EP#70 – Gerald Auger – How Simply Cyber Helps People Pivot to a Cybersecurity Career

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.

Narrator(Intro/Outro) (00:06):

You’re listening to The Virtual CISO podcast, a frank discussion providing the best information, security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

00:00

screwed that one up before Don’t worry about it they’re gonna cut the cut this so we don’t have to start right away.

00:06

It’s all good.

00:07

You had a chance to look at the the the document that I sent over.

00:11

I did but not closely because I thought I had two weeks. But if you give me a second I can read it. It’s

00:19

no, no to be honest you all of them are good The only thing that you probably might want to think about a little bit in the back of your head is uh you know, I asked the question what give me an amazing a horrible see. So give me a fictional character, a real person you think would make an amazing, horrible season? Why? And people use things like yeah, I might make dick Okay, good. All right, good. So let’s

00:39

hold on. So like you’re saying like, like, take an actual person in real life.

00:43

Or a fictional character. A lot of people will use people from movies, they use your, your will be terrible. You know, this? Batman would be good, because he’s got a gun that does everything, you know, people have fun with it.

00:55

Okay, well, you then yeah, you will have to give me a second, I thought you were thinking of like, what are the traits of an awful system? Because I’ve worked with some and I can tell you this, like,

01:04

Well think of a movie character that or that embodies that, or somebody you could think of that embodies all those bad characteristics, you know, and that that’s how you will probably want to break up.

01:16

Okay,

01:16

if, if you when we get there if you don’t if you’re

01:20

from the office,

01:21

right? Yeah, that’s a great one.

01:22

Yeah, that’s what I use, like kind of enamored with the position and somehow failed up into it. But

01:29

that’s it. That’s a real good one. Because you do see that. Okay. And then one last thing is, and, you know, same conversation we have base already had basically, the only thing is that, like, if you can everyone’s while trying to leave a little white space in your answer, so that if I want you to drill down on something you’re talking about, it gives me an opportunity to kind of interject and say, Hey, can you can you fill us in on that, hey, you mentioned this. Alright, so I’m gonna kick it off, I’m actually going to record a very brief intro, because we’re behind and we usually record them afterwards. But I’ll do it right now. So with your blessing, here we go. Hey there, and welcome to yet another episode of the virtual seaso podcast with you as always your host, john very. And with me today, one of the good guys in the industry has somebody who gives back an awful lot to the industry. You’re gonna learn about that today. Gerald, Doctor, hey, Gerald. Hey, john,

02:19

thanks for having me. Know, excited,

02:20

excited to get a chance to chat with you again. So let’s start easy. Tell us a little bit about who you are. And what is it that you do every day?

02:29

Yeah, so I’m a 17 year practicing cyber security professional, kind of, you know, promoted up over the years now I run my own information security program at a fairly good size. $750 million 1000 endpoint, chemical manufacturing company, and just really passionate about cybersecurity when computer science background and kind of came up on the GRC track.

02:53

Gotcha. And then, you know, before we get down to business, what’s your drink of choice?

03:00

Yeah, I saw this in the notes. I appreciate it. I know you’re a bourbon man, john, but myself, I actually have quite an affinity for craft beer. I really appreciate it. I like the art, you know, artists and work that goes into it the skill, you know, like, occasionally on a hot day, you know, like a bud lights fine. But I really enjoy, you know, the craft of craft beer. So that’s, that’s where I go.

03:24

So you’re talking, you’re talking to a guy like, we go out often, myself and my family, we go out to different breweries, just so we can go and do the beer flights and the samples. And there’s a place locally, like we’re every Monday night, my son and I go, we play pickleball. And then we go watch a little bit of Monday Night Football and do beer flights. And they have the greatest selection of craft beers and microbrew beers from around the country. So I’m right there with you. Where are you? I don’t remember where you’re from.

03:48

I’m originally from Boston, Massachusetts, know where you are now. Yeah, Charleston, South Carolina, which may be 10 years ago, the state South Carolina State laws changed to allow high alcohol meaning higher than 4% beer and there’s actually been like a craft beer explosion, much like everywhere else. But there’s something like 30 breweries in the greater Charleston area at this point. So no shortage of opportunity to check it out.

04:12

Yeah, I’m right there with you. And what I do you know, it’s funny because all of the folks my family have different my wife likes cultures and loggers. My daughter is a sours person, my son’s a big juicy New England, you know, wet or West excuse me, West Coast IPA style, and I tend to favor the stouts and the stouts and porters. So we always have a really nice selection on the table and have a lot of fun.

04:37

That’s funny. Yeah, you can get a sampler pack and everybody seems to win.

04:41

Oh, absolutely. Yeah, that’s why it’s one of our favorite things to do. Okay, so what you didn’t mention is, is what you do at simply cyber. I’m a huge fan of what you guys are doing. So want to explain a little bit about what simply cyber is and if you could give us an idea what that what is the Genesis the idea agenda. there.

