Episode 67

Hack the Community with Phil Wylie

EPISODE SUMMARY

Phil Wylie, author of "The Pentester Blueprint," joins the 401 Access Denied crew to discuss pioneering methods to create a safe and supportive culture among hackers. We cover how to use gamified bug bounty challenges, mentorships, and free trainings to successfully impact recruitment and job satisfaction in the cybersecurity industry and help hackers develop their powers for good.


Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow, and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Joseph Carson:

Hello everyone. Welcome to another episode of the 401 Access Denied Podcast. I am your co-host for the episode today, Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea. And I'm joined by my co-host, Chloe. Chloe, you want to tell us what you do and a little bit about yourself?

Chloe Messdaghi:

Yeah. Hi there, I'm the Chief Impact Officer over at Cybrary.

Joseph Carson:

Awesome. And we're joined by a fantastic special guest today, which is Phil Wylie. So Phil Wylie, welcome to the podcast. If you'd tell us a bit about yourself, what you do and some of the things you enjoy doing? It doesn't have to be cyber security related.

Phil Wylie:

Yeah. Thanks for inviting me to be a guest today. It's an honor to be with you guys, and actually my second Cybrary podcast. But I'm Phil Wylie, I'm the Hacker in Residence at CyCognito. So basically, I'm the internal pentester for the company as well as an Evangelist, so I speak at different conferences and teach workshops on topics around defensive security. I'm a former Adjunct Instructor from Dallas College. I taught pen-testing, web app pen-testing there for almost four years. I do a lot of mentoring and helping people get started in the industry.

Joseph Carson:

Fantastic. And you also do have an awesome book as well. You want to tell us a bit about the book as well?

Phil Wylie:

Yes. I have a book called The Pentester Blueprint, and last month was actually the two-year anniversary. It was based on a lecture that I did for my pen-testing class. When I started teaching back in January of 2018, the very first lecture I gave was on what it takes to become a pentester. By November of 2018, I had turned that into a conference talk and gave it at our local BSides Conference, and gave it several times after that. And then I was in the Tribe of Hackers Red Team book published by Wiley Publishing, and they reached out to me and asked me if I was interested in writing a book. And I had the intent or desire to write a book based on The Pentester Blueprint talk.

And so basically the book, it tells you about the pentester role and what it takes to become a pentester through prerequisites, different certifications and education and education resources around that. There are a lot of great books on the skill of pen-testing, but no one was really showing what the prerequisites were. And actually, it was really one of the first books of its type in cyber security telling people what it took to get into cyber security outside of just teaching the actual concepts.

Joseph Carson:

Fantastic. And that's what this episode's all about. I mean, I gave it the title of Breaking Bad versus Breaking Good. And one of the reasons for that is that over the last couple of years, I've been interacting with a lot of, let's say, the malicious side of the hackers, those who have been acting with malicious intent. And what's happened is we started seeing a lot of rehabilitation. We started seeing them looking to change their ways and start to use their skills for good. And this one is really important, that most people need to understand that not all hackers are bad. The majority of us are with good intent to make sure that we're helping organizations, we're helping protect society and making sure that, with as many vulnerabilities as there are, we reduce those risks as much as possible.

But one of the biggest things we're facing is really the skills and the people shortage. We're having a massive gap. It might be impacted by the great resignation, where we've seen, through the pandemic, a lot of people changing roles. But one of my big concerns is that I really want to make sure that those who are starting off or those who are really exploring their skills have a path to using them for good, that they have a path to a job and a career. So one of the things is that the entry level, unfortunately for crime, is much lower than it is to get into the industry. What things can we do in order to make that a lower barrier? How can we make sure we attract more talent in order to choose the good path versus the bad path?

Phil Wylie:

One of the things I really like, and that was, I used to be a Bugcrowd ambassador, and actually that's how Chloe and I met, through Bugcrowd. And one of the things I liked about Bugcrowd was the fact that people could get jobs doing pen-testing type skills without having to go through the normal way of getting into the industry, because in some cases they expect you to have years of experience, and that's one of the things that makes it more difficult. So those options like Bug Bounty programs, Pen-testing as a Service like Cobalt and Synack offer, are great ways for people to get in. But we need more opportunities like that. And you mentioned the thing about the crimes and stuff.

I think that's one of the things that I think we need to forgive people for some of those crimes and realize people make mistakes. Everyone makes mistakes and should be given a second chance. Because in a lot of cases, if you're desperate for money, I don't care who you are, you'll do just about anything you have to to feed your family or take care of yourself. And so I think we really need to learn that we can forgive people. And when people have the opportunity to make money, they're less likely to do those types of things. And usually it's because they have to, not really because... There's some people that like crime, they enjoy those types of things. But in other cases, I think most people want to make an honest, legal living.

Joseph Carson:

Absolutely. And Chloe, any thoughts around this from you?

Chloe Messdaghi:

Yeah. It was so funny because right when Phil was jumping in, I was raising my hand. I was about to say, "Oh, yeah. That's how I met Phil, through Bug Bounty." But yeah. No, the reality is that when I worked for a bug bounty company, it made me really realize there are thousands upon thousands of people that deserve to have a role in cyber security, but they're told they can't because of their past experience or because they don't have a college degree or a cert, and not everyone in the world has the opportunity to do so. So of course they're going to find a way using their skillset to pay for things, to have a living. A lot of the bug bounty hunters that I talked to that were previously criminal in their activity, what they were doing was that they had to make a living because no companies were going to hire them. So they started doing all these malicious things to get paid, so then they could put food on the table for their family.

