¶ Intro / Opening
[MUSIC]
Welcome to the Executive Connect podcast, a show for the new generation of leaders. Join Melissa R. Skog as she speaks to a wide variety of guests that bring new insights into leadership, prosperity, and personal growth. While now it has all the answers, by building a community of open-minded and engaged leaders, we hope to give you the tools you need to help you find your own path to success. [MUSIC] Hello and welcome to Executive Connect podcast.
I'm so excited to have Cecille Mengay here with me today. She's a Cybersecurity Professional and Hacker at IBM XForce Red. She got there by actually experience a personal cyber attack, and it ignited her drive to get into the field of digital security, and publish her own book called Digital Security Overhaul, which equips individuals with knowledge and strategies to enhance their online security. Cecille, thank you so much for joining us today. I'm so excited to have you on the podcast.
Yes, yes. Thank you so much for having me. Cecille, can you share the specific moment that was a turning point in your career and tell us a little bit about how you got into the field of cyber security? What can I start? I actually went to school and got a Bachelor of the Great Incriminal Justice. I always wanted to go to law school, right? So my path has always been in some kind of liberal arts area, nothing technical.
But after graduation, I just kind of find myself online, just, they had this revolution of make money online, do things online and make money. I was like, OK, I could figure that out. So I find myself spending a lot of time online, just trying to be an entrepreneur and just create different avenue to make money.
¶ Cecile's turning point: From victim to hacker
So I started doing event promotion. So I did a lot of event promotion online. So one day, I get back to my computer, and I have like a Ramson note on my laptop. And I was like, wow, how did that happen? So there was kind of like requesting for a $500 fee in order to release my computer if I needed to get my computer back. Would have it absolutely no clue of what actually just happened? I stopped panicking.
So the only thing was now try to pay the money so that I could get access back to my computer. I didn't really think twice about it. And then I went ahead and paid the money. But one thing actually happened in that process as I paid the money, I thought that was going to be the end of my nightmare, right? But no, my attacker had already kind of like took over all my accounts, was kind of reaching out to multiple other people.
And because I had such a poor cybersecurity, I would say, like I pretty much used the same password in every single card I had. So that allowed them even into my bank account, which they also ended up transferring that money. So I started dealing with like all my money being transferred, the money that I sent myself, my friends getting like different email, different information and it was all supposed to be coming from me. Then I kind of got interested. I was like, huh?
I wonder how a complete stranger was just made it. I wonder how easy a complete stranger was able to just get into my life. And just almost pretty much take over it. Then I kind of became intrigued with that whole aspect. Then that kind of triggered me. I was like, I wonder what did they do? How did they do it? Then I started really studying. My very first question I remember in this place, like how do computer work, network communication, how do we come across this?
So I started looking into it myself. Little by little, that passion of trying to figure out how I became, what I became the chosen one, because I didn't feel like I was that interesting, right? Of the billions of people online that you could have picked, I didn't think you would have picked me. So when I started to understand that it probably was something about me that made it easy for them to come after me. So I started trying to figure out what that thing was.
And what I was kind of like, I got myself into this space of trying to figure this out. I really grew an interest of now. I wonder if I could find my attacker. Now, if I'm learning all these things and put in much the system that they use, and I start trying to start understanding how the whole thing worked, then I kind of set to myself. I was like, let me try to see if I could track my attacker down. Which, oh my god, it took me a while, but just kind of digging too.
One of the big things that I kind of came across that changed my life was the Ocent framework, which kind of showed you different aspect of open source intelligence
¶ Transitioning from criminal justice to cybersecurity
on the internet and finding information. But this attack on me was actually very elaborated. It was just not a one person thing. It was almost like a corporation. It was very elaborated. And it took every step to cover themselves. Right. Right. So, but one thing with the internet, like everything just kind of get interconnected. So the only thing I really have was the destination where I sent the physical money and first and last name. This particular person can find them nowhere online.
I mean, I tried everything that I could. They were pretty much ghost, right? But I had an idea and I was like, let me step back. They had to put a unique last name. So I started thinking of ways of any kind of other connection outside of self. So I stepped back. I used, I called the city where my money was sent to. So they sent me a phone book and I saw like three other people with the same last name. So they was one lady that was in that phone book then.