05:00

Yeah, so simply cyber is a it’s it’s primarily a YouTube channel, but it’s got tentacles going in all different other places at this point it’s starting, it’s really starting to grow crazy, but it’s a YouTube channel designed to help really anybody make and take a cybersecurity career further faster. And we you know, we do a lot on the channel. Like I said before, I’m very passionate about the subject. So it’s really like an outlet for me to talk about, you know, anything I want in the industry, but you know, we’ll do the kind of the meta of careers. So like, how do you how do you interview for a cyber job? What kind of questions can you expect? What’s a good resume look like? How do you? How do you like that catch 22 of how do you get experience without a job, but how do you get a job without experience, we, we tackle kind of the career piece of it. But then we also dig into like labs, like, you know, I find Raspberry Pi’s are, you know, really cost effective, right? So I have a bunch of videos on the channel of like, how you can stand up a web application pen testing framework on a Raspberry Pi. So for like 70 $100, you can, you can really train yourself up on web app. So it’s very technical, I seem to be the only person on the internet who’s doing education on GRC content, somehow. So yeah, it’s a really a, quite a, quite an eclectic collection of content. And like I said, I do stuff on LinkedIn, I do stuff a little bit on Twitter, and some of these other platforms. But it all circles back into this YouTube channel. And I gotta tell you, john, I’ve been doing it for a year, it started off as just kind of an outlet and a hobby for me to, you know, basically share some of my knowledge. And within a few months, it quickly turned into really this community that was really seeking out and hungry for this knowledge, and really weren’t getting it because a lot of the content on line and on YouTube, it’s almost exclusively focused on penetration testing, like, here’s how you do this sick zero day, or here’s how you like hack a box or privilege escalation like, which is great. You know, that’s great for the people who want to do that work. But it’s so misleading because there’s so much more other opportunities and jobs and roles and functions and all that and people don’t know about that. So I started doing it. And then it’s very much like a flywheel john, where people started asking me certain questions, so I’d make videos to answer that which would then feed into more community more engagement, and so on and so forth. And it’s really just, it’s been very satisfying to, to get those stories from people who reach out and say, Hey, like, you know, I got a job, I, in part because of some of the stuff you taught me, or I was able to mention this in an interview. And it really differentiated me among the other candidates. Thank you. So I feel like I’m doing good work for the community.

07:45

Yeah, let’s I that’s why I asked you to come on today is because I think you’re doing an amazing job and what you didn’t mention, which people should know, you’re not charging for this, right? You’re doing this for purely altruistic reasons. You’re trying to better the industry and help people get into what is a fun, fascinating and good paying field?

08:07

Yeah, absolutely. So I mean, I have monetized by YouTube channel, so like, maybe you watch like a 15 second advertisement or whatever, beforehand. But this isn’t money, that’s, well, first of all, it’s not gonna cost you like is an individual any money, right? You don’t need to pull a credit card out or something like that. So that that is fantastic. And I have like resume templates on my website, simply cyber.io that people can go I’ve curated a bunch of resources that people that are all free resources. JOHN, I’m really of this ilk that believes that, like, cybersecurity has given me so much right, I’d have like a family I have a house like I have a very satisfying career. And it’s all because of cybersecurity, I’ve traveled to some like amazing places because of cybersecurity. So, I want other people to have this opportunity. And I don’t want it to be exclusively withheld to only people who came up in like, upper middle class family or had access to college or something like that, like I want a single mother of three children who’s like making ends meet to have the opportunity to get access to the education and resources that that person needs in order to, you know, pivot into a cybersecurity career that’s both satisfying and financially, you know, really promising. So that’s kind of like my driving force, you know, so even even to be honest with you, like I just wrote a book recently, and you know, in the books like $25, or something like that, and it’s, I didn’t do it to make money I did it because I wanted to write a book and be I wanted to get this knowledge, you know, out there, and I know because of the publisher, I selected, like I know, in probably six months, it’s going to be like, you know, a humble bundle where like, for $1, you get 18 bucks. So I know it’s gonna get out there eventually.

09:53

So what? I didn’t know you were in the book, what’s that? What’s the title of the book?

09:57

Yeah, it’s called cybersecurity career master plan. Right there. Yeah, just came out a couple, like last week or something. It’s on Amazon it’s gotten I you know, one of the things that makes me so proud is a lot of people are talking online about the book and how wonderful it is. Right? So it’s, you know, you make the book, but you can’t make people say nice things about it. Right? So

10:19

Well, I mean, if you if you believe what they say about Amazon reviews, you actually can

10:24

well say that we only have seven reviews, but they’re all five stars. So five reviews 1000,

10:33

you bought you bought more than 70? Yeah, yeah. And listen, I just have one bit of advice for you is, if you sounded a little more excited about what you do, maybe people would just explode every time you like, people say that. I’m like, people, like say, they’ll spend an hour with me on the phone or a potential client, like chat about something. And by the end of it, they’re just like, you can see their hairs blowing back, just kind of like sitting there like, that was a little overwhelming. And I gotta be honest, you, you, you talk about, if you make me look low energy, you get so excited by this stuff, which is awesome. Which is awesome. I mean, I share your same genuine excitement and enthusiasm. I think the field of cybersecurity is awesome to be in. And where else can you have a blast, work with really smart people, earn a great living, have awesome job security, and do something good for the company that you work for the companies you work for we rise consulting firm, which does something good for the people that work at that company, right ensures the company’s successful, and then it helps the customers of that company, right, because of their processing information. Sometimes we have those people not having their identity stolen, you know, they’re not having to change their credit cards, they’re not dealing with those types of issues. So yeah, it’s like win win win. So so you know, I share I share your your thoughts completely.

