    Episode 67

    Hack the Community with Phil Wylie

    EPISODE SUMMARY

    Phil Wylie, author of "The Pentester Blueprint," joins the 401 Access Denied crew to discuss pioneering methods to create a safe and supportive culture among hackers. We cover how to use gamified bug bounty challenges, mentorships, and free trainings to successfully impact recruitment and job satisfaction in the cybersecurity industry and help hackers develop their powers for good.


Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, then make sure to like, follow and subscribe so that you don't miss any future episodes. We'd love to hear from you: join the discussion by leaving us a comment or a review on your platform of choice, or by emailing us at podcast at Cybrary dot it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Hello everyone, welcome to another episode of the 401 Access Denied podcast. I am your co-host for the episode today, Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, and I'm joined by my co-host Chloe. Chloe, tell us what you do and a little bit about yourself.

Hi there, I'm the Chief Impact Officer over at Cybrary.

Awesome, and we're joined by a fantastic special guest today, which is Phil Wylie. So Phil Wylie, welcome to the podcast. Tell us a bit about yourself, what you do and some of the things you enjoy doing; it doesn't have to be cybersecurity related.

Yeah, thanks for inviting me to be a guest. I'm honored to be with you guys, and actually this is my second Cybrary podcast. I'm Phil Wylie, the hacker in residence at CyCognito. So basically I'm the internal pentester for the company as well as an evangelist, so I speak at different conferences and teach workshops on topics around defensive security. I'm a former adjunct instructor from Dallas College; I taught pentesting and web app pentesting there for almost four years. I do a lot of mentoring and helping people get started in the industry.

Fantastic, and you also have an awesome book as well. Tell us a bit about the book as well.

Yes, I have a book called The Pentester Blueprint, and it actually made its two year anniversary last month. It was based on a lecture that I did for my pentesting class when I started teaching back in January of... The very first lecture I gave was on what it takes to become a pentester.
By November of two thousand eighteen I had turned it into a conference talk and gave it at our local BSides conference. I gave it several times after that, and then I was in the Tribe of Hackers Red Team book, published by Wiley Publishing, and they reached out to me and asked me if I was interested in writing a book, and I had the intent or desire to write a book based on the Pentester Blueprint book. And so basically the book not only tells you about the pentester role and what it takes to become a pentester through prerequisites, different certifications and education, and education resources around that. There are a lot of great books on the skill of pentesting, but no one was really showing what the prerequisites were. And actually it was really one of the first books of its type in cybersecurity telling people what it took to get into cybersecurity, outside of just teaching the actual concepts.

Fantastic, and that's what this episode is all about. I kind of gave it the title of, you know, Breaking Bad versus Breaking Good, and one of the reasons for that is that over the last couple of years I've been interacting with a lot of, say, the malicious side of the hackers, those who have been acting with malicious intent. And what's happened is we started seeing a lot of rehabilitation. We started seeing them looking to change their ways and start to use their skills for good. And that's one that's really important: most people need to understand that not all hackers are bad. The majority of us are, you know, there with good intent, to make sure that we're helping organizations, we're helping protect society, and making sure that we reduce the risk from as many vulnerabilities as possible. But one of the biggest things we're facing is really the skills and people shortage; we're having a massive gap.
You know, it might be impacted by the Great Resignation we're seeing, you know, the pandemic, a...

    00:04:00 - 00:07:59

...lot of people changing roles. But one of my big problems is that I would really want to make sure that those who are starting off, or those who are really exploring their skills, have a path to using them for good, a path to a job and a career. So one of the things is that the entry level, unfortunately, for crime is way much lower than it is to get into the industry. What things can we do in order to make that a much lower barrier? How can we make sure we attract more talent to choose the good path versus the bad path?

Yeah, I think one of the things I really like, and I used to be a Bugcrowd ambassador, and actually that's how Chloe and I met, it was through Bugcrowd. One of the things I liked about Bugcrowd was the fact that people could get jobs using pentesting type skills without having to go through the normal way of getting into the industry, because in some cases they expect you to have years of experience, and that's one of the things that makes it more difficult. So those options, like bug bounty programs and pentesting as a service like Cobalt and Synack offer, are great ways for people to get in. But we need more opportunities like that. And you mentioned the thing about the crimes and stuff. I think that's one of the things: I think we need to forgive people for some of those crimes and realize people make mistakes. Everyone makes mistakes and should be given a second chance, because in a lot of cases, if you're desperate for money, I don't care who you are, you'll do just about anything you have to to feed your family or take care of yourself. And so I think we really need to learn that we can forgive people. And when people have the opportunity to make money, they're less likely to do those types of things.
And usually it's because they have to, not really... because, you know, there are some people that like crime and they just enjoy those types of things. But in other cases, I think most people want to make an honest, legal living. How about you?

Yeah, it was so funny, because right when Phil was jumping in I was like raising my hands, saying, oh yeah, that's how I met Phil, through bug bounty. But yeah, I know. The reality is that when I worked for a bug bounty company, it made me really realize there are thousands upon thousands of people that deserve to have a role in cybersecurity, but they're told they can't because of their past experience, or because they don't have a college degree or a certain certification, and not everyone in the world has the opportunity to do so. So of course they're going to find a way in using their skill set to pay for things, to have a living. A lot of the bug bounty hunters that I talked to that were previously criminal in their activity, what they were doing was that they had to make a living because no companies were going to hire them, so they started doing all these malicious things to get paid so that they could put food on the table for their family. I remember this one case, this guy, he was basically taking care of his parents and all his siblings and he had to try making a living for them at the age of, like, sixteen. And I just couldn't sleep during that, because he was just worried that he was going to be taken from his home and then no one was going to be able to provide for the family, and then they would end up in the street. And so when he found out that there was a legal way to do this, then he went to bug bounty and started doing that until he could find a job. And it took him a couple of years to get a job because he didn't have a college background. So it's one of those things. I also think about our US prison system. We also go, oh, they're going to repeat when they leave.
In reality, the only reason they're repeating it in the majority of cases is because they can't get hired. And so it's like Phil mentioned, how do you change society to accept that...

