Information Download: InfoSec Q&A - Mandy Cox

Q&A
Mandy Cox, Senior Team Leader


Tell me a bit about yourself, what is your current position, what are your current responsibilities, what's something interesting about yourself?

My name is Mandy Cox (@iNeedAdult on Twitter) and I am currently the Senior Team Leader at Innocent Lives Foundation, which is a non-vigilante nonprofit that identifies child predators who think they can stay anonymous online. I manage ILF’s Education & Outreach and Software Development teams, so I do everything from design to coding. Fun fact about me: I know all of the words to the song “Barbie Girl”— in Portuguese, not English. However, I do not know Portuguese, so your guess is as good as mine on that one.


What got you interested in infosec? What does the path look like that led you into your current role?

My first tech job was web quality assurance, and I loved testing the bounds of applications. Later on as a web developer I became interested in how my sites were vulnerable to hacks and I started playing on http://hackthissite.org. I went to DerbyCon in 2017 where I saw Chris Hadnagy talk about the newly-launched Innocent Lives Foundation. I started volunteering with the ILF in 2018 and I became an employee in January of 2021.


Do you think a formal (four year degree) education is recommended for getting into an infosec career?

A degree doesn’t hurt, but I don’t think it’s required. Many hiring managers will be looking at experience, rather than what school you went to. If you can land an entry level position or an internship anywhere in tech and work on building up your skills on your own, you can definitely get into infosec and hopefully save yourself some money. Don’t sleep on networking, either. If you can network with the right people and show off your skills, they won’t necessarily care about your degree (or lack thereof).

Do you think certifications are a good way to get into the field? What, if any, do you personally have? Do you think they've been beneficial in the long-run?

Certifications are a good way to force yourself to learn things with a deadline, and they tend to be cheaper and more specialized than a degree. Many infosec jobs have been requiring certain certs to prove that an applicant knows the things on that cert’s checklist. They can also be a good way for you to prove to yourself that you’ve learned a set of skills. I don’t have any infosec certs, but maybe I’ll change that soon!

What do you think is something often overlooked by people interested in entering/transitioning into the field?

Coding isn’t a required skill for infosec, but if you can learn that on the side you can become a very powerful asset. Whether you learn to manipulate the DOM with HTML/CSS/JavaScript or Python for in-depth command line tools, anything can go a long way.

What challenges do you believe newcomers to infosec may face when starting out? What are some common career mistakes people make, and what advice would you give them?

Infosec is a lot of fun, so it’s easy to dive in and forget to come up for air. Burnout is very real, boundaries should be set, and work/life balance is a necessity. Know your limits, and only test them for the sake of productive growth.

What do you feel is something organizations continue to miss/ignore when implementing security practices/features?

Many organizations fail to explain security practices to non-technical employees. People can be told all day to not click on phishing links, but unless they understand the true gravity of what can happen if they do, it’s just another required training they have to blow through to get back to work.

Do you find it difficult to maintain a proper work-life balance?

I don’t think so. If I feel particularly tired at the end of a work day, I’ll relax. If my mind is still energized, I can work on side projects or learn new skills. I try to trust my own energy levels and respond accordingly.


If you weren't working in infosec, what would you be doing instead?

Architecture! I love math, designing floor plans, and studying unique buildings.


What advice would you give to someone looking to make the move into infosec?

Get to know the community on social media and at conferences (not just big names). Networking is one of the best things you can do, and over time you start recognizing tons of people in the field. Plus, who doesn’t love making new friends?

What's a major accomplishment you've had (work related or not)?

Back when I reached out to Chris Hadnagy in 2017 about joining Innocent Lives Foundation, I wasn’t familiar with him or social engineering. I just wanted to be able to use any skills I had to help people. I still have no idea why he responded to my email or accepted me as a volunteer in 2018, but it changed the trajectory of my life. Working for ILF now as an employee hardly feels like work. It’s such an honor to work with such a skillful team and to log on every day knowing we’re working together to help make a better world for innocent children.

What are one/two things you believe the current infosec field is missing?

I think the current infosec field can lack humility at times. Many in the field forget that there was a point at which they knew nothing about infosec. Some may refuse to help someone still learning, or make them feel bad about not knowing things. We should be welcoming people into this space with kindness rather than pushing them away with shame. I do want to note that there are many communities where this isn’t the case, and there are many experienced people in the field who are always happy to help.

If you could go back 5-10 years and give yourself one piece of advice regarding your path in the infosec world, what would it be?

Just because the class seems boring now, doesn’t mean it won’t come in handy later. Go to class and pay attention!

 