.

Kristin: Yeah. Our IT department at work tells us that all the time. The people are your worst problem.

Ken: Yeah. Where most of the organized crime – we’re talking big organized crime today making billions – is through just hacking people, pretending to be someone that they’re not and causing… I was living in Naples, Florida, when a local story broke where the city of Naples paid $700,000 to the wrong account for some road construction that was happening in Naples, and it went to the wrong account. And how did that happen? Well, it happened because the attacker broke into somebody’s email, sent an email saying, hey, we’ve changed our bank account information. Can you send the payment to this bank account? And the City of Naples didn’t follow some procedures and make sure that that didn’t happen. It happens all the time.

I also recall that big companies like Google and Facebook – you can Google it – Google and Facebook combined lost a total of about $130,000,000 to someone who is simply invoicing them for goods and services that they had never actually received, but somehow was able to get his or her invoices paid. Now, they clawed a lot of that back through the FBI, but think about that, $130,000,000 stolen just because they convinced somebody.

Kristin: Yeah, it makes you wonder, how do you go that far in before you notice?

Ken: Yes, I still am fascinated by that, but yeah, so hacking people is a big part of it, but then you use some tools to figure out vulnerabilities, and then you’re just manually probing what you find coming back from those tools. And if you’re good and I’ve never been good, so I can’t describe it in great detail, but if you’re good, you’ll know how to take advantage of certain vulnerabilities, send just the right packet of information to that application or system, and it could cause something to happen in the application that then gives you access, and you just go from there.

[20:40]

Kristin: That’s fascinating. Of all of these roles, which ones have you actually had experience in? You’ve obviously climbed the ladder, but where did you start, and how does your journey kind of look climbing the ladder?

Ken: It’s interesting. I actually started out, I was in IT, and I got hired in the security at Eli Lilly as a team leader, so I came right in as a leader. So I have to admit that I didn’t start at the ground level of security. But I had started… when my career all started I was going to school at BYU and getting my degree in English because I thought I was going to do something like law or something else. But I was working at the time at WordPerfect. And that then became Novell. And so I got deep into networking, and then I moved into a job outside of Novell as a network administrator. And that’s really kind of my foundation for IT, was networks and network administration. But I was only there for three or four years and then wound up going into a team lead role at Lilly and kind of leading a security team. And then a few years later I had a chance to kind of start up the security practice at JetBlue.

So I have to admit that I haven’t spent a whole lot of time in the trenches in security, but my time was in networking. Another good area that you can start out in, we talked about development. I just mentioned networking and there’s system administration, learning how to administer a Linux or a Windows server. How do you keep it running? Those are all good areas. Those are the three most common areas to start out with before you move into security. And then auditing is also something good. A lot of people who are working for some of the audit companies as auditors of IT make good security folks when it comes to what I mentioned earlier about making sure that the company is all using kind of good security hygiene and how they do things.

Kristin: Okay, so information security and Information Technology, IT, are they in the same department? Are they two separate departments? How do they work together? How does that work together, or do they not work together at all?

Ken: They’re definitely working very closely together. Information security in some companies will report not to the CIO, to the information technology leader, the chief information officer, and in other companies, they do. It’s just a matter of what that particular company thinks is the best way to implement security. So at all the companies I’ve been at, I’ve reported to the CIO, and for me, that works great because I look at my role as partnering with all my colleagues within IT, the development leaders, the operations leaders. I look at my role as partnering with them to get security built into what they deliver to our company. And sometimes, if you’re outside of IT in a different department, you’re thought of more like you and I would think of the IRS coming to audit us. And it’s very much an adversarial relationship, and you tend not to be able to effect the same changes. You can still use a hammer to effect change, but I like using partnership and collaboration. For me, it’s always been good to work within the IT department and report directly to the Chief Information Security Officer, excuse me, the Chief Information Officer, who is the CIO.

[24:27]

Kristin: Okay. So it could vary, but that makes a lot of sense. So it seems to me like information security is really fit for somebody that maybe has this interest in criminal justice. You have that mind that you think that way, but also technology. It seems like a good marriage of the two. Do you think that’s accurate?

Ken: I think there’s a lot of people, I don’t know about criminal justice, but there are a lot of people who come to it through the military. Maybe there’s something there. I think it’s a really interesting field because it’s always evolving, it’s never going to stay the same. Maybe you could say that about other fields, and I’m not diminishing other fields, but I think some other fields haven’t changed much through the decades.

