- Hey everyone. It's David Bombal, really happy to have Neal Bridges with me again. The last two videos
that I created with Neal have done really really well, got a lot of positive feedback but a lot of you've been asking questions. So today I'm going to
put Neal in the hot seat and ask him a bunch of questions. If the video gets too long I'll create subsequent videos with Neal. Neal, welcome. - Thank you so much, David. I'm so glad to be here again. - It's nice to meet someone
that I can put in the hot seat and ask all these questions
that I've been receiving over months and years. - I love the connection we have. You ask fantastic questions
and your audience is fantastic and they ask such in-depth questions. I'm, I, when you asked me to come back to answer questions
that you got in comments I was like, heck yes, let's do this. - That's brilliant. So let's ask you straight away. One of the top questions
that I've received, lots of people ask this
and it's quite funny because the ranges were quite wide. People were asking David,
I'm in my twenties, is it too late for me to
get into cybersecurity? David I'm in my thirties,
I'm in my forties, I'm in my fifties. - Oh, wow. - Yeah, is it too late for
me to get into this industry? So, question for you
then is, "Is it too late for someone twenties, thirties,
forties, fifties, whatever to get into cybersecurity?" - All right. So, hang on. This is going to be industry
crushing secrets right here. Everybody ready? The answer is no, you are not too old. And so that's the short answer, right? So you can cut the video right there. We're done. No, the answer's no. Neal gave you the answer. The long answer to this is
like and I talk about this extensively is, there are
three and a half million open cybersecurity jobs right now. It is no doubt that people hear it and they talk about it all the time. There is a lack of talent in the pipeline when it comes to cybersecurity. And so no, this is a career field where if you've got the desire to learn and you can put in the effort and you can get out there, you can absolutely start in cybersecurity at any age and succeed in it. Here's what I tell people and this is what I think
holds a lot of folks back is, and especially when you talk about folks who are transitioning
maybe away from a career that maybe wasn't IT or wasn't
necessarily cyber into cyber, you have marketable skills
from the 10 or 15 or 14 years that you've been doing whatever
it was you were doing before you decided to
go into cybersecurity. I do a ton of resume reviews on my stream. - I think we should do that. I think I can people, I think
I'm... I'll put a link below where people can submit some resumes and we can pick some out. - Yeah, absolutely. I think we should do that
because one of the things, I had a resume that I
reviewed not too long ago and on their experience
they had spent 14 years as a store manager for Arby's which in the States is like
a huge fast food chain. And they buried it so
far down on their resume. It was almost like they
were ashamed to have that experience there, but
they had a lot of cyber stuff that they had done and a
lot of IT help desk stuff that they had done on the top. And I was like, you should highlight that you've spent 14 years
managing a restaurant, doing resource management,
doing people management, all these other skills that
when we talk about soft skills are lacking so much in our industry, you can absolutely put those to work. And I think that's what's oftentimes overlooked
by people who are like, am I too old to get into cyber, is you still have so many
years of useful experience that we need to get highlighted and get people to see that you have. - I think on the last
video you made a good point when you said there's a 10 to
one ratio of blue to red jobs. I think a lot of people,
and it was quite funny there was a comment on
one on the video like, 70,000 people have watched this video there's not enough jobs
for all these people. (laughing loudly) And it's, I think people just think they have to be the best
ethical hacker perhaps and not look at this there's
a whole range of jobs. Is that, do you agree with that? - 100%, when you look at
cybersecurity as an organization, and one of the analogies that I use and I use this analogy
frequently when I talk about the industry as a whole, when you look at the career field it's 10 miles wide, right. But it's also 10 miles deep
and almost every subject and so yeah, you can be on
just a small little section and we talked about ethical
hacking being that section. And you can go 10 miles
deep in ethical hacking, but then you've got blue team. And then even on the blue team you've got incident
response, threat hunting threat intelligence, security engineering where you work on all the tools. You've got all this stuff,
you've got fraud prevention you've got risk and compliance,
you've got governance. There's the cybersecurity field,
isn't just ethical hacking. And that's all we say there's
three and a half million open jobs in cybersecurity
across the globe. Yeah, I know we talked
about it before 10 to one blue team, red team. Again ethical hacking is
sexy and everybody loves it but there's so much more to cybersecurity. And maybe your passion
when you're late in life, is I just want to be part of cybersecurity because it's so exciting. Let's look at the entire lake. Let's look at that
entire 10 mile wide lake. And let's find something
inside this industry that works for you because there is something here. - I mean, it was great points. I mean as an example, let's say I am 45. There were a lot of
people in their forties or in the late forties
that were asking is it too late for them? And it sounds like what
you're highlighting is they mustn't focus on the
like Mr. Robot type stuff, where the guys are breaking into machines like offensive stuff. There's a whole range of skills that or opportunities in this field. So can you give us some
examples like I mean, give us some examples you
know of the range of skills that people could do for
