My name is Zach Howlett. I am a manager of information security at Carbonite. Really, what shaped my career the most was going to the University of Utah as an MSIS student. I did both my undergrad and my master's from the University of Utah. My first job out of college actually was from a professor at the UoU. I just really enjoyed his class a lot. I thought it was a great class, and so I would always talk to him. And then at the end of the class, he asked me for my resume. So I gave it to him, and then within three weeks I actually had a job, which is highly unlikely. I think I was pretty lucky to get that. But with that being said, I busted my butt. I worked my tail off to get where I was. Within a year or so, I'd kind of outgrown my position. I was one of the top performers for the company that I was hired out to and I decided to move on. But with that being said, I also used connections from my time at the business school to develop skills and friends, and they actually helped me. My network actually helped me get another job, which is really one of the biggest takeaways from my career, I think: that networking and being able to connect with people while in school will greatly help shape your career. I don't think there's any way I would be where I am today without the network and without the people that I have connected with, both at the UoU and outside of the UoU. It is very important that you take advantage of the time at the school to meet and get to know as many people as possible because there are a lot of great people that go there, and there are going to be a lot of very successful people that are in your class, and they can either help you, or you can help them later on in their career.
So, my responsibilities are kind of vast. The company that I work for has many different product lines. For the most part, I handled one of our product lines, which was a company that was acquired by Carbonite. So I handle all of the information security aspects for that product line, which you can kind of think of as a separate cust or a separate company unto itself. So on that perspective, I managed firewalls, so we do a lot of the big banners of firewalls. We were a backup company, so we saw a lot of customer data. I am in charge of managing the firewalls in and out of our production environment. I'm in charge of our SIEM and our vulnerability scanning and results and trying to remediate the findings from the scans. I'm also in charge of helping secure new products that the company is developing and/or acquiring. And that can be from doing penetration tests on the product itself, on the software; that could be from the environment, once your environment is live to support a new product. And also really, I think of my job as well as trying to help others in the organization think about security, doing their day-to-day tasks, because one of the biggest attack vectors is the human element. And if you can protect the humans, more than likely, you can protect your company within a certain, reasonable, like, chance or whatever; it just really depends. I think in an information security system, regardless, it's not if you're going to get breached, it's when, and so the best tactics you can put in place to protect it was a little states you're most vulnerable in, your most vulnerable assets, and that could be the human asset, that can be physical hardware, that can be software, and to put controls in place to help mitigate when that breach occurs.
Working hours are, I mean, lucky for me, I can kind of set my own hours. Most of the time, I am in the office between seven and eight AM and leave between four and five PM. Different days, kind of different matters, kind of depend. I can get in at seven and leave at six. I can also work weekends and nights, just kind of depends on what's going on on this part of my position as well. I'm always on call. I don't get called frequently, but I basically always have to have my phone on me, in case something happens, because I'm on the incident response team, so if something does happen, I will be on the hook to be there and to show up.
Tools and software programs we use are almost always for security purposes. We use two different types of vulnerability scanning engines. So, we use Rapid7, which has a tool called Nexpose. Tenable has a product called Nessus that we use as well. We also use Splunk, which is a great tool to know and is a highly competitive market to be a part of. If you get smart certifications, they pay a bunch of money. Let's see what else I constantly use. I've used Burp Suite. I've used Kali Linux as well, which is a penetration testing platform. Really cool tool. Honestly, the tools I like the most are anything that lets me get my hands a little dirty. So I like Kali Linux and I like tinkering. For my work, we use Logstash. So doing a lot with that. I don't know, it's all the same to me. I think tools are cool, but your work is what you make it. And if you want to like something, you can like something. It just don't matter and how you use it.
I love to be in a learning environment, and information security is that, because there are new attacks that are found every single day; there's always something new coming up. A lot of my job is to read what is going on, either on the web or on the Dark Web, and to figure out if we are vulnerable to those things or what is going to happen. I can read a news article, and then based on that one news article I read, I can be working on an issue for over a week. And that, to me, is really cool because it's tackling new problems, it's being able to figure out new challenges and how to protect the company, how to protect the employees of the company. The pleasant surprise, I think, is just to continue to learn every single day. I don't want to be stagnant. I've been in a stagnant job in the past, and I got tired. I wanted something new to learn and that's kind of how I ended up where I am now.