    00:08:01 - 00:12:03

Absolutely. Many of the former, you know, criminal hackers end up being consultants and working from their cells because they just can't get jobs within the industry, because the industry kind of holds that against them. And I think it's sad. And I remember cases I've seen in the UK. The UK actually has a rehabilitation program to take juvenile cyber criminals and start looking at using their skills for good, and start getting them integrated into the industry and helping them on a path where they can actually be helpful. I think that's something we should look at from a global perspective; I think all countries around the world should really be looking at that. Especially, I think, when I started my career there wasn't any good way to test your skills. Everything was done out of curiosity on live systems. But the great thing today is that you've actually got a lot of great platforms out there to do simulation and gamification to practice your skills. So the great thing is that we want to make sure we point them in that direction. If they're looking to test and learn and explore, we should make sure they have access to the platforms which don't break the law, which allow them to really enhance their skills. So for me, I think there are multiple challenges that we have: rehabilitation, and making sure there is opportunity for those who have swayed to the criminal side in the past, and making sure they actually have a way to contribute to society going forward. We should never exclude them forever. There should always be a path to contribute.

Yeah, I totally agree. One of the things that I think is another barrier is the price of some of these certifications and security training.
I mean, if you look at the ones like Offensive Security, which is less expensive than SANS, that's still two or three thousand dollars to pay for the training to get through that, and so many companies are so dead set on needing a degree or certification to get jobs, and some of the best pentesters and hackers I know in the world have zero certifications. You don't necessarily have to have them. Companies just have to find better ways of vetting their skill set and giving people a chance.

Absolutely. The certification challenge we have in the industry needs to be changed. I would love a lot more opportunities for things like, for every one that an organization buys, they get to give one away for free. We should look at the certification industry to define entry-level ways for people to get free education, free knowledge, and if they don't do it, there are going to be other innovations and other new startups and other ways to find that. But you have to make sure that certification is not the barrier, and it should not be, because absolutely, Phil, for me, a lot of the people I know in the industry have zero certifications, didn't go to university, didn't go to college. Their knowledge is all self-taught, and that's what you really want. You want people who have the drive and passion to learn, and who go and spend their own personal time in order to get the skills and enhance those and really become the best that they can in that area, without certifications. I think that alone is something that we should value, and we should have a way to measure it. I think that's one of the things we're missing, a good way to measure that skill, and to make sure organizations have a way to get the right people and not just go after those who can afford it.
So you're talking about basically some processes. I've seen that people use different companies' platforms to vet, and you see some companies like Synack and even Cobalt have challenges set up for people to try those challenges, and then they get access to the platform.

    00:12:03 - 00:16:02

Another company has something really creative too, a consulting company, Praetorian. If you go to their website, I haven't looked at their site in a while, but if you go to their website and you're interested in careers, they have challenges on there. So they have these different hacking challenges. If you solve those, you submit it and you'll be considered for employment. So I think more companies need to do that, have those little challenges on their careers page and let people go out there and solve it. If they solve it, they apply. If they don't, then they know what they need to do next. Maybe even give people some guidance on what skills are required to pass that challenge.

Absolutely. One of the things as well that I get really frustrated with, Chloe, what are your thoughts on this, one of the challenges that I've seen as well is not only with certifications, but also with job descriptions. It's crazy. I don't know who's creating the job descriptions or who's writing them, but I think no one can meet the skills in those job descriptions, even with years of experience and tons of certifications. Any thoughts on the challenges that come with not just certifications, but also the job descriptions as well?

I wish I had vodka in here and it was the evening. But I'm going to be honest. The reality is that with our job descriptions there are so many issues. The first thing I would go with is years of experience: get rid of it. You don't need to have that on there. Just state what the skills are that you need to know beforehand, and then what the desired skills are, and by desired skills I mean things that you're going to have to train them on no matter what.
Now, one of the things I always have a problem with when it comes to job descriptions is that it's usually written by someone who is trying to fill a position using the history of the previous person who sat in that seat. So the problem you're going to get here is that sometimes you'll get job descriptions that will legit say guy or man in the job description, still to this day, because they're hoping to fill that position with another guy. And it's not a problem at all, but when you're someone who is, you know, a person of color or of a marginalized gender, you're going to have some problems applying for that job. And so I think what we can do is shorten it. I really like how CyberSN does it. I don't know if you've been on their website, but basically they have this template for all the companies when it comes to a certain job title, of what the requirements are that you need to know and what things they're going to train you in. I really like that approach, and I think that we could do a better job on job descriptions. But also note that when you hire people, don't expect them to be able to do everything when they first get in. It is your job as an employer to continue training. At most companies it's three months of training. So you are investing in these people you're onboarding. Don't just bring them in and then, like, have your way. That's not how things work. And we have to do better on that front. We have to keep training people. It starts even at the onboarding process.

Absolutely. Phil, any thoughts on that topic as well, around job descriptions and also continuous training?

