
About Me

Who is BLUE TEAM JAMES?

I'm James, full name blueteamjames. I'm a Cyber Security Architect for a larger municipality here in North Carolina. I've got over a decade of professional experience in Security and IT in general, but I've been dabbling with things (more like binging) for as long as I can remember. I was the kid in high school always stuck in the computer lab, robotics class, and engineering class. This focus on nothing but STEM and what interested me led to a less than ideal graduation rank, meaning I was no scholarship student. My family, being poor, but not dirt poor, didn't have the financials to back me for a student loan or pay my way through college. That's a good thing; I likely would have flunked out just like my parents did their first try around.

This led me to joining the Marines, where my inability to swim left me in front of a career planner for reclassification of my MOS. I had initially joined in a combat role, but one that required advanced swimming; I did have a decent ASVAB score and really could have done any of the jobs I wanted. This conversation with the career planner led to my reclassification into the communications field, where I got my first "professional" experience in IT, despite doing it my whole life. Through whatever divine power blessed me with this opportunity, I excelled in that field and quickly became the battalion's go-to guy for anything network, security, or systems. Without this experience, I probably would have fallen flat on my face or just re-enlisted.

First Security Role - Renewables Company

After my contract ended, I started as a Network Admin for a renewables company in North Carolina ("COMPANY A"). After a few months I noticed a glaring need for a dedicated security team to handle the NERC-CIP, Critical Infrastructure, and Corporate security requirements. After months of egging on the Director of IT, I was able to brute-force a job title of "Information Security Lead". Sometimes, breaking into Security is about being persistent, showing value, and making the case. Not every corporation will have a role for you, but if you have the will, there is a way. Though, this should have been a little bit of a warning sign for me. It's likely a good sign that if a company doesn't want to spend on a dedicated security team, MSSP, or even one person, they don't have the tolerance for what it's going to cost to do things even half-way right. After about a year and a half of clawing for every penny I could to fix security and somehow helping the business attain NERC-CIP Medium-Impact compliance for their control center, I finally decided enough was enough and looked for other ventures.

During my time with "COMPANY A", I did everything in the policy, compliance, security analyst, security engineer, and network admin realm. I was responsible for everything from Cisco Duo, to Splunk, Endpoint Security, and Firewalls from every vendor you could imagine and some you didn't even know existed. Solar sites are some of the most neglected parts of the power infrastructure. I cannot count the number of times I had to beat down someone's door to get access to a Firewall because whoever initially built the site just port forwarded SCADA systems, PLCs, and other power equipment, leaving it open to the world.

Second Security Role - Another Renewables Company

After leaving "COMPANY A", I started another venture with another renewables company in North Carolina ("COMPANY B"). What drove my interest in this role was that I was wholly unqualified and that I thankfully would not have to deal with the critical infrastructure side of the house and would only be responsible for the corporate infrastructure. This company was cloud native, and this enticed me as it was an opportunity to learn. Having only used AWS and Azure on a few labs here and there, I really didn't know what the hell I was doing to start. The concepts, fundamentals, and security components are all I knew. I didn't know what the hell a Kubernetes was or why it existed. Somehow I convinced someone that I would be a good fit.

Three months into my role here, some bad news came down the pipe. The company was doing a restructuring, removing some roles and doubling down on the east-coast presence to reduce personnel costs. Understandable, the IT team members in LA were significantly more expensive than we were. It's a business decision, it sucks, but I get it. This was a nerve-racking time for me as I wasn't sure of the security of my role. Perhaps the worst time for stressing about job security, as my daughter had been born only six months earlier. We ended up going from a team of about 9 for a company of 500 employees, to a team of 3, where I could no longer focus on just one thing, but had to do security, networking, cloud, and systems.

To be completely honest, there's nothing that defines my career progression other than luck and timing. Despite the stress of the situation and morale hit, this ended up probably being the best thing that could happen because it led to an incredible amount of professional growth. Leadership at this company was transparent about what was happening and even had the remaining team members sit in, interview, and have a large say in who we wanted to be our next IT Director. Everyone is imperfect, but in terms of giving us free rein, a voice, and the resources, our new IT Director, Jennifer, was the perfect fit.

After she joined, we had a huge growth and shift in budgeting and resources. This is the point where security started to become the forefront of nearly everything we did. Once she joined we were able to implement a proper EDR, onboard an MDR vendor, deploy Abnormal for email security, implement a proper SIEM, have professionals pen-test our environment, actually remediate the findings in a meaningful way beyond checking the box, properly segment the network, and so much more that I can't even remember a lot of what I did and learned there.