I remember this one case, this guy, he was basically taking care of his parents and all his siblings and he had to try to make a living for them at the age of 16. And he just couldn't sleep during the night because he was worried that he was going to be taken from his home and then no one was going to be able to provide for the family and they would end up in the street. And so when he found out that there was a legal way to do this, he went to bug bounty and started doing that until he could find a job. And it took him a couple of years to get a job because he didn't have a college background. So it's one of those things. I also think about our US prison system. We always say, "They're going to repeat when they leave." In reality, the only reason they're repeating it in the majority of cases is because they can't get hired. And so it's like Phil mentioned, how do you change society to accept that?

Joseph Carson:

Absolutely. Many of the former criminal hackers, they end up being consultants and working from their cells because they just can't get jobs in the industry, because the industry holds that against them. And I think it's sad. I remember cases I've seen in the UK. The UK actually has a rehabilitation program to take juvenile cyber criminals and start looking at using their skills for good and getting them integrated into the industry, and helping them on a path where they can actually be helpful. And I think that's something we should look at from a global perspective, I think all countries around the world should be really looking at. I think even when I started my career, there wasn't any good way to test your skills. Everything was done by curiosity. We were doing it on live systems. But the great thing today is that you actually have a lot of great platforms out there to do simulation and gamification to practice your skills.

So the great thing is that we want to make sure we point them in that direction. If they're looking to test and learn and share and explore, we should make sure they have access to the platforms which don't break the law, which allow them to really enhance their skills. So for me, I think there are multiple challenges that we have, and rehabilitation is one: making sure there's an opportunity for those who have swayed to the criminal side in the past, and making sure they actually have a way to contribute to society going forward. We should never exclude them forever. There should always be a path to contribute.

Phil Wylie:

Yeah, I totally agree. One of the things that I think is another barrier is the price of some of these certifications in security training. I mean, when you look at the ones like Offensive Security, which is less experienced than SANS, that's still $2,000 or $3,000 to pay for the training to get through that. And so many companies are so dead set on needing a degree or a certification to get jobs. And some of the best pentesters and hackers I know in the world have zero certifications. You don't necessarily have to have them, companies just have to find better ways of vetting their skillset and giving people a chance.

Joseph Carson:

Absolutely. The certification challenge that we have in the industry needs to be changed. I would love a lot more opportunities for things like, for every one that an organization buys, they get to give one away for free. We should look to the certification industry to find entry-level ways for people to get free education, free knowledge. And if they don't do it, there are going to be other innovations and other new startups and other ways to find that. But we have to make sure that certifications are not the barrier, and they should not be.

Because absolutely for me, a lot of the people I know in the industry have zero certifications, didn't go to university, didn't go to college, but their knowledge is all self-taught. And that's what you really want. You want people who have the drive and passion to learn, and when they go and spend their own time, personal time in order to get the skills and enhance those and really become the best that they can in that area without certifications, I think that alone is something that we should value and we should have a way to measure it. I think that's one of the things we're missing, is a good way to measure that skill and make sure organizations have a way to get the right people and not just go after those who can afford it.

Chloe Messdaghi:

Joseph, so you're talking about the hacker mindset basically?

Joseph Carson:

Absolutely.

Phil Wylie:

Some processes that I've seen, where people use different companies and platforms to vet: you see some companies like Synack and even Cobalt, they have challenges set up for people to come in and try those challenges, and they get access to the platform. Another company has something really creative too, a consulting company called Praetorian. And if you go to their website, I haven't looked at their site in a while, but you go to their website if you're interested in careers, they have challenges on there. So they have these different hacking challenges. If you solve those, you submit it and you'll be considered for employment. So I think more companies need to do that, have those little challenges on their careers page and let people go out there and solve it. If they solve it, they apply. If they don't, then they know what they need to do next. Maybe even give people some guidance on what skills are required to pass that challenge.

Joseph Carson:

Absolutely. One of the things as well is I get really frustrated... Chloe, what are your thoughts? One of the challenges that I've seen as well is not only with certifications, but also with job descriptions. I don't know who's creating the job descriptions or who's writing them, but I think no one can find the skills in those job descriptions, even with years of experience and tons of certifications. Any thoughts around the challenge there with not just certifications but also the job descriptions as well?

Chloe Messdaghi:

I wish I had vodka in here and it was in the evening, but no. I'm going to be honest. The reality is that our job descriptions, there's so many issues with it. The first thing I would go with is that years of experience, just get rid of it. You don't need to have that on there. Just state what are the skills you need to know beforehand, and then what are the desired skills. And why desired skills? I mean desired skills should be things that you know you're going to have to train them no matter what. Now, one of the things I always have a problem with when it comes to job descriptions is that it's usually written by someone who is trying to fill a position using the history of a previous person who sat in that seat. So the problem you're going to get here is that sometimes you'll get job descriptions that will legit say "guy" or "man" in the job description, still to this day because they're hoping to fill that position with another guy.

And it's not a problem at all. But when you're someone who is a person of color or a marginalized gender, you're going to have some problems applying for that job. And so I think what we can do is shorten it. I really like how CyberSN does it. I don't know if you've been on their website, but basically they have this template for all the companies when it comes to a certain job title of what the requirements are that you need to know and what are things they're going to train you in.

And I really like that approach, and I think that we could do a better job on job descriptions. But also note that when you hire people, don't expect them to be able to do everything when they first get in. It is your job as an employer to continue training. At most companies, it's three months of training. So you are investing in these people you're onboarding, don't just bring them in and then have your way. That's not how things work and we have to do better on that front, is to know we have to keep training people. It starts even at the onboarding process.

