The Weekly OSINT Newsletter
The OSINT Jobs Podcast
Podcast: Career Interview with Tracy Z. Maleeff

We sit down with the best and brightest practitioners in the field to learn more about their careers and skillsets.

In this episode, we spoke to Tracy Maleeff a.k.a. InfoSecSherpa on Twitter.

Tracy began her career as a librarian who had never heard of OSINT — now she’s a senior cybersecurity analyst for a Fortune 200 company and the head of her own company, Sherpa Intelligence.

Below you’ll find lightly edited and condensed highlights from our conversation with Tracy.

On discovering what OSINT is:

When I was a librarian, I was doing all this, but I didn't know it had the cool name of OSINT. So there's a very good chance that you already have these skills and you just didn't know that they were called OSINT skills. 

That's a big thing that I want people to understand — I thought that OSINT was a computer program. When I first got in, when I was looking to get into infosec and I actually asked someone, I said, “Hey, I'm really embarrassed, but I have a question for you. I don't know what this OSINT means. What is OSINT?” 

And this person knew my background and he said, “Tracy, you know, OSINT, you do it as a librarian.” 

And I honestly didn't even know what he was talking about. And I said, “What do you mean?” 

And he said, “What do you call all that research you do when you find all that information?” 

And I said, “doing my job.” That's what we called it. 

That's why I wanted to make sure it was clear to anyone who may have that light bulb moment of, “Oh, I already know this. I just didn't know it had a name.”

On using OSINT as part of a skillset vs. 100% of the time:

I don't know that I'd want to do OSINT 100% of the time because I also like the synthesis of that information. Because you have to think about that too — you need to look at the intelligence cycle as a process. Just having raw data isn't intelligence. Having action items and an analysis of that raw data is where the intelligence comes in.

So that's where I also think people get confused. 

They think that just their Googling skills mean that they're an OSINT professional. There's a mug that says, “don't confuse your Googling skills with my library degree.” And it's the same kind of idea for OSINT, of like, yeah, just because you can Google doesn't mean you're skilled at OSINT.

On the ethics of gathering data:

I'm biased because I do have a Masters of Library and Information Science degree, but there's also ethics behind this. I mean, how are you obtaining this information? There are people who will obtain technically OSINT, but by suspicious means.

I worked in law firm libraries for most of my library career. So I have the approach to OSINT that it has to be admissible in court. I can't obtain anything by a questionable ethical means because it wouldn't hold up in a case for an attorney. 

So what I'm trying to do when I speak to folks in OSINT or people wanting to get into this industry, I encourage them to use research in OSINT in a way that's ethical, legal, and also very mindful of what sources you're using. If you come back with a bunch of links from Russia Today, well, that is a known biased source. 

On the importance of staying organized:

I think a lot of people think that OSINT is that famous meme of somebody standing in front of a board that has all these pieces of paper and string and they look all disheveled and kind of out of their mind.

No, you need to be a little bit more organized than that. And that's where information management comes in and where my library skills come in. And this is why I'm trying to encourage more librarians to get into OSINT and InfoSec, because it's also organizing that information. 

On being “intrapreneurial”:

What I'd recommend is while you're discovering things, while you're learning, step up where you are. Have what I call an intrapreneurial spirit. 

We're all familiar with entrepreneurs. You know, they go around starting businesses and things like that. Harness that energy. I call that an intrapreneur, because you're working within your company. Maybe just start OSINT or security projects on your own or maybe offer to help better organize.

Carve a niche out of your job and obviously talk to your manager or reach out to a different department who might need assistance with that. 

The way I did this with security, I called it my quirky hobby. I reached out to the CIO and I presented a plan to do security awareness for October. And he said, “Oh, I love this plan. You're going to run it.”

And I was still the librarian at this firm. But I wrote up this five-point plan and I had this whole presentation and I sent it to him. And that's what you have to do. Sometimes you just have to step up, show what you know, show your passion. And what was the worst that was going to happen? He wasn’t going to tell me no, that I couldn't do it. I wasn't going to get fired over it. 

On not being taken advantage of in the workplace:

When I first joined InfoSec, and people knew that I had a librarian background, I would constantly get private messages from Twitter, people asking me to do personal research for them. And I get why they were asking because it was my skill set, but my skill sets come with a price. 

So what I recommend that people do, if you're put in that position, you can just very politely just respond, “Yes, I would be interested in looking into that for you. Would you like my hourly or project rate?”

You're letting them know that your skills have value. And 99% of the time, if people weren't looking to pay for your skills, that will push them away. And then if someone is rude and pushes back and says like, “Well, you know, you love to do this.” 

“Well, I also like to pay my mortgage.”

You can find Tracy’s blog on Medium and follow her on Twitter.
