Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to The Virtual CISO Moment.
Travis Stein joins us today. He’s a Senior Security Engineer who’s taken an uncommon path through the industry, beginning in IT help desk and systems administration before moving into cloud security, privileged access management, Zero Trust architecture, and security engineering roles with organizations including CyberArk, Delinea, and AHEAD.
Along the way, he’s helped organizations achieve SOC 2 and ISO 27001 compliance while developing a practical philosophy that security must enable the business—not slow it down. He’s passionate about mentoring others entering cybersecurity and writing candidly about what it really takes to run security in a lean environment.
Travis, welcome to The Virtual CISO Moment. Thank you so much for joining us today.
Travis Stein: Hi, Greg. I appreciate you having me on. It’s an honor.
Greg: Well, it’s an honor to have you, sir.
We’d like to start where we always start off. I want to hear your story—how and why you got involved in this really weird field, sometimes it seems like—and just bring us through to where you’re at today.
Travis: Yeah, sure.
My path through the industry started off with, I guess, fairly humble origins, being in IT help desk to start out my career. I got it just kind of by cold applying off the street, back when cold applying was much more successful than it is today.
I did IT help desk and system administration work for probably eight or nine years. I got a lot of really, really good experience during that time, from about 2013 to 2021.
Over the years, even though the experience was good, the burnout became pretty real for me with IT help desk and everything that comes along with that.
I remember thinking, “I’m just kind of going from different jobs, but the burnout is the same. I probably need something different.”
Cybersecurity was something that had always fascinated me. I got into IT because I liked helping people, and I got into cybersecurity because I still liked helping people—but this time by helping protect them from threats, the bad guys, and all of that fun stuff.
Back around 2020, I started networking with people on LinkedIn. I’d ask them if they had twenty minutes for a virtual coffee chat just to talk about what they did.
I’d ask things like, “I noticed you’re in this position. What do you like about it? What don’t you like? Would you mind spending twenty minutes telling me what your day looks like and helping me understand the different areas of cybersecurity?”
One of those conversations ended up being with someone who eventually became my future boss.
He said, “Hey, we might have a Sales Engineer opening at AHEAD. No guarantees, but you’re welcome to interview. I can at least help get your foot in the door.”
From there, the rest was history.
I spent some time at AHEAD, then moved to CyberArk, later Delinea, then most recently Polly. I’ll actually be starting a new job soon, so stay tuned for details on that.
Greg: Well, congratulations on that. That’s certainly an interesting path.
I want to go back to the beginning, where you talked about being in IT help desk.
Is there anything from those days that’s helped you now that you’re in cybersecurity?
Travis: Yeah, absolutely.
I think the biggest thing was bringing an analytical mindset—a troubleshooting mindset.
There are a lot of common skills between IT and cybersecurity that people don’t always realize are transferable.
Being analytical, thinking critically through problems, troubleshooting issues—that served me really well.
Sure, cybersecurity has its own technical skill set, but those troubleshooting abilities absolutely carried over.
Another thing was learning how to research what I don’t know.
There have been plenty of times in cybersecurity where I’ve been completely stumped. I didn’t know the answer.
I had to ask for help.
I had to look things up.
Instead of panicking because I didn’t know something, I tried to lean into it and treat it as an opportunity to grow and become better at my craft.
Greg: I kind of chuckled a little bit when you said asking questions.
I’ve been in this industry for getting close to forty years now, and I still ask questions.
Sometimes I simply forget something, somebody reminds me, and I think, “Oh yeah, that’s right.”
It’s okay to ask questions.
It’s much worse to try to fool your way through it.
Travis: Exactly.
People pick up on that.
There’s certainly a little bit of “fake it until you make it” that happens in every career, but if it’s one hundred percent fake it until you make it, people recognize it pretty quickly.
Most people are willing to help if they can see you’ve already made an effort.
If you can say, “Here’s what I’ve already tried,” people are generally happy to jump in and help.
There really aren’t dumb questions in cybersecurity because we’ve all been there.
Every single one of us has had to phone a friend at some point.
Greg: I still have trouble remembering whether red team is offense or defense.
People who are newer to the field probably think that’s obvious.
But I come from an era where we didn’t have red teams and blue teams.
We just called it troubleshooting.
You have to understand the background someone comes from before judging the question.
I like to call it developing an investigative mindset.
I think everybody in cybersecurity needs that.