Joseph Carson:

Absolutely. Phil, any thoughts on that topic as well around job descriptions, and also continuous training as well?

Phil Wylie:

Yeah, I agree with that because I mean it's ridiculous, some of the job descriptions, and sometimes the people who write them have no clue. It could be HR, they really don't have any idea about the role. I was a red team lead at a global consumer products company a few years back, and one of the things I noticed, we were trying to hire another red teamer in India, but the job description was so vague, because for actual true red teaming, you need a network pen-testing background. Web app pentesters, you could teach them to be red teamers, but it's going to take a little bit more. You really have to be heavier on the infrastructure side as well as social engineering, that type of thing. I went and looked at the job description, there were no mentions of Active Directory, nothing about network pen-testing.

We were getting a bunch of bug bounty resumes or web app pentesters. And this was a senior role too, so it wasn't like you could bring in someone and train them up from a lower level. It was a senior level role. And I see that with a lot of these descriptions, that the descriptions aren't created properly, the details of the job and stuff. I've seen job descriptions where companies so blatantly copied it from some other company, they forgot to change the name in the job description. But it's this laundry list of stuff they want, it's ridiculous. They're looking for these unicorns. I mean, this has been going on for years because back in my IT days I was a sysadmin and I was looking at different job descriptions out there. This one company wanted someone that was a Cisco expert plus a database administrator. You're not going to be a database administrator and be doing this Cisco. You're going to specialize in one or the other.

But we've got to do a better job of doing that. And I like what Chloe was mentioning about CyberSN or whatever the company's name, the descriptions and what you'll learn there. I think that's good because if companies see what you can learn there, you're going to draw more candidates because people want to go somewhere where they can learn and they can grow. One of the biggest reasons people leave is they get bored and they're not learning, they'll go somewhere else. It's not always about the money, but at the same time too, I think we should make sure we're paying fairly.

Because one of the things that's a big pet peeve of mine, having a lot of former students and even seeing family members go through this, where they go to work for a company and they start out at that entry level, $60,000 a year wage, but then they outperform their coworkers and it's a company that basically pays on tenure. So once you've been here three years, then you can get promoted, but you can't get promoted until then. But yet this person is doing triple the work that everyone else is doing. So just the way they gauge and reward people is just ridiculous. And another thing to mention, to add to Chloe's comment about them mentioning "guy" or something. If you see that in a job description, avoid that company at all costs. If you're a female or someone who doesn't fit that description, that role, stay away from them because...

Joseph Carson:

It's not going to get better if you do get the job.

Chloe Messdaghi:

Even as men, don't do it either.

Phil Wylie:

Yeah, definitely.

Chloe Messdaghi:

Be an ally.

Phil Wylie:

Yeah, I agree.

Chloe Messdaghi:

We should be-

Joseph Carson:

I even remember. Chloe, do you-

Chloe Messdaghi:

... I was just going to say, the one thing that I really like is when they do job descriptions and then they put the expected salary. Because I always feel like they always say, "The reason you're not getting paid more..." For Phil, of what you mentioned about there will be someone who will do so many things but doesn't get promoted because they're so good at doing all those things and then their salary doesn't increase. And that's the thing that always bothers me because they throw it on the personnel saying, "It's your fault. You didn't negotiate better when you started." And I just feel like that's unfair. I think we should state what the salary is, then there's no surprises.

Joseph Carson:

Absolutely.

Chloe Messdaghi:

Joseph, you were going to say?

Joseph Carson:

Chloe, I was just going to add to that. One of the things I've seen as well is that with companies, we used to have that challenge because it used to be very location-specific as well. So you would work in a city and maybe there weren't a lot of jobs in that city and this was what you'd be able to get. And over the last couple of years, of course we've had the acceleration of remote working and people being able to work from different locations around the globe. And we've seen that great resignation where people who may have been stuck in those jobs now have been able to get opportunities across the world. I'd just like to get your thoughts around that: what is the retention period of those employees? Because you're going to find better paying jobs very quickly, even with just a few years of experience. Are we starting to see companies struggle with retention because of this? Because companies are offering bigger salaries for people who are basically just getting those first few years and performing really well. Just thoughts around that as well.

Chloe Messdaghi:

I feel like I'm being Hermione Granger right now in Harry Potter, "Please, pick me."

Joseph Carson:

Yes, go ahead. You're on.

Chloe Messdaghi:

I think the great resignation was showing, if you're going to force people to come back into the office, that ain't happening. And then now they're like, "You don't have to come in the office. Only a few days a week. Also, I'm going to hand Paul's work over to you on top of things because Paul is leaving." And then you're like, "Great." And then someone else goes, "And I'm going to hand you Sarah's work as well. Sarah is leaving." The reality is that we have that, it's not really called quiet quitting. The reality is that people will leave if you do not invest in them. If you have poor leadership, they will leave. If you don't believe in them, they will leave. If they don't see a future there, they will leave. If they want to do things outside their work and you don't let them, they're going to leave. If they are a blue teamer but want to learn the red side and you're not allowing them to take that SANS training course or anything like that, they're going to leave. If you don't listen to your people, they will leave.

That's where we are right now. We have a huge retention problem. This is the worst I've ever seen it. I don't know a single person in cyber security who isn't open to looking elsewhere, and that's letting you know we have a problem when it comes to leadership. It also means that we have a problem when it comes to over-demanding things as well of security people, but also we're not investing in them and so they're leaving in herds. And then not just that, but then we also have layoffs happening across tech companies. Like today, there was a big announcement of a large tech company having a massive layoff of its workers, but the good news is the security team was still safe. So the good news is that when it comes to layoffs, security teams tend to be safer than other departments, but they also seem to be the one department that could use some help and assistance and some respect too.