12:01

Yeah, yeah. And that’s why I mean, that’s, that’s part of the reason why I love simply cyber because I literally can talk about all of it. I’m not pigeon holed into just Blue Team stuff, or, you know, just whatever. So.

12:12

So one of the one of the things that I thought was clever, is your, your idea to use personas, I think you refer to them as avatars to represent like a logical group of people a certain like career point, because they all have the same attributes and objectives. Tell us a little bit about that. How it works?

12:30

Yeah, so you know, when I originally started doing simply cyber, I was thinking, Okay, like, it’s one thing to make content for me. But like, really, if you want to have an impact, and you want to have, like, you reach, you have to think about who is the person that you’re trying to talk to, right, and make content for them, right. So originally, when I was making this content, I really had the naive perception, probably, because of my own background, that I was really trying to target. People who are just graduating college looking to, you know, probably with a computer science screen looking to get into the industry. And so I started making content for that. But then I was getting messages from people who are like 35 years old, and they’re like transitioning out of the military, or I got, you know, questions from people who work in like finance and accounting and want to, like, you know, quit their job, because they’re so miserable and unhappy. And how do they switch over and people know it background and stuff. And I quickly began to realize, like, holy crap, there’s actually like, a lot of different people who have very different kind of starting points, right, or have very different optimal on ramps into cybersecurity, that I need to cater for, in order to serve each of them in a good way. This is not a one size fits, all right, some things are one size fits all. But really, if you want to have that value to the individual, I feel like you have to tailor it somewhat to them. So you know, everybody’s got their own special situation and stuff, but you can kind of categorize them. So, you know, to your point, I’ve actually curated content, I specifically focus on addressing certain groups. So like, for example, the military transition or the veteran, if you’ve already transitioned out I have a whole collection of videos just around content that would make sense for those people right? So and it’s and I didn’t serve john so I actually went out and got experts who served in the military that work in cyber security now and I asked them yeah, how did you do it? What did you wish you knew, what are some pitfalls etc, etc. And I get all that information and I put it there. And now I have like a whole like your, hey, if you’re a military person, and you want to get into cyber, like here’s a curated list of content, you can, you know, drink all this. And for me personally, time is like my most important asset like I have, I do a lot of stuff like this stuff we haven’t even talked about, and I need to be super efficient and super deliberate with how I spend my time. So I want to extend that to other people. So like, if you’re this military guy, I don’t want you or military woman, I don’t want you, you know, floundering around my channel because you’ve heard I’ve got cool stuff and trying to figure out which one makes sense. I want to deliver it to you in a packaged tight way so you can get what you need and get going on to the next step.

15:22

So I don’t know if you noticed that you actually create the perfect if it isn’t already your tagline to simply cyber, your your on ramp to cybersecurity. Yeah, I heard that. I was like, Man, that guy’s a marketer on top of things. I love it.

15:37

I’ll write it down right now. JOHN, thank you. I’ll give me royalties.

15:42

royalties? Yeah. So you’re gonna give me 10% of the $0 that you collect from the people that are on your site? I want you to stop negotiating. 15% Are you kidding?

15:53

Okay. All right. All right. All right, drive a hard bargain. I’ll send you the check. Yeah,

15:58

Jesse? No, that’s considered a verbal contract. So so you’re committed to that now. So one of the one of the terrible oddities of where we are right now is that there’s this giant catch 22. The catch 22 is that we don’t have, we don’t have enough, we have a shortage of people. we advertise entry level jobs, and you look at the entry level jobs. And you know, you need basically two to three years worth of experience to fulfill the qualifications of an entry level job. I think you kind of alluded to that I know, My son went through it, he joined the cybersecurity field, you know, a couple years ago, and he went through the same issue. So we don’t how do we how do we solve that? Does the simply cyber helped us all that? Is this a problem that, you know, you’re you’re solving part of it, and we need companies to do a better job, or we need recruiters to do a better job?