Like finance and accounting, maybe you use a different tool than you used to use, but finance and accounting is largely the same. Sales is maybe a lot the same, maybe slightly different tools. But this one is always changing because it’s an arms race, right? So it’s constantly trying to figure out you plugged one hole… and ransomware is in the news a lot today, but it’s starting to get plugged. And when it does get plugged, remember we said there’s these big organizations, organized crime, well they have families to feed and whatever to buy, illicit goods to buy, and they don’t want to lose their lifestyle, so they’re going to constantly look for the next hole. And so security really is an arms race and it’s really fun and it’s always changing. And unfortunately today it’s really great job security. I mean there’s a hot market in this space.

A lot of the big tech companies that we hear about on the West Coast, Facebook, Microsoft, I’ve had people who are interviewing with us and literally got calls from top dogs at some of those companies because they’re just snatching up all the talent they can get because there’s such a demand to protect your company. If you’re a Facebook, you just got to protect Facebook or something like that. There’s a lot of great work out there.

Kristin: That’s interesting. Okay, so I want to move into… so when I talk to people, I tell them there’s six keys that you need to have a good job. There are six different buckets. You kind of need to make sure they’re all filled. If you don’t mind, I want to go just kind of through each one and you tell me how information security checks off that bucket. Okay, so the first one is engagement. So your job needs to be engaging, which includes variety, which you just touched on. There’s obviously a lot of variety, but also needs to include the sense of accomplishment and having some sort of control over your work. Having control over your day-to-day or having some sort of say into what you’re doing. How do you think information security fits with that?

Ken: Well, first of all, I think that most people can draw a line directly to how their job is critical to the overall success of the business. Which I think is great if you’re in security, it doesn’t take very much thinking to see how your company would not really survive or thrive if it wasn’t secure. So I think there’s an element of engagement because of that. I think that there’s a lot of job satisfaction that comes. It kind of depends on the role, but I think there’s a good deal of jobs. Almost all of those areas that we talked about, you can see direct results.

Having said that, if you’re the type of person who likes to not have to operate with a little bit of chaos, you want to come in – and you talk about control over – security has always got a mix of chaos. Not in every role, right? You could be helping train all the employees at a company and there’s probably not a lot of chaos in that security training. But most of the other jobs in security, you don’t know what you’re going to run into. Like that first day at work at that one company, you’d show up and my team and I were then suddenly doing something for the next several months that we hadn’t planned. It wasn’t part of the budget or the annual plan. So there’s a little bit of chaos to it. And I find that sometimes folks move over to security and then they move back out because they liked a little bit more structured and they can look ahead and see the deliverable that they’re going to produce in a certain time frame. And there wasn’t any real pressure or stress other than just meeting whatever the target date is. Whereas in security there can be a little bit more pressure and stress. So I’m not saying there always is. There’s different roles in security, but yeah, you definitely have control, but there’s also an element of not having control.

[29:44]

Kristin: Yeah, there’s a lot of surprises you have to be able to jump and adapt to. So the second key element is skills. You obviously need IT, information security type, computer skills, but are there any soft skills, even like you just talked about being more adaptable, that seems like a good skill to have? Is there anything else you could think of that serves you well?

Ken: I think a couple of the folks that we’re just bringing on board – when I interview people, what I’m really looking for more than their technical knowledge, especially in certain roles, I’m looking for someone who is really self-driven. So they are… an old CEO that I worked for said they have fire in the belly. Right? So that to me is just a stellar trait. And you could demonstrate that not just through your career. You could demonstrate that through your hobbies, through your service, through other aspects of your life outside the office. You can demonstrate that sort of fire in the belly of passion to learn, to progress, to move forward. So I think that’s a great thing to have.

The other thing that’s just critical in security is analytical skills. The ability to sort of look at all the pieces of data and ask the right questions to get to what you need to accomplish. And then I think the third thing is to be able to – I just so much value people working for me who I can give them an objective and then I can let them run with it. And they don’t need somebody to guide them every step of the way. If they don’t have answers to kind of figure it out, they come back and ask questions when they need to. But they’re just because they’re self-driven, they have fire in the belly, because they have these analytical skills and they can kind of get the job done without having to be guided all along the way. Those are probably the most important soft skills for me. Besides, of course, the technical aptitude for whichever job it is.

Kristin: Yeah. Okay.

Ken: You know, I have to say and the further you move up in whatever field you’re in, the further you move up the leadership ladder I shouldn’t say move up, but deeper into leadership you get, the more communication is essential. It’s all about stakeholdering with people. It’s all about talking to the right people, ability to collaborate, collegialness, whatever it is, interactions and communications between people. The more you move into leadership, the more critical that becomes.

Kristin: Yeah, I can see that very clearly. So another aspect of these key elements that I tell people to look for is work-life balance. I really say fit with your life because work-life balance means something different maybe for everybody else, but do you feel like there are more roles that take more time, more travel than other jobs? Is all IT jobs really demanding when it comes to your time and the hours spent? Or do you have to be on call? What does that look like?