In terms of getting shit done, this was the place to do it. If you had the capacity, motivation, and energy to do it, you could do it. Nothing was off limits, and I don't ever remember being told "No" when I recommended security improvements or changes. I must say, in the Security space, this is a unicorn. It is very rare to find a company with leadership (at the executive and board level) that understands the risks and is willing to put the money on the table to mitigate it as much as possible. The work we did there was fantastic.

So why'd I leave?

Burnout

Yes. Burnout is real. You can only go full-tilt for so long before you crash and burn. Towards the end there, my quality of work and motivation were lower than the Mariana Trench. For years I had been the only person focused on nearly all aspects of IT, with only two help-desk personnel to back me up. Even when we hired 2 systems admins, nothing really improved. Between the difficulty of hiring someone who actually fit the team and who the company could afford at the time, we ended up with two people who were less than ideal. This is probably the straw that broke the camel's back for me. I was super excited to get a new systems admin, even more so to get two at the same time. That excitement quickly dwindled after my first vacation. Up until this time, I had only taken maybe one or two days off at a time, but finally jumped on the opportunity to take a nearly month-long vacation.

Multiple changes were made while I was out, which I was happy to hear about because they needed to happen. The issue was not the changes themselves, but the lack of planning and of processes to mitigate their impact. Security is a balance of business requirements, user experience, and security itself. Being a fully Azure AD joined environment, everyone had admin access on their machine. This was a glaring issue that we knew we needed to fix, and I had it in the roadmap to fix within the next year. The initial roadmap called for doing RFPs and finding solutions that could actually do granular administrative access, like allowing only certain apps to be run as admin and requiring elevation requests to be approved. Nevertheless, I was super excited that our new systems admin had the time to do it while I was out. His solution was to just revoke it from everyone, without gathering requirements and figuring out who would still need it. The good old scream test, which I must say I'm a huge fan of in certain situations. The problem is, a good portion of the workforce needs it in some form or another. From applications like AutoCAD, which at the time still required admin to run, to developers and data analysts needing it for their day to day, it quickly became a firestorm when I got back, with executives breathing down our backs. You see, one of the reasons we had very little pushback when we recommended improvements was because we did so methodically, with a plan, backed by research and data, and mitigated impact as much as possible. After having to clean up that mess, he was already on my shit list.

After a few more things like that and an argumentative attitude (by the way, I've never before met someone in a professional environment who verbalized wanting to punch me in the face), I had pretty much decided to just take the first thing that came my way. I do miss that place often, and I hear he got fired after he got in an argument with a vendor a few months later, resulting in the vendor (a large one, top-5) threatening to stop doing business with the company. I guess time heals all wounds, but with the level of burnout I had, a few more months would have resulted in spiraling even further.

Landing at Cisco

I mentioned I was at the point where I'd take just about anything that came my way. Well, I actually had the opportunity to revisit an old offer. When I was initially getting out of the Marine Corps, I was taking part in Cisco's Veteran Talent Incubation Program (VTIP). This program gets you certified and hands-on experience, and at the end, if everything goes well, you get a job offer. At the time, I ended up going a different route after confirming what the starting salaries were through that program. They were certainly livable, but it's not like I had no experience before then, and the company I ended up going with to start offered me about 30% more than starting at Cisco would have. Cash rules everything.

After a few weeks of waiting and an interview, I started on the Advanced Threat team. You probably didn't know that Cisco has a whole range of security products. There's probably a good reason for that. While more tailored in focus, I did get a wide array of experience here as I got to work on malware sandboxing systems, endpoint protection, XDR, Umbrella, Duo, and tons of other things. I really abused this job for expanding my knowledge. One of the great things about Cisco is that as a full-time employee, you get lab access and lab licensing for just about every product you could imagine.

While at Cisco, my homelab was beginning to look like the Fort Knox of homelabs with:

  • Cisco Firepower
  • Cisco Duo
  • Cisco Umbrella
  • Cisco Secure Malware Analytics (fka ThreatGRID)
  • Cisco Secure Endpoint for EDR (if you can call it EDR...fka AMP for Endpoints)
  • Splunk (pre-acquisition, we did have some full enterprise lab licenses)
  • Cisco Vulnerability Manager for a few months (fka Kenna, perhaps the most useless VM I've ever seen)
  • Cisco Secure Cloud/Secure Network Analytics (fka Stealthwatch)
  • Cisco Meraki (we did have to pay for this, but EPP gave us good discounts)
  • Cisco XDR for pulling everything together after that got released

And a few other things which I can't recall. You'll probably notice a trend here that's infuriating. Cisco continuously rebrands shit, which is why no one even knows what they offer in the security realm because none of it is consistent. Prior to working at Cisco, the only Cisco security products I'd really had experience with were Duo, Firepower, Umbrella, and Meraki. I didn't know the others existed, or what they did. Most of this, except Duo, has been ripped out in favor of open-source or cheaper alternatives now that I don't get the full licensing. I do still have Duo, primarily because it's relatively cheap for my use case, and I like having MFA on everything.