16:50

Yes. So this is one of the bigger issues in our industry, right? So there’s a couple ways to that there’s a couple big macro things that need to change in order to address it. But I what I do, I’ve actually been thinking about this yesterday, I went for a run, and I thought about this exact question on how I would approach it, if I was your son, for example, john, like, if you need to do this today, like the macro changes aren’t going to help you today, these are bigger things. So HR is one of the big problems, right, because they don’t understand our terminology, they don’t understand our industry, they don’t understand that like the term information security, analysts can mean like 30 different things. And depending on what your needs are, what’s your progress, your tech stack, all this other stuff. You know, the perfect entry level candidate could be a bunch of different things. So I think what ends up happening is you get kind of a unicorn wish list put together by the hiring manager, or you get what’s worse, the HR person copies and pastes from a bunch of different racks, a unicorn that they don’t realize, and you know, you see this, like CISSP for an entry level, which is a five year level of five years of professional experience cert, right? So this is a problem. And what I would say is a couple things. One, I think you just have to apply. And really, unfortunately, like, Don’t lie on your resume ever. But definitely tailor your resume and include certain keywords to make sure that you get through any type of automated tracking system, right, like So the example I’ve been using lately is like, let’s say that you’ve got experience with graylog, which is a open source simpe. Right. In for those of you who are listening that are familiar with it, it’s just a it’s just a security tool, right? Well, if the organization that you’re applying that uses Splunk, a competitor to gray log, you know, maybe you say, you know, instead of just saying gray log experience, maybe you put like, you know, some some descriptive bullet that explains how you did worked on a SIM, right, because the skills are transferable, the tech stack doesn’t really matter. There might be a little bit of, you know, onboarding, but for the most part, it’s gonna be the same, but you’ll get through that ETS tracking. And you know, the hiring manager is going to know with like, I know a gray log is I know what Splunk is, like, I know they’re compatible. So that’s one thing. The other thing that I would suggest, and this is what came to me yesterday, and it’s funny, because it’s my story. professional services companies, right? There’s big ones like Deloitte, Booz Allen KPMG, Accenture, Capgemini, you can google these, they’re huge, like, you know, 100,000 employee companies, right. And basically, they’re just professional services, they get contracts, and they put bodies on the contracts. You owe us a year, they are charging on the contract, say $200,000 a year so like you’re guaranteed revenue for them so that what they need is a heartbeat, and a good attitude, and they’ll hire you. So I’m not saying that like you can be a complete hot mess and get the job. But I would say if you’re trying to get that first job that some of that first experience, you may want to look at those because I feel like they’re a lot more flexible. And open to hiring people and training them up. Because really they’re going to start charging the client to x for your body that day one. So they’re they’re incentivized to have people’s butts in seats.

20:13

Yeah, yeah. I think most of their customers would love if it was to x.

20:18

Yeah.

20:21

Okay, you’re being you will be you will be you being kind to say two acts. Yeah. So yeah, you know, it’s funny, my daughter is also breaking into the she’s gonna graduate this year, and she wants to go into the cybersecurity field. So I hope she’s listening because that was good guidance. And if anything is, you know, she’s she sent over some of the stuff that people are looking for. And, you know, imagine a entry level position. Now they know, this is their advertising. This is in college. And it was like, knowledge of ISO 27,001. So and experience working with NIST 853, which is one of the most complex, robust, you know, onerous security, like yeah, that’s a that’s a guy that’s been out in the field, five years, and it’s done really heavy duty work. And she’s like, Well, what do you do here? I’m like, I don’t know, I don’t know why they would go to a college fair. And that would be, that’d be who they’d be looking like.

21:13

Yeah, again, I really feel like that’s a disconnect between, like, you know, they don’t understand what they’re asking for. And just, like, you can’t even read the Wikipedia for NIST 853 and get it. So I’m 100%. Right.

21:29

So have you ever thought about um, have you ever thought about working with some of the recruiters and you know, that’s an example I don’t know if you know, a very dynamic young lady in the field, Deidre diamond. She has a company called cyber fn.

21:45

Yeah, I’m personal friends with her. Yeah.

21:47

She’s She’s great. I love Deidre. Have you have you? Have you had this conversation with her? Because you know, she, you know, if you think about it, logically, you guys are both trying to solve the same problem. I mean, you know, if she was able to source entry level people into places that would be good for her business, it’s good for the people that you’re talking to. And if you were, if you were helping them get up to speed to the point where she could effectively place them. That might be I’m sure you’ve already thought that if you’re friends with her.

22:13

Yeah. So you know, daydrian, I have talked. So she just launched her like they relaunched cyber sn like, yes. Yeah, and, but unfortunately, just because of the way it works, like right now, the site is more tailored for people who have some experience in the field to get in there. But if you’re not familiar with the paradigm that she’s kind of introduced into this platform for recruiting, it’s actually quite clever. So it very quickly, her platform is much more like a dating website, kind of configuration, right? It’s not like for hooking up like, it’s not where cyber people go to hook up. It’s, it’s like literally, like, you create, like a profile of who you are. But there’s no names. There’s no gender, there’s no age, there’s no, it’s just what you do. And it’s very, like, it’s, it’s almost restrictive, right? So like, if I put in that I have done GRC work, what kind of GRC work, like I have to pick from pre select,

23:08

she’s smart, and she’s smart enough to know what should be tagged and what should be relevant.