I went back online with what I knew at this point, but not she was helpful. Her footprint was everywhere. Her footprint was everywhere. Come to find out she kind of had she had a relation with the person that I sent my money to. So eventually, just going through her social media and different things, I find out that she had a brother who had the same name as the person that I sent the money to
and who was in a band. I was able to find his phone number, her physical address, just enough information to build a pretext on what my conversation would be with her. So once I did all that, I eventually just picked up the phone and called and directly was just asking for her brother, which she kind of was upset and was like he doesn't leave here. I said, well, he just gave me this number. We playing on a band tonight and I need to get in touch
with him. Do you know how I could get in touch with him? We went back and forth and she eventually gave me his cell phone number. So I called him and I'm like, hey, you know, I want no problem, but I sent you my money. Is that a way I can get the money back? And his first question was, which one are you? And I was like, hello. So this is not just me. So this is like, and come to find out he was just a middle guy and between a bigger scheme, right? So he really wasn't
anything or he wasn't even my target. So I spoke with him. So his job was to pick up to pick up transaction, which he told me he picks up hundreds of times transaction a day. And then he forwarded to the next person. So he was through talking to him and trying to get all the information. He was able to give me the information of all the all the information he had because I just for he didn't even know what he was doing, right? So I got that information that was a little more information
than I had. They went back online, you know, trying to figure, but the time I got to the very top person
¶ Overcoming imposter syndrome and finding mentorship
because the operation was actually out of London, but it's not like I got to the very top person, I've learned so much about computers at this point, networks, malware, build them, buy them, anything, anything you could think of like fishing. And I end up having to like send an efficient email to like the the the the top person in the operation, right? End of having to send a fishing email. That pretty much was very precise with all the information that I have on cover at this point. And
then they called me and so they called me and they didn't do anything. They called me and we went back and forward. And they was very interested on how I was able to track them more than, you know, what they're doing wrong with me on the internet with everybody. So I kind of negociate. I was like
if they return my money, I'll talk to them and I tell them like the clues and how I got here. So eventually they told me they promised me that was going to return my money, but they didn't at that moment. So I have another email now with more information on it and I sent it directly to the to the to the person over the operation and then he and the main guy the main guy. Yes. So he ended up finally clicking because
it was more information than what I led on earlier, right? And he ended up clicking. So I ended up kind of like taking over his whole desktop like his computer. So now at that moment, I see all my money kind of like just transferring back into my account at this point. So they give me my money. So they give me my money back. Then I just kind of went to my bank and and kind of like settle with my bank
and everything. But after that point, I never like had any other communication with him. And that kind of like got me interested. I was like, oh wow. First of all, I felt like I had at least like a skill or a passion. Where's not talk skills because I guess when I didn't think it was skill just yet. I had a passion. I always had a passion of kind of like protecting a good guy and like going after the bad guy, hinted my original, what is it called? My original degree in criminal justice because I
always had a thing about going after the bad guy, protecting a good guy and all that. That's always a role that I play. But I never really saw myself. I never really saw myself play that role within like computer, like dealing with computers and not until that actually happened to me. And I feel like that's kind of what I kind of almost find my destiny in that. That story is so amazing and just perseverance and persistence and digging in to find your money.
And because I would imagine I've not had an experience with this, but I've been part of multiple
¶ Tips for switching careers into cybersecurity
engagements where similar people have been taken advantage of or taken for ransom. And it almost feels like your identity is gone. Everything about you, you have no control. And it's interesting that you have this experience and it pivoted you into a completely different feels from criminal justice to cyber security, which is non-technical, to very technical. So what are some of the challenges you faced at the very beginning when you switched from into the cyber security industry without
technical background over some of the challenges? Well, let's just kind of go back into, I think I was my biggest challenge, right? I was in my head a whole lot. There was so many times where I'm like, okay, I'm going to do this. All I need to do is go back to school and just do this. Then I will go on Google and do my research and it's kind of like, I almost felt like everybody had the same story, right? It's like, yeah, I was five years old, my daddy gave me a computer,
and ever since then I'd be like hacking away. And I was like, at this point, I'm like 20 some years old, right? There's nowhere, there's nowhere I could compete, right? So I started at start pulling back and to me at the very beginning, I was my biggest threat, I would say. I was the biggest, I was the biggest thing that held me back because I feel like the industry could be very intimidating when you're on the outside and is, and we start thinking, oh, okay, then come then you,
then you, all these technical verbiages, like, English is like my third language. Now I need to pick up another something else on top of that. I don't think it's going to work, like, you know, getting my head, talking to myself into it and out of it every day all day. So once I was able to just, and it just didn't happen that I'm just like, oh, I could, all of a sudden, oh, I could do this.