Cisco was a great learning experience, from the lab opportunities, to getting a lot heavier into automation, scripting, and programming. I learned a lot about the inner workings of these products and how, in general, all of them function. The one downside is that Cisco is in a never-ending cycle of "Limited Restructuring" (LR), which occurs about every six months to a year. LRs are just corporate speak for layoffs where they pretend like they're fundamentally changing the organization's makeup and focus, but just end up laying off about 5-10% of the workforce, only to hire that amount back in a year and do it all over again.

I actually left before the next LR was announced, and had a job offer in place around three months before they announced it. I liked working there, but the constant stress of wondering if/when you're next, and seeing your teammates have to find new roles or leave the company, is just exhausting. You get to a point where you're just apathetic and going through the motions. When I realized I had started doing that, I started looking for other internal roles and didn't really see anything I was interested in. Likely this was because of a silent freeze in reqs, but even a different role internally likely wouldn't have helped much. It's not like I didn't love what I was doing; it was the outside factors and slow pullback on benefits that were wearing me down.

One of the main factors that led to me leaving was just a lack of focus and vision. The company as a whole is always behind the curve when it comes to innovations and making an impact in the security ecosystem. This is something that leadership even acknowledges. They've at least reached step 1: realizing you have a problem. The vision for Cisco is to become a leading security product and services company. The problem is that they're not agile enough. This is something all large companies struggle with and is nothing unique to Cisco. Go to any company with 80,000+ employees and you'll see some of the same issues. Falling behind competitors and not having a clear or rapid path to catching up just left me feeling left out, and like if I stayed too much longer, I'd be stagnating and get so roped into an ecosystem that it'd be hard for me to find a role later down the line.

Whenever you see me talking critically about a previous experience, you'll notice that I don't lead with that, I always lead with what was great. I'm not going to sugar coat any of my experiences and pretend like they were perfect, because no role is perfect. I'm just giving you reality. In all of my roles, the good and great has always outweighed the bad, but greener pastures are always available. I'm never one to stray away from new opportunities and change.

Current Role - Cyber Security Architect

Right now I'm a Cyber Security Architect for a large(r) municipality here in North Carolina. I just recently started this role, but the team and scope of work are awesome. This is truly the first job I've worked at where, starting out, I can see myself in the same place 10 years from now. That's something I've never experienced before. It could just be the pension motivating me, but the culture and team are great. They're open to change, and happy to accelerate security initiatives. Being one of the larger municipalities, there is much of what you'd expect in a government organization. It's not overbearing, but still present and something to get used to. It's not something I'm foreign to, as I had this same experience, in a different flavor, in past roles.

We're doing a ton of great work right now and we've got a full road-map for our security eco-system. If you've ever wondered, "what will I be doing in five years?", this place has a relative answer. Obviously details are going to change as the battlespace innovates and reshapes, but the underlying initiatives we're working on are great steps. We know our mission, how we're going to get there, and the purpose behind the work, and that's something fantastic. We are a small team, the smallest within the IT space at the city, but we're still an actual dedicated security team. Not many municipalities have that.

I did take a pay-cut for this job, but I knew that coming into it. My main motivator for switching to public sector was purpose. For me personally, the purpose and impact is my main motivator for working. If I wanted to be rich, I could go get rich, but I likely wouldn't enjoy what I'm doing to get rich and would still feel a great deal of emptiness. Helping to ensure continuity of operations and securing the city's critical infrastructure fills that gap. We know what we're doing, why we do it, and what happens if we screw up. It's not just profits on the line.

What about Certs and Education?

I've got a long list of them, but none of them are relevant because certs are not equivalent to experience. I believe my experience speaks for itself, which is why I largely no longer seek out certifications. For some roles, they're a requirement, but for most they're only considered if you match up exactly equally with another candidate, which I've never seen actually happen. I have been on hiring panels and been responsible for picking who gets the role, and never once have I said "this guy has his CCNA, let's hire him over the guy that doesn't". That's just not a thing that I've seen happen.