23:14

Yeah, and I mean, she’s got a really robust taxonomy. That was like, half the time, half the research he did was to get that, but but on the other end, businesses are putting in wrecks. And here’s the, here’s one way that addresses this problem. We just talked about this unicorn rack, right? Oh, every, they only allow you to put five kind of attributes on each rack, right? So you can have someone who’s doing 10 different things. So really, you should only be doing five, and you have to put percentages out of 100. Right? So if it’s, if it’s a, you know, risk analyst, right, how much of the time are they actually doing risk analysis, and if it’s, if it’s 80% of the time, then that’s what it is, but you you can’t then say they’re also doing, you know, compliance audit for 50% of the time, right like that, you they, they restrict you into actually defining the rule, which I think is one of the key problems in the industry.

24:09

Yeah, no, I agree. And anything she’s doing is probably being done intelligently and well. That’s been my experience with her she’s she’s sharp.

24:17

Oh, she is Yeah, and she’s got I mean, she’s very much got a righteous mission to fix the broken system of like, basically, hiring and cybersecurity especially especially at the entry level. Yeah. The

24:30

other thing I like about our and something I’m also believe Ryan is she is a big supporter of things like Women in Science, Technology, Engineering and Management, diversity, hiring things of that nature. So she’s, she does a lot of good things. She runs. She curity Yeah, yeah, security conferences really cool. So if someone’s listening, and they wanted a break in cybersecurity, in my opinion, and you know, I get asked the same question like hey, you know, I’ll get paying like hat you know, I want to be different. Security, like you said, there’s 40 or 50 different discrete fields within information. So it’s like saying, I want to be a doctor, a doctor, like, yeah, there’s lots of different specialties. I think there are some that are easier to get in at a true entry level, maybe better due diligence, or maybe a pure Compliance Job. thoughts. They’re like, you know, where you help people target where those easier jobs to get in with less experience?

25:26

Yeah, and I just say, no quid pro quo, I’ll be also stealing there because, you know, I do that all the time. Like, oh, I want to work in cyber, okay, which part and then the person’s like, dumbfounded, that there’s more than, so I’ll be feeling that one as well. But

25:44

another 15% of your revenue? I mean, I know, I don’t know, I don’t want to be above 50%. Because then you’re gonna want me to actually do something. Yeah. Part of it just takes money off the table.

25:57

Okay. So yeah, as far as my thoughts around this, you know, this is anecdotal information, but people listening to think that, like pentesting, jobs are the there’s very few of them, right. So there’s a huge burgeoning market around it. But there in the grand scheme, compared to other jobs, there aren’t a lot. So like, even though it’s the coolest of the jobs, there’s less opportunity sock analysts kind of the blue team stuff is where you’re probably going to find like 15 to 20%, or 15, to 20x. Opportunities over the pentesting. One, but that job is a really great field, most organizations do have some kind of blue team operation if they’re fairly large. And, but you could suffer burnout. And it’s a very technical job, right? Like if you’re not comfortable, attacked, or whatever. And then the next kind of Avenue or space is GRC, which you kind of alluded to with compliance and risk and stuff like that. I personally believe that GRC is an excellent entry point, especially if you don’t have an IT background, because there’s a lot of audit, any, any industry that’s regulated. So with information security stuff, so federal, in the United States, federal it, and healthcare, with HIPAA and FISMA are both essentially regulated. And there needs to be annual preparation work, there needs to be annual audit work done around these standards. And people need to do that work, right. So if if you’re not super technical, and you know that this work needs to be done, there’s going to be jobs for it. And standard, I mean, you can just read it. And really even if you like, worst case scenario, even if you’re reading something that you literally don’t understand, you’re going to be asking, you’re interviewing a practitioner, and network engineer, sysadmin, you’re asking them if they do these things, and they’re telling you Yes, and how they do it. So you’re collecting evidence, and like, you’ll basically I don’t wanna say get on the job training, but just by sheer exposure, you will begin to like, put the pieces together. And obviously, if you’re going to work in cybersecurity, I mean, you you have to go get skills and get developed and and do stuff like watch simply cyber content or, or any of the other various resources out there. You can’t just like exclusively rely on on that on the job training. But I would I would bet you right now, if you’re, you know, pause the video, or pause the interview, and like, go on LinkedIn or something like that, and type in, you know, entry level, cybersecurity audit, you know, and see how many jobs come up, you might be surprised at how many there really are. It’s just, I feel like GRC gets a bum rap. Because it’s the it’s the least technical, right. And a lot of cybersecurity people identify themselves as technologists always doing cool stuff. And the GRC side, isn’t that, which is and it doesn’t have a lot of cool tech demos and labs and tools. It’s much more like Excel spreadsheets and reports. So it gets a little bit of a bum rap. But I’m telling you right now, if you want to get into cyber secure, and you want to do it quickly, that’s a that’s an excellent Avenue.