Really, I think it's kind of easy, I guess, if you're a people person, and I kind of think of myself as a people person. I think the biggest takeaway is to be respectful, to be kind and to listen to what people have to tell you. You don't always have to interject. You don't always have to say something back. I think one of the reasons I've been so successful in my current position is that I can feel out those situations, I can feel out those specific individuals that need to get worked on, because a lot of my job is getting people to do work for me, because I don't necessarily have the access to perform and to secure the environment that I'm supposed to be protecting. Because I'm not a system owner, I don't have the access required to make changes. And so what I really focused on is building relationships, building trust and building confidence in myself and in the eyes of other employees, to help them help me. One of the most important things is working with people, and I think a lot of people in information security are kind of treated that they're here to stifle the business and make things a lot harder, but I've really tried to take on the approach that hey, we are both going for a common goal, and we both want something out of this engagement. How can we meet in the middle so that I'm not hurting you and your team to get the work done that I need and require to help the organization? And so to me, it's all about building relationships. Like they said earlier, it's all about networking, and that could be within your own company there. There are times of the day, we all just walk around, and I'll just go talk to other teams, the teams that I worked with the most. I don't have anything to do with work. It's all just go get to know people involved, so that when I come to them with a problem, they're like, oh, you know what, he's a nice guy, I can do this for him. That's really, really what it's about.
It is building the relationships, building trust, building confidence with other members of your own company.
So, I mean, the challenges in my job! When I took over my current position, the previous security team didn't do anything. In all honesty, there was nothing in place, really, from an information security perspective. So I had to basically build a team and a framework from the ground up. The previous regime was also a No team. So any time you asked a question, they gave a No answer and did not give you any reason for that. So, nobody in the organization had the trust and that I was going to do the same. So one of the biggest challenges I had was I needed to create the environment by myself, essentially, because I started off by myself, to try my best to secure the environment, because not a lot had been done for a long time. And what that came back to is building that trust and confidence in my coworkers, because I would tell them that things need to get done and they didn't want to do. And I said, hey guys, this is what the problem is, okay, we're running at a very insecure state right now. The previous regime didn't do anything, and not only were they jerks about it, but they didn't do anything. There are no controls in place, we're running at great risk here, and these are some steps that I think can help us reduce our risk. Luckily, people were pretty receptive, they were willing to listen, and they gave me a little bit of confidence in the beginning, and then after time, what has happened now, going from that zero security environment, as I call it, to a narrowly more secure place, is that people will come to me when they see deficiencies in something that we're doing security-wise. And I say, hey, I think this needs to be looked at. We have this issue here, and I don't think this is the best way to do it. I think we could do something that's gonna help me out, and then I will use what little muscle I have with any organization to try to implement the changes that they think will lead to a better security.
And then a lot of times they're right, because these are the people that are dealing with these systems on a day-in, day-out basis. They know the systems, they know the product, the software, they know everything that's on there, and they want to help. They just never had the chance to in the past. And I think a lot of the time, the biggest challenges people face, at least within my organization, it's the politics of dealing with things. I've been lucky not to have to deal too much with that, I think, so far. There are definitely some political battles within the organization, but like I'm going to keep saying over and over again, I think the most important part is building those relationships, building that trust and confidence in others, because that will help reduce some of the political side, because people will look at you, it's not thinking, oh, he's doing this to hurt somebody else. He's doing this because he thinks, or she thinks, this is the right thing to do. And there's nothing going on in the back end that he may be trying to either screw you, my team or the company.
