National Heritage Academies Internship

Last summer, I completed an IT security internship at National Heritage Academies (NHA) as part of my bachelor’s degree requirements for Ferris State University. Since then I’ve also earned two certifications, graduated, and launched this blog/portfolio site. Now I have a little time to breathe while I search for an entry into the cyber industry, so I think this is the perfect time to reflect on my internship experience. I’ve recorded the details I remember and that I thought were worth sharing in this post.

To be honest, I was somewhat worried when I learned that I would need to land an internship if I wanted to graduate—I’d heard how tough it could be to find entry-level roles. Fortunately for me, things lined up well with NHA and it wasn’t long after the interview that I was eagerly awaiting instructions for orientation day. The following months presented some of the best learning opportunities I’ve ever experienced (they’re a school management company after all!), and I feel very fortunate to have been a part of their team.

Learning Objectives

The Information Security and Intelligence program at Ferris describes four key outcomes:

1. Become ethical members of the information security or intelligence profession.
2. Become experts at applying computing principles to produce effective computing solutions.
3. Be successful in computing or related careers, or in pursuing advanced degrees.
4. Continue to show personal and professional growth.

These outcomes guide our experience through the entire program. In a very similar sense, the university asks us to create our own learning objectives to guide our internship experience. Here were my objectives:

1. Learn to collaborate effectively within a team of cybersecurity professionals and improve my ability to communicate security-related information to others.
2. Improve my analytical process when investigating security events using tools such as SIEMs, protocol analyzers, malware sandboxes, and other common cybersecurity utilities.
3. Become a more well-rounded individual and professional by attending training, networking, presentation, and workshop events (as well as making connections) with other interns and colleagues.
4. Develop better organization, time management, and presentation skills by regularly presenting/discussing investigation findings with other analysts and accepting feedback.

The Job

Some details about the posting, qualifications, and requirements are preserved here for any that are interested. Continue reading for my description and account of the experience.

Posting

Qualifications

Requirements

If you read the job posting that I included, then you might be thinking to yourself: “well that’s slightly vague.” See the job requirements posted below if you want a more detailed look at what the position entailed, but keep in mind, the requirements listed in this section come from an NHA analyst posting and not an internship posting.

So why did I include them then? The gist of how this internship worked was that interns were treated the same as any other full-time position was, except that our main goal was to gain knowledge/experience rather than to produce value/utility for the organization. Another way of putting it is that I was able to get hands-on experience with all the things analysts are normally expected to do, but without the full weight of their bottom-line responsibilities.

This allowed me to focus on building new skills, improving the ones I already had, and becoming more employable in the information security industry rather than (for example) simply attempting to triage as many alerts as possible in our SIEM.

My Experience

Colleagues and Friends

First off, I want to give a massive “thank you” to the following people I met during my time at NHA:

• Tony Amato – An effective leader, always encouraging us to learn and achieve more.
• Brooke Biby – Previously my (beloved) manager from an older job, you make everything better.
• Lucy Bronkema – Countless great conversations during lunch were often the highlight of my day.
• Jacob DeBoode – Spent his entire summer in the trenches showing the ropes to us interns.
• Mark Jacobs – Advice, feedback, and judgments that you could always trust.
• Christian Kanis – Easily among the most genuine, kind, and professional people I’ve ever met.
• David Reed – Despite often being busy, he always had time to share a wealth of knowledge when asked.
• Kristen Ryskamp – Put in enormous efforts to ensure a great experience for every intern.
• Caydon Thomas – A reliable intern partner who was always quick to get us unstuck.
• Andrew Yates – Had an answer for every question and has seemingly seen it all.

About NHA

National Heritage Academies (NHA) is a charter school management company that operates in nine states and is headquartered in Grand Rapids, Michigan. Their 100+ schools serve 60,000+ students and employ 10,000+ educators and supporting staff members.

My internship happened at the service center headquarters, which is responsible for enabling NHA schools and employees to operate in the field and serve their students. The service center handles functions like HR, accounting, compliance, and (of course) information security for the entire organization.