Ken: Yeah, you know, security… There’s development jobs – those are pretty steady. And you know what you’re in for from the get go within IT. Then there’s operations jobs, which is you’re keeping the systems running, you’re keeping the lights on. Those jobs can be kind of tough if you want to have work-life balance unless you’re working at a company that’s got deep pockets and has hired a whole lot of people. But those jobs can oftentimes keep you up at night when you’re doing changes in the after hours because you can’t make changes during the day and things like that. Or whenever something breaks, you’re the one who gets the call. And then security is somewhere in between those two. Security… hopefully you’re not getting attacked and hacked all the time, so you’re not getting called into things. In my career, I would say you’re called into an emergency situation maybe once a quarter. Right?

Kristin: Yeah, it’s not too bad.

Ken: And as far as travel is concerned, honestly, the whole world has changed when it comes to travel. You and I are talking across the United States face to face without being in the same room. So everything’s changed there. I think most travel today is pretty voluntary and if you want to do it, it’s available to you, but it’s not a heavy requirement in IT any more than any other field. That’s probably less so than many fields.

Kristin: Okay, that’s really helpful to know and to understand. Is there any unexpected aspects of your job that you don’t think someone like me that doesn’t do information security would realize as a big part of your role?

Ken: That’s a good question. I think… interestingly enough, there’s a bit of sales in security. I think that’s probably something that was unexpected for me. You’re not a profit center. You’re not making money for the company. It’s not a matter of if I give you a million dollars, you give me back $10 million like the sales teams do. Give me a million, I’ll give you in salaries, and I’ll give you back $10 million in revenue. So when you want to convince others of the need to invest, it’s a difficult job to try to convince that, hey, we need another half a million dollars for this tool. Why? Trying to help other people understand the value of what you’re doing. And especially when you have to understand that at least in the CISO role and senior leadership roles, the good outcome is – nothing happens.

Kristin: I need money to make sure you don’t lose money.

Ken: Yeah. So that’s a challenge in security that especially as you move up the ladder again, you have to deal with, is figuring out how to help people understand the value of an insurance policy, if you will.

Kristin: Yeah, that makes sense. Okay, so if you could go back and talk to your younger self, would you give yourself any advice or do anything differently than you did in your career journey?

Ken: Very interesting. The other day, I happened to be on a cruise in Alaska, and we splurged a little bit, and we got into a little plane, and we flew over the Misty Fjords National Monument out of, I think it was Ketchikan, just outside of Ketchikan. And I’m sitting there in the plane next to this woman who is piloting us. I actually got to sit right as her copilot. I sat in the copilot seat and thought, oh, my gosh, if I just sneeze and bump into these, we’re going to send this down and move.

Kristin: Don’t move! Don’t move!

Ken: I was very careful, and she’s like, at one point, I brushed something, and she said, don’t do that. You’ll kill the engine. Okay…

Kristin: No pressure.

Ken: But anyway, I talked to her, and she had to be about my age, I’m guessing. Here she is flying over some of the most beautiful terrain, and I thought, man, maybe I missed out. This sounds so cool, right? But then I think back and think, you know what? Security has been it for me. It’s been a great career. It’s provided for my family. It’s been a stable, steady job, and it’s been incredibly fascinating. So I don’t regret the career choice at all. So I think I would have been tempted to go back and say, make sure you really pick a career that you’re passionate about, that you really do enjoy. I hate hearing those stories about people who say it’s golden handcuffs or something like that. I’m here because I need the money, and I need to provide for my family.

Pick the career that you can really feel passionate about. And I think Disney said something along the lines of, “Do what you love and do it so well that people want to pay you for it.” And I think that’s probably the best advice. It might have caused me to think… I never would have guessed I would go into security. I had no intention to do that. It might have caused me to think of going into something else earlier on, but it turns out this has been great.

[38:37]

Kristin: Yeah. So here’s my opinion on passion. I tend to differ. So tell me what you think about this. So I think finding your passion is important. And once you have passion in a career, it’s obviously so much easier and more fun. But we don’t always know what our passions are or necessarily have a passion. And so I think that can limit us. You are such a classic example. You had an English degree. You had an entirely different intent with your career. You sort of took this job maybe not intending that, maybe not with the passion of information security, but they sort of developed into a passion. I think that can happen. I think if we are only looking for things we’re already passionate about, we might miss out on opportunities. But I think we should certainly try things and let passion develop. What do you think about that?

Ken: I could not agree more. I think that is so perfectly said. Sometimes we think of follow your passion as okay, I’m 22 or 23 years old, I got my degree. I’ve always wanted to do – this. And like you have to know right at that moment. No, I think you just said let passion develop. I think those are such wise words. They feel exactly right for me. That’s exactly what happened. I got into IT because it was a good way to put my family, support my family while I was going through college. And then when I got done with college, it just happened to be the place where I could make more money than being a Bachelor of English person. And then once I got to security, about seven or eight years in my IT career, that’s when the passion hit. So I couldn’t agree more.

