
If you’ve spent any time around us, you’ve undoubtedly heard us proudly talk about how awesome our team is, and many of you have experienced their brilliance firsthand. Whether you’ve developed a relationship with various team members over the years or you’re just getting to know NWG, we want to provide you with an opportunity to learn more about the people who work here, and the diversity of their experience and perspective.
For this blog post, the first of what we hope are many on this topic, we asked a handful of our team members to reflect on how they got into cybersecurity — the things that inspired them, the challenges they’ve faced along the way and what they love about their jobs. Many of their journeys are unconventional but fascinating, and we think you’ll find that each of their paths perfectly led them to NWG!
Josh Gatka, Senior Ethical Hacker
What initially drew you to work in cybersecurity?
My grandfather, my biggest hero and a WWII veteran, nearly lost tens of thousands of dollars after being hit by an overseas vishing scam. I’ll never forget the look of defeat on his face while I was at his home, helping him alert the authorities and report the fraud so that he could get any transactions reversed and freeze his credit. Knowing that he had survived the Pacific theater and then worked decades behind a welder’s mask, only to have his hard-earned retirement threatened by remorseless petty criminals INFURIATED me. I became obsessed with learning everything I could about cybercrime and cybersecurity. I wanted to understand how the criminals that called him already had enough information to convince him that they were legitimate and trustworthy.
If you came from a different background, how did that background influence your eventual move into cybersecurity?
When I was teaching high school history, I used a lot of metaphors and inserted quotes into lessons that I found to be particularly thought provoking. That skill served me well in my first information security position as a “security evangelist” at an electronic content management (ECM) software company in Ohio. Despite the cool job title, I think this role was created to have someone on the team do the work that management was becoming too busy for: responding to RFPs, answering customer emails, writing security bulletins, and other customer-facing tasks. But I loved it. When we introduced support for TLS/SSL, I used the analogy of a school bus to describe the benefit provided by encryption of data-in-transit. Just as the school bus picks up your children and safely gets them to school, enabling TLS encryption of data-in-transit ensures that data is securely transported from source to destination.
Today, I use the analogy of the Trojan Wall when discussing why clients shouldn’t ignore a multitude of low-risk security vulnerabilities. Having a strong wall is great, but if an adversary finds a way to get past it, you’ll wish that you had added extra layers of defense-in-depth. I’m a Bruce Lee fan and I find that his quotes are great for discussions on preventative vs. reactive security and defense-in-depth also.
“Do not pray for an easy life, pray for the strength to endure a difficult one”
- Bruce Lee
In other words, enable multi-factor authentication now, and be happy that you did later.
Was there a specific “aha” moment or event that solidified your decision to move into this field?
My first IT job was as a quality assurance tester at the aforementioned ECM software company after the Great Recession cut my teaching career short. I earned Security+ and told the company’s application security team to keep me in mind if there was anything they needed help with. I was recruited to join the company-wide security champions program and learned how to test for some of the things that I still look for on every pentest now, like cross-site scripting (XSS), SQL injection, Server-Side Request Forgery (SSRF), etc. etc. etc.
But very little of it was relevant at the time because I was a QA tester for a desktop (thick) client that had been around since the 90s. Imposter syndrome reared its ugly head for the first of many times in my career; I doubted that I was good enough to find any security vulnerabilities. Surely anything worth finding would have had to have been discovered sometime in the past 20 years. Then I watched Collin Mulliner’s presentation from Black Hat 2014: Finding and Exploiting Access Control Vulnerabilities in Graphical User Interfaces. I used the tools and techniques from the presentation to discover and exploit a bug in the desktop client. I was able to go from bare minimum privileges to a member of the Administrators group in several clicks. When I brought this to the attention of the AppSec team, my life changed forever. I helped write the security bulletin, I helped test the fix, I presented to the champions program and the application security team took notice. They took me under their wing and eventually I earned a spot on the team.
The experience taught me that sometimes aptitude to learn and dedication to your craft are more valuable than natural talent. I’ve been obsessed with information security, particularly application security ever since.
What was the biggest challenge you faced in getting to where you are in your career today, and how did you overcome it?
Imposter syndrome. Especially when starting out, it was particularly intimidating to be surrounded by teammates with computer science degrees and several years of experience. The courage to say “I don’t know this yet, but if provided with the right resources, I’m confident I can teach myself what I need to know and come back to you with an answer” was key.
