This is an interview with Zach Tomlin of Tomlin Technology, where Zach discusses starting a cybersecurity business, getting into the cybersecurity field, and how his company handles hiring candidates. To view other interviews with cybersecurity professionals.

Matt:

Hi Everybody, this is Matt with Sec-Down.com. I’m here in the offices of Tomlin Technology with the owner of Tomlin Technology, Zack Tomlin. Tomlin Technology is an IT service provider and cybersecurity company in central Maryland. Zack, thanks for inviting us into the office to talk with you.
Zach Tomlin:

Yeah, absolutely man. Thank you for having me.

Matt:

So, let’s start off with you going through how you got into the IT field, your career track and how you became a cyber entrepreneur, starting your own company. Can you give us your backstory?

Zach Tomlin:

Well, it’s actually kind of a long story. I started working on computers when I was younger. I had a passion for playing video games. So, that’s honestly how I got it kicked off. Back in the day, if you needed to play a game like Ever Quest, you need 64 megabytes of RAM, and that was a lot of RAM back then, you know. My parents weren’t going to install it, so I had to install it. Video cards, I had to install them. Same thing. So, I started doing that and then started building computers for myself so I could play my games. 

I got into the construction trade for a while. That went south in 2008 and I said, “Well, what can I do, and I thought, I like computers, I’ve always wanted to get in the field, so right now is a perfect opportunity to do that.” I used the fact that I was unemployed to pick up an A+ book and I studied intensely and then used every opportunity I could to get my foot in the door. I worked for a local IT company and studied non-stop. You can’t stop at 5 o’clock. You can’t clock out at 5 o’clock. You have to study and keep up with it, and that’s what I did.

Eventually, I moved on from that and it was during the great recession, so there weren’t many job opportunities out there. When I left that (job), I had to make it on my own, and I said, “I have a new idea,” so that’s what I did. I started my company in 2010 and here it is in 2019 and we’re still doing alright.

Matt:

And growing! You’re going into a new office twice the size. So that’s exciting.

Zach Tomlin:

It’s very exciting. A lot of hard work is going into it.

Matt:

No doubt about it. So, what made you come to the decision to not just work for someone else in this field but to start your own company? Because one thing we talk about on the (Sec-Down.com) website is that with a skillset like you have, for example, you don’t always have to work for somebody else. You can always consult, start your own company and so forth. How did you come to the decision to start your own company and go in that direction?

Zach Tomlin:

Well, it wasn’t taken lightly, but after a while, I decided that I had views and ideas and things that I wanted to do. I kind of wanted it my way, so after a period of time of not being able to get my ideas across, I said: “Hey, you’re going to have to do it on your own.” So that’s what I did. I went out, and it was also during the great recession, so trying to find a job was not easy. So, it was either I had to make it on my own or I wasn’t going to have any money.

Matt:

So now it’s 2019, and if someone came to you today and said, “I’m interested in going into the technology field, into the cybersecurity field, what would be your recommendation today?

Zach Tomlin:

The first thing that I would ask myself if I was in their position is, do I love it? And the reason that I say that is because if you don’t really have a passion for information technology, it’s not going to be the field for you. It’s a constant stream of information, new technology that you have to keep up with. For example, you know school is a great foundation, but after you graduate and you get outside of the university walls, don’t expect it to stop there.

Things are moving, changing, the cloud’s changing, everything. So, my advice would be to first make sure that you love it. The second step, after you know that you love it is to find out what area of IT you love. Some people love software. Some people love infrastructure. That’s what I do. And security as well. You’ve got to find out where you fit in the realm of IT. That’s how you’re going to be successful. So, after you do that, stay focused and go for it. Take every opportunity that you have.

Matt:

Sounds great. With that said, how do you keep up with technology? I imagine it’s challenging for you in the sense that you have to run a business and be a businessperson, but also be technical.

Zach Tomlin:

A lot of it is colleagues. I have a lot of colleagues, for example you and many others that I go to and turn to, and we have discussions on “How do you feel about this product? How do you feel about this? How do you feel about the latest products?” 