Joseph Carson:

Absolutely. Toss Phil in that, as well.

Phil Wylie:

Mic-drop. One of the things I just see the biggest problem around is the entry level, more junior level folks, that they come in and they're being held back and not trained and then there's no opportunity for growth, and you can't blame them for leaving. You're going to have those people leave. And I encourage anyone I talk to, if you've been at your company X amount of years, you're no longer entry level. So if your company's not going to pay you the way you should be paid, then you do need to move somewhere else. I mean, it's sad it has to be that way. One of my former colleagues at the college where I taught was part owner of a consulting company, and he was always complaining to students about job hopping. But you can't blame them. If you've got to make more money, what is the reason to stay somewhere? The loyalty usually doesn't go both ways.

If the company is loyal to you, then if you feel loyal to them, I can understand, but you just can't be held back. And I think too many companies are making that mistake and, to be quite blunt, they're getting what they deserve if people leave, if you're not taking care of your employees. When you see the money that these companies are spending on CEOs and all this, and the things they're spending on buildings and stuff. I worked for a mortgage company back in the late '80s, I mean late '90s up to 2012, and we were moving into a new building.

And just one of the things where priorities get put sometimes, and this is not even just around people, but just showing what they prioritized as far as where the budget went. We were moving into a new building. Gigabit networks were out. When we moved into this new building, we kept our 100 megabit network, but yet we had this huge Remington statue in the hallway where you come into the building, you have these leather chairs in the boardroom and all this stuff, there's no ROI on it. No justification.

Joseph Carson:

No doubt about it.

Phil Wylie:

We're not going to put the money where you could process loans faster, faster infrastructure. So it's a lot of cases with the people sometimes too. There's such an imbalance in what people are getting paid. And I wish I could think of the name of the company, but there's this one company where the CEO actually took a pay cut or a bonus cut to raise everyone in the company up to at least $77,000 a year. And what they noticed, and that guy's awesome, I love following his Twitter, the employees actually all pulled together and bought him a Tesla because of that. When you've got respect for your employees, the respect is going to be returned, the loyalty is going to be returned. They're going to work harder.

Joseph Carson:

Absolutely. And that brings up, I think, one of the things I find in our industry, which is that if you don't do continuous learning, you'll fall behind. That's definitely one of the things. I've been doing this for so long now, it's over 25 years, and when I started my career it was completely different to where I am today, from the technology I'm using to what I do day-to-day. And so if you stop and stand still... that's one of the things organizations need to understand in this industry, is that you need to invest a lot in the continuous training for employees to make sure, one, that they feel valued, that they want to stay, because that's what they actually need.

That's a part of the passion, that's a part of the value in addition to salary, is continuing investing in the employees. And I find that if you look at the average employee in our industry and you try to guess the training budget applied to that employee, it is so tiny. It's such a small part of the organization's investment in people. I'm thinking that organizations need to be thinking that this needs to be 30, 40% of the value the employee is getting in salary, invested back in them, because that will definitely help you grow and make sure the employee's actually going to be retained.

Because I think that's one of the things that we're missing, is to make sure that we don't forget that this is not a job that stands still. This is a job that is continuously evolving. The threats change, and we need to continually, as we do digital transformation, as we do cloud, cloud workloads and different platforms, as different technologies get introduced, we need to make sure we stay up to date with that. In organizations that don't invest in employees over time, your organization's risk is going to keep increasing if you're not investing correctly. So I'd like to get your thoughts, Chloe, around the lack of investment that companies make in employees when they're on board.

Chloe Messdaghi:

Yeah, exactly. I will do so, but I just want to quickly... I just looked up, it's Gravity Payments is the company and his name was Dan Price, the person who did all his CEO cuts so then everyone could make at least a minimum 70k. Awesome person to follow and-

Joseph Carson:

That's a pretty impressive guy. Absolutely.

Chloe Messdaghi:

Yeah. He sticks to his values, which we need in leadership. That's how you build trust, is when leaders show their values by doing the things that they talk about, they take action on it. And that brings me to my first point. So I'm going to tell you about a case, and this is a very common case. I'm not going to mention the company or anything like that. So there's this company where a good number of the individuals on their security team use Cybrary for themselves outside of work because their boss didn't want to give it to them. So the boss basically said, or has this case that, "If I train them, they will leave." After talking to his colleagues that are using Cybrary for themselves, they're all planning to leave, that's why they're on the platform, because he's not investing in their future. So that just shows you. How often is this, Chloe? Oh my god, I would like to tell you it's every single day.

Every time I go to a conference, I bring up a conversation with certain CISOs, like, "Hey, what about training your team?" They're always like, "They're going to leave if I invest in them." And then I'm like, "Okay, so what are you doing for your risk audits? What about cyber security insurance? Because if you have a breach, they're not going to cover you if you're not making sure that your team is up-to-date on your training." And that's one of the things that, I remember when I joined Cybrary and I went to RSA Conference, and how, for the first time in my life, I started hearing that myth and it drove me up the wall.

Because even in DEI, the whole practice is if you want to keep people, continue their education. And we have so many leaders that are afraid to provide it because they're like, "They're going to leave if I do." Which then is disheartening to think of, because there's not a single piece of evidence out there that that is actually a true thing. If anything, if they invest in their future and their education, they're going to stay.

Joseph Carson:

Absolutely. And people will always stay around people who value them and invest in them. That's where you get loyalty from, is when you find that people are investing back and spending the time, you want to stay, you want to keep doing that. Phil, any thoughts from you around this area as well, from the training and the imbalance that we have, and how do we make sure we keep employees by investing in them?