28:58

Yeah. So So hey, I couldn’t agree with you more. In addition of any due diligence, I would say getting on the audit side, but and I’ll disagree a little bit, because we live in a governance risk and compliance realm, I believe a lot. And I think it depends, I think there’s a piece of governance, risk and compliance, which is fun, which is the advisory side, like, you know, we act as virtual CSOs, we’re going in and helping organizations strategize and build out their cybersecurity programs from the ground up. So you know, having this ability to look at a broad organization’s requirements, interpret it, you know, Intuit where they need to be in three years, and then chart a path to get there, build that program, and then monitor and govern that program until it gets to where it needs to get to, that can be a lot of fun. But in order to do that, you need to have usually some no less than six and probably closer to 10 or 12 years with a broad knowledge. So going into the fields that you talked about going into risk going into compliance. You know, going into into vendor due diligence gives you going into audit really builds your skill set to be able to come To move up to that more consultative advisory level role, which is a fun place to be, yeah, absolutely.

30:06

And yeah, by no means am I saying that all the roles in GRC are entry level, right? Like Like any any vertical you go across if you’re going to have more senior level roles, but even in the advisory role, john, I could see the need, you know, like, or the ability to leverage entry level people to help you do some of that, you know, frankly, grunt work, you V, Cisco, you’re gonna help chart a course. But you really got to understand what the threat landscape is for this particular vendor. Hey, go out and do some analysis, find out what you know, give me the last year and a half of attacks on manufacturing sector, or oil and gas, and what was the average ransomware? You know, all this stuff? And yeah,

30:48

yeah, run, run, run that run this tool on that. And see, from an asset management perspective, where the router lets, you know, let’s make sure that they have a user account management is being properly managed, how many ad administrators they have? Yeah, there’s a lot of pieces of that, that somebody doesn’t have to be a rocket scientist to do. We just got we just got to do a better job in our industry of making those jobs available to people. So you talked about some of these fields that we talked about, do you align your training with fields like so do you have stuff that’s around GRC? Right, that stuff? That’s right, I want to be a pen tester, hey, I want to be a GRC person, you align your training that way?

31:24

Yeah. So on the channel, I’ve got 150 videos at this point. So just nice, because now I have a large enough catalog where you can actually bucket it right? If I just had one video on blue team, it’s silly to say like, I’ve got a blue team catalog. But I actually just recently made an effort to catalog and curate them in a way because YouTube allows you to make different playlists and stuff. To say, like, I actually took it again, from the perspective of my avatar, like, hey, I want to get into cybersecurity, and I don’t understand it. Like, like, how do I get into how do I get into cybersecurity? If I don’t understand it, question mark. And then I have a whole curated, specifically laid out playlist for those people. And then I actually have one that’s coming out either tomorrow or next week Tuesday, that says, I want to hack all the things, how do I do it? And it’s basically to become a pen tester. Professionally, like, what, how do you like, where do you start? And how do you get there? So I in the sock analyst one, that’s actually there’s my content around sock is quite popular, so that I already have that one made, but it says I want to be a sock analyst. What do I do? That’s literally the name of the playlist? That’s awesome. Yeah. And I’m hoping that people find it. And they’ve asked themselves that question internally in their in their own inner monologue, and like, here it is in front of them on on the screen, and why wouldn’t you want to take advantage of it? At the end of the day, john, I just want people to find it and take advantage of it and help and help themselves. That’s, that’s what I really want.

32:57

Yeah, one question for you there. So, you know, we’ve talked a lot about people getting into cybersecurity. You know, a lot of small businesses can’t afford high end cybersecurity people and they’ve got somebody who knows enough to be dangerous, or maybe they’re an IT guy that’s doing some information security. do you how do you look? Do you think any of your content would help a company improve the the quality of the folks that work with them, and at the same time, advance their careers further in cyber beyond just getting from out of it into it, but into it to a higher level?

33:33

Yeah, so you know, my, my content could help people level up their career. I do. So just as a quick aside, we didn’t mention it. But I have a PhD in cyber operations. And my dissertation research was specifically looking at why smoked like it was much more nerdy laid out than this, but it was essentially looking at why does small businesses suck at information security? And I looked at it from a management perspective, like what what is going on over there? Why they Why are they always not good. And it’s not just the financial thing, actually, my research found it’s actually has nothing to do with the financials, it has to do with a mistaken belief that they’re actually secure. But But the problem, you know, so and there’s evidence to support it. But the problem is that the small businesses that don’t have the dedicated IT staff or they’ve got a jack of all trades person, they don’t really I don’t want to say they don’t want to do information security, but they don’t have the bandwidth and it doesn’t align to their business mission, right. So it’s just like it they almost want it to be like it where it’s a commodity and they just pay a monthly subscription fee and they’ve got access to email or they pay a monthly fee and they’ve got word, right it’s it’s just seen as a service offering. But but it’s not that’s the thing. They can’t buy it in a commodity commoditized subscription based way. So they just kind of assume that they got it by default, because they’re They have someone doing it for them. So unfortunately, there is probably a small segment of people that do it at a company, a small business that do watch simply cyber videos. But it’s it’s likely because they actually are personally invested in wanting to learn how to do cybersecurity versus trying to to do it as a business value type type thing.

35:25

two things. One is that is your work that you did I PhDs available somewhere, I’d be very curious to read that.