Yeah, I agree with that, because some of the job descriptions are kind of ridiculous, and sometimes the people who write them have no clue; it could be HR. They really don't have any idea about the role.
I was a red team lead at a global consumer products company a few years back, and one of the things I noticed, we were trying to hire another red teamer in India, but the job description was so vague. It really didn't, because for actual, true red teaming you need a network pentesting background. Web app pentesters, you could teach them to be red teamers, but it's going to take a little bit more. You really have to be heavier on the infrastructure side as well as social engineering, that type of thing. When I looked at the job description, there were no mentions of Active Directory,...

    00:16:02 - 00:20:03

...nothing about network pentesting. We were getting a bunch of bug bounty resumes or web app pentesters. And this was a senior role too, so it wasn't like you could bring in someone and train them up from this lower level. It was a senior level role. And I see that with a lot of these descriptions, that the descriptions aren't created properly, the details of the job and stuff. Sometimes it's just something... I've seen job descriptions where companies so blatantly copied it from some other company that they forgot to change the name in the job description. But yeah, there's this laundry list of stuff they want. It's kind of ridiculous; they're looking for these unicorns. I mean, this has been going on for years, because back in my IT days I was a sysadmin and I was looking at different job descriptions out there. This one company wanted someone that was like a Cisco expert plus a database administrator. You're not going to be a database administrator and be doing this Cisco stuff. You're going to specialize in one or the other. But yeah, we've got to do a better job of doing that. And I like what Chloe was mentioning about CyberSN, or whatever the company's name is, the descriptions and what you'll learn there. I think that's good, because if companies show what you can learn there, you're going to draw more candidates, because people want to go somewhere where they can learn and they can grow. You know, one of the biggest reasons people leave is they get bored and they're not learning. They'll go somewhere else. It's not always about money, but at the same time, too, I think we should make sure we're paying fairly, because one of the things that's a big pet peeve of mine, having a lot of former students and even seeing family members go through this, is where they go to work for a company and they start out at that entry level sixty a year, uh, wage, but then they outperform their co-workers.
And it's a company that basically pays on tenure, so once you've been there three years then you can get promoted, but you can't get promoted before then. But yet this person is doing triple the work that everyone else is doing. So just the way they gauge and reward people is kind of ridiculous. And another thing to mention, to add to Chloe's comment about the job description mentioning guy or something: if you see that in the job description, avoid that company at all costs. If you're female or someone who doesn't fit that description of that role, stay away from them, because it's not going to be... don't do it either.

Yeah, we should be. Yeah. I was just going to say, the one thing that I really like is when they do job descriptions and then they put the expected salary, because I always feel like they always say, oh, the reason you're not getting paid more is... and there will be someone who will do so many things but doesn't get promoted because they're so good at doing all those things, and then their salary doesn't increase. And that's the thing that always bothers me, because they throw it on the person, saying, oh, it is your fault, you didn't negotiate better when you started. And I just feel like that's unfair. I think we should state what the salary is, then there's no surprise complaining.

Yeah, I was just going to add to that. One of the things I've seen as well is that companies, we used to have that challenge because it used to be very location specific as well.
So you would work in a city, and maybe there wasn't a lot of jobs in that city, and this is what you'd be able to get. And over the last couple of years, of course, with the acceleration of remote working and people being able to work from different locations around the globe, we've seen that Great Resignation, where people who may have been stuck in those jobs have now been able to get opportunities across the world. I'd just like to get your thoughts around that: are we starting to see, what is the retention period of those...

    00:20:03 - 00:24:00

...employees, because you're going to find better paying jobs very quickly, even with just a few years of experience. Are we starting to see companies struggle with retention because of this? Because companies are offering bigger salaries for people that are basically just getting that first few years and performing really well. Just your thoughts around that as well.

I feel like I'm being Hermione Granger right now in Harry Potter. Please pick me!

Yes, go ahead, you're on.

Oh jeez. I think the Great Resignation was showing, like, you're going to force people to come back into the office? That ain't happening. And then now they're like, okay, okay, you don't have to come into the office, only like a few days a week. Also, I'm going to hand Paul's work over to you on top of things, because Paul is leaving. And then you're like, great, and then, so on, Nelson, and I'm going to hand you Sarah's work as well, Sarah is leaving. The reality is that it's not really called quiet quitting. The reality is that people will leave if you do not invest in them. If you have poor leadership, they will leave. If you don't believe in them, they will leave. If they don't see a future there, they will leave. If they want to do things outside their work and you don't let them, they're going to leave. If they are a blue teamer but want to learn the red side and you're not allowing them to take that SANS training course or anything like that, they're going to leave. If you don't listen to your people, they will leave. That's where we are right now. We have a huge retention problem. This is the worst I've ever seen it. I don't know a single person in cybersecurity who isn't open to looking elsewhere. And that's when you know we have a problem when it comes to leadership. It also means that we have a problem when it comes to over-demanding things as well on security people.
But also we're not investing in them, and so they're leaving in herds, and not just that, but we also have layoffs happening across tech companies. Like today there was a big announcement of a large tech company doing a massive layoff of its workers. But the good news is, like, the security team was still safe. So the good news is that when it comes to layoffs, security teams tend to be more safe than other departments, but they also seem to be the one department that could use some help and assistance and some respect to all. Mic drop.