Unfortunately/fortunately, this is an ever-evolving field. So we’re *ALL* perpetual students. There are always going to be tools/techniques/technologies that I know that someone else doesn’t, and vice versa. This is why it’s so important to work on a well-rounded team at an organization that encourages and leaves space for cross-training. If you do it right, the cross-pollination of skills is always happening because you’ve staffed your team with people that are naturally curious and endlessly inquisitive.
What non-technical skill do you find most valuable in your day-to-day work?
Empathy. Most people are trying to do the right thing and are fighting battles you don’t know about. I have the benefit of having worked as a security engineer at a previous software company, so I know the pain of the people on the other end of the Zoom/Teams call. I’ve had to triage and prioritize security vulnerabilities while wrestling with obstacles like insufficient budget or staffing shortages. I know how important it is to get the people reading my reports the information they need in order to solve the problem in the most effective and efficient way possible, because I was once the person reading those reports myself.
What’s the most interesting or memorable project you’ve worked on at NWG?
For me, the most exciting part of our full-scope engagements is always the on-site, physical social engineering portion. I’m literally getting paid to try to sneak into buildings – how cool is that? I sometimes have to remind myself that when I was a kid playing Metal Gear Solid on PlayStation, this was the type of work I could only dream of doing. The brightest minds at NWG leading these types of engagements are former military red-teamers, so I’ve learned A LOT from them.
I’ll never forget when we snuck into a building late at night, found the office of the head of HR, opened a drawer, and found about a dozen visitor keycards on lanyards that we were able to use to access most doors in the building. The next day we walked around in business casual outfits with those around our necks and drew zero suspicion. We were able to hang out in the building's atrium and nobody asked who we were and what we were doing there.
What’s been the most rewarding part of a career in cyber?
I’d have to say the travel. I’ve been able to travel to places that I never thought I’d see. The former history teacher in me really appreciates that. If I finish a pentest early, I make an effort to go on a quick “field trip” to visit a site of historical significance before I have to be at the airport.
In New England, I got to see the location of the first shots of the Revolutionary War and leave a pen at Jack Kerouac’s grave. After a pentest in Jersey City, NJ, I had enough time to visit the Statue of Liberty and Ellis Island. I was able to search ship manifests from the late 1800s for my relatives that had arrived from eastern Europe.
Traveling for security conferences is fun as well. Every year I go to Las Vegas for Def Con, aka “Hacker Summer Camp.” The vibe is always more family reunion than trade show and I’ve made some great friends there.
What are your favorite kinds of things (projects, tasks, etc.) to work on?
Web application penetration testing is my forte. After all these years I still really enjoy the chance to find serious vulnerabilities on web applications before criminals like the ones that scammed my grandpa can.
When you’re not focused on security, what are your favorite hobbies or ways to de-stress?
Playing guitar in my melodic death metal band, Druparia (druparia.bandcamp.com) and going on weekend backpacking trips in Allegheny National Forest.
Ryan Hoppe, Cybersecurity Engineer
If you came from a different background, how did that background influence your eventual move into cybersecurity?
After high school, I thought I would go into the trades doing HVAC, but I realized that it wasn't something I was passionate about. I later went back to school and knew after working in a tech-adjacent field I would study computer information systems. While taking classes, other students were talking about cybersecurity and that piqued my attention. It sounded new and different.
What was the biggest challenge you faced in getting to where you are in your career today, and how did you overcome it?
Getting a job to gain experience. Then after getting a job, I dealt with impostor syndrome in the early years. My path was different from others. Most start in a help desk or sys admin role to gain technical skills. I started in customer service where I was building a different set of skills along the way and going to school to gain technical knowledge.
What is one common misconception people have about your specific role in cybersecurity?
I think when people don’t work in a field that interacts with cyber teams, they think it’s just hackers and incident responders, but it’s more than that.
What non-technical skill do you find most valuable in your day-to-day work?
My communication and customer service skills. In a previous role at another company, customer service was a huge part of our tech support jobs. People would come in and our job was to focus on the customer. They were there because something wasn't working properly, and we often had to educate the user on the device or software and ultimately repair the relationship and provide a white glove service that would satisfy them. We needed to be able to communicate with them in a way they could understand.
What’s been the most rewarding part of a career in cyber?
Continuing to help people, solving problems and finding solutions for them and trying to make a positive change with any challenges they face.