News. Obviously, keeping keep an eye out for all the latest attacks and vulnerabilities, things like that. That’s really kind of about it. You go and search for it. I have a Google feed which is really nice because it’s very tailored to what I am into. 

Matt:

So you’re reading all the time?

Zach Tomlin:

Oh yeah, absolutely. YouTube videos. I get training courses. I just finished up an Azure training course. You can get training courses relatively inexpensively, and you don’t necessarily need to go take that certification or that exam. Just acquire that knowledge.

Matt:

So if someone followed your advice that you just gave a moment ago about “Yes, I think I’m really passionate about technology, I think I want to go into a certain realm of that“, let’s say security, being more of what I do. If they’re at that stage, what would your recommendation for them to get started, and get the ball rolling if they’re not of the field? What could they do to get into the field?

Zach Tomlin:

Start networking. Networking is everything. I know as a technologist it’s not really our forte at times.

Matt:

Do you mean networking, like computer networking, like what you and I do?

Zach Tomlin:

No. Business networking or professional networking. You need to go out and expose yourself to other people. The Carroll Tech Council is great. We have MAGIC. I sit on the board of that. That will get your foot in the door. All these organizations, the Chamber of Commerce. There are tons of resources out there for you to go out to meet people, and get your foot in the door. A lot of times its cliche, but it’s who you know.

Matt:

If someone’s out there networking, and moving into the mode of sending out resumes, what are some things that you’ve seen on resumes that really make them a winning resume? What are things you’ve seen on resumes that make you say, “I can’t bring this person in for an interview”?

Zach Tomlin:

That’s a really good question. I look for experience. Experience is incredibly important to me because there’s really very little substitution for actually being in the field and doing it. I also look for if they are involved in organizations like MAGIC or the tech council. I also look for recommendations and referrals from other people. I also check and make sure that their resume is well written. If I see spelling mistakes and errors like they didn’t take enough time or put enough effort into the resume, it goes in the trash.

Matt:

For people out there listening who may be thinking, “that’s great Zach, but how do I get experience when I don’t have experience?” That’s the conundrum of our field. How do you get experience when you don’t have any experience? How would you answer that question?

Zach Tomlin:

First, I will share a little story about when I was younger to give a little inspiration to people out there looking for jobs. When I was young I tried so hard to get an unpaid internship anywhere and I couldn’t. It was very hard, and like you said it’s a cyclical thing where you need to get your foot in the door in order to get involved in IT. At the same time, you need to get your foot in the door to gain experience. I just put myself out there and worked for free to do whatever it takes to make it happen. When I started, I would be working 40 plus hours voluntarily just to build experience and create my own position within that company. You have to hit it hard and take every opportunity that is presented to you. Make sure you stick your foot in every door that is opened to you and pursue it. You never know where you’re going to meet that person that will give you that opportunity.

Matt:

So, internships, paid or unpaid, volunteer opportunities, networking with people, build computers at home, and document all of that on a resume?

Zach Tomlin:

Yes, and practice. When I see that people are going out there and getting experience like programming even though its not part of their school curriculum, I can tell they are very interested. They are not just doing it for the money. You will be so much more successful if you care about what you’re doing.

Matt:

Good point. In addition to the experience, is it a benefit if you see that they are pursuing their education in some manner or taking online classes, maybe going to college? Are certifications worthwhile

Zach Tomlin:

I look at certifications as important in getting your foot in the door. The reason is because you need to go out and get a certification and pursue it. College is amazing to get the foundation. In my situation, I see college and certifications as equal.

Matt:

If I’m hearing your correctly, experience first and foremost, and then in addition to that, supplement that experience with certifications and education. If someone has education and certifications without experience is that going to be a challenge?

Zach Tomlin:

Yes. If someone has education and certifications only but they don’t have any experience, that’s a challenge. The reason it is a challenge, from a business owner’s perspective, is that we would have to train you. So when you start working, don’t expect to make thirty or forty thousand right off the bat. Do whatever you can to get that experience, even if you’re getting paid $10 an hour but you’re working for a professional IT firm. That looks amazing on a resume!