IT Security

My official title for the duration of my time at NHA was IT Security Intern. This section outlines some details about the IT Security team, our tools and technology, and some of our daily tasks. Additionally, I give an overview of the Security Onion refresh project that I undertook with Caydon Thomas.

Team

When you consider the number of schools, users, and devices in the organization, we actually had a relatively small cybersecurity team. It consisted of only seven people:

• David Reed (director)
• Tony Amato (manager)
• Andrew Yates, Mark Jacobs, and Jacob DeBoode (analysts/engineers)
• Caydon Thomas, Me (interns)

Between us we had 103 schools, 10,000+ computer assets, and many thousands of user accounts to monitor. This resulted in over 4 billion logged events every week during peak business before schools started going on summer break.

Tools and Technology

So, where do you even begin when you have such a large amount of information to sift through? Fortunately for us, we had a lot of advanced software, tooling, and automation to make things more manageable. Otherwise, it would simply be impossible to adequately protect an organization of this size in cyberspace. Here are some of the tools and technologies that we used and interacted with daily:

• ANY.RUN malware sandbox
• Cisco Umbrella
• LastPass password manager
• Microsoft Defender XDR
• Okta SSO
• PhishER
• Rapid7 InsightIDR
• Rapid7 InsightConnect
• Security Onion
• Slack
• TeamDynamix ticketing
• VirusTotal threat intelligence
• VMware vSphere virtualization

The Rapid7 and Microsoft SIEMs served as entry points into the ocean of information at our fingertips. Investigations begin (and sometimes end) there with an alert. Depending on the contents of the alert, we might have to leverage additional tools to get a better understanding of what happened and what to do about it.

The logging tools really are quite incredible if you haven’t seen anything like them before. With enough data captured, the knowledge to understand it, and the experience to piece it together, you can get a very complete picture of what someone was doing on their device when an alert was generated.

In the cases where we don’t have enough information outright, we can start to leverage things like threat intelligence to see what the information security community has to say. Another option is (for example) reconstructing or examining a series of events yourself in a malware sandbox and correlating them to what your sensors recorded. I can recall one or two cases where I was able to conclude that a file was likely malicious when I observed strange behavior in the VM environment and demonstrated that the hashes matched what we observed on our endpoints.

Daily Tasks

Like I mentioned before, interns were treated essentially the same as any other employee. This means that we worked very closely with the full-time cybersecurity team, and often spent the day mirroring their activities.

Typically, every day begins with a meeting between all members of the team where we have a brief discussion about what we’re expecting the workday to look like. After this it’s off to the races. For me, this usually looked like:

• Reading email and Slack communications
• Checking SIEM platforms and triaging alerts
  • Perform investigations and incident response if necessary
• Assessing phish email reports
• Attending team and vendor meetings
• Wrap-up meeting to go over the day and discuss our investigations

That being said, there was also a lot of flexibility here. We were encouraged to get our hands in everything at least once, and this often meant spending the day getting trained by a team member and experimenting with the technology while a different analyst handled the day-to-day tasks.

Project

So what do you do when there aren’t any alerts, phishing reports, or meetings to take care of? You might remember reading this if you looked at the job posting I included:

This basically means that we were assigned a summer project of our choosing. I was asked to brainstorm ideas for a potential project a few weeks into the internship and came up with this:

1. Security Onion update – Maintenance and updates for our outdated Security Onion instances.
2. Documentation/reference library – A ready-to-go indexed library of useful documentation and references to use during investigations.
3. Automation and query library – A library of pre-made scripts and queries to be used during investigations and incident response.
4. Improved SIEM dashboards – Purpose-built dashboards for specific investigative tasks and recurring alerts within our environment.