How has your role evolved since you started working in the field?
After graduating from school with my Cybersecurity degree, I got a job working as a SOC Analyst and Incident Responder. Later, I transitioned to Data Loss Prevention and Insider Risk, and after that I worked on developing a cyber education program within the company. I am grateful to have had the opportunity to experience all these different roles before joining the NWG team.
What most excites you about the field of cybersecurity today?
The creativity and out-of-the-box thinking involved in coming up with solutions or, with ethical hackers, finding ways to compromise a company or system.
When you’re not focused on security, what are your favorite hobbies or ways to de-stress?
I am really into collecting comic books. I’m currently reading Teenage Mutant Ninja Turtles and pretty much anything written by James Tynion IV.
Rachel Park, Research Director and Ethical Hacker
What initially drew you to work in cybersecurity?
I was initially drawn to cybersecurity because of puzzles. I played a lot of NotPron back in the day without ever really thinking about website design. I was just playing a game. When so much of life moved online during lockdown, I started studying VPNs and other digital infrastructure out of curiosity. I discovered I greatly enjoyed it. My immediate next thought was how to tinker with anything I could get my hands on. My biochemistry background was in hijacking natural cellular processes to re-engineer and sometimes invent novel macromolecules, so getting routers to do unexpected things was the obvious thing to do.
There wasn't really an "aha" moment for me that solidified my decision to move into cybersecurity. I was more a frog in boiling water. I just kept asking questions and trying to answer them, and before I knew it I was an ethical hacker.
What was the biggest challenge you faced in getting to where you are in your career today, and how did you overcome it?
The biggest challenge I faced was actually transitioning into a career in cybersecurity. All the bootcamps and certs being advertised during lockdown added to the noise. In the end, obstinance and curiosity led me in the right direction. It felt like everywhere I looked people were recommending formal training, but I wasn't interested. The bootcamps and certs I saw were all teaching me how to hack instead of teaching me about networking architecture. I didn't want anyone to teach me how to break things. I wanted to know how they worked so I could break them myself. This meant I had no industry connections, no teachers, no direction on how to find an ethical hacking job, and no relevant references.
So I just started shotgunning it, but I only sent applications to jobs that seemed interesting. This was likely not a wise decision. Some of the resumes I sent out were laughably bad. I had no idea what the industry was looking for and got a lot of silence. Despite this, I continued to have zero interest in bootcamps and instead stubbornly attached myself to people I found interesting on GitHub rather than joining a course. I was very fortunate to be mentored by some talented people who nurtured and grew my affinity for tinkering. When I finally landed a couple interviews, both resulted in job offers. Succeeding this way probably didn't have a good impact on my character, but now I'm in an industry that rewards my type of curiosity and obstinance. I'd say it worked out.
What’s been the most rewarding part of a career in cyber?
The most rewarding part of cybersecurity for me is the endless opportunities to feel stupid. This field is in a constant state of flux and urgency. Learning never stops because tools can become obsolete overnight and new threats are invented. Pivoting is a state of existence. There is never just one, clear-cut goal because the demands and motivations of cybersecurity programs are myriad. Communication is as much a part of the tradecraft as technical ability. I like chasing a sense of mastery. I like trying to become a human Swiss army knife and getting to solve constantly changing puzzles. I enjoy meeting clients with a variety of goals and needs, trying to help them with the toolsets and expertise available to me, finding out my skills are woefully inadequate, and then learning from team members and collaboratively problem solving. In short, this career is a near-daily shot of adrenaline and frustration with occasional moments of euphoria. I love it.
What most excites you about the field of cybersecurity today?
The information market. Information is always important, but in cybersecurity it is paramount. We protect information, we produce it, we steal it. With the right tool and the right info, even an unskilled attacker can execute sophisticated exploits. The internet provides information in varying states of accessibility, a wealth of data that is difficult to query and sift. Add in information behind barriers like pay walls or individuals who prefer to keep their tradecraft in their heads, and you have a fascinating ecosystem built on flowing electrons and neural connections. The instability reminds me of one of Ted Chiang's short stories, “Exhalation.” If you've read it, you know what I'm talking about. If you haven't, read it. It's excellent. Plus, with AI, information is being collected and distributed like never before. It's a thrilling time in human history.
Thank You
Thank you to our brilliant team members who took the time to share. We appreciate you!
Publish Date: March 5, 2026