different organizations because I think a lot of people just see like the hacking piece. They don't see like all the companies on the blue team or
products that people use perhaps to protect their networks. - Yeah, absolutely. Because and the other thing
that I want to highlight on this too, right is everybody thinks that
like when they get into cyber that they have to get into cyber
on the ground floor, right? So you gotta be like a
security analyst layer one. But if you've been managing
something like a business, I've reviewed another resume of a guy who had started his own marketing company and had run a successful
marketing company for 10 years. That's a guy who has
leadership experience. He has, he's run a successful business and had a successful exit. There's nothing wrong with
going to get, maybe CISSP or going to get one or
two small technical certs just to kind of say that you got those technical certs under your belt. Maybe you do some hands-on
stuff just to kind of familiarize yourself with the technology and then simply turn around
and apply for a SOC manager. Just go run a security operation center or go get into the risk
and compliance organization and start doing risk assessments. One of the conversations
that I have with folks especially when we talk
about risk and compliance versus pen testing, when I say the word risk assessments and I want to say like
risk and compliance, everybody goes, ooh, that's yucky. That's paperwork. That sounds boring. I want to go do pen testing. And I'm like, do you
realize that the difference between a risk acceptance
in a lot of organizations and a penetration test
really just boils down to putting your hands on a
keyboard and executing it? When you're doing a risk assessment you're still evaluating vulnerabilities, susceptibility to being
hacked and breached into, where they fit into the organization. The only thing you're
missing is the actual putting your hands on keyboard. And so it's not uncommon if you were to think about
the long game in cybersecurity and even if you're 45,
you've got two years until or 20 years until retirement, you could spend five years
doing risk assessments where you understand risk,
you understand governance you understand how to look at a system, how to look at vulnerabilities, how to look at it in the enterprise. And then if you're doing
to the point that I made in last video, a lot of
the TryHackMe, Hack The Box a lot of the technical stuff because you ultimately want
to go do ethical hacking. And then you spend five
years doing risk assessments, you have the perfect inroad
into doing ethical hacking because you've been spending
five years looking at risk, talking a business language,
taking your 20 or 30 years of running a business and applying it in a soft skill type fashion. You have a fantastic transition. I think people aren't
looking at the big picture when they think about getting into a cybersecurity organization. They're just like, I want
to do ethical hacking and that's where they think
they have to get into. - I think it's great points. I mean, I'll have to bring in Gary V again because we mentioned that previously. - If I could just change your perspective, if I could just get you to realize you have a whole another life to live. I need you to understand
something, you have so much time. You as 50 year olds are gonna
live dramatically longer and healthier than your parents
and grandparents generation. So you secure a 50. - He created a video
in which I'll link here where he talks about you're not too old. And I think he just hit it there. When you he said, if you're
45 you still got 20 years. And I mean, he's actually saying, I mean Gary's in his forties as well. He was saying that he's
got like many years before he's gonna retire. You mustn't forget all the
experience that you've got. And it's the same thing in Silicon Valley. A lot of people think
that startups are made by like 20 year olds. But most successful startups
are created by people in their forties. I think is the altar of the best age. Because you've got experience. You're not gonna make all
the same stupid mistakes that you might've made previously because you've learnt in life what to do and what not to do. And I'll also say this and I need to hand it back to you, Neal. But if you're in business the only way you survive is to have sales. So if you've got, if you're in a sales job perhaps you selling some unrelated product but all that sales
knowledge can be applied to a cybersecurity environment. So I mean, you deal with a lot of vendors. And I mean, they must have sales teams, they'll have presales teams,
technical guys, et cetera. Is that right? - That is correct. Yeah I mean and I mentor them
the same way that I mentor an ethical hacker, right. Is let's talk about how
we develop your skillset. Let's talk about how
we develop your ability to talk to CSOs. And let's talk about your ability to because most of them, most
of these folks in sales that I talked to or that I mentor, they're in sales because
they need to make a paycheck but they ultimately want
to move out of sales into risk and governance. So they want to move out of
sales into security operations or some of them you want to
be CSOs and things like that. And so we talk about how do
you take that sales stuff and that ability to have those soft skills that are really important
to an organization and apply those soft skills
to your future learning to get to your future career. - Yeah I mean, it's funny
because I think about sales guys and technical guys and in another way, I think in some ways I'd
rather be the sales guy. 'Cause you're on the golf
course, making a sale and I'm stuck busy fixing a network at three o'clock in the morning. But I mean, it's like you
got to do what you love. Okay, so that so you've
made some important points that you've said that number
one, I'll repeat it here. When are you too old? - You're never too old. And I want to flip
another Gary V one back on you on that whole you're never too old. He's got a fantastic quote
that he says he's like, "You're not too old you're
just late to the process." - That's great.