Matt:

I’ve seen situations where someone is in college but has no experience. They have an opportunity to get in the field but they think it doesn’t pay enough, so they turn it down. If they would just take the opportunity, in twelve months they would probably be making double.

Zach Tomlin:

That has happened here. We’ve had many people come in here and work for lower pay. A year later they obtain a government contract job and make tons of money.

Matt:

And you’ve promoted a lot of your staff as well?

Zach Tomlin:

Yes, absolutely. The more value that you bring to yourself, the more valuable you are to me. So if you’re making me more money then I’m going to pay you more money. That goes along with what I said about creating my own position at a company I used to work for. I worked hard and sold five servers in two months which was a lot of money. All of a sudden, it was hard for the company not to pay me more when I’m helping to bring money in. When you start working for a company, look for what you can help with or how you could supplement (their existing work). Don’t just clock out at 5 o‘clock. Go home and study, bring in ideas to the company.

Matt:

Let’s walk through the process if someone is interested in working here at Tomlin technology. Someone sends a resume in or drops one off in person. Their resume shows them having experience doing things like capture the flag competitions, hackathons, maybe they document that they’ve built a network at home. The candidate is pursuing higher education and completing certifications. What is the general interview process?

Zach Tomlin:

We have a multi-step interview process. First, we go through our resumes, then we schedule a phone interview. This way we can get a feel for how knowledgeable you are. Next, we bring you in for an in-person interview. The in-person interview is a little more involved, with a few people involved like my COO and my CTO. We run you through simulations and ask you to point out things on the computer.

Matt:

So the in-person interview is hands-on?

Zach Tomlin:

Absolutely. A lot of people will say they “know Linux,” but do they really know Linux?

Matt:

Any last advice that you would throw out there for anyone who’s looking to get into the cybersecurity field?

Zach Tomlin:

When it comes to getting into the field, if you don’t have any experience or knowledge, go out and talk to colleagues, join forums, Google things, watch the headlines. You need to take every opportunity you can to learn.

Matt:

How can people find out about you and Tomlin Technology?

Zach Tomlin:

Tomlin Technology is a managed service provider. We manage IT assets for businesses and make sure their business practices align with the technology that they’re using. We also make sure they’re secure. You can find us at tomlintech.com.

Matt:

What happens when your CIO or your CTO asks a question (during an interview) and the person they’re asking thinks “I don’t know the answer to that”? What’s a good answer when they don’t know the answer?

Zach Tomlin:

I don’t know the answer, but I can find the answer. If you don’t know the answer, you can find the answer. Google is amazing.

Matt:

But admit you don’t know the answer?

Zach Tomlin:

Correct. Always admit when you don’t know it, and that’s even after you get the job. Because, you know being the CEO, President, or whatever you want to call me of this company, there are many times that I don’t know the answer. That’s because technology evolves. It’s different today then it was yesterday. The things that I would have recommended six months ago, I now am recommending something else, because of this evolution. We can’t know everything in our field. It’s too big. Admit that I don’t know, but I can find the answer. Make sure that you can find the answer by utilizing your resources like colleagues, professors, your network, Google and YouTube. Information is in the palm of your hands, so there’s really no reason why you can’t find the answer.

Matt:

When I started in the field, that was the first piece of advice my mentor gave me. If you don’t know the answer you can find the answer.

Zach Tomlin:

Yes. You should never try to fool people into thinking you know the answer.

Matt:

When someone is asked to come in for an interview, what is the appropriate attire for an interview for a small business or IT firm like yours?

Zach Tomlin:

I was always taught to look at what other people are wearing at the company when you drop off your resume. When you come in and you’re dressing the part, wearing something similar to what everyone else is wearing, it’s like you already belong there.

Matt:

So they shouldn’t wear a t-shirt (joking)?

Zach Tomlin:

They shouldn’t wear those fancy $100 t-shirts with rips or bleached jeans.

Matt:

Once someone is hired to be your employee, what amount of time do you invest in them to get them trained up on your systems?

Zach Tomlin:

That is a very good question. It could take about two weeks to a month for a new employee to learn our systems and just how we operate. They would learn how to put people into our system and document things. However, the training process is continuous, so you will always be training and learning new things.