Kristin: What would be your advice to help somebody be open to opportunities that might lead to a passion?

Ken: Maybe it’s just talk to a lot of people, try to get some good perspectives and something will light you up. And like you’ve just said, and maybe I’ve experienced, you may start into something and then it leads to something else and leads to something else and maybe just keep being open to that. But I think the one thing I would say is this – don’t, don’t, don’t, don’t stay in a position or role where you’re just not happy.

Kristin: Yes, I agree.

Ken: If you’re just not happy, then you’re not in the right place. So maybe it’s easier to say what you shouldn’t do than how you get to it. And if you just avoid getting into those dead ends. And I have so many relatives and friends who just are in that position, so it’s easier to say than to do it, but somehow find a way to not stay in a job you don’t like. It’s just the worst thing ever.

Kristin: I totally agree. I compare it to dating all the time. I say careers are like dating. You know, you have to kind of try a bunch of things, but, you know, some people find their soulmates in high school, but how many people do you actually know that have married their high school sweethearts? Not very many. And so it does happen. Some of us know at a very young age exactly what we want to do, but the good majority of us don’t. We had to go out and date a bunch and try different careers, try different things, and then you kind of land on… you finally find the one. But it takes work, and you don’t have to get stuck. And it’s like, just like dating. Don’t get stuck in a crappy relationship, you know? Okay, I tried it. It’s not working out. It’s okay to move on.

Ken: Yes. In fact, the worst thing in the world is two people who are stuck in a relationship, and neither of them is happy. If one of them is not happy, the other one is certainly not happy. And that’s the same way it is with the job. If you’re not happy at your job, probably they’re not happy with you either. And it’s probably going to just get worse.

Kristin: Agreed. You don’t tend to flourish at work when you’re not happy at work.

Ken: Yeah, agreed.

Kristin: All right. Do you have any final advice for anybody for their career?

Ken: Final advice for someone’s career? I think it would be to own your career and not expect people to just come tap you on the shoulder. Sometimes I think we’re waiting for our manager to talk with us about how we can advance, or we’re waiting looking for something to happen – to get a promotion or something like that. My advice would be to own it. Very few things in life just sort of come to you, but you go after it and you own it. And go talk to your manager and say, I’d like to get promoted. What is it going to take for me to do that? How can I demonstrate my value at this next level? Or go talk to other managers in other departments, other people in other departments about maybe changing your role into another department. Get broader experience, but just own your career. Go ask somebody that you admire if they could be a mentor and give you some advice. Don’t wait for people to come to you. Just go after it yourself.

Kristin: Yes, I think that’s great advice that goes along with what you’re talking about earlier, just being self-driven. Take it in your own hands and run. I like that.

All right, Ken, if someone wanted to get a hold of you to maybe ask you some questions about information security, what’s the best way to reach you?

Ken: Yeah, I’m happy to have my email. I think that’s the best way. And it’s ken.Hehl@gmail.com

Kristin: Okay, awesome…

Ken: Although I have to admit, I’m terrible at responding, so it might take me a while.

Kristin: Okay. So don’t be offended if he doesn’t respond.

Ken: Don’t be offended. Yeah, just send me another email because it may have faded. I’m pretty busy, and I have to admit I despise email. Even though it’s a great tool in personal life and professional life, we just use it way too much, and it’s just such a terrible form of communication. But it’s what we’ve got, so…

Kristin: Sure, I can imagine by the time you get home, you don’t want to email anymore.

Well, thank you for joining me today.

Ken: My pleasure, Kristin, and I wish you the very best.

[44:28]

Kristin: Thanks for joining us today. It was so great to have Ken Hehl with us, and I think I learned a lot about the various different types of jobs there are in information security. There’s a lot more out there than I was aware of, and so it’s kind of exciting. And I’m not a big computer person, but I think Ken made information security sound so exciting, I thought, okay, this seems like a really great job.

If there’s any other jobs that you’re interested in that you want us to interview someone in that particular field, please let me know, and we’ll find someone to get them on here.

In the show notes, I’m going to link to the two certifications that Ken talked about, and so you can find those at kristinszalajko.com/episode10.

Thank you for joining us, and we’ll see you next episode.

[Outro]

Thank you for joining me today. I hope you found value as you listened. If there’s anyone you feel can use this episode, please go ahead and share it with them. Also, you’re likely listening to this on the go. When you find a quiet moment, could you be so kind as to leave me a review that will help others find me as well? Be sure to come back next week for our next episode. Same time, same place. Have a great week!