Travis: I like that term—investigative mindset.
Curiosity is probably one of the most important traits someone can have.
The moment people stop learning is probably the moment it’s time to retire or change careers.
Being naturally curious is one of the biggest reasons I ended up moving into cybersecurity.
Even though I experienced burnout during those IT years, I don’t regret them at all because they gave me a really solid foundation before entering cybersecurity.
That broad IT experience made the transition much easier.
Curiosity serves people well no matter what profession they’re in.
Whether you’re a nurse, a lawyer, a doctor, someone in IT, or someone in cybersecurity, it’s a skill that transfers everywhere.
Greg: You touched on something that I think is very interesting, and that’s burnout.
Burnout can certainly be a problem in IT, but it’s also a problem in cybersecurity. There are a lot of similarities in how it develops and how we deal with it.
Did you notice any warning signs before you realized you were burning out, or did it just sort of happen gradually?
Travis: It was definitely gradual.
One of the biggest signs was that I’d change jobs every couple of years, but the feeling stayed exactly the same.
I’d think, “Okay, this new job will be different.” Then after a while I’d realize the tickets were still endless, the pace was still relentless, and the satisfaction would slowly fade.
I’m sure there are a lot of IT help desk folks listening who are nodding along right now.
It’s interesting because I genuinely enjoy helping people, but I eventually learned that I have limits.
Cybersecurity still has tickets. You never completely escape them. But a lot more of the work revolves around projects and longer-term initiatives instead of constantly fixing printers, troubleshooting Active Directory accounts, or dealing with day-to-day user issues.
Every time I switched jobs, my satisfaction would come back for a while, then it would fade again.
Eventually I realized the common denominator wasn’t the company. It was the type of work.
That’s when I decided it was time to pursue cybersecurity seriously.
My family and support network agreed. They could see that I wasn’t really happy with where my career was heading, so when the opportunity came to move into cybersecurity, I took it.
Looking back, those years in IT weren’t wasted at all. They gave me a really broad technical foundation that made the transition much easier.
Greg: You also mentioned LinkedIn, and I think that’s one of those platforms where you tend to get out of it what you put into it.
One thing that disappoints me sometimes is seeing people only show up on LinkedIn when they’re looking for a job. They disappear for years, then suddenly they’re active because they need something.
I’ve always believed you should be building and maintaining your professional network continuously.
Since LinkedIn played such an important role in your career, do you have any advice or tips that worked particularly well for you?
After all, getting your foot in the door is often the hardest part. Once you’re in, you’re in control. Before that, you’re at the mercy of applicant tracking systems, bots, fake job postings, and everything else that exists today.
Travis: That’s actually one of the areas where I probably spend more time than almost anything else.
I created my LinkedIn account back when I first started my IT career, but honestly, I didn’t really understand its value until years later when I began posting regularly and engaging with people.
I started noticing something.
People were getting jobs through networking.
They weren’t necessarily getting them because they clicked “Easy Apply.” They were talking to people, building relationships, sharing what they knew, and becoming visible.
That made me realize I should be investing in LinkedIn myself.
I’ve probably landed at least two or three jobs directly because of relationships that started there.
One thing I always encourage people to do is personalize connection requests whenever possible.
Instead of simply clicking “Connect,” I’ll reference something specific from their profile or something they recently posted.
For example, I might say, “I saw your post about AI governance last week. I really enjoyed your perspective. Would you be open to chatting sometime?”
That personal touch makes a huge difference.
People receive hundreds of generic requests. Showing you’ve actually taken the time to read something about them immediately separates you from everyone else.
Networking is also a long game.
You might send two hundred connection requests and only have ten meaningful conversations. Out of those ten, maybe five become valuable relationships.
That’s perfectly fine.
The important thing is continuing to invest in those relationships over time.
Greg: That aligns very closely with my own philosophy.
One thing I absolutely dislike is when someone connects with me and immediately sends a sales pitch.
I’ll happily accept connection requests from people I don’t know if there’s some professional alignment, but that isn’t an invitation to immediately start asking for something.
Let’s build a relationship first.
From my perspective, when I’m looking for consultants for virtual CISO engagements, I don’t advertise those opportunities on job boards.
I simply make a post to my LinkedIn network.
Over the years I’ve built relationships with people, and because of that I already have some sense of who they are.
One of the first things I look at is whether they’ve been active on LinkedIn.