So I think I'm in a little bit of a unique situation at my company. I have been with my company for six years now, and the current position of mine was not the position I was interviewed for. Before, I was a subject matter expert on the specific product that we have. So I knew the product back and forth. The people who interviewed me for that were, it was just the manager and a couple of seniors. And then, you know, there was a director as well; that director wasn't local, so that was just strictly a phone interview. Um, gosh, the questions! They mostly just dealt with certain types of technical questions, like Windows host-based stuff, say, we're a Windows shop, so if you need to run this command, do you know the command; if you're experiencing this type of network latency, what will you look for? And then when I was brought over to the information security side, I was interviewing with people that I already had built relationships with at the company, and they were more or less trying to just see if I would be the right fit. But I think they knew before they interviewed me that I would be the right fit, and I think as time is going on, I have proven that I was the right fit. So the questions that were asked, kind of hard to tell, because I'm in a fairly unique situation here; I've kind of started at the ground level in the company and worked my way up.
So for me, when hiring new people, I am primarily focused on the person's personality and the person's ability to be an independent thinker and independent worker. Those are the most important things to me. Background, certification, education aren't necessarily the most important. I want somebody whose personality is going to fit with the team, somebody that everybody is going to feel comfortable working with and being around for an extended period of time. It's very important that the persons are right. Also, I look specifically for self-motivated people. I am a self-motivated person, and at times get busy. I don't have the time to tell somebody what they need to be doing all the time. I want somebody who can take a look at things that they think they want to improve. I want to be able to give somebody a task that I need to do, but don't have the time to do. So they need to take that task and they need to run with it. I am not saying that I won't help that person, or that I won't be there when they have any question, but I want somebody who can think independently and get things done and be self-motivated.
For me, career path, I'm a manager, right, and also, I mean, I guess the next step would be senior manager, director, so forth. I haven't really decided or focused primarily on what it is I want to do throughout my entire career. I really like what I'm doing now. I'm happy with what I'm doing now. I think I'm successful right now. I only think that I will continue, but I don't necessarily have a career plan at the moment. But I'm going to continue doing what I'm doing because, like I said, right now I really enjoy it. I really think it's great. Right now, I'm kind of on a certification-a-year little strategy. I have a CISA. I passed my CISM, and right now, I'm studying for the CRISC. Probably, next year I will either take CISSP or CIH. But like I said, when I am hiring, I am not necessarily looking for certifications. I think a lot of times, it is just the check marks for the recruiters. And I think that is the way for my next position. To me, all I want to be able to do is to get the job interview and then get a good shot at showing my personality, my accomplishments in my career. Once I get to talk with people face to face, it is then I get the chance to win them over. All the other things are 'bullet points on the resume' type of things. But for me, the things that I think I need to get better at and experience the most are the interactions and catering communications towards upper-level management. In my position right now, I report directly to a director, but I also have to report things to higher-level executive management. We're talking C-level execs at a big company, so one thing I definitely need to focus on and experience more is how to deal with and how to keep the attention of those higher-level executives.
So starting positions, mostly in my field, are analyst work and engineer work. So analyst work is mostly dealing with alerts from the various systems we have in place, so they're dealing with the alerts from your SIEM. They're dealing with alerts from your vulnerability management tools that we use. They're dealing with endpoint solutions. You may have alerts, looking at reviewing emails that are constantly coming in, like phishing scams. Let's see, the salaries. Typically, I think an engineer coming in at the ground level here in Utah probably makes between sixty and seventy grand. That's where we typically hire, and I think we try to do it at fair market value. Ah, and then career path, you can move up the analyst chain. From there, you can become a red teamer or a blue teamer, which means that you can try to hack into a company or try to protect the companies from attacks. On the engineer side, most of the engineers we have are dealing with firewalls. They are dealing with policy creation and policy modifications of our firewalls, setting up different environments in a secure manner, dealing with application whitelisting, blacklisting, those types of things. On in the career path for them, are the same. That really kind of depends. You can become a super technical engineer, get really in depth with different firewall vendors, and not just firewalls, either, like different offerings: the cloud offerings, in-house offerings and hybrid configurations, which most companies, I believe, have now. You can go down the management track or you can go the technical track. Really, I think, those are the two primary forks. I've chosen the more managerial track than technical. But doing the managerial side, you need to be able to speak tech, relate what those super technical people are telling you to other folks who don't understand the tech behind it. But I would think that most of the career paths are kind of similar to mine.