Yeah, one of the things I just see the biggest problem around is the entry level, more junior level folks. They come in and they're being held back and not trained, and there's no opportunity for growth, and you can't blame them for leaving. You're going to have those people leave. And I encourage anyone I talk to: okay, have you been at your company X amount of years? You're no longer entry level. So if your company is not going to pay you the way you should be paid, then you do need to move somewhere else. I mean, it's sad it has to be that way. One of my former colleagues at the college where I taught was part owner of a consulting company. He was always complaining to the students about job hopping. But it's like, you can't blame them; if you've got to make more money, why would you want to stay? What is the reason to stay somewhere? You know, the loyalty usually doesn't go both ways. If the company is loyal to you, then if you feel loyal to them I can understand, but you just can't be held back. And I think too many companies are making that mistake, and, to be quite blunt, they're getting what they deserve when people leave if you're not taking care of your employees. When you see the money that these companies are spending on CEOs and all this, and the things they're spending on buildings and stuff.
I worked for a mortgage company back in the late eighties, I mean late nineties, up to two thousand twelve, and when we were moving into a new building it was just kind of one of the things where priorities get put some...

    00:24:00 - 00:28:06

...times. And this is not even just around people, but just showing what they prioritized as far as where the budget went. We were moving into a new building. Gigabit networks were out. We moved to this new building and we kept our hundred megabit network, but yet we had this huge Remington statue in the hallway where you come into the building. You have these leather chairs in the boardroom and all this stuff that's really... there's no ROI on it, no justification. We're not going to put the money where you could process loans faster, you know, a faster infrastructure. So that's a lot of cases with the people sometimes too. There's such an imbalance in what people are getting paid. And I wish I could think of the name of the company, but there's this one company where the CEO actually took a pay cut or a bonus cut to raise everyone in the company up to at least seventy seven thousand dollars a year. And what they noticed... that guy is awesome, I love following his Twitter. The employees actually all pulled together and bought him a Tesla, because when you show respect for your employees, the respect is going to be returned, the loyalty is going to be returned. They're going to work harder.

Absolutely, and that brings up, I think, one of the things I find in our industry, which is that if you don't do continuous learning, you'll fall behind. That's definitely one of the things. I've been doing this for so long now, it's over twenty years, and when I started my career it was completely different to where I am today, from the technology I'm using to what I do day to day, and so if you stop, you stand still.
That's one of the things organizations need to understand in this industry: you need to invest a lot into training, continuous training for employees, to make sure, one, that they feel valued, that they want to stay, because that's actually part of the passion, that's part of the value. In addition to that is continuing to invest in the employees. I find that if you look at the average employee in our industry and you try to guess the training budget applied to that employee, it is so tiny, such a small part of the organization's actual investment in people. I'm thinking that organizations need to be thinking that this needs to be... the employees actually value that the salary they're getting should be invested back in, because that will definitely help you grow and help make sure the employees are actually going to be retained. I think that's one of the things that we're missing, to make sure that we don't forget that this is not a job that stands still. This is a job that is continuously evolving. The threats change. As we do digital transformation, as we do cloud, cloud workloads, different platforms, different technologies get introduced, we need to make sure we stay up to date with that. And for organizations who don't invest in employees over time, the risk is going to keep increasing if you're not investing correctly. So I'd like to get your thoughts, Chloe, around the lack of investment that companies make in employees when they're on board.

Yeah, exactly, I will do so. But I just want to quickly... I just looked it up: it's Gravity Payments as a company, and his name was Dan Price, the person who did all his CEO cuts so then everyone could make at least a minimum seventy K. Awesome person to follow.
He sticks to his values, you know, which we need to see in leadership. That's how you build trust, when leaders share their values by doing the things that they talk about. They take action on it. And that brings me to my first point. So I'm going to tell you about a case, and this is a very common case. I'm not going to mention the company or anything like that. So there's this company where a good number of the individuals on their security team use Cybrary for themselves outside of...

    00:28:06 - 00:32:00

...work because their boss didn't want to give it to them. So the boss basically said, or has this case that, if I train them, they will leave. After talking to his colleagues that are, you know, using Cybrary for themselves, they're all planning to leave. That's why they're on the platform, because he's not investing in their future. So that just shows you how...

How often does this occur?

Oh my god, I would like to tell you it's every single day. Every time I go to a conference, I bring up a conversation with certain CISOs about, like, hey, what about training your team? They're like, oh, they're going to leave if I invest in them. And then I'm like, okay, so what are you doing for your risk audits? What about cybersecurity insurance? Because if you have a breach, they're not going to cover you if you're not, you know, ensuring your team is up to date on your training. And that's one of the things... I remember right when I joined Cybrary and I went to the RSA conference, and for the first time in my life I started hearing that myth, and it drove me up the wall, because even in D&I the whole practice is, if you want to keep people, continue their education, and you have so many leaders that are afraid to provide it because they're like, they're going to leave if I do. Which is disheartening to think of, because there's not a single piece of evidence out there that that is actually a true thing. If anything, if you invest in their future and their education, they're going to stay.

Absolutely. And people will always stay around people who value them and invest in them. That's kind of where you get loyalty from, when you find that people are investing back in you and spending the time.
You want to stay, you want to keep doing that. Phil, any thoughts from you around that, as well as, you know, the training and the balance that we have, and how we should keep employees, investing in them?