Phil Wylie:

Sure. And one of the comments I'd like to make to start out is the fact that if you're not training these employees, they don't have these needed capabilities down the road. I had a friend that worked for a friend that worked for a company, and they got heavy into cloud. No one on the team had any training on cloud pen-testing. They had an all-hands meeting and the CISO was berating people for not advancing and learning. But whenever your budget's constantly being canceled, you're not providing any guidance. We need to do more than just, I think you should give the employees freedom to pick what they want to, but also give them some guidance: "Here. You've got this amount of budget, take whatever you want. Here's this other budget. We're moving towards cloud, we're going to use Azure, so we recommend you get some Azure security training or Azure training."

Guide them because in a lot of cases, some people need the mentoring and help, especially early in their career, to guide them on what to learn to help them grow. But whenever you don't train the employees, I forget who the quote came from, I think it was Steve Jobs or something, where they said, "If you pay them, what if they leave?" And he says, "What if they don't?" And so if you keep people that are not growing and getting better, then you're just falling behind.

Joseph Carson:

And that brings up another great point as well, is that if you've got people that have been staying around for 10, 15 years and you're not investing in them, you could actually find people who've got one or two years' experience that is state of the art, that's current with the latest technologies. And actually the value might be much greater today of somebody who has one or two years' experience with cloud security or CASB or access controls than somebody who's been around for 15 years who's just not invested in themselves or had the company invest in them either. So that's some of the things that we also have to look at as well, is that sometimes getting somebody with only a few years' experience might significantly add a lot of value to the business as well.

Phil Wylie:

And I think you want to encourage that culture of learning. If there's no training budget there, there's no encouragement to learn, then they're not going to learn. And a good example I saw of someone doing this the right way is I was listening to Rob Fuller's talk at Texas Cyber Summit recently, and he was talking about his red team. Every Friday towards the end of the day, they get on Hack The Box and they practice doing CTF challenges on there to help hone their skills. So I mean this is a creative way outside of just taking a course, they're constantly practicing and learning new skills and they're doing this during business hours.

Joseph Carson:

And that's fantastic. I think that's what all companies should be doing. Absolutely. Chloe, any thoughts as well?

Chloe Messdaghi:

Oh yes. When it comes to education, you need to have a good strategy. What Phil mentioned, doing Friday afternoons as your training hold, that's really good. Also tie in why they need to do it. So if you're just like, "Okay everyone, you're going to take this course," it's like, "Cool, what does that have to do with me and what I do?" So you have to find something that engages people because no one wants to learn something that they don't want to learn, especially if you're someone who's like, "I need that dopamine hit to be able to learn something."

If we can't get that dopamine hit, we're not going to want to learn something. So make it out as if it's a mission for them to learn it, but why? You got to tell them why and then set it up for success as like, "Here's some KPIs of getting it through, how this is going to matter to our team, our security in the long run. Now how this will go back to your job and tie it into your role." And always open the floor up and ask them, "What do you think we need to learn as well?" And I think what Phil mentioned, which is doing practical exercises like CTFs, those are great because you're gamifying what you just learned. I think that's really good.

Joseph Carson:

I love CTFs, it's my thing. I spent a lot of time in them. And Phil, to your point, one of the things I really liked that you said as well, doing those simulations, that's a great way for team building. And one of the things is that this industry is very stressful. There's a lot of burnout, there's a lot of stress, long hours. When incidents happen, it's chaos. It's basically working long hours, long days and sometimes sleepless nights. And I think we really need to bring in a lot of fun and team building. And I like those types of things where you bring the team together and have them train together, especially if you've got even red teams or blue teams and actually mixing that, or you're simulating an incident and stuff. And it can make it a lot more fun. And at the same time, it actually gets you simulations and gets the team practicing real events. I really think organizations should be doing a lot more of that style of activities.

Phil Wylie:

And I think something that's very cost-effective is cross-training too, to let people go shadow someone else for a week or two to see how their job is. Because if you're passionate about what you're doing, you're going to be passionate to learn, motivated to improve. And so maybe someone finds out what their true interest is. There was a guy that was on my team a while back at this bank I worked for. He was in IT and he was taking some SANS courses for digital forensics and he decided one day, "I think I'm going to take a pen-testing course to help make me a better digital forensics person." And when he took that, he found out he liked pen-testing a lot more and he totally switched careers. And now he's got a ton of, not saying you have to have a ton of certifications to be a pentester, but he's got a lot because he's invested that much time in his education.

Joseph Carson:

Absolutely. And that brings me to the important point as well, is that one of the things I love about the BSides events is when they do the pairing of experienced speakers with new speakers. What I'd love to see a lot more of in our industry is better organization of, basically, matchmaking of mentors and new entrants, people who are looking to get into the industry. I haven't seen anything really official around it. I've seen bits and pieces of it. I do mentoring of speakers for some of the BSides events, I've done a few other hackathons and so forth. But I'd really love to see a much more well organized establishment of those who, like myself and you, Phil and Chloe, having a way for us to give more back into the community and mentor, and have a way of matching and getting mentors in certain areas.

Maybe somebody's looking to get into Capture The Flag or somebody's looking to get into pen-testing or digital forensics or education, or whatever it might be. Because even today, I have my own mentor that I've been going to in the industry for a long time, but I would love the opportunity to mentor a lot more people. So any thoughts around, and I know Phil, you've done quite a lot of mentoring as well with the students... anything that we can do as an industry to make that much more, I'd say, easier for those new people, whether they're starting their career or mid-career, looking to really accelerate and get guidance as well?