It was somebody else who actually saw it in me, you know? Just kind of like, I'm having a conversation with you right now, and I just told them, and I told them how I kind of like, build my own hacking skill, just working on myself. Like, I spent a lot of time building like a virtual machines, like different ones with, with exploitable system, and I would exploit them myself and just trying to like, kind of
go back and forth and figure out, just understand how things work. So I started doing my own personal project, but even then, I still didn't think I was good enough because I just felt like I needed to start at five, and it's just way too late. Until I met this person, and I was talking to them, and they was like, you put it smart, you could do it. I don't know what they put in those words, but that
did something to me, right? To that person, to tell me that I was smart. And then I was like, you know what? I could do this. Then I went back and like, find my, find a school and went back and just kind of took like, a cyber security program in a university. That's amazing. It's amazing how words from people can positively or negatively affect us and literally change the trajectory of our life. And I think that's a true testament to you and your
mindset. It's really key when you enter and switch from field to field. Could you share some, maybe some insights on the shift that you had and how it's helped you thrive in a cyber security field? Because as you mentioned, you know, there was, it sounds like some imposter syndrome right out of the gate and wondering and questioning yourself, could I do this? Can I do this? How do I do this? Who's supporting
me? Talk us through some of those shifts that you had to make in your own mind to thrive like you are right now at IBM. Right. The first thing I really got was really good advice because
¶ Understanding the real value of personal data
and I see that in a lot of like people like career change or you just even people that want to come into the industry. It's like we all, we tend to want to be open because we feel like if we are open, we have more options and sometimes I feel like that open the openness, it could be contradictory, right? Because I was the same way. I was like, you know what? I just need to get in, get me anywhere. And it took me forever to even get anybody to sit down with me and talk to me about anything.
It wasn't until my mentor at that time just was like, you know what? You should specialize in the area and become really good at every single aspect of it. And that would be also easier for you to like to like to grab on into something versus just being open, right? And I felt like that helped a lot because you know hacking was my thing. So I just kind of started you know learning methodologies that are being used in companies to be able to like make this happen. What kind of tools are they
using? But you know trying to see how I could better myself in whichever area. So once I would ever understand the methodology, the tools and just pretty much like the outcomes that needed to come in each aspect. And also very, what's very interesting is once I understood, there was another thing, when I understood my why, why I wanted to do this, that completely changed my life. That was a game changer for me actually. Because at the very beginning, it was like, oh, what are you on this?
Also, they paid, they paid really good money, you know, very, I can just go in for the money, but I could make money anywhere as far as I was concerned. It wasn't until I was like, what do you want to do that? And I had to stand back. I'm like, yeah, that's true. But why am I working so hard to get in this industry? Once I understood why and it goes back to like, I've always been a person who wanted to like
protect the good guy from the bad guy, go after the bad guy. And that just kind of fell naturally in that thing. And I was like, this is why, this is why because that would give me a lot of, that would give me like a lot of joy that I am saving good people against the bad guy. And once I understood that, that mindset shifting that we were being talking about, that's really when it happened
for me. Once I understood what that was, my mindset changed. And then at this point with the with the tools that I had and the advice that I have from my mentor of like really focusing on an area, working, working hard to learn everything that need to be, that I could learn in the industry. And then get some hands-on experience. You don't have to wait for a company to hire you before you
¶ Final thoughts and actionable takeaways