Sure. One of the comments I'd like to make to start out is the fact that if you're not training these employees, they don't have the needed capabilities down the road. I had a friend who worked for a company and they got heavy into the cloud, and no one on the team had any training on cloud pentesting. They had an all-hands meeting and the CISO was kind of berating people for not advancing and learning. But whenever your budget's constantly being cancelled and you're not providing guidance... we need to do more than just that. I think you should give the employees some freedom to pick what they want to, but also kind of give them some guidance. Here, you've got this amount of budget, take whatever you want. Here's this other budget: we're moving towards cloud, we're going to use Azure, so we'd recommend you get some Azure security training. As for your training, you kind of guide them, because in a lot of cases some people need mentoring and help, especially earlier in their career, to kind of guide them on what to learn to help them grow. But whenever you don't train the employees, it's... I forget who the quote came from, I think it was Steve Jobs or something, where they said, what if you pay them and they leave? And he says, what if they don't? So if you keep people that are not growing and getting better, then you're just falling behind.
And that brings up another great point as well: if you've got people that have been staying around for ten, fifteen years and you're not investing in them, you could actually find that people who are coming in, who've got one or two years' experience, are up to date, current with the latest technologies. And actually, their value might be much greater today, somebody who has one or two years' experience with cloud security or CASB or access controls, than somebody who's been around for fifteen years who just hasn't invested in themselves or had the company invest in them either. So that's some of the things that we also have to look at as well, as...

    00:32:00 - 00:36:01

...that's sometimes, you know, getting somebody with only a few years' experience might significantly add a lot of value to the business as well. And I think you want to encourage that culture of learning. If there's no training budget, there's no encouragement to learn, then they're not going to learn. And a good example of what I saw of someone doing this the right way: I was listening to Rob Fuller's talk at Texas Cyber Summit recently, and he was talking about his red team. Every Friday towards the end of the day, they get on Hack The Box and they practice, you know, doing CTF challenges on there to help hone their skills. So I mean, this is a creative way outside of just taking a course. They're constantly practicing and learning new skills, and they're doing this during business hours, and that's fantastic. I think that's what all companies should be doing. I was just gonna say, yes, when it comes to education, you need to have a good strategy, like what Phil mentioned, like doing Friday afternoons as your training pool. That's really good. Also tie in why they need to do it. So if you just say, okay, you're going to take this course, it's like, cool, what does that have to do with me and what I do? So you have to find something that engages people, because no one wants to learn something that they don't want to learn, especially if you're someone who's like, I need that dopamine hit to be able to learn something. Right? If we can't get that dopamine hit, we're not going to want to learn something. So make it out as if it's a mission for them to learn it. You've got to tell them why, and then set it up for success: here are some KPIs for doing it, here's how this is going to matter to our team and our security in the long run, how this will go back to your job and tie into your role. And always open the floor up and ask them, what do you think we need to learn as well?
And I think what Phil mentioned, which is practical exercises like CTFs, those are great because you're gamifying what you just learned. I love that right now. I love CTFs. It's my thing, you know, I spend a lot of time on them. And Phil, to your point, one of the things I really liked that you said as well is, you know, doing those simulations, that's a great way for team building. And one of the things is that this industry is very stressful. There's a lot of burnout, there's a lot of stress, long hours. When incidents happen, it's chaos, it's basically working long hours, long days, and sometimes sleepless nights. And I think we really need to bring in a lot of fun and team building, and I like those types of things where you bring the team together and have them train together, especially if you've got red teams and blue teams and you're actually mixing that, or you're simulating an incident and so forth. It can make it a lot more fun, and at the same time it actually gives you simulations and gets the team practicing real events. I think organizations should be doing a lot more of that style of activity. And I think something that's very cost effective is cross training, to let people go shadow someone else for a week or two to see what their job is like. Because if you're passionate about what you're doing, you're going to be passionate to learn, motivated to improve, and so maybe someone finds out what their true interest is. There was a guy that was on my team a while back at this bank I worked for. He started in IT, and he was taking some SANS courses for digital forensics, and he decided one day, I think I'm gonna take a pentesting course to help make me a better digital forensics person.
And when he took that, he found out he liked pentesting a lot more, and he totally switched careers. And now he's got a ton of... not saying you have to have a ton of certifications to be a pentester, but he's got a lot because he's invested that much time in his education. Absolutely. And that brings me to an important point as well, which is that one of the things I love about the...