After discussing with Caydon and Tony, we decided that the best option would be Security Onion updates. Caydon and I put together a plan and began working on ideas to get everything back up-to-date. Here’s a high-level overview of what we did:

• Create project charter
• Access and examine the old environment
• Determine node maintenance/update needs
• Deploy and configure updated nodes
• Create project documentation
• Present project progress to the IT Security team

View full size image

It’s worth noting this was a very involved project that Caydon and I both put significant time and effort into. Unfortunately, there aren’t many other details or documents that I can share without divulging information that should probably not be made public (e.g., project documentation, BPF configurations, etc.).

Lessons Learned

It’s difficult to distill an entire internship down to just a few statements about what you learned from the experience. A lot will inevitably be left on the table in doing so, so think of this more as what my most important personal takeaways were—I learned much more than I could hope to articulate in just one post. I wrote a full reflection as part of my university requirements (visible below), but I’ll try to summarize the main points here:

• Keeping notes is very important, and slacking on it will come back to bite you.
  • Staying organized is worth the effort (“sharpen the axe”)
  • Finishing an investigation doesn’t always mean you can just put it out of your mind the next day.
• Display more confidence in your abilities.
• Know your environment.
• Have a plan during investigations and search logs with intent.

Training and Workshop Events

NHA hosted a variety of training and workshop events for interns over the summer. Some of the most significant ones are outlined below. I’ve scanned and inserted copies of most of my training materials to preserve them for future reference.

Professionalism and Communication Workshop

This event covered professionalism and business communication in the workplace and was lead by Thea Reigler, the former Chief People Officer at NHA. Her presentation was excellent—it had clearly been well-developed and rehearsed. She shared many valuable insights, and we had the opportunity to discuss the materials during the “what would you do?” slides. As a gift, she gave each intern a copy of the Emotional Intelligence 2.0 book to keep.

DISC Training

If you’re unfamiliar with DISC, then the introduction from the cover page of my assessment does a pretty good job at getting you up to speed:

My DISC style ended up being C/s (clarity/support type), indicating that clarity is my most important work style with strong representation for the support style. According to the DISC assessment, this means that I tend to be analytical and observant. I prefer to work independently, but I also look for opportunities to assist others. This is hardly surprising when you consider I studied to be an analyst in a degree program called Information Security and Intelligence. Honestly, I think the assessment was spot-on for the most part.

View full size image

You can read the full assessment if you’re interested, but I picked out some bullet points that I think are most descriptive of my personality and work style.

Resume and Interview Workshop

Our internship coordinator (Kristen Ryskamp) invited her brother to host the resume and interview skills workshop. He had tons of advice to share with us on crafting the perfect resume and nailing your interviews due to his experience with recruiting for global financial organizations.

My full resume isn’t public, but you can view some of the bullet points that this workshop helped me write on my internship below:

• Assisted in security monitoring of 10,000+ assets with Rapid7 InsightIDR and Microsoft Defender XDR.
• Developed TeamDynamix/Slack automation to improve response time by 1~3 minutes per security incident.
• Deployed 6 revamped Security Onion SIEM nodes and created 10+ pages of detailed project documentation.
• Collaborated to update security awareness training plans for delivery to thousands of employees.
• Investigated 25+ security monitoring alerts and resolved 120+ phishing threat reports.

Presentation Skills Workshop

This might’ve been my favorite training event. I don’t remember exactly how the introduction went, but the gist is that someone very hurriedly came into the room while talking about how unexpected circumstances mean that they will be required to lead the training event without preparation. They were dressed in pajamas and looked generally disheveled.

This person (I can’t remember her name anymore, sorry) poured their heart and soul into this performance, and they kept it up just long enough that we all started to think it might be real. Interns start exchanging glances, and right when smiles begin to fade, the real presenter (Kari Avery) makes their entrance and launches with explaining the importance of a good first impression.

Intern Events

Most of these events were hosted by NHA specifically for the benefit of interns. They don’t necessarily fit the description of a training or workshop event, but these were still valuable experiences.

School Tour

One of the first events that all the interns attended was a tour of the nearby Excel Charter Academy. Although it was certainly less involved than many of the other events, I still believe that it was just as important. You need to feel a connection with that you’re working towards and/or contributing to.