35:32

I can, I’ll send you a link.

35:35

Oh, that’d be that’d be really cool. Because I would like to, I’d like to see what you found. The second thing, which is really interesting, and maybe a good way for people to think about this is they want it to be a service. But I think that the difference between being service like an IT service and a service, like any information security services, that the impact of an error occurring is so dramatically different. But if your IT operations fail, you’re without email for 20 minutes. If your information security fails, you may be without a company for or without large amounts of your data. Right. Or you may be dealing with a breach notification that’s going to shut your company down. So they have found, you know, the problem is, I think one of the problems with businesses that I don’t think they understand risk very well, generally. And I think that’s really what the challenge is, I think they had a better understanding of information security risk, I think they would have a more realistic understanding of what they should allocate, to manage that risk.

36:33

Yeah, I agree. 100%. I mean, you know, infosec isn’t exclusively an IT thing. But it’s often seen as an IT thing by those who are, you know, I guess, not, you know, smart on what cyber security or information security actually is. And because it’s complicated, and it doesn’t, you know, another thing, john is, I feel like, it’s because like, nothing bad has happened. You don’t you don’t see it happen. Right. So you don’t think it’s an issue. So you must be good to go. Right? It’s almost like because there’s nothing happening. We’re fine. In obviously, that’s, that’s not the case. Plus, it doesn’t help that doesn’t help that, you know, hollywood depicts like cyber attacks is like, very, you know, obvious and very overt, when really, that’s not how it happens. So, so yeah, but I will tell you, like we see with the major companies, like any business that suffers a true, you know, cyber security incident that has real impact, they get pretty serious about about it afterwards, you know, that either through investing in insurance, or hiring staff or flipping out and wanting to like restrict everything. So we do you see that?

37:43

Yeah, people always find religion after they have like a heart attack, right? Or they find nutrition or whatever it is, you know, unfortunately, unfortunately, take it off, they often need a catalyzing event. You know, ideally, you would need a catalyzing event. Where do you see simply cyber going over the next few years? I mean, like I, when I look at the catalogue, you’ve put together in a relatively short period of time, it’s pretty amazing. What are you? What are you thinking?

38:07

Yeah, so I never really had a long term vision for this, because I just I just love it. You know, like, I work a nine to five, I teach at a college, I have simply cyber, I have a family, like I’ve got a lot going on. So I was just kind of making the content and engaging with people. But it’s interesting. Like, it’s interesting that you asked me that question today. It’s It’s October 2021. And I actually was just having a conversation with a good friend of mine who’s like a marketing executive at lesean. About simply cyber, like we’ve, I’ve basically started to hit like a threshold of there’s too much to do, and I don’t have enough time again, time is very, very important to me, I see these opportunities, I see these questions coming in, I have ideas of things I’d love to do. And I just don’t have the time to really do it. For example, I got I’ve been getting a lot of questions lately, of putting simply cyber out in an audio format. So like a podcast, right? And it’s not, it’s not new information. They just want me to take my youtube channel video and put it in a podcast and have it in two different mediums. Well, that’s a cool idea. It’s a way to get the word out in a different medium. Maybe I’ll connect with some more people. But but it’s work. And I don’t know if I have time for that. And there’s other things going on. And oddly at the same time, and I don’t know why this is happening at the same time. But at the same time, I’ve literally had five people over the last week, reach out to me independent of all of each volunteer their services, like hey, I’d like to be part of simply cyber, I will I will help you in any way Please tell me how I can help I want to help the way you’re helping others. And I’ve got like now I’ve got people who help moderate my chats during my live streams that I’ve trusted, you know, with a certain level of permission. I’ve got some people who want to do some other stuff like around the podcast and around some graphic design stuff. I don’t quite know how I can take

39:59

that Man, yeah, but and the flip side is, and that’s awesome. But managing people takes time as well. Right? So, so, so So yeah, you know, you’re at that point where, like your own success has put you in a position of, you know, having a, it would be fun to see, you know, is there any and again, it takes time and money to do these type things. But is there Yeah, I mean, I wonder if there’s a government grant program or something of that nature, you know, that could that could provide you with some, you know, because, like, what you’re doing probably is more significant than half of the other educational efforts that they’re funding you know, I don’t know if there’s any dollars out there to do what you’re doing through the government. But you know, I think they should look at it.

40:38

Yeah, that’s a good question. To ask you know, it’s um, you know, it’s funny like I’m actually so NIST the National Institute of Standards and Technology, they have a division called nice which is the National it’s like cybersecurity career education or something like that I forget exactly what the acronym is. But they reached out to me last year and I collaborated with them and I did a live stream event on behalf of them and they actually asked me again this year to do it so on October 18, I’m actually doing like a nationwide speaking engagement around the title of my talk is let’s get your let’s land your first job in cybersecurity. I think that’s the title of and but but in this always does these grants so I mean, it is a potential opportunity, but then, you know, even if I got the money even if you handed me like yeah 50 grand john, what do I do with it? You

41:25

know, yeah, it’s it’s still you’re still back to that same Yeah, your your, your, your finite limitations time? Yeah, with money, you’ve got to manage people you’ve got to match you’ve got to make decisions on how to spend the money and it comes back to time.

