Co-op/Intern Spotlight: Ashton Richards

Picture of Ashton Richards

Dec 20, 2021, 8:30 AM

Ashton Richards is a senior majoring in Cyber Intelligence & Security at Embry-Riddle Aeronautical University - Prescott, AZ. He shares his experience at various internships.

How did you obtain your two internships and what were your responsibilities at each?

My first internship at Early Warning was the result of a singular call in a sea of over 200 applications I had submitted. They were the only ones to give me a chance at an interview, which is my strongest skill in the hiring process. I consulted with Career Services quite a bit leading up to the interview to leverage free preparation and thus managed to succeed at each stage. One of the biggest factors was that I had good experience with the company before; talking to employees at various events and hacking conventions, as well as working directly with their employees in high school on a class project we were doing.

While working there as a security architecture intern, I dug into the threat modeling process and started to understand the flow of idea to design to architecturalization. I worked on various threat models for new applications, like the Zelle Profile Picture functionality. I had to think about things like where the data was being stored, how attackers could leverage it, how you could upload malware samples as your "picture" file, and even things like how to use technology to identify inappropriate images or illicit activities. While working on threat models, I was constantly thinking about loopholes, threat actors, assets, data, and how they could all be exploited. On top of that, I worked on my own project to better align our architecture team to the MITRE ATT&CK and CAPEC frameworks to set default controls for our models. I analyzed the most common attack groups and techniques in the financial industry and determined what controls were mandatory for every project going forward. My threat library was developed into a well-formed standard for threat modeling and is now the standard going forward. After working on the security architecture team, I transitioned into another internship with Early Warning working in business intelligence to get a feel for more business-oriented processes. I worked in that area to develop a more efficient Tableau dashboard for senior executives to look at payment and product data.

My second (technically third) internship at Ascot Group is not a standard internship - it was a role created for me and labelled as one to get me on the team quickly. Achieving this opportunity spans back to 2018, when I first started my Twitter account to become more immersed in the information security community. I was adamant about meeting and discussing with well-known leaders in my field, and eventually made my way into a community of CISO-level executives that shared their experiences in building and maintaining security programs. When I talked about my work at Early Warning and mentioned how I had not received a full-time offer there, one CISO stepped up and offered me the opportunity to discuss his efforts at Ascot Group. I was able to tell him where I could add value and how I could help him shape and support his growing security team, as he was relatively new to the company at the time. Now, I'm working to develop the vulnerability and patch management program at Ascot, which entails me reviewing policy, helping in writing new policy, and determining how we go about implementing updates and managing vulnerabilities. In the future, my individual contribution will grow to a team of cyber resilience experts that work to actively understand what can be exploited in the company and how to manage securing it.

Did your career aspirations change after completing your internships?

Considering I knew almost nothing about security architecture or governance, it absolutely did. Before my internships, I was focused on penetration testing and various red-team roles. Now, I have a more fundamental understanding of the business processes involving security and I want to actively work towards growing security programs and helping to mature organizational security. While the technical side of cybersecurity certainly still interests me and hosts many of my strong skills, the area of architecture, governance, policy, and auditing is what really sets organizations apart in their security posture.

What are the benefits of completing an internship and what did you gain from your experiences?

The biggest benefit I've experienced is my network. After these internships, I'll have centuries of collective knowledge to call upon and a plethora of opportunities to ask about. Each member of the security architecture team at Early Warning has held senior positions at various financial institutions and have pledged to helping me in my career if I choose to pursue a job at any of them. My CISO is now a mentor to me, and he also supports the development of my career and cares about how I'm growing my skills. Besides that, the understanding of how real-world business works and how departments interact is key to explaining your value-add to a company. Even if you were to learn nothing about your specific field, interacting with the business itself gives you great experience.

What advice do you have for other students contemplating doing an internship?

It can be very hard to get your foot in the door somewhere, but it's very worth it. Set a goal for a certain number of applications per day or per week and just do it. There will be a lot of no's, but it only takes 1 yes to open many doors to your future. When doing the internship, ask every question you have, even if you think it's not a good question. You'll interact with many business tools and vendor applications you've never touched before, so asking questions about them is great. Talk to people in the company across a wide variety of roles to better understand how the business works. If possible, try to get 1 on 1 time with executive leadership. All of these things are what make the internship experience great. While you may think you're there to work on a project or produce something tangible for the company, you're really there to immerse yourself in the company and learn. Take the pressure off of yourself to perform well and just soak up everything you can.