Phil Wylie:

Yeah, I would encourage anyone to reach out to people, whether or not they're actively saying they're looking for people to mentor. My mentoring style is I like to mentor a lot of people and I'll spend more time upfront, and then just periodically we'll exchange text messages or emails or calls just to discuss things. But just help them get set up with, "Here's some good materials to study, here's some good things, some good conferences, different groups to join," and get them started. But definitely reach out. Some people don't have enough bandwidth to mentor people, but most people have 15 minutes or an hour. And one of the things I would encourage is, the way diversity is good for organizations, is good for the industry, diversity in mentors is good too. Not only gender, race, belief and all this, it's just having a diverse number, having multiple mentors and not just really depending on one.

I think that way you're getting the different opinions, the different resources and things that you may learn better from one than the other. But I would highly encourage you to reach out to anyone. And for me, I've got at least a little bit of time for anyone that wants the time. And I also want to encourage anyone out there that if you're not mentoring, do some mentoring. That doesn't mean that you have to spend an hour a week each week, just whatever time you can do. I mean, one of the things on Twitter, there's the Cyber Mentoring Monday that they do periodically, where they send out the tweet on Monday and people looking for mentors will reply. So if someone's interested in mentoring, just monitor that and see who needs help with some mentoring and help out because, I mean, it's a very rewarding experience. And if you haven't mentored, I highly recommend it. At least give it a try just for the experience of helping others. Like they say, it's better to give than receive, and you just get tenfold of what you're giving when you help others.

Joseph Carson:

Absolutely. Chloe, any thoughts around mentoring?

Chloe Messdaghi:

Yeah. So my co-founder and I for We Open Tech, we did a talk at RSA Conference that breaks down what mentorship is, how it works, and what the best practices are. So I really encourage people, if they want to go into mentoring themselves, to check it out. It's really important that we learn best practices because I'm one of those unfortunate people, along with other people, that had a mentor at one point, or a couple of mentors at one point, that were using it to boost themselves up in their career. So basically, they use you and your image to increase their opportunities, or they want to have a relationship or romantic relationship with you. So it's one of those issues that I have found and other people I know have gone through. And so I took a break from getting mentored by anyone because I was so afraid that those things would happen again. So one thing I really recommend is checking out a couple of different organizations.

So Cyversity has a mentorship program, Diana Initiative has a mentorship program, Cyberjutsu, WiCyS. These are great organizations to get involved with, so then you can be matched with someone. But also, internally you should all have a mentorship program because it could be really good for everyone at the end of the day. It's not just like, "We just need to mentor women." No, it's for everyone to participate. If they want to learn something new from one of their colleagues or somebody that's across their department, this gives them an opportunity to learn from you. And also, if you're reaching out to people for mentoring, please don't send a message saying, "Hey, I would love for you to be my mentor." Tell me why I should invest my time in you, why are you coming to me in particular? What is it that you're looking to get out of it? So when you do send those emails and everything, make sure that you are being direct about what you're looking for, and reach out to people and state why them in particular. That will help you out a lot.

Joseph Carson:

Absolutely. Be very clear in what you're looking for, that definitely makes it a lot easier to make sure you're getting the right person and the time is being valued. So absolutely. I'd like to cover some of the, as people are coming down this path and they're going into their career, and one of the things... I come from old school education, really the industrial side of education, that's my background. But I was always one for reading and learning and learning from others and spending time trying to find new ways. Are there new startups or new techniques or new methods that are really helping accelerate the path into the industry as well? Is there something that we're starting to see? What I've really enjoyed, Phil mentioned earlier about the gamification platforms, the bug bounty platforms. Then there's different levels of entry in bug bounties as well, you can go for some easy wins versus some of the more complex ones.

Are there any new technologies or training methods that are really helping make sure that we can accelerate where we need to be? Because I just feel that every year, we're falling slightly behind with getting the diversity, getting people from different backgrounds as well. People who are good at communicating, people who are good at psychology, who can talk to users much better. Because cyber security and our industry, it's not just about technology. That's what we sometimes have to remember, it's not just about the tech. It's about processes, it's about business, it's about people, and we have to make sure that we go beyond that. So I'm just interested, both Phil and Chloe, are there any new ways that we can start looking at that can help make sure we're accelerating and closing that gap in the future?

Phil Wylie:

I think the platforms I really love are TryHackMe and Hack The Box, since they're hands-on. And when I talk about Hack The Box, their new Hack The Box Academy, because the method they use in TryHackMe is similar. You'll go through and read a few paragraphs of how to do a certain task and then they give you the task to perform. So I've seen some things that are overwhelming, where you're thrown into a CTF type scenario, a vulnerable VM or something.

They give you directions on what you're supposed to do, but no guidance on how to do it. But with these platforms, they'll show you how to do this first thing and they build on each one of those tasks up until you're doing a bigger task and you're actually performing hands-on in a simulated environment. I think those are some of the best ways to do it. It makes it more interesting than just trying to read a 300 to 400 page book. Because one of the things, when you mentioned the older ways of education, where I think it fails is that your traditional universities typically don't give much hands-on. It's mainly reading and theory.

Joseph Carson:

Academic, very much.

Phil Wylie:

Yes. And I ran into a student a few years ago, back when I was first starting to teach, and he was asking me, "Why do my friends with two-year degrees find jobs in technology or security easier than I do with a four-year degree?" And part of that is that usually the two-year degrees focus more on hands-on. You don't have as much time, but they'll use it, it's really lab-heavy and they're getting the hands-on. So that's one of the things that they're missing at the college level. And I think this is just really a good way to learn, is to make sure you're emphasizing using hands-on methods to actually learn the skills. The methodology is important, but we need to apply the methodology.