- Right? That's one that he has said explicitly and it's okay to be late, right. You're doing it at your own time and your own pace and that's okay. It's like the guy, he
what's it Colonel Sanders who started KFC when he was
in his seventies or whatever when he I think when he started. He mustn't so I think that the takeaway of what you've given here
is you mustn't forget about all your experience. Like that example with the
retail was, Arby's was it? - With the Arby's yeah, with
the Arby's store manager. - So I mean, that kind of
management experience is actually in some ways more valuable to a company. Sales is very valuable to a company than just pure technical skills. Because there's like
pre-sales is a good example. If you want to sell a
product to a customer and you need to have a
technical understanding you have to have both soft
skills and sales skills as well as technical skills. And the best sales guys are the
guys who actually understand how stuff works rather than
just making it up on the fly. So, okay. So, I'm in my forties, let's say and I want to go from whatever
I'm doing into this field. Give me the path again, Neal and I'm going to push you on this. We had some questions about
certs on the last video. So I'm gonna push you as well on certs. What would you recommend someone
do if they're a bit older? Is it the same path, like
go and do basic networking go and get some of the basic search. Well, what would you recommend? And so I think I'd go
back to some of the stuff that we talked about last time, right? Which is really evaluate what
it is that you want to do in the industry. Let's say, let's go back to
our 45 year old example, right? You've spent, you're 45. You spent the last 20 years doing something business related, right. Whether it's a lawyer,
whether it's an accountant, whether it's some other
non IT related skill but you're 45 now doing a car mechanic, it doesn't really matter. You have skills that are transferable. I think you have to
look at the industry and you have to find
out what does excite you about the industry. Because I still think that
that's key for who you are, right. Do you like blue teaming? Do you like hunting bad
guys inside the network? Do you like ethical hacking? Would you like to go break stuff? Maybe you actually just
enjoy the strategic mindset of looking at organization. So you look at something like risk and risk and compliance and governance. Maybe you like to build,
maybe you're an architect type where you actually like to build things. So I do think I do still
think you have to identify what's important to you
and where you wanna go inside the industry. So I don't think you
can get away from that when you're looking at your career path. And so then from there, yes,
I would definitely look at certs that help you
credentialize yourself. That says, yeah I know
I've been doing a non cyber or a non IT skill for 20 years. Yes, I'm gonna talk
about all the accolades and all the great things that
I did in my business career, on my non IT career. But also let me show you that
I do have transferable skills when it comes to the
cyber side or the IT side. I've gone out and I've taken CISSP or I've gone out and taken CySA or I've gone out and taken CySA. Maybe if you're on the pen testing side you're looking at PTS for Miami or you're looking at AAPT
from that perspective or you're looking at a CCNA
from a networking side, right. Look at those baseline certs, right. That really just kind of say, yeah I'm not a complete I'm
not completely uneducated when it comes to the career
field that I'm going into. And then on that resume, the same resume tips that I gave last time I would still say apply here. Highlight that stuff, highlight your 20 years
in your non IT role. Show that you have that management role and then make sure that