Have they been helping other people?
Have they been sharing knowledge?
Those are the kinds of things that stand out to me because, as you mentioned, many of the best opportunities never get publicly advertised.
They come through relationships.
Travis: Exactly.
Cold applying probably works some of the time, but networking dramatically improves your chances.
Of course, if you’re networking, you’re probably hoping to find a cybersecurity job. There’s nothing wrong with that.
It’s just the way you approach people that matters.
Take time to get to know them.
Show genuine curiosity.
People are much more willing to help when they feel you’re interested in them as a person instead of simply viewing them as someone who might get you a job.
One thing I also look for when people ask me to mentor them or review their résumé is what they’ve already done.
Have they been active on LinkedIn?
Have they been building a portfolio?
Working on home labs?
Posting about what they’re learning?
Those things demonstrate initiative.
Networking has become incredibly important.
It used to almost feel like a secret that relationships helped people find jobs, but today it’s very much true.
It’s still important to know your craft, but it’s also important to know people.
Once you finally get into cybersecurity, staying in the field becomes much easier because you now have actual cybersecurity experience on your résumé.
Every opportunity after that tends to become a little easier to pursue.
Greg: Let’s build on that a little.
Sometimes you land in a position where you’re essentially the security program. You’re the security department.
For someone who finds themselves as a one-person security team, how do you approach that? You start the job on Monday morning, you’re the only security professional there. What do you tackle first? How do you survive?
Travis: Before Polly—and before the opportunity I’m about to start—I had never been the only security person at a company.
I’d always been part of a team of five, ten, or fifteen people.
At Polly, it was really just my boss and me. He oversaw multiple teams, including security, while I was the sole security engineer. In my next role, I’ll again be one of the primary security people.
It’s definitely an adjustment going from being part of a larger team to realizing that, from a security standpoint, the buck stops with you.
There are pros and cons.
One of the biggest challenges is that you have to trust yourself.
If you make a decision that doesn’t work out, there’s nobody else to point to. You’re accountable.
At the same time, that’s also one of the things I’ve really relished over the last couple of years as I’ve had that lead experience.
One of the things I really love about being the sole person on the security team is that I get to influence policy and really shape the security program.
Leading ISO 27001 initiatives, SOC 2 audits, helping define how security operates within the organization—that’s been a lot of fun.
At first I thought being the main security person wouldn’t be all that enjoyable, but it’s actually been quite a bit of fun.
At most of the places where I’ve been the sole analyst or engineer, you’re not completely on an island.
Sure, a lot of the security decisions lie with me, but at the same time there are engineers, leadership, vendors, consultants, and peers that I can bounce ideas off of.
Even if folks find themselves owning a security program by themselves in their next role, I’d really encourage them to lean into it and embrace it.
It’s a lot of fun being at the forefront of things.
Being an individual contributor is certainly awesome too. Nobody probably starts out as the sole security person, but if you ever get the opportunity, it’s definitely something I’d encourage.
Greg: So, putting on your mentor hat now…
You’ve got somebody who’s a technical specialist, and they want to move into a leadership-type position like you were just talking about.
What advice would you give them?
Travis: If they want to make the jump from being a more technical specialist or practitioner into a leadership role, I’d say it’s always the “act as if” principle.
If you’re on an individual team and you want that team lead role—or maybe you want a management role someday—start acting as if you’re already preparing for it.
Try to take ownership.
Lead projects.
Show initiative.
If there’s a project that maybe nobody wants to do, volunteer for it.
Take it from beginning to end.
That goes a long way toward demonstrating leadership skills.
Being willing to volunteer for different projects, showing that willingness to learn, the willingness to adapt, and being willing to tackle difficult work are all really important.
Certainly, in cybersecurity, one of the things I’m currently working on myself is the CISSP.
It’s obviously not a first-year certification. You need experience before you can sit for the exam.
But if you’ve got cybersecurity experience and you want to move into a leadership role, that’s a pretty significant checkbox.
It’s not an easy checkbox for HR, but it’s certainly an important one.
That said, you don’t need a certification to prove you’re ready to lead.
Volunteering, showing initiative, and demonstrating leadership qualities early on can go a very long way.
Greg: Absolutely.
But all of this can come with more stress, which is okay because we love our field and we know there’s going to be stress.
We just have to channel that stress and not let it overtake us.