could start practicing and getting your experience. And I'm going to tell you one thing, while I was still in school, there's this small TV station that streams online. There was a TV station within the city where I lived in. And I would always go there to stream. And one day I just went and I was on the website. The website just looked, it was just strange, right? I was like, that was with my small education or like going into like taking these classes. So now I could see things
differently than before. So I reached out to the, the website was just missing, it was just missing an SSL certificate, right? So I called, I called the company and I was like, hey, did you know that you don't have a certificate in this area and then people are filling out the form to get to you. That could be a security problem and thing. And I asked to speak, because it was a fairly small company, so I asked to speak to the manager of the company. And they allowed me to go in. So I went in,
I was like, hey, I'm in school, I'm studying cyber security. I would be glad to, you know, to try to see, what you guys have in place and trying to help you in the air because I only find that they have one IT person. And nothing was, I mean, they, they was not security focused at all. Yes, yes. From somebody who would just learn you security too, I could see it straight up. So when they agreed to like work with me in like trying to help them kind of like create like a system,
a system in place so that, so that the system could be more secure. I have no clue what I was about to do. I was like, oh, so I was like, oh, you want me to do it? Now, I don't, you know what I'm talking about. So, but I went back to my teacher at that time and I kind of explained to him and he was like, yes, you should, you should absolutely take it. And what he did at that moment was kind of just give me like a,
he put him, I did most of the work as far as putting all the framework in place. And I just kind of like, I was the hand and, you know, and the body doing the activity, but he put him much help by putting all that together. So once I was able to do that and there was very happy. They gave me a recommendation later. So once I was there with that and I contacted the next, then I contacted a church, then I did it with a
church, then I did it with another church. So I kind of like went out there and find my own experience like to build my own skills. And then of course, and my own home build the network. And like I was saying, like, uh, uh, uh, uh, download many different, um, machines and try to attack them and between to figure out just so I could get a hands-on experience, build my own network, secure it, and things like that. So that really, uh, helped me to that when I was able to like come in front of
somebody for an interview. And, and by the way, IBM was like my very, the very first job I had as coming into the industry. Right? That's amazing. I love you. Use one of my favorite words, the M word, mentorship. It's such a big word that sometimes we find mentors, sometimes they find us. I feel like in my life so many of my pivot changes came from somebody saying something to me or somebody saying,
hey, you're good at math, you should look at engineering. But you really followed through. And I think it's one thing to be mentored. And it's a whole nother thing to follow through, to listen to your mentor, to ask for their help. And for them to hold you through that process and having somebody that you can bounce things off of, like it sounded like you were able to say here, I have this thing, I need
your help, here's what I'm thinking. They made suggestions to you and you went and then had the confidence to go do something, which says a lot about your personality and you were able to leverage them as a resource while you were building your own skills. And I love that because it's one thing to to have somebody give us advice. And, but it's a whole nother thing for somebody to take it back and say,
okay, what's my why? Why am I doing this? How can I make this better? How can I learn? How can I help others? And you really took that directly to heart and made those changes. So for our listeners, what advice would you give them if they're contemplating a career change in decipher security or any other technical field, especially if they lack technical background, like what would you suggest to them? Well, the first thing I would say you could do it.
Like believe in yourself, like that will take you a long way. Believe in yourself, do not listen to that, that little voice that will come. And trying to tell you other things, the second thing is, I mean, understand, I always say like, know your why, right? Sometimes we want to jump into things because it's the hard thing to do, right? It's training. It's what's going on. But then we find ourself in it and it's just kind of, you know, I could have done something else.