you're applying for the job that matches that skillset, right? If you spent 20 years leading a business, it's okay to say that
you have the skillset to go lead a risk and
compliance organization. Maybe you can go be a
risk assessment manager. Maybe you can go be an
IT audit manager, right. Or a senior IT auditor
or something like that. Those get you the foot in the door and then you have to then
strategically look at how do you take that foot in the door and then say in five years I'm going to keep doing these things and I'll have an easy
path into pen testing or have an easy path into threat hunting. Or maybe you just continue to go up and you ultimately ended
up becoming a director of those organizations or a CSO. - I mean, I think you've
highlighted something really important there. And I think you've been
listening to Gary V too much. Because he also makes the same point about don't expect it to happen tomorrow. - Yeah. - Guys say, think okay,
today I'm gonna get my cert. Tomorrow I'm gonna get a job paying a 100K or whatever 200K whatever crazy amount. There's a road, there's a journey. And if you're 17 and you
start your journey at 17, you have the advantage of age but you have the disadvantage of youth. So I mean, there's when you get older, you have the disadvantage that you've age but you have the advantage of
maturity perhaps, hopefully. So there's swings and roundabouts
as they say in the UK. There's good and bad no
matter what age you start. But I think you've highlighted
the point that it's not you're not gonna just turn that on. It's a process and you
have to give yourself time and space to get (indistinct)- - That's something that I
struggled with as youth. And that's something
that if I were to go back and talk to my younger self I wish I could beat that into my head. And I would definitely
highlight that for the folks who are early
in the process, right. That are listening right now is, you have to think in terms of paths. After the last videos
that we've done together, my DMs were also exploding with like, if I get this cert can
I get a pen testing job? If I get this cert can I get this job? And you have to look at it like a path and you have to think about what are the milestones
that you need to get to, to get to that path? A cert doesn't equal a job. I think one of the folks who DM'd me I think I told him I said, such certs aren't gonna get you a pen testing job. Hands-on experience is gonna
get you a pen testing job, right. - Yeah. - You can't get a cert that has
hands-on experience like OCP and then turn around and get
your first pen testing job. Maybe you can, maybe you get
lucky and you can do that. But you have to think
in terms of the process and the process is, get cognitive knowledge, put your hands on keyboard and then show people that you've done it. That's how you're gonna get your job and I think the same thing is very true when we talk about our 45
year olds or 17 year olds is, you've got your hands on
experience, leading businesses, even if you're a car mechanic, right. You've got critical thinking skills. You've got hard work and discipline. You've got, you're troubleshooting a car like this is coming from a nerd. If my car were to break down right now, I'm calling USAA and I'm
getting a tow truck out here and I'm taking it to like that's just not a skill that I have. And so you have a level
of troubleshooting skills that I'll never be able to
achieve in my entire life from working on a car. You should highlight that. - And can I just interject now? Sorry to interrupt you. It's funny because I
see all of these videos where the guys do physical pen testing. - Yeah. - And I mean, if you've got
skills working with cars and like you're really
good with your hands that's another whole like
world that you can get into. Isn't it? I mean (indistinct)- - Hardware hacking?