I do have a B.S. in Cyber Security, but I only got that after being denied a role that "required" a Bachelor's. That was nearly seven years ago, and I got it more out of spite. It was an "I'll never let anyone use that as a reason not to hire me again". Thankfully there's been a good shift in the field where even the federal government no longer requires degrees for high-priority roles like Cyber.

My View on Breaking Into Security

Breaking into Security is a different experience for just about everyone I've talked to. Though one of the most common trends I've heard and personally experienced is having moved laterally from another field within IT. You see, Cyber is not an entry-level role. You cannot expect someone who just graduated or obtained their Security+ and has no real-world experience to understand how networks, applications, and systems operate. Logically, you therefore can't expect them to know how to secure them.

That's not to say that you can't be successful if you've had no prior experience in IT; I've seen a handful of professionals who excel at what they do that started out straight into security. Overwhelmingly though, the majority of cyber professionals I know either started out in the early days when security wasn't really a thing and grew into what it is today, or laterally moved from a networking or systems admin background. I do believe that is the best path. Remember that getting into security is not the end goal, it is a journey. You aren't going to be the Senior Architect on day one. It's going to take years to build your reputation and skillset to get you there.

We have a role where, when we fail, we fail fatally. We're securing critical infrastructure, government systems, and the backbones that make everything operate. We have to be on top of our game and continuously learning the trends and battlespace. When hospitals go offline because of ransomware, critically ill patients can't get the level of care they need. When water infrastructure is compromised, chemical and pollutant levels could be fatal. When the integrity of the power grid is compromised, it's a cascading effect.

We saw this with CrowdStrike's outage in July of 2024. The cascading impacts of that brief incident showed us just how bad things could be. We've been fortunate to not have a cyber-incident cause us that level of disruption (well...EternalBlue brought us pretty close). That is why it is critical that our cyber professionals have a wide array of experience to back them in decision making, design, and implementation. It's difficult to properly design a secure architecture without knowing what the business requirements are, how those systems operate, how users interact with them, and what to be concerned with.

So, if you're looking to break into security, it's a journey. Just graduated? Try taking a systems or network role. It's adjacent to security and you can practice the same principles you'll need to be a security engineer or analyst. In the field already? See what's out there. No prior security experience is necessarily required; start by learning your environment's weaknesses and work with your security team and leadership to find fixes for them. Sooner rather than later, they'll see you're adding value and maybe just give you the break you need. Don't be afraid to stick your neck out. You might get shot down, but in today's battlespace, businesses understand the risk and are looking to do everything they can to ensure that their cyber-liability insurance pays out and that they don't get bankrupted by a cyber incident.

It's Okay to Fail

The breach is going to happen. It's inevitable. There's nothing we can do to keep up with threat actors. We have to be 100% right, 100% of the time. Attackers just need one opportunity to wreak havoc. We're not building forts that can keep attackers out, we're building a layered defense that could resist the presence of an attacker. We can't stop them all, but we can certainly limit the time they're in our environment, the scope of what's breached, and the impact to the business.

This is where that buzz-word zero-trust comes in. It's really just re-branding of the defense-in-depth model with some new fancy spins on verbiage and making it hard to swallow. I've seen everyone want to shift to it, which is great, but it's not any crazy new concepts that haven't been around since the beginning of time. Technology has certainly evolved making some of the components easier to implement, but you don't need a specific solution or set of tools to do it.

Don't be discouraged by knowing this. We have a role, and that's to mitigate as much of the risk as the business can tolerate, and make it as resource intensive as possible to achieve actions on objective. We might not stop initial access, but perhaps we could prevent them from propagating ransomware throughout the environment, moving laterally, or exfiltrating a large amount of sensitive data. Rest assured that if you're doing your due diligence, making clear the weaknesses, obtaining acceptance of risk, and putting in the work, it'll pay off in the end.

That brings me to the next issue: prosecuting CISOs. This is a recent trend that really bothers me and that I hope doesn't expand. Obviously there are some extreme scenarios where the CISO is dismissive and shoves critical weaknesses and vulnerabilities under the rug instead of fixing them, but I do not personally know of any CISO or leadership that has openly displayed that kind of behavior. I believe the few high-profile incidents are damaging to the community because, for the most part, everyone is just doing their job and there's only so much we can do to prevent or limit a breach. Anyway, that's just a side tangent. I hope this trend stops. It's harmful to the security community and eco-system, except in extreme circumstances.