Matt:

So within two to four weeks, you would expect a new hire to be effective at looking up tickets, answering the phone from customers, and addressing their issues? However, there is still additional training on specific technologies that are rolling out?

Zach Tomlin:

Correct. It’s like a tier system where you can be helpdesk or bench tech, where you’re just literally fixing physical hardware.

Matt:

Then you move up from there?

Zach Tomlin:

Correct. We expect you to, and we want to see your progress in those skills. A lot will be take-home work. I shouldn’t have to pay you to learn things that you’re going to be able to utilize anywhere you go.

Matt:

When you send an employee out to a client’s site, they are representing themselves, representing you, and representing Tomlin Technology. What characteristics should they have when they’re on-site in this field representing your company?

Zach Tomlin:

The first and foremost thing is to smile. Be friendly. Talk to everyone with respect. It doesn’t matter if they are the janitor or the CEO. Everybody is important, and you should act as such. Like you said earlier, if you’re asked a question that you don’t know the answer, admit that you don’t know the answer, but tell them you can get the answer.

Matt:

What would be your dress code for your staff members when you send them out to a client site?

Zach Tomlin:

Something similar to what I’m wearing now. A polo shirt with the Tomlin logo, khakis, and nice shoes. You don’t need to be overly formal because you are working, and you’re going to sweat sometimes moving stuff around.

Matt:

Where do you see the field of cybersecurity going in the next ten years? Where will we be ten years from now?

Zach Tomlin:

That’s a scary question! I was a network administrator, a network engineer, an infrastructure, business consultant. Five years ago I saw ransomware for the first time. It was the first iteration of the Cryptolocker. I saw it and I said, ‘this is bad’. And then from there, hackers kept getting more sophisticated. They started disrupting more businesses. It went from being funny, viruses that were just funny.

Matt:

They didn’t mean any harm in a sense?

Zach Tomlin:

Yes. They were just trying to mess with people, and that’s not cool, but that’s what it was. Now they’re trying to collect money, they’re trying to do extortion. Now consider advanced persistent threats or criminal organizations. Why would someone need to rob you at gunpoint when they can hack into your system and steal money without risk? And we’re seeing more and more of that. The hacks are getting more sophisticated. So I said it was time to go specialize in cybersecurity, which is completely different than infrastructure. There are (similar) components in there, but just because you’re in infrastructure doesn’t mean you know cybersecurity. So I went in that direction, I studied and trained (in cybersecurity). The hacks are getting worse. They are just non-stop.

Matt:

Every so often I’ll have people ask me about cybersecurity and ask “Is this a fad? Is this just a hot thing right now?” What do you say to that?

Zach Tomlin:

I worry for them because you need to be protected. It’s not just businesses. When you have the Internet of Things like your smart home. That needs to be protected. You need to make sure that that is protected. There are so many ramifications for not. I’ve actually been in a situation where a friend of mine had a default wireless network. It was bothering me so I asked her if I could fix it. When I logged into her firewall I found a whole bunch of iPod devices that were connected to her network. It turned out that a former boyfriend had hidden IPods around her house, and he was listening to her.

As soon as I saw this I shut the devices down a lot of the harassment that she was enduring stopped. You have nest cameras, you have smart locks. But you will grant access to these devices to significant others, or maybe your dog walker. If you don’t revoke their access to these, you’re basically giving them access.

Matt:

And hackers are able to steal so much – intellectual property, money. They’re not going to stop because they’re successful. They’re becoming more sophisticated but the tools are also becoming easier for the hackers to use. 

Zach Tomlin:

Right.

Matt:

To wrap up, I would like to ask just off the cuff, what’s some quick advice you have for anybody who is planning on getting into the cybersecurity field and they’re starting from scratch?

Zach Tomlin:

Go out there and get information. Pick up a book. Start watching YouTube videos. Start joining forums. Get into it. Immerse yourself into it. Read the stories. Read the headlines. And when you don’t know something, look it up and see what it means. That is the best way to do it. If you don’t do that then you’re not really learning anything.