    00:36:01 - 00:40:02

BSides events is when they do the pairing of experienced speakers with new speakers. What I'd love to see in our industry is a lot better organization of, basically, matchmaking between mentors and new entry people who are looking to get into the industry. I haven't seen anything really official around it. I've seen bits and pieces of it, you know. I do mentoring of speakers for some of the BSides events. I've done a few other hackathons and so forth, but I'd really love to see a much more well-organized establishment for those who, like myself and Phil and Chloe, all of us, want a way to give more back to the community and mentor, and have a way of matching and getting mentors in certain areas. Maybe somebody's looking to get into Capture the Flag, or somebody's looking to get into pentesting or digital forensics or education or whatever it might be, but finding a way to match them with those who can help. Because even today I have my own mentor that I've been going to in the industry for a long time, but I would love the opportunity to mentor a lot more people. So any thoughts around that? And I know, Phil, you've done quite a lot of mentoring as well with the students. Is there anything that we can do as an industry to make that much more, let's say, easier for those new people, whether they're starting their career or mid career, looking to really accelerate and get guidance as well? Yeah, I would encourage anyone to reach out to people, whether or not they're actively saying they're looking for people to mentor.
Because one of the things about my mentoring style is I kind of like to mentor a lot of people, and I'll spend more time up front, and then just periodically we'll exchange text messages or emails or calls to kind of discuss things, but just kind of help them get set up with: here are some good materials to study, here are some good conferences, different groups to join, to kind of get them started. But definitely reach out. Some people don't always have enough bandwidth to mentor people, but most people have fifteen minutes or an hour. And one of the things I would encourage is, the way diversity is good for organizations and good for the industry, diversity in mentors is good too. Not only gender, race and all of this, but just having a diverse number, having multiple mentors and not just really depending on one. That way you're getting different opinions, different resources, and things that you may learn better from one than the other. But I would highly encourage you to reach out to anyone. And as for me, I've got at least a little bit of time for anyone that wants the time. And I also want to encourage anyone out there that if you're not mentoring, you know, do some mentoring. That doesn't mean that you have to spend an hour a week each week or whatever, just whatever time you can do. I mean, one of the things on Twitter, there's the Cyber Mentoring Monday that they do periodically, where they send out the tweet on Monday and people looking for mentors will reply. So if someone is interested in mentoring, just kind of monitor that and see who needs help with some mentoring and help out, because it's a very rewarding experience. And if you haven't mentored, I highly recommend it, at least give it a try, just for the experience of helping others.
You know, like they say, it's better to give than receive, and you just get tenfold of what you're giving when you help others. Any thoughts? Yeah. So my co-founder and I, for We Open Tech, we did a talk at RSA Conference that breaks down what mentorship is, how it works, and the best practices. So I really encourage people that if they want to go into mentoring themselves, to check it out. It's really important that we learn best practices, because I'm one of those unfortunate people, with other people, that had a mentor at one point, or a couple of mentors at one point, that...

    00:40:02 - 00:44:00

...were using it to boost themselves up in their career. So basically they use you and your image to increase their opportunities, or they want to have a relationship or a romantic relationship with you. So it's one of those issues that I have found, and other people I know have gone through, and so I took a break from getting mentored by anyone, because I was so afraid that those things would happen again. So one thing I really recommend is checking out a couple of different organizations. So Diversity has a mentorship program, Diana Initiative has a mentorship program, so does WiCyS. These are great organizations to get involved with, so then you can be matched with someone. But also internally, you should all have a mentorship program, because it could be really good for everyone. At the end of the day, it's not just like, oh, we just need to mentor women. It's for everyone to participate. If they want to learn something new from one of their colleagues, or something that's across departments, this gives them an opportunity to learn from you. And also, if you're reaching out to people for mentoring, please don't send a message saying, hey, I would love for you to be my mentor. Tell me why I should invest my time with you. Why are you coming to me in particular? What is it that you're looking to get out of it? So when you do send those emails and everything, make sure that you are being direct about what you're looking for, and when you reach out to people, state why them in particular. That will help you out a lot. Absolutely, be very clear on what you're looking for. That definitely makes it a lot easier to make sure you're getting the right person and the time is being valued.
So absolutely. I'd like to kind of cover some of the... as people are coming down this path and they're going into their career. One of the things is that I come from old-school education, really kind of the industrial side of education, that's my background. But I was always one for reading and learning and learning from others, and spending time trying to find new ways. Are there new ways? Are there new kinds of startups or new techniques or new methods that are really helping accelerate the path into the industry as well? Is there something that we're starting to see? What I really enjoyed, you know, Phil mentioned earlier the gamification platforms, the bug bounty platforms, which are a great way, and there are different levels of entry in bug bounties as well. You can go for some easy wins versus some of the more complex ones. Are there any new technologies or training methods that are really helping make sure that we can accelerate to where we need to be? Because I just feel that every year we're falling slightly behind with getting the diversity, getting people from different backgrounds as well, people who are good at communicating, people who are good at psychology, who can talk to users much better. Because cybersecurity, in our industry, it's not just about technology. That's what we sometimes have to remember: it's not just about the tech, it's about processes, it's about business, it's about people, and we have to make sure that we go beyond that. So it's just interesting, both Phil and Chloe, are there any new ways that we can start looking at that can help make sure we're accelerating and closing that gap in the future?
I think one of the platforms I really love is TryHackMe, and Hack The Box, since it's kind of hands on. And when I'm talking about Hack The Box, their new Hack The Box Academy, because of the method they use, and TryHackMe is similar: you'll go through and read a few paragraphs of how to do a certain task, and then they give you the task to perform. So I've seen some things that are kind of overwhelming, where you're thrown into a CTF-type scenario with a vulnerable VM or something. They give you directions on what you're supposed to...