- Yeah. - You can do hardware hacking. I mean, a mechanic to hardware hacking, that's all you're close to that. If you've been working
on cars for 15 years, let's talk about getting
you a car hacking job. - Exactly, yeah. So I interrupted you
I'm really bad at that. Sorry Neal, what were you saying? - That's okay, I'm pretty sure I forgot my thought process by then. - I'm sorry. So, okay Neal, so that's great. But I think last time we didn't cover it in a lot of details. I want to push you on
it now, baseline skills. What are the foundations? 'Cause I mean, it's okay
to say I'm gonna use Nmap or it's okay to so many
use this application whatever it is to try and hack. But what baseline skills does someone of any age need to get? - I think and this is incredibly subjective but when I'll tell you
how I look at resumes when I'm evaluating folks from
a baseline skill perspective, right. And take this in the sense
of, I go back to kind of those domains that we talked about from a cybersecurity organization
perspective, right? You've got security operations, you've got security architecture, you've got risk and compliance, right. And then you've got policy, governance and policy organization. - It just assumed, we
assumed that people watching don't know all of that. So it's great if you
mentioned that in like explain the button then
tell us the skills, yeah. - Yeah, so in those four domains, if we break a cybersecurity
organization up in those four domains, right. Security operations would typically be pen testing, incident
response, threat hunting, threat intelligence, all that stuff that goes into mostly defending
an organization, right. You've got security
architecture which are your, they're your architects. So they're building, right. They're building the
cybersecurity orientation. They're choosing the technologies. They're choosing the network designs. They're investigating technologies like CASB versus some
other type of technology. CASB is a cloud access security broker type of technology, right. You've got risk and compliance which are folks who are
doing risk assessments, folks who are trying to make
sure that you are compliant to whatever regulatory body
that you're beholden to. So if you're in the industry, you've got PCI which is
the Payment Card Industry. You have to pay attention to their regulatory compliance
stuff to be compliant and organization if you're in the EU GDPR is huge as well, right? And then you've got your
governance and your policy which are very much
your strategic thinkers who are helping to guide the organization and write the policies. And so if you use those four and when we talk about baseline skills, the baseline skills when you
look across all four of those is vastly different, right? Oftentimes we get so hung
up on baseline IT certs, CCNA, CH, EDPT, right, whatever it is we talk about because we're focused in
on the technical side. But if you are in that planning
process and you're that you're looking to get into a
cybersecurity organization, maybe that baseline skill
is actually some stuff that's more soft skill. Maybe it's a PMP like a
project management cert. Maybe it's a CySA which I
probably should know about that. - I'll put the links on that last call. I thought I'll just put the I'll just put the acronyms on the video. So don't worry. You just use that. - Okay, so you got CySA
right from ISC squared, which is a very baseline soft skill compliance type certification. And so I think when you look at, when you look at those
baseline credentials those baseline activities, yeah you have to you really need
to take into consideration which path you're trying to get into and which path you're trying to take. Because I do, I think if you're on the IT side,
if you are currently
doing IT work right now you have all the baseline skills that you need to be successful in the technical side of the industry. You don't need A+ to prove
that you are doing networking or computer work or IT help
desk, or things like that. That's just a piece of paper
that says that you're doing it. We hear about Sec Plus
and things like that. Those are all just pieces of paper that says that you're qualified to do it. But if you've been working in help desk for five years, right. And you're stuck in a help
desk job for five years, you've probably been
doing all of those stuff that they would teach
you inside of a cert. So you have the baseline skillset. And that's what I would focus on is, when you look at those
entries into the career field look at those baseline skill sets whether they're technical or
whether they're soft skills and highlight those and
focus those skill sets. - That's great advice. I mean, I think what you've, what I really like about the
discussions we have is that you are broadening the discussion from Mr. Robot ethical hacking
to a much broader discussion. And you basically saying that
the industries are much bigger than people realize. And like you mentioned there's like three and a half million
unfilled positions or something. - Let me get on a small soap box. - I love your soap box, go for it. (laughing loudly) - When you look at the
mission of a company and think about some of the
biggest companies that you got whether they're overseas or
whether they're in the States, right. You've got Unilever, Abbott
Laboratories, AstraZeneca, Apple, Google. Think about these big companies. Mr. Robot, if we were to use that analogy about ethical hacking and Mr. Robot, they represent such a small
piece of what an organization like that is all about,
their cybersecurity team. But even so the Mr. Robots in those teams are there for the defense
of the organization. And so risk and compliance,
policy and governance, security architecture, right? All of those functions in a
cyber security organization, they do more collaboratively collectively in a cybersecurity organization than one Mr. Robot will ever do. And this isn't to take away from ethical. I can remember I come from that background I spent 10, 15 years in that
space doing that type of stuff. And this is coming from an ex
hacker and an ex red teamer, or an ex pen tester, you know? Yeah, it was fun to do that
stuff, and it is exciting. But when you look at a
cybersecurity organization there's so much that goes
into doing more to protect a big company than one
little Mr. Robot that's in there hacking away on vulnerabilities. That again, soapbox moment
as an ethical hacker and I was having this conversation
on my stream on Monday with a pen tester on Monday. Most ethical hackers are
so consumed with the rush of getting domain admin
or getting root on a box that their mentality is, is that if I post an organization, if I get domain admin
and root, then I win. I'm the best hacker in the world. And most organizations could care less and it's not that they suck. And it's not that they don't care about their vulnerabilities in their network, but they're a Fortune 100 company. They make $50 billion a year. One Windows XP machine that you popped. - XP I love it. - Yeah, isn't going to, isn't
gonna rattle their cages, right. You've got to start thinking big picture. And I think that that's
the mentality I try to get to whether you're an ethical hacker, whether you want to get
into space of ethical hacker or red teamer or pen
tester or a threat hunter or risk and governance is, you have to look at the big picture and not just that, that
tiny little slot of skills. That's there. Soap box moment over.