You start at a lower position and then you work your way up, prove your worth to the organisation. You make yourself valuable to the company and you continue to progress along in your career.
As an information security engineer! So I was an information security engineer at EVault, which was a company that was acquired by Carbonite. Like I said, when I came in, I was the only information security person at the company and it was a mess. So, I handled all the responsibilities, and I made all the decisions myself without, really, somebody to go to and guide me, because I reported to a finance guy and he didn't understand any of the technical limitations or requirements that we have. So I was working a bunch. I don't even remember what we put in, fifty, sixty hours a week, and then feeling guilty about not working more while I was doing it. But that slowly tapered down as I became more comfortable within the position. Then we hired another person to help me out, and that really helped. But mostly the decisions and responsibilities: I was trying to build a security framework from the ground up at a company who is kind of well established and didn't have any security controls in place, so that was a big challenge.
So this is kind of the same question; I kind of spoke about this earlier. For this job, I was just interviewed by a couple of business leaders, two business leaders, actually, who I had worked with for a decent amount of my time at the company. I think they were really just looking for somebody in-house to come and take over for the previous regime that was really bad. So I had expressed my willingness to do information security in the past with different people within the organization. They knew my background is having my MSIS with security focus from the UoU, and so, I think, they had picked me for this role. Um, and so most of the questions are, hey, how are you gonna work? What are your working hours like? Can you do this by yourself? Are you going to be in over your head? They were just trying to gain confidence that they weren't gonna hand it off, and I wasn't going to do any work.
for: Senior Cloud Service Engineer, EVault/Seagate
Summarized By: Jeff Musk on Mon Oct 08 2018
As a Cloud Service Engineer, so this comes back to when I was the subject matter expert, subject matter expert for the product that EVault was known for. So here, I was mostly charged with custom handling and maintaining customer data. So the software product was a little buggy, and so I was forced with fixing those bugs, running different commands on the data itself, to try to clean up the data so that customers could continue to back up, handle, replicate over the wire. It also included doing various different projects to try to help clean up and improve and automate processes for the team. Although, the biggest thing I did in that role was, I modified our inventory handling system so that we actually had a good inventory of all of the different servers and systems that we had in place. Before, we didn't really have any of that in place. We had no idea what we had, what we were supposed to be managing. And so I helped build a system that automatically found and managed, from a central point, all of the systems that were in place to help the team.
So this goes back to what I was talking about earlier as well, where I was interviewed by a manager, a couple of senior leads and maybe a tech leader or two. They were just asking these specific questions that would relate to that current position, like Windows host things, network place issues, latency issues, disc issues, various troubleshooting methods: if you were experiencing this problem, what would be your response? And how would you react to it? And what would be some steps you would take to troubleshoot and find the cause for this issue?
Working with and to be compatible with the personalities that I'm working with. Ah, because that really, for me, is what makes me happy. I think most people are smart enough to do almost any line of work. But it's really about the people you work with. That makes the work more enjoyable. And that was a big takeaway. For that job interview, um, to be honest, I don't even really remember, ah, trying to block out those memories for that. For that position, it was mostly just technical questions. How would you handle if, ah, you have to tell bad news to somebody with a higher rank than you or somebody in a different department, if they get confrontational, because it's part of the auto position, that's, caa, that's generally how things go: you're telling people what they're doing wrong, not necessarily what they're doing right, and some people don't want to hear what they're doing wrong, and they don't wanna fix or change it. A lot of it was kind of personality-type questions. How would you handle this? How would you handle that? Those types of things, and then how I answered him is kind of like what I was talking about, like, I'm a people person, I can interact and talk with people. In the past, at my other all that position, I had to do the same thing, so something those experienced with dealing with. It's just kind of being a professional and just saying, hey, this is how I'm looking at things. This is where I'm coming from. This is how I see the situation. Is there anything I'm missing? Can you help me? Um, are there things that you're doing that help mitigate these concerns that I have? Is there something that I'm not seeing in this scenario? And then if you put it like that, I think people are more receptive to hearing bad news.