    00:44:00 - 00:48:01

...do, but no guidance on how to do it. With both these platforms, they'll show you how to do the first thing, and they build on each one of those tasks up until you're doing a bigger task, and you're actually performing it hands on in a simulated environment. I think those are some of the best ways to do it. It makes it more interesting than just trying to read a three or four hundred page book. Because one of the things, when you mentioned the older ways of education, where I think it kind of fails is, your traditional universities typically don't get much hands on. It's mainly reading and theory. And I ran into a student a few years ago, back when I was first starting to teach, and he was asking me, why do my friends with two-year degrees find jobs in technology or security more easily than I do with a four-year degree? And part of that is that usually the two-year degrees focus more on hands on. You don't have as much time, but it's really lab heavy and they're getting the hands on. So that's one of the things that they're kind of missing at the college level. And I think this is just really a good way to learn, to make sure you're emphasizing hands-on methods to actually learn the skills. The methodology is important, but we need to apply the methodology. Absolutely. Chloe, any thoughts around that as well? Yeah, I would say apprenticeship-like programs are really good, like Phil is mentioning, where we have people that we can shadow and learn straight from. That's gonna be really great. I think having a day in the life, where you go around with someone for a day or a week to get an idea of what that job entails and things you need to learn, is great. I think one thing is that we are overwhelmed with all the things that we think we need to know before we get started, or before we can become good at that area. And there's a lot of misinformation out there.
Like, you go on YouTube, you're gonna watch the videos that talk about, oh, this is the way of becoming a pentester. In reality, Phil's book is probably the better one, and so it really depends on the person and their learning style. For me, I have to read it and experience it to know what to do. I can watch videos of people doing it, but it just gives me an idea; it's not training me on how to do those things. But being there physically with another person is much easier for me. I have to experience it to know it. So that's why labs are really important. At Cybrary we have labs on all our courses, and that helps us go from reading something or watching some video to being able to know what do I do next. So I think it all depends on learning. But the more interactive the better. The more you gamify it the better. Any way that you can increase dopamine for everyone is the way you win the game. Absolutely, the more you make it community based and gaming based, that's when you give people rewards back for the progress that they make. I think that really gets exciting. And for me, what Phil mentioned about TryHackMe, I really think for entry-level people TryHackMe is fantastic. It's just that step by step, it takes you step by step through the process to train you in their specific tracks or certain areas. To Chloe's point as well, there's the Cybrary platform, where you get the instructor-led approach, where you get an actual person training you and taking you through it as well, and then Hack The Box, which I would say is a bit more advanced, towards the exploratory side of things. You're not given the exact steps, but you have to explore, and not every solution is the same. So there are very different ways of kind of going through.
But at the end of the day, absolutely, it's getting a gamification, getting a challenge, either teaming up or deciding to go solo. But it gives you a kind of progress. It gives you simulation, and a lot of times they're pretty real-world scenarios. Some of the things I also really like today is there's a whole new generation. You know,...

    00:48:01 - 00:52:00

I come from the old times of blogging, where you write a blog and post it. Or we're doing the podcast and we release it so people can listen to it while they're commuting. But I really love the new age and generation of content creators, where they're spending an hour a week and just sharing their skills. I even think hacking esports is going to be taking off, where people will be paying just to watch people hacking and showing off their skills and learning from that as well. And they also become the mentors. So I think there are a couple of definitely new ways that we've all kind of looked at. Well, definitely. I think the more people get involved in them, the more people are aware that they're available. And I think also, for those that might be considering this, that are interested in this area and they're going on YouTube and they're watching videos and they're learning these skills, and they might download Kali and start playing around, I think the more they're aware that there are platforms that they can use, which is not going to lead them into illegal activities, versus going and testing it on legitimate companies. I think that's one of the things we have to make sure of, that people are aware of these before they start going down that path of illegal activities. So I think that's one of the things: more awareness of these capabilities and platforms before people take the wrong path. Yeah. Just one comment I wanted to make on Hack The Box: the Hack The Box Academy actually provides the step-by-step part of it now, as part of the academy. Yeah, they have both options where you can get the guided steps.
We can actually go through a lot of the retired machines that have walkthroughs, but those active machines and the challenges, you either team up with people or you go down the path on your own, or, you know, like I do sometimes on weekends, where I'm looking at the challenge and I'm just like, I have no idea where to start, and you'll have to go off and learn. Something I think it was the last time I was hitting my head against the table was server-side template injection with Flask. I know nothing about Flask, and that for me was something I had to go and teach myself: install it, find out what the default configuration is, and try to understand it by actually installing it and going through the process myself, and then starting to see it from, you know... It's almost like looking at a house from the outside and trying to determine how the rooms are configured. And that's some of the things, that exploratory side, that gets you into the mindset as well. I think those are some good ways of challenging yourself and learning. So I'd like to ask, for those who are listening in to the podcast, who either might be starting their career, this is their first kind of... they're interested in learning, or they might have already got the basis of skill sets. They've been watching tons of YouTube and Twitch, and they might have watched a lot of videos with The Cyber Mentor or IppSec or John Hammond or whatever it might be, and they've been really interested. It's a path that they want to go on. Or somebody who's mid career, and maybe they're a sysadmin or maybe they're in IT, or maybe even an accountant, or somebody who's in psychology or other areas.
For those who are looking at this industry and considering getting into it, what kind of words, what wise kind of path would you recommend that they go and start off with, or kind of how to start looking for jobs, how to get into the industry and how to really evolve and get their career accelerated? Yes, so, as you mentioned, some of those other resources like John Hammond and...