- No, I love it. I think it's really
important what you've said because there's too much
focus it seems on the, like you said, the rush of breaking in. And there's all this focus in the sort of ethical
hacking community on like, I can type faster on Linux
and I mean as you get older, it's like, who cares? It's like you said, there's a big picture. I broke into your but I'm
not so behind like you Neal. I'm using Windows eight
and T Oh, no, sorry. That's also no, no. I mean like if you break
into Windows 10 box, great. So well done, but there's
from a business point of view and that's what pays salaries. It's like you said that
there's a much bigger picture. Okay, but now I need to push you. I think we gotta, I I'll
do it in a separate video puts you about tTHcause I
want to talk about that. Let's talk about something
that we mentioned offline previously. Neal, it's fine to say this,
I've got 10 years experience managing a restaurant or a small business. You say all that stuff,
but I don't feel worthy. Can you address that? Because it's like, imposter
syndrome is a major problem. - I'm so glad you brought this up. And on the latest stream that
I did on the latest stream that I dropped on YouTube. I actually covered this
in depth because I think and I've said this and
I've taken the bold step of saying this out loud is that, I think imposter syndrome
is the mental health issue of our cybersecurity or IT community. I can't even stress enough how real it is. And I think as with any
other type of mental illness or any other type of conditions
that we've got acknowledging it is really kind of the huge key. And so what imposter
syndrome is, is really the difference between your
outwardly facing persona and what you keep internally and what you kind of internalize
when it comes to feelings. And I'll give you some
very real world examples. And I have no problem sharing
my real world examples because they are very real to me. I I've been an instructor
a large portion of my life. I built the air forces first
functional training unit around cyber. I spent years training all the hackers that went into the
National Security Agency in the mid to late 2010 and 11s and 12s before I got out of the Air Force. I was the SANS instructor for five years. I've spent a large portion of my life teaching and
educating for folks. And even after years and
years and years of being seen as an expert, and I've
got medals from the military,
done requested by name from the Federal Bureau of Investigation to consult with their cyber experts. Every time I get up in
front of a presentation at a conference or whenever
I taught a class for SANS, that imposter syndrome always hit me because you're up there being the expert. And you wonder in your mind am I still giving people
relevant information? Am I still relevant in this industry? Is any of this information any valuable or do people really even care that I'm up here saying this stuff? And so that's that imposter
syndrome hits everybody. I don't care how many years you've gotten in this industry or how it's everywhere. - Yeah. - I on my stream video that I dropped, I outlined four very specific
things that everybody can do. And this is, we talk about it
in the sense of IT and cyber, but I think there are these four things about imposter syndrome, literally anybody can apply themselves to, right. And so the first one is
reframing your mind, right? Is taking a moment to
reframe your thought process. Just like we talked about here is, recognizing that imposter syndrome, right is real and really reframing your mind around the fact of what it, don't worry about the things
you can't control, right? You can't control that you
didn't start ethical hacking when you were 17 years old right? You can't control that your life choices that your life circumstances forced you to be a store manager at Arby's, right. You can't control that. That was what happened in your life. What you can control
right now is emotionally, mentally, how you deal with the challenges that are in front of you right now. So you have to reframe your mind. The second thing I talk about
very specifically as well is, take action. One of the biggest things
that imposter syndrome feeds on, is our innate desire to procrastinate. And I'll give you a
real-world example, right? Is starting my own stream. When I had the idea during COVID last year to start my own stream, I kind of say, well let's think about this for a little while. Let's see if this is even necessary. And I could see my imposter
syndrome taking over. Well there's all these other
streamers that are doing this. You've got this streamer who's got tens of thousands of
views and he's doing this. You've got all these
content creators on YouTube that are doing this. What value could you ever possibly bring to the community by starting a stream? - And I'm glad you overcame it because now we are learning about you. - Absolutely and that's why
