This Framework in Focus interview was featured in the Spring 2022 NICE eNewsletter.
Title/Organization: Security Operations Center Manager, SpearTip, LLC
NICE Framework Category: Protect & Defend
NICE Framework Work Role: Cyber Workforce Developer and Manager
Academic Degrees: Associates in Sign Language Interpretation
This issue’s interview is with Joshua Peebels, Security Operations Center Manager at SpearTip, LLC. Mr. Peebels discusses his non-traditional path into cybersecurity, how he has quickly advanced in his career, and secrets to his success that others can adopt. Below is a summary of his conversation with Karen A. Wetzel, Manager of the NICE Framework.
KAREN WETZEL: Hello, my name is Karen Wetzel. I am manager of the NICE Framework at the National Initiative for Cybersecurity Education at NIST. The NICE Cybersecurity Workforce Framework, published as NIST Special Publication 800-181, establishes a taxonomy and common lexicon used to describe cybersecurity work. The NICE Framework is intended to be applied in the private, public, and academic sectors. In this edition of the NICE eNewsletter series, Framework in Focus, it is my pleasure to speak with Joshua Peebels, Security Operations Center Manager at SpearTip. Joshua, thank you for letting us learn more about your career pathway and understand the NICE Framework from your perspective. Let’s start by learning a bit more about your role and responsibilities as SOC Manager at SpearTip.
JOSHUA PEEBELS: Thank you for having me. As the Security Operations Center Manager my primary responsibilities include leading multiple engagements simultaneously as a managerial lead, heading up internal security development, coordinating efforts in threat intelligence and operationalizing these for our continued monitoring partners, and supervising multiple Security Analysts and Security Engineers in their development both personally and professionally.
KAREN WETZEL: Can you explain a little bit about the team you work with and the kinds of roles they fill?
JOSHUA PEEBELS: Absolutely. My department has 20 individuals that span from entry level security analysts performing security reviews and alert functions, to security engineers that create and modify security rules in real time to respond to new attack vectors, and advisory services specialists that perform assessments and security hardening engagements to educate and secure environments before they can be compromised. I also work with supervisors who lead from the front in each of those roles.
KAREN WETZEL: Can you describe for our audience your career path to this role?
JOSHUA PEEBELS: Deciding to transition into the cybersecurity field after nearly a decade of being an American Sign Language interpreter was probably the scariest choice I've ever made. It was simultaneously the most exciting. When provided with options, I've found it best to choose a path and give it everything you've got. That’s what I did when I started my transition into cybersecurity with the CyberUp apprenticeship program here in St. Louis—they gave me four weeks to complete training, and I finished in 11 days.
I strive for excellence and efficiency, and I've been rewarded for that. I was a security analyst during the apprenticeship program for about 11 months before I started leading engagements of my own when I was promoted to a security engineer full time here at SpearTip. I have had a steady increase in my responsibilities since that time, overseeing more projects, being a project lead for about five months as a supervisor, before being promoted to senior security engineer and then to my current role as a SOC manager. I’m now striving to take the next step: growing into the executive team as Director of Operations.
KAREN WETZEL: It sounds like you came to a field that works for you! What a whirlwind. Did you anticipate that you'd be making these jumps and plan to head into these leadership positions?
JOSHUA PEEBELS: I first transitioned into the cybersecurity field at the recommendation of friends who said, "You would be very good here. You have the right brain for it, you have the right passion for it, you have the right sort of hobbies that align. Why don't you give it a shot?" I decided to go all in. I enjoy working in this field and coming to work every day. That passion has been repaid back to me in turn.
KAREN WETZEL: We often hear about the importance of networking and how supportive the cybersecurity is. It sounds like you already had that built in with your friends before even transitioning to this field. Getting to know people who are in the field can oftentimes help you understand which direction you want to go.
JOSHUA PEEBELS: Absolutely. When I was deciding to make the leap, I was also fortunate to discover the local St. Louis CyberUp apprenticeship program. They specialize in transitioning people from other career paths. I got a lot of good networking and leads through their program, as well.
KAREN WETZEL: One of my final questions is usually this one, but I think I'm going to ask it now because you've touched on it a little bit. You said you like coming into your work every day. What is it you enjoy most about the work you do?
JOSHUA PEEBELS: Honestly, it's defending our partners every day. I like feeling like I’m helping on a daily basis. That includes managing a team of dedicated and passionate individuals who are also proud of the work we've accomplished. We're ensuring the hospitals, banks, city governments, and more can do their critical work at a time when digital threats are growing exponentially annually, and that makes it all worth it.
KAREN WETZEL: We often talk about how cybersecurity is needed across an organization. What you are describing is how important it is not only across an organization but in many kinds of organizations, as well. Understanding the impact of your work can make a big difference in recognizing the value of the cybersecurity workforce. One of the questions I always ask is about how the NICE Framework can help people who are interested in this field or in defining career paths. What are your thoughts?
