Tyler Compton, lead information security engineer at Aaron’s, discusses how he began his journey in cybersecurity, what he enjoys about cybersecurity, and the value of the RH-ISAC community.
Tell us about yourself and your background.
I grew up outside of a little big city in North Georgia called Rome. There are not a ton of opportunities there unless you want to work in a factory or in the healthcare sector. I never really did well in traditional learning environments and found myself working a lot of odd jobs in my early 20s, going to college on and off again, until I had my first daughter at the age of 24. Around that time, I decided that I needed to do something more “career” focused and get my life trajectory together a bit more. I ended up picking up a CompTIA A+ book I had lying around. I cannot really recall when or where I got it, but I had it sitting on my bookshelf for some time. Long story short, I read the book, got my CompTIA A+ certificate, and wound up with my first IT job at a service desk in 2018. I instantly decided that I loved this line of work, and worked my way up through network administration, into network engineering, and eventually cybersecurity. Most of my work, in all those disciplines, has been in the hospitality sector with a managed service provider. Through that, I was exposed to a ton of different technologies, people, and processes that helped my career grow rapidly.
Why did you decide to pursue a career in cybersecurity? How did you start your career?
I got into cybersecurity by chance. There was a certain project in the first year of my career, where I was simply “in the meetings,” listening in to what was going on and getting exposed to things. Those meetings, specifically, were in reference to compliance efforts for a certain client of my employer at the time. A lot of people were talking about all these architectural and network considerations, and how big of a lift this was going to be, etc. I went off and did some research on the project, effort involved, and what we were discussing in the meeting. I discovered, by reading the regulatory authority’s documentation, that we had been pursuing compliance “the hard way.” So, I knew I had some relevant information, but I thought “I do not know enough about this, so it’s probably nothing.” I asked about the exception to some regulatory compliance rule that I had found, and it turned out to save everyone a lot of headaches, and from then on out I was always in those regulatory meetings. Through that, I started getting into NIST requirements for certain things like NIST 800-30, Guide for Conducting Risk Assessments, as risk assessments are a critical piece to a lot of compliance. From there I really took a strong interest in the pen-testing and offensive security side of the house because it seemed the most challenging and technologically involved. I really seek to be a security generalist that brings value in all security domains, though, so I am continually developing and pursuing new interests.
Can you expand upon your role? What are some of your day-to-day duties?
I am the lead engineer for the component of our security team that is threat intelligence and threat simulation focused. What we really do is collect and organize all our threat research and make sure that we are getting accurate strategic, operational, and tactical intelligence that we can use to influence our decision making. A lot of that is determining the likelihood of threat actualization and what that might look like, specifically for the organization that I currently work for. That is where a lot of the offensive security skillset comes into play, in addition to my experience in the other domains of infosec that pertain to threat actors and their TTPs. The small team that I have is fantastic now; I really enjoy helping decide the direction that the team is taking and helping shape the evolution of the security organization as a whole.
What do you enjoy most about the cybersecurity sector?
Honestly, I enjoy the diversity of background, experiences, and knowledge that gets circulated once you start networking. I feel like security professionals set us apart as community-driven people, for the most part. A lot of that comes from the other thing that I would have to say really keeps me drawn to security, and that is depending on your role, you have to be a jack of all trades, master of maybe one. Security is so all-encompassing, and titles are so ambiguous now, that you really need to be hyper-adaptable to work in this field. There is hardly a week or month that goes by where my knowledge is not directly challenged, and I must go learn something completely new. That is refreshing and engaging in a way that cannot be measured. That means security professionals are REQUIRED to constantly be engaged and learning, or you become somewhat obsolete. I would probably sum it up as, “I don’t know everything, but I can figure out anything.”
When did you first discover the RH-ISAC? How has the community impacted you?
Surprisingly, even though my early career was in supporting hospitality organizations all over the country, I was never privy to the information from RH-ISAC. I knew it existed, of course, because ISACs are mentioned in all the certification material for CySA+, PenTest+, etc. since the original ISACs were introduced through a presidential directive in the 1990s. However, I had no idea about the inner workings or information-sharing capabilities of the ISACs before moving out of the managed services world and directly into retail. My current leadership really encouraged my team to get involved with RH-ISAC when we joined the team, and I will say it was a slow start, but after seeing the value RH-ISAC creates, I am trying to be more attentively involved in the community.
This community gave me my first speaking opportunity at this most recent Summit, and I have developed a lot of new and meaningful connections with people I would consider to be the best in the world at what they do. There is really no way for me to measure the impact that has on me, but it is more than significant. In turn, I really think this community is helping me to develop a personal brand that is going to greatly benefit my career and outreach as a cybersecurity professional. I hope to work within the RH-ISAC community for many more years.
What are a few of your hobbies and interests outside of your career in cybersecurity?
I am really a “hobbyist of hobbies,” as my wife puts it. My time is primarily occupied by raising my three daughters, who are aged five, two, and six months old. You can imagine my house is very full of life at all hours of the day… and night. I have always been a really big fan of tabletop games, so I have an area set up for Warhammer 40k, Star Wars X-Wing, and occasionally a game or two of DnD. There has not been as much of that going on since the most recent baby was born because she takes up a lot of time.
I also currently study Brazilian JiuJitsu and Judo, and I take my oldest daughter to the gym with me where she studies AikiJujutsu, so I am really dedicated to making martial arts a family activity for us. I am hoping when my other girls get older, they and my wife can join us as well, so it is one big family hobby that we all have in common and can develop an appreciation for together. I think it begs stating, cybersecurity is also my hobby. A lot of us, outside of our careers, got here because we took a deep interest in it before we ever had the roles that we may have now. It might even be reasonable to say that it is hard to get into this field and be successful if you are not somewhat of a security nerd to begin with.