41:38

Yeah, exactly. And you know, so I guess long term, you know, what I would really like to do it would be interesting if I could get my current job at a you know, operating at a level that I really like right, like so the security posture of the organization because I was brought in to help them bring it to a certain level, it’d be nice to throttle back to maybe 75% f t have some grant money to cover that another 25% and then be able to kind of ratchet up simply cyber, it would be nice, like to give you an example of some of the things that I would love to do with simply cyber, I would love to have either another channel or another strip like to add to the programming if you will, I would love a daily threat Intel briefing that is either provided by me or if I have co hosts but like hey, here’s three here’s the three things in cybersecurity that you need to do today and it’s targeted for professionals who are in the who are in the space right hey exchange zero day we’re not doing three today we’re gonna only do one exchange here a day dropped, here’s here’s how you need to you know, patch it or here’s here’s what the exploit is whatever it is right? But like basically do that kind of like Daily News. tailored for cybersecurity professionals. That’s that’s like one idea also, you know, like the tick tock Instagram group so you know, having like a 62nd simple basic question answered every day, like what is the risk analysts do like boom, like 45 second social media posts, here’s what it is, but I don’t want to do anything. sporadically, right? So I like consistency. I like committing to a schedule and delivering consistency because people are creatures of habit and if you can deliver consistently, they’ll you know, they’ll, they’ll want to ingest it. Right? But if I’m just throwing stuff all over the place, it doesn’t make any sense. So I do have to be deliberate. But we just passed 20,000 subscribers on simply cyber yesterday. Oh,

43:30

yeah, I kept that I told you that was because of me right? Thank you, john. Yeah, that’s another 15% for 45 here’s the good news. I’m only gonna go up another four on something because I want to say a minority shareholder in this

43:46

so we’ll see i’d love I’d love to take it as far as it can go as long as I’m still helping people then you know it to me the more people I can help the better

43:54

I think which I think what you’re doing is is amazing. Alright, so last question. Give me a fictional character a real person you think would make an amazing or horrible see so and why?

44:08

Yeah. So you know, I think Michael Scott from the office would be like, you know, almost a prototypical terrible seaso and someone who would actually get the job unfortunately. So if you’re not familiar with Michael Scott, he’s basically kind of like under under qualified kind of moron who has been put in a position of management and power of an organization on the show the office but you know, a lot of times unfortunately, you know, cisos maybe they get put in because they’re the last person to you know, to not stand up or they fail into it or it’s a you know, they’re getting pushed around. And if I feel like if you truly don’t know what you’re doing, you can do a lot of harm in the cybersecurity office right? So you know, Michael Scott in that show, he’s a manager and the company continues to move forward despite him right but in the in the information section. office you have some serious responsibilities. you’re protecting Yes, you’re protecting the assets of the organization and stuff like this. But it can be really, really high stakes. And if you’re, if you’re a buffoon, like you really could cause serious damage, and I just want to point out one thing because a lot of people think like, Oh, you know, like, I work in manufacturing now. Okay, so like, what’s the worst that can happen? If you get ransomware? You don’t make a couple widgets today? No, it’s not quite that, like, think about the people that work there. If we get hit with a ransomware event significant enough, and we have to close the doors, that’s 1000 families that just lost their paychecks that’s people who are depending on money in order to like live so you know, and it’s because you were like haphazard, reckless with how you approach cybersecurity you didn’t take it seriously. So you know, and then it gets even worse as you get into other industries right, like oil and gas. We saw what happened in Texas last year, right? Can you imagine you know in a blizzard and you Wayland gas goes down because of a ransomware incident people freezing to death. So you know, so Michael Scott I guess to get back to your point is if if you’re if you’re a fool and you’re in a position of authority in the cybersecurity office it’s it’s it can be really dangerous

46:14

as a as a office fan and Michael Scott fan, I couldn’t agree with you more How can now folks it just simply cyber channel on YouTube is best way for folks to get in touch with you.

46:28

You know, it is I mean if they want you know, I engage with folks in the comments all the time, but I’m pretty active on LinkedIn, the social media site for professional so I do a lot of my posts in there. So you can definitely get connected with me there I do have a website simply cyber.io that has, you know, all my videos, plus all of those free resources I was mentioning earlier so if you’re interested in like getting access to a bunch of other people’s resources, I basically bundled them up and made them there. And you can connect with me there I have like email address and stuff like that. So I have a Discord server as well. If you want to get with me there I I’ve made it very easy to get a hold of me.

47:07

Awesome. Well, listen, thanks a thank you for coming on the show. Be I truly appreciate your contributions to the industry. I think they’re very significant. And I think you’re doing a lot of good for a lot of people. So thank you.

47:18

Thank you, john. I appreciate it.

You’ve been listening to The Virtual CISO podcast. As you probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.