Knowing why you want to do this will really give you not only the passion that you need to get this through. It will give you the conviction. And it will also allow you to be able to talk about yourself in a more convict, like you could be more convicting when you speak or when you try to sell yourself to even a company to hire you because you will be so solid within yourself that the skills, we could always learn the skills, right? A lot of time, I say, right now I'm working
for this company. Like now if I go and I've been doing this for a while, and I leave and then go to another company, guess what? I would have to be trained over there or another system for other things. So the skills are always, you could always learn them. And just as the industry kind of just always moving forward, always stay up to date. Pretty much, I will always say focus on the area
at the beginning. I'm not saying that this is if you starting here, if I'm starting as a hacker, this is where I'm staying, but focus on a particular skill set that that would really be that you could be able to sell yourself on. And that would make it a lot easier to get into the industry. For example, when I was, let's say applying for jobs at the beginning, it would just like whatever job I put out so many resumé, so many resumé and nothing was almost coming back at me. And then when
I had to, when I died back and I was like, you know what? I don't want to do just anything in cyber security. I know exactly what I want to do. Ethical hacking is my space. This is what I need. And then when I kind of just focused on that, every other resume that I put out there was coming back with a hit. Hey, we want to talk to you, right? If you know that I was brand new and I would just come in into the field. And by the time I actually got into a company, I had couple offers. And that,
that flip just changed. It just wasn't any believe that, you know, the direction of like being, being an expert in a certain area versus like kind of just trying to like know, know everything and not master a particular thing could play against you if you're trying to get into the field, especially
if you're coming to a, what from a place that would know technical background, right? Somebody who's been doing, who been having multiple technical skill, oh, I know network, I know this, I know that they probably would be a lot better for them to be open to the aspect, but especially with time constraint and you trying to make it, make it happen is to me, it is very, very important that you that you choose an area, a niche where you actually going to shine and learn everything that you
need to learn, know your why, practice, practice, practice and practice and stay up to date with everything. I love it. Cecilia, you are such an inspiration. There's so many people in cyber security and as a woman in STEM myself, I am so happy to have you on the call today. You motivate me to re-look at my why for so many things and look at the mentors that have come into my life and how I can be a support and you mentioned ethical, have it be a good guy be one of the people that helps to move
communities forward. I love this about you and it's your third language, English, unbelievable, your third language, your non-technical and you've done, you've been able to shatter all these ceilings and I just love your energy and I think one last question for you if I can, what are your future goals and aspirations in the cyber security field and what do you hope to
achieve in years to come? Oh wow, my aspiration within the industry since working as a hacker and having to get into a company system in many different ways than companies who would like to and this also kind of touched back to like
Kaga here in the beginning. Personal data is like a big deal to me, right? I feel like it is not giving enough attention especially with so many data breached that are going, that are going out out there and just how easy it is for people to collect people personal data and which is that information that nine times out of ten end up getting companies a breached so it is very, we've been on the internet for so long, a lot of us, the majority of us
have been on the internet for so long, we have shared so many things online and it's just not about just what we share, what the third parties are sharing, what the data breaches are saying about us and everything is just all over the place and now attackers including myself understand the value of this information and we are actually not using that information to attack companies whether it's through phishings, whether it's through credential stuffing, whether it's through you know
vishing over the phone like I remember when the MGM attack happened and somebody and I read a comment and somebody was like now who gonna give that information over the phone I say do not end on the estimate, a hacker with the right information you just cannot, that could be anybody so I'm very passionate about just bringing the education to the average person to the everyday users people that are on a computer, people that sit behind your organization, behind your network, a lot of
time to authenticate most of us in a company, companies use a personal data so if that personal data is not protected outside of the workspace that could turn around and become an issue and I just kind of be like really doing a lot of research in this aspect so is it a way we can actually stop the attack from happening by kind of like reducing the information footprint of every single person that is within a company or is it just like I'm just to a process of trying to
which I've learned a lot in this area and I also do a lot of, as also focus on open source intelligence and my job open source intelligence technique and social engineering and I know the places I go to get this information and why is this not becoming more of a priority because as as we go and we continue to see attacks I feel like it's going to come more and more and more from personal data and I believe it was verizon that one of the statistics say like 60% of bridges
now happen because personal data and this is only going to grow at this point. Yep, I absolutely echo that. I think it's, you know, we talk a lot about AI but if we can't figure it out now
with AI and in more advanced technologies we're in a big big challenge there. You know, I yet ask a lot about AI, should I allow chat GPT and all these things and I'm like, well, I mean it depends, it depends on the strategy but if you can't get it right in like in an on-prem environment it's going to be harder to get things more secure in the clouds so I know I want to be mindful of our
time and I thank you so so much for being here. I love everything about you and I appreciate your time and I just feel like you keep shining girl, keep shining, keep meeting, keep sharing and I thank you so much for being on the podcast today and thanks for being here. No, thank you, thank you so much for having me and giving me this platform and opportunity to talk to you. You are very soon. Thank you. Thanks, have a good day. Good to see you too.
You've been listening to the Executive Connect podcast. If you have questions or ideas on how to bring leadership to your next level, email us at ExecutiveConnectPodcast@gmail.com. And don't forget to subscribe so you can catch every new episode. Until next time. (upbeat music) (upbeat music)