JOSHUA PEEBELS: The NICE Framework Task, Knowledge, and Skill (TKS) statements can very clearly identify, roadmap, and execute on necessary functions and competencies required to fulfill SpearTip's growing mission to defend our partners in new and effective ways. One of SpearTip's core values is continuous education, and establishing competencies that serve as a guideline for knowledge and skill growth is fundamental to encouraging and fostering individual advancement.
KAREN WETZEL: We have found that people really like the NICE Framework because it describes the broad variety of cybersecurity roles. From your experience, what do you think are some of the most difficult cybersecurity roles to fill or areas in most need?
JOSHUA PEEBELS: Supervisory roles that require soft skills, technical skills, and management skills are more difficult to fill because there are more competencies that must be satisfied. These positions are often not suitable for entry-level candidates, unfortunately, and although an applicant may be able to check two out of the three, it's hard to find candidates who can cover all three.
KAREN WETZEL: I think a lot of people would agree with you. So how does one develop those kinds of skills? You're certainly in some of those leadership roles now. What are your recommendations on keeping your skills sharp and current?
JOSHUA PEEBELS: I'm a big champion of apprenticeship programs—being able to get hands-on experience and learn while you're doing is always going to be the best way to build skills and keep current. But attending classes, studying for certifications, and enrolling in new degree programs are other great ways to form a growing and diverse knowledge base.
I personally have needed to grow and evolve as my career path has shifted, and at SpearTip we are very fortunate to have reimbursement programs for learning through certifications and those sorts of things. It's about being able to champion yourself in your own learning growth, and then also finding a good fit in a company or in support systems that will support that growth and continuous learning.
KAREN WETZEL: It sounds like SpearTip does a lot to help support your development. In addition to the reimbursements, are there other ways they support development of the cybersecurity staff and your team?
JOSHUA PEEBELS: Yes. We have in-house training specialists who design our own internal courses so that when a new employee is onboarded, they sit down and have a one-on-one experience with someone who can guide them through the process, as well as have internal courses they can take. We also like to jump right in and get people to shadow in order to, again, learn by doing as quickly as possible. It might be that the new hire first observes someone doing something and then the next time takes the lead but with a safety net, and then maybe the third time we back that safety net off just a little bit more and let you spread your wings and fly.
KAREN WETZEL: That's a great approach. It's not just about getting someone in the door, it's about making sure that they don't leave and that you're preparing them for success. We have to anticipate that we’re not always hiring someone for what they can do on day one; it’s what they can do on day ten or day one hundred and building them towards that.
Let’s talk a bit about the cybersecurity workforce pipeline and bringing people in the door. You've come through a nontraditional route, and my question to you is about degrees and certifications. What kind of role do you think those play in hiring or being able to do a job in cybersecurity?
JOSHUA PEEBELS: I think the need for an academic degree or cybersecurity certification really depends on the specific requirements of the job in question. Cybersecurity is a very broad field; some positions can be filled by qualified individuals who may not have formal training but have knowledge and skill sets that can fulfill the core competency requirements. Other positions require very stringent certifications or degrees in order to execute appropriately, such as compliance auditing or assessing. It really depends on the requirements for that specific role, and the specific niche within the cybersecurity field.
KAREN WETZEL: Can you explain a little bit about any efforts you're engaged in to help to make sure we have a diverse workforce?
JOSHUA PEEBELS: As we recruit and hire top industry talent with a mission-driven focus, I like to emphasize the importance of inclusion and teamwork in growing a unified and mission-centered culture within our security operation center. I continuously seek to educate myself on various cultures and traditions represented by my teammates, and actively seek out new perspectives and ideas. I work to develop and strengthen my relationship with every team member so that I can meaningfully connect with them as individuals.
KAREN WETZEL: I love that you're taking it to a very personal level and making that effort as a supervisor and as a leader to engage with your team. We oftentimes hear about how diversity of thoughts and perspective can really make a difference in a team’s effectiveness. Do you find that to be the case?
JOSHUA PEEBELS: I really do. My goal every day is to ensure that my team members feel understood, accepted, supported, and encouraged, both at work and outside of work. That personally helps me become a more compassionate and focused leader, and better understand how to build a more cohesive, inclusive, safe, collaborative, and effective workspace and team dedicated to protecting our partners from the malicious threat actors.
KAREN WETZEL: You made the shift to cybersecurity not too long ago. What would you advise someone else who is thinking about doing that same thing?
JOSHUA PEEBELS: If I could sum it up in three words it would be: “Nothing is impossible.” There is a path for everyone, even if that is the road less traveled. I really encourage everyone to find their passion, explore their options, and look into apprenticeship programs like CyberUp. What may seem like barriers to entry may not be barriers at all. You just have to find the way around them.
KAREN WETZEL: That's great advice. Thank you for your time today—what a fascinating experience you've had. It sounds like there is a new title coming your way pretty soon, too, so keep in touch and let us know how that goes.
JOSHUA PEEBELS: Absolutely. Thank you very much. I appreciate the opportunity to speak with you today.