Joseph Carson:

Absolutely. Chloe, any thoughts around that as well?

Chloe Messdaghi:

Yeah, I would say apprenticeship programs are really good. Phil was mentioning, when we have people that we can shadow and learn straight from, that's going to be really great. I think having a day in the life, where you go around with someone for a day or a week to get an idea of what that job entails and the things you need to learn, I think is great. I think one thing is that we are overwhelmed with all the things that we think we need to know before we get started or before we can become good at that area. And there's a lot of misinformation out there. You go on YouTube, you're going to watch videos that talk about, "This is the way of becoming a pentester." When in reality, Phil's book is probably the better one. And so it really depends on the person and their learning style.

For me, I have to read it and experience it to know what to do. I can watch videos of people doing it, it's just giving me an idea but it's not training me on how to do those things. But being there physically with another person is much easier for me. I have to experience it to know it. So that's why labs are really important. Cybrary, we have labs on all our courses and that helps us go from reading something or watching some video, to being able to know what do I do next. So I think it all depends on learning, but the more interactive, the better. The more you gamify it, the better. Any way that you can increase dopamine, everyone, is how you win the game.

Joseph Carson:

Absolutely. The more you make it community-based and gaming-based and you give people rewards back for the progress that they make, I think that really gets exciting. And for me, Phil, you mentioned TryHackMe. For entry level people, TryHackMe's fantastic because it just takes you step-by-step through the process to train you in those specific tracks or certain areas. Chloe, to your point as well, is that the Cybrary platforms are where you get the instructor-led approach, where you get an actual person training you and taking you through it as well. And then Hack The Box, which I would say is a bit more advanced, where it's the exploratory side of things. You're not given the exact steps, but you have to explore, and not every solution is the same. So there are very different ways of going through.

But at the end of the day, actually it's getting a gamification, getting a challenge. Either you team up or you decide to go solo, but it gives you progress, it gives you simulation. And a lot of times, there are various real world scenarios. Some of the things I also really like today is also, there's a whole new generation. I come from the old times of blogging where you write a blog and post it, or we're doing the podcast and we release it so people are going to listen to it while they're commuting. But I really love the new age and generation of content creators where they're spending an hour a week and just sharing their skills. I even think Hacking Esports is going to be taking off where people would be paying just to watch people hacking and showing off their skills and learning from that as well, and they also could become the mentors.

So I think there are definitely a couple of new ways that we've all looked at, and I think the more people that get involved in them, the more that people are aware that they're available. And I think also for those maybe that are interested in this area and they're going on YouTube and they're watching videos, and they're learning these skills and they might download Kali and they start playing around. I think the more they're aware that there are platforms that they can use, which is not going to lead them into illegal activities versus going and testing it on legitimate companies, I think that's one of the things that we have to make sure that people are aware of before they start going down that path of illegal activities. So I think that's one of the things, more awareness of these capabilities and platforms before people take the wrong path.

Chloe Messdaghi:

Yeah. Know your rights, which is, you don't have rights.

Phil Wylie:

Just one comment, I wanted to comment on Hack The Box. The Hack The Box Academy actually provides the step-by-step part of it now, as part of the Academy.

Joseph Carson:

Yep. They have both options, where you can take the guided steps where you can actually go through. A lot of the retired machines have the walkthroughs, but those active machines and the challenges, you either team up with people or you go down the path like I do sometimes. Some weekends where I'm looking at a challenge, I'm just like, "I have no idea." You'll have to go off and learn something. I think the last time I was hitting my head against the table it was a server-side template injection in jsonify/Flask.

I know nothing about Flask, and that for me was something I had to go and teach myself. Install it, find out how the default configuration is and try to understand it by actually installing and going through the process myself and then starting to see... I would say, it's like looking at a house from the outside and trying to determine how the rooms are configured. And that's some of the things, you have the exploratory side and that gets you into the mindset as well. I think those are some of the good ways of challenging and learning.

For those who are listening in on the podcast and either they might be starting their career, this is their first interest, they're interested in learning, or they might have already got the basis of skillsets. They've been watching tons of YouTube and Twitch, and they might have watched a lot of videos with The Cyber Mentor or IppSec or John Hammond or whoever it might be, they've been really interested and it's a path that they want to go on. Or somebody who's mid-career and maybe they're a sysadmin or maybe they're in IT or even maybe an accountant or somebody who's in psychology, in other areas. For those who are looking at this industry and considering getting into it, what wise paths would you recommend that they go and start off with, or how to start looking for jobs, how to get into the industry and how to really evolve and get their career accelerated?

Phil Wylie:

So as you mentioned, some of those other resources like John Hammond and The Cyber Mentor, their content is really good. I would say look for the free and low cost type of content. And also too, I would say if you're wanting to be a pentester and that appeals to you, do that. But I would encourage you to check out the different areas of cyber security because you may find something that you like better than that. And if it's something you really like, you're going to be passionate and you're going to be willing to put in more time and effort to learn. So I'd definitely explore the different options instead of just being set on... If it's something you want to do, do it. But I would also encourage you to look at some other things. And if you go to, as you mentioned earlier, the BSides conferences, those are either free or very low cost, and you can go see some of the different talks there over the different disciplines and then maybe find an area that you'd be more interested in.

Joseph Carson:

Absolutely, very wise. Chloe, any thoughts as well?

