Tell us a little about yourself.
Well, I was born at a very young age (apologies for dad jokes right out of the gate!).
Born and raised here in Cincinnati, grew up in Colerain Township, and I’ve been a nerd since age four, sitting with my dad, goofing around on our Commodore 64. I’ve been in IT for 24 years, starting from computer repair and sales, to tech support, to running an IT shop. Fifteen years ago I jumped into cyber security here at CBTS, first as an engineer, then architect, and now overseeing our security consulting program.
I’m a husband, dad, follower of Jesus, and I still geek out about technology. You’ll also find me gaming, cooking, sailing, and sipping some bourbon.
How have you seen your job and the field in general change since you began your career?
In the mid-90s there was no cybersecurity industry, and there wasn’t much of one in the mid-2000s either. As threats have matured, so has the concerted effort to protect our data and assets from them. It’s been really fun to be a part of that, to see new technologies emerge, formal higher-ed programs to train practitioners, and most of all, to see the community grow. The cybersecurity community—the loose, informal network of practitioners that gather at meetings and conferences—is pretty special, and I think more than any other area of growth in the past few decades, has done more to better our collective ability to defend against threats.
With those changes, how has your interaction with our clients changed?
I don’t have to work as hard to convince leaders and executives that they should take cyber security seriously. The question nowadays isn’t “should I invest resources into protecting my data?” it is “how do I do it?” We are fortunate to have a customer base that’s been smack in the middle of that transition for the past few years, because as a team and a company, we’re really good at having that conversation. That said, it’s still surprising how few of our customers have developed a formal information security program, and if I have a passion in my day-to-day work, it’s evangelizing that idea: a security program is essential in 2020.
How do you stay on top of new developments and skills to learn?
It’s definitely not as easy as it once was. I spend more time in PowerPoint than PowerShell nowadays, which I often lament; it means I have to carve out personal time to learn things like cloud security, DevOps, and containers. Just because I’m a manager doesn’t mean my customers will forgive my ignorance about modern IT.
I have a lab at home and try to spend time with new tools periodically. I stay close to the community, and watch a lot of talks, training, and how-to videos on YouTube and LinkedIn Learning. More than anything, I learn from my team—the technical consultants that do our assessments—since they are the folks doing the hard work day-to-day of assessing our customers and, as a result, have the best understanding of the tools, tactics, and procedures used by attackers.
What are some of your favorite aspects of information security?
First, it’s never, ever boring. As a consultant I get to talk to a new customer, in a different industry, with new challenges, every week. As someone who gets bored easily, it’s perfect!
Second, there’s a nobility to the cause. We’re not solving world hunger or saving lives or improving justice for the oppressed, but as technical jobs go, we make a dent in the world. It means something that I spent my day helping a hospital protect its medical devices, or a manufacturer protect its shop floor so that its workers can get paid.
Third, the community is wonderful. The crew I work with are some of my favorite people, and the larger community—especially here in southwest Ohio—is really great, made up of smart, passionate, fun folks that love to help each other grow and learn.
What advice do you have for students who are looking to go into information security?
Do it! We need you. The jobs gap is continuing to grow, and so now’s a great time to jump in feet first. I wrote a three part blog series a few years ago on what I see as the three key paths to starting a career in infosec. One, develop a broad knowledge of enterprise IT. Two, learn how the attacker thinks and what they’re after. Three, get comfortable with the tools and frameworks we use to protect our assets and data.
Any final thoughts?
I’ve really found a professional home at CBTS. Our CEO, Leigh Fox, likes to talk about the culture here as an “engineer’s playground,” and I’ve found that to be true. I’m surrounded by the best technical talent in the region, because this is a place that recognizes, rewards, and promotes smart people. I also like that Leigh pushes the idea of servant leadership, and that he does more than talk the talk—he leads by example. I’m incredibly proud to have spent 15 years here and look forward to the next 15.
Justin Hall has worked in IT for over 24 years. For the past fifteen, Justin has been an information security consultant at CBTS. He has performed work in every field of infosec – vulnerability management, digital forensics and incident response, security architecture, operations, and governance and risk management. He’s consulted for customers in every vertical and all sizes, from SMB’s to the Fortune 10. Justin is the Director of the Security Services team, overseeing the world-class CBTS security consulting group. Justin has a BBA in Information Systems and International Business from the University of Cincinnati. He is GSTRT certified in Incident Response, Digital Forensics, and Penetration Testing.
Learn how Justin and his team at CBTS can help improve your organization’s security posture.