Otherwise, it can lead to exactly what we were talking about earlier—burnout.
I’m a big believer that people should channel that stress in positive ways and find healthy ways to decompress.
What’s one of the things that you do to manage your stress in this wonderful field?
Travis: Yeah, there are a couple of things.
Some of them are actually lessons I carried with me from IT help desk.
I’ve been working predominantly from home for the past four or five years—maybe even longer than five years now.
It’s a different perspective because my office is inside my home.
There’s really no separation between work and home other than the office door behind me.
That can be a little tricky sometimes.
So I try to keep decompression pretty simple.
I’ll go outside for ten or fifteen minutes and sit on the patio.
Sometimes I’ll even bring my laptop with me.
Even just that little change of scenery is surprisingly refreshing.
I’ve got a two-year-old son at home, so I like to step out of the office, play with him for five or ten minutes, then come back to work.
You don’t necessarily need a kid to do that.
If you have a dog or a cat, that’ll work just fine too.
Literally, the old saying about remembering to touch grass.
Getting outside and getting out of the house is really important for me.
Certainly exercise helps too.
I also feel like I’ve got a much better support network now than I did when I was working IT help desk.
I’ve got doctors, a wife, my son, friends, family—I really built those relationships over the years, and they’ve helped tremendously with burnout.
There’s definitely still burnout in cybersecurity.
I think a lot of people would say, “You’re talking about IT burnout. What about cybersecurity burnout?”
Absolutely.
It exists.
There are definitely days where I finish work and think, “I don’t know how I got through today.”
But compared to my years in IT, I have far more days where I’m not burned out than days where I am.
Maybe that’s just learning how to handle things better.
Back in IT, I would work myself to the bone.
I was a pretty competitive person.
I’d tell myself, “I’m not stopping until I close three more tickets.”
Eventually that came back to bite me because I was constantly chasing one more ticket instead of taking care of myself.
Travis: I needed to come up with better techniques.
Having decent mental health support is kind of an underrated thing.
Whether that’s a good family member, a friend, your spouse, a therapist—having people in your corner is really important.
Work can always be stressful, no matter what field you’re in.
Having techniques—even if it’s stretching for five minutes or walking outside for a few minutes—is a reminder that there’s a whole world outside of work.
Work isn’t the end-all, be-all.
I used to get really wrapped up in work as my sole source of identity.
Now it’s much more balanced.
I’m a family man.
I’m a friend.
I’m a father.
I’m a son.
Those are all important roles that I play too.
That perspective definitely helps me a lot.
Honestly, I probably couldn’t have made it into cybersecurity without having a decent support network along the way.
For folks trying to break into cybersecurity—especially with how difficult the job market has been recently—I think having those people around you becomes even more important.
You’re probably going to hear “no” more often than you hear “yes.”
You’re going to have interviews that don’t work out.
You’re going to have applications that never get a response.
Having people around you to remind you to keep going makes a tremendous difference.
Greg: Absolutely.
Work to live.
Don’t live to work.
I think that’s something we all need to remember from time to time.
So, future plans.
I know you mentioned you’re starting a new position, which is certainly exciting.
Beyond that, what else do you have coming up?
Travis: Yeah, definitely starting the new job in a couple of weeks.
That’s probably the biggest thing on the horizon.
Beyond that, my wife and I have a trip planned to the Dominican Republic in a couple of months.
From what I’ve heard, the new company may also be taking us somewhere in Europe for an anniversary celebration, so that’ll be exciting if it works out.
Greg: That’s never a bad way to start a new job.
Join a company and then get to go to Europe a month or two later.
I highly recommend employers that have benefits like that.
Travis: (Laughs.) I certainly won’t complain.
Greg: Well, I have two responses to that.
First, I’m jealous.
Second, for everybody who works with vCISO Services, no—we’re not going to Europe anytime soon.
Sorry.
Travis: (Laughs.) Darn.
Greg: Travis, it’s been wonderful catching up with you.
I really appreciate you taking the time to join us today.
I think there are a lot of valuable lessons here, whether someone is trying to break into cybersecurity, transition from IT, or move from being a technical practitioner into a leadership role.
Congratulations again on the new position.
It sounds like a fantastic opportunity, and I wish you nothing but success.
Travis: Thank you so much, Greg.
I really appreciate you having me on.
It’s truly been an honor.
Greg: And everybody…
Stay secure.