    00:52:00 - 00:55:59

...The Cyber Mentor, their content is really good. I would say look for the free and low-cost type of content. And also, I would say if you're wanting to be a pentester and that appeals to you, do that. But I would encourage you to check out the different areas of cybersecurity, because you may find something that you like better than that. And if it's something you really like, you can be passionate, and you're going to be willing to put in more time and effort to learn. So I'd definitely explore the different options instead of just being set on one. If it's something you want to do, do it. But I would also encourage you to look at some of the things, and if you go, as you mentioned earlier, to the BSides conferences, those are either free or very low cost. Then you can go see some of the different talks there over the different disciplines, and then maybe find an area that you would be more interested in. Absolutely, very wise. Chloe, any thoughts as well? Yes, read the first Tribe of Hackers book. I guarantee you that's going to give you a really good idea of what kind of things are going to be good for you, or things that you may have a similar background on as one of the people in the book. But also check out Cybrary. We did some webinars that I recorded and posted on our website that do role dives of various different roles to get into. I think that's really good to know, like what you need to know, what the every day looks like for that role. I think that's the thing: it's like, come and join us, and then they're like, okay, you get certs, but then they don't know what job works for them. So for me, I'm always thinking, first, think of your background. Are you one of those people that, when you're playing chess, are you defensive or the opposite? Are you one of those people that want to learn how things work and then how do you break it?
Then maybe red teaming might be good for you, pentesting. If you're someone who is more like, how do I protect this from someone who may try to break something? You might be a blue teamer. And then there's also purple team, which is when you're like, you know what, I kind of do both. So there are so many options out there, no matter what your background is. Even if you are in marketing and you're trying to get into something new and want to get a technical role, just go apply for a job in marketing in cybersecurity, get your foot in the door, learn everything you can about the industry, and then start training to get that technical role. There's always a role in cybersecurity, and sometimes the fastest way to get there is first getting a role that's connected to the one you already have, in a cybersecurity company, and then moving over. So don't give up. Enjoy your research, experience things, talk to people in that role and learn if that's the one for you. And if you do something and it didn't work out, cool, you try something else. Life is an experience. Absolutely, absolutely. I mean, that's an important thing: cybersecurity is not just one role. It's an entire... so many different roles, to your point, that you can even be simply in marketing, which gets you the entry point, gets you familiar with the verbiage and the terminology and the content, through to cryptography, which is more maths based, or to pentesting. To your point, you made me laugh about the chess side, because I myself, I'm a very aggressive attacker in chess. I was always going straight for the checkmate, which is not always the best approach, but it's just my style. But to your point, absolutely, it's important also to find what you're passionate about, what you enjoy doing. That's what's important, because, a little like myself, this is my hobby that I just happen to be doing as my job.
And for anyone who's getting into the industry, I think also find your hobby, find what you enjoy doing and make a career out of it, because that's where you start really getting passionate. That's where we have fun, that's where you enjoy it, and that's where you yourself can make...

    00:56:00 - 00:59:59

...or that you're surrounding yourself with like-minded people, and also people who don't think like you. Diversity is also important as well. You want to get people who think differently than you so you actually learn from them as well. So I think it's really important to make sure that you find something you really enjoy doing. And as Chloe mentioned, if you get into one thing and you might find that it's not for you, it doesn't mean that you need to leave the cybersecurity industry and find something else. You might find something else in the same industry that might be more enjoyable, that might be more aligned to what you want to be doing. I think that's what's really critical here. So absolutely, it's been fantastic having you both on this session. I think this discussion is an important topic for anyone who's looking to get into the industry. There's lots of great knowledge here, lots of great information. Phil, you mentioned there are lots of low-cost options to get into the industry. You don't need to go and get a certification; that's definitely not mandatory in the industry to get in. You don't need a certification, you don't need years of experience. You just need to have an internet connection, a computer, or basically access to a community that's close to you, whether that's going to BSides or other similar types of events, to really get access to people who can sometimes point you on the right path. So it's been fantastic having you both on the show. I think this is so vital. I'm really hoping that we can find a way to make sure that we get more people.
And I think one of the critical things that both of you mentioned as well is, even those who have gone down the criminal path in the past, we have to make sure that there's actually an opportunity for them to add good to the industry going forward. I think that needs to be something that's critical for many organizations. If there's one thing to take away, it's make sure that we give people the opportunity to use their skills and contribute to society and make the world a safer place. So, Phil, it's been great having you on the show. Fantastic meeting you face to face. We've been communicating quite a lot on social media for a long time, so great to finally get to chat with you and hear your view. Chloe, it's great to catch up with you again, so fantastic. Any final words of wisdom? Yeah, one thing I'd like to share is a tip on your learning journey. Be patient with yourself, give yourself grace. It takes time to learn complex things. Don't give up. Just be persistent and be patient. Absolutely, very wise words. Chloe? You're gonna feel at times that you don't know anything and that you've barely scratched the surface. And when you start thinking like that, that's actually a good sign. That means that you are aware of yourself. But also note that there's so much information out there, always new things all the time, so just be kind to yourself, because you're not gonna be able to know everything. And so if you're dealing with imposter syndrome, just remember you're here right now. You've done successful things in your life, so why aren't you successful right now? Why are you thinking that way? And I guarantee you it's probably because, one, you feel there's a lack of representation, or it could also be the fact that there's so much information out there that you feel like you are not, you know, smart enough in that area, and I'm gonna be honest with you, that's not the case. So be kind to yourself.
You're a great person at the end of the day. Pretty wise. I think it's important to take time to reward yourself. Take pause and look at your achievements, look at what you've done so far, and reward yourself for it. I think it's really important. I think one of the talks John Hammond has given recently, which I thought was impressive, and you mentioned imposter syndrome, is that you have a lot of knowledge to add that other people don't know. And that's the value that we have to add, and it's always continuous learning on that side. So again, thanks very much for joining me in the episode today. For the audience, to make sure you know, we've had awesome guests with...

    01:00:00 - 01:00:44

...Chloe back on as my co-host, and Phil Wylie here, who's really an industry pioneer and a person who adds a lot of knowledge to the industry and community. So again, thank you for being on the show. Everyone, tune in every two weeks. This is the 401 Access Denied podcast with Joe, Chloe and Phil Wylie today, and so let's stay safe out there and I will see you on a future episode. So thank you and take care, all the best, goodbye. Learn how your team can get a free trial of Cybrary for Business by going to www.Cybrary.It/business. This podcast is also brought to you by Delinea. Thycotic and Centrify are now Delinea, the leader in privileged access management. To learn more, visit delinea.com.