Sometimes it can be easy to feel somewhat detached and disconnected from your work, and this is especially true of information security roles. When you monitor a SIEM that logs a billion events per day, a part of you starts thinking that “this can’t possibly all be real” even though you know that it is. Getting to tour the school helped to remind me that each piece of information we look at comes from a real person’s device—someone that’s trying to teach students right now. It’s important that we stay sharp so they’re able to keep doing their jobs when cyber incidents inevitably occur.

Leadership Panel

The leadership panel was our second large non-training event. NHA leaders from across the entire organization took time to join a panel (some virtually, but mostly in-person) with their peers and answer questions for the interns. This included prepared questions for the duration of the panel with the opportunity to ask whatever was on our minds on at the end.

A lot of great wisdom and advice was shared here, but the discussion that I remember most involved grit (something that we also talked about in the resume and interview workshop). Specifically, grit is a great descriptor for what many of the leaders involved with hiring look for in their candidates. A person with grit displays determination and perserverance—they remain resilient and motivated to reach their goals despite facing challenges and adversity.

Another great discussion centered around AI and sources of truth. I’m sure I probably don’t need to tell you that AI is kind of a big deal in the business world right now. Everybody is trying to figure out what to do with this technology, but one thing to keep in mind as we navigate this change is that AI LLMs are not sources of truth. While we can’t deny how useful these tools are, we also have to remember that they can “hallucinate” because of how they operate. In a very basic sense, this happens by taking your prompt and making a prediction about what the following token should be based on the model’s training data. The bottom line: you should know what you’re getting yourself into if you want to (for example) outsource critical business functions to a predictive system or hand encryption keys over to autonomous AI agents.

CEO & President Meet and Greet

For this event, interns had the opportunity to meet NHA CEO Jason Pater and President Nick Sheltrown. Most of this event involved listening to them describe their experiences and answer some of the questions that Kristen had helped prepare. We all had a chance to ask our own question or two at the end before time ran out. Mine was something along the lines of:

I was so nervous that I can no longer remember what the answer was.

NHA Leadership Summit

I had the opportunity to attend the annual NHA Leadership Summit hosted in downtown Grand Rapids at the DeVos Place as part of my internship. This event was a particularly special one, as 2025 was NHA’s 30th anniversary. The event serves as a gathering place for leaders (principles, deans, etc…) across the 100+ schools managed by NHA. Attendees have the opportunity to participate in training and professional development sessions as well as awards ceremonies.

Fundamentally, my role as a service center employee (and indeed all service center employees) was to enable the aforementioned leaders and educators to do their jobs out in the field. As such, this event wasn’t really for us, but it was still our job to help facilitate it.

View full size image

View full size image

I was at the event alongside fellow intern Caydon Thomas and two NHA analysts: Jacob DeBoode and Mark Jacobs. We spent our time at one of the informational tables (many service center departments had at least one) ready to take questions and offering handouts with some useful security awareness information. Scans of the phishing handout (minus the included Swedish Fish candy) can be viewed above.

I mentioned that the internship program works by treating us essentially the same as a regular employee, and it was often joked by IT Security peers that they would never give us “intern jobs” or “make us get coffee.” However, Caydon and I did technically end up with at least one intern job. We had to copy, cut, and count the phishing handouts (printed in sheets of four per page)—and there were a lot of them.

Intern Presentations

Intern presentations were undoubtedly fun, but I would be lying if I said none of us were nervous. The reality is that we always had this event in the back of our heads. From day one (and even before landing the internship), we all knew that we would be required to give presentations on our experiences. What we didn’t know until orientation day was that our entire department (along with the full roster of summer interns) would be in attendance and have the opportunity to ask questions.

I remember discussing the presentations with Kristen during one of the intern check-ins over the summer. She asked me how I felt about having to present, and I answered honestly:

She was satisfied with the answer and encouraged me to keep practicing. I’m told by Kristen and my intern peers that Caydon and I had presentations that perfectly complimented each other, and that we did an excellent job communicating our experiences. You can view a copy of my presentation with included notes here.