Chloe Messdaghi:

Yes, read the first Tribe of Hackers book. I kid you not, that's going to give you a really good idea of what things are going to be good for you, or things where you may have a similar background as one of the people in the book, but also check out... So Cybrary, we did some webinars that are recorded and posted on our website that do role dives of various different roles to get into. And I think that's really good to know what you need to know, what the everyday looks like for that role. I think that's the thing, is they're always like, "Come and join us." And then they're like, "You need to get certs," but then they don't know what job works for them. So for me, I'm always thinking first, think of your background. Are you one of those people that when you're playing chess, are you defensive or are you the opposite? Are you one of those people that wants to learn how things work and then how do you break it? Then maybe red teaming or pen-testing might be good for you.

If you're someone who is more of like, "How do I protect this from someone who may try to break something," you might be a blue teamer. And then there's also purple team, which is when you're like, "Why can't I do both?" So there are so many options out there no matter what your background is. Even if you are in marketing and you're trying to get into something new and want to get a technical role, just apply for a job in marketing in cyber security. Get your foot in the door, learn everything you can about the industry and then start training to get that technical role. There's always a role in cyber security, and sometimes the fastest way to get there is first getting a role that's connected to the one you already have in a cyber security company and then moving over. So don't give up, enjoy your research, experience things, talk to people in that role and learn if that's the one for you. And if you do something and it didn't work out, cool, you try something else. Life is an experience.

Joseph Carson:

Absolutely. I mean, that's an important thing, is that cyber security is not just one role, it's so many different roles. To your point, you could even be simply in marketing, which gets you the entry point, which gets you familiar with the verbiage and the terminology and the content. To cryptography, which is more math-based, or to pen-testing. And to your point, you made me laugh about the chess side, because I myself, I'm a very aggressive attacker in chess. I'm always going straight for the checkmate, which is not always the best approach, but it's just my style. But to your point, absolutely, it's important also to find what you're passionate about and what you enjoy doing.

That's really important because a lot of people doing this, like myself, this is my hobby that I just happen to be doing as my job. And for you, anyone who's getting into the industry, I think also find your hobby, find what you enjoy doing and make a career out of it because that's where you start really getting passionate. But that's where you have fun. That's where you enjoy it, and that's where you yourself can make sure that you're surrounding yourself with like-minded people, and also people who aren't. Diversity is also important as well. You want to get people who think differently than you, so you actually learn from them as well. So I think it's really important to make sure that you find something you really enjoy doing.

And as Chloe mentioned, if you get into one thing and you might find that it's not for you, it doesn't mean to say that you need to leave cyber security industry and find something else. You might find something else in the same industry that might be more enjoyable, that might be more aligned to what you want to be doing. I think that's what's really critical here. So absolutely, it's been fantastic having you both on this session. I think this is a really critical thing. I think this discussion is an important topic for anyone who's looking to get in the industry. There's lots of great knowledge here, lots of great information.

I think Phil, you mentioned that there are lots of low cost options to get into the industry. You don't need to go and get a certification. It's not mandatory in the industry to get into the industry. You don't need a certification, you don't need years of experience. You just need to have an internet connection, a computer, or basically access to a community that's close to you, whether it be going to BSides or whether it be other similar types of events, to really get access to people who can sometimes point you in the right path. So it's been fantastic having you both on the show. I think this is so vital. I'm really hoping that we can find a way to make sure that we get more people. And I think one of the critical things that both of you mentioned as well is even those who have gone down the criminal path in the past, that we have to make sure that there's actually an opportunity for them to add good to the industry going forward.

I think that needs to be something that's critical. Many organizations, if there's one thing to take away is make sure that we give people the opportunity. That we give them the opportunity to use their skills and contribute to society and make the world a safer place. So Phil, it's been great having you on the show. Fantastic meeting you face-to-face. We've been communicating quite a lot on social media for a long time. It's so great to finally get to chat with you and hear your view. And Chloe, it's great to catch up with you again. So fantastic. Any final words of wisdom? Last comments?

Phil Wylie:

Yeah. One thing I'd like to share is, on your learning journey, be patient with yourself. Give yourself grace. It takes time to learn complex things. Don't give up. Just be persistent and be patient.

Joseph Carson:

Absolutely. Very wise words. And Chloe?

Chloe Messdaghi:

You're going to feel at times that you don't know anything and that you've barely scratched the surface. And when you start thinking like that, that's actually a good sign. That means that you are aware of yourself, but also note that there's so much information out there, always new things all the time. So just be kind to yourself because you're not going to be able to know everything. And so if you're dealing with imposter syndrome, just remember, you're here right now, you've done successful things in your life, so why aren't you successful right now? Why are you thinking that way? And I guarantee you it's probably because, one, you feel there's a lack of representation, or it could also be the fact that there's so much information out there that you feel like you are not smart enough in that area. And I'm going to be honest with you, that's not the case. So be kind to yourself. You're a great person at the end of the day.

Joseph Carson:

Very wise. I think it's important to take time to reward yourself. Take pause and look at your achievements, look at what you've done so far, and reward yourself for it. I think it's really important. I think one of the talks John Hammond gave recently, which I thought was impressive, and you mentioned imposter syndrome, is that you have a lot of knowledge to add that other people don't know. And that's the value that we have to add to be in it, and there's always continuous learning on that side.

So again, thanks very much for joining me in the episode today. For the audience, we've had awesome guests with Chloe back on as my co-host and Phil Wylie here who's really an industry pioneer and a huge person who adds a lot of knowledge to the industry and community. So again, thank you for being on the show. Everyone, tune in every two weeks. This is the 401 Access Denied Podcast with Joe, Chloe and Phillip today. And stay safe out there and I will see you on future episodes. So thank you and take care. All the best. Goodbye.