I enjoy talking about it. So you have to take action
when you have that thought that you want to do
something, take action. - Yeah, (indistinct) - The third thing that
I talk about as well in imposter syndrome, is
acknowledging your contributions. And this is another story like value. You'll notice this videos get
longer when you have Neal on because we talk about stories. - Well, we haven't, well, I
will just ask the audience if you don't like the videos, let us know. But I'm assuming that
based on the feedback that I've received today,
people are enjoying it. So go for it. - So the third thing, right is acknowledging your contributions. And I had an incident responder
who worked for me one time and we had a pretty significant
incident at the company. And he was at the same level as several of his peer incident responders. And at one point in time, the
incident had gotten so severe that some of the incident
responders had actually taken it to the next level. And they were reverse engineering some malware, they were decoding and reverse engineering some PowerShell
script that had been dropped onto a box. And this incident responder
was watching all of this go on. And he was like, he
was so down on himself. He was getting so far down on himself that he called me up and he was like, Neal, I just don't think
I'm good in this industry. I just can't do what it
is that these guys do. I need to go back to school. I need to take more certs. I need to do all this other stuff. He was really, really down on himself. And when you challenged him
a little bit you were like, well, while they were doing that who was documenting and
keeping the incident on track? Who is leading the teams? Who is making sure that
management was updated? Who is making sure that the
incident response process was followed? Who was the foundational structure around all these guys to make
sure that they were to get to the end and the completed
the incident response process? And when you said took a step back and looked at it and he was
like, yeah, that's actually me. That's me that's doing that. You have to take a step back and you have to acknowledge
those contributions you make, because that's that is
key to how we defeat that imposter syndrome. Go ahead.
- Go ahead. - No, go ahead. - I was just gonna say, I mean it's you go further as a team. - Right. - And I think people forget
that everyone is unique and there's no one like you and everyone can bring
something to the table. - Everybody. - If they willing to
everyone can bring something, yeah. Everybody, I don't care who you are. I don't care where
you're at in the process. I don't care if you're new to this field or you've been in this field for 20 years. I'll take new people just the same that I'll
take people who've been in this industry for 20 years because everybody brings
something to the table and that's so important. - So I mean, I'll come back to that 'cause I want to mention
some more about that but I think you've done
two out of the four. I think you- - I've done three out of the four the fourth one, the last one. Yeah, the last one is keep pushing, right. I know it's easy. Again, we talked about at the
beginning of the video about, the process of getting into cybersecurity. Your process is long, right, in this career field, and you
just have to keep pushing. You have to keep pushing mentally. You have to keep trying,
you just have to keep at it. So I think those four things
just to re highlight, right? Reframe your mind, right? Take action. Acknowledge your contributions and keep pushing. Four simple steps that
anybody can do today to address their imposter syndrome. - I think that's great. I mean, you go through this in more detail on your YouTube channel. So I'll put a link below if that's okay. - Yeah, absolutely. Please do. - So yeah, go and have
a look at Neal's video if you want to get more detail. Neal, I think we need
to just address this. It doesn't matter who you are. It's funny people have this feeling, I'm too young to do something. Now I'm too old to do something. It's and no matter what
point in your life, someone's going to say and
don't listen to the haters, is what I like to say. - Don't listen to the haters.
- Yes. - Because the haters will
say, you're too young. You're too uneducated. Like in my example, I speak funny because I don't have an American accent. - Of course. - I'm from the wrong side
of the tracks or whatever. Someone's always gonna
hate you for something. Ignore those people because everyone can bring something to the table. We kind of mentioned it before. So I'll just go on my
high horse here as well. Is that, if you younger your perspective of the world is different
to someone who's older. Like my age, I have to try
and reframe my paradigm if you like, or the way I see the world to understand what someone
sees the world like when they 16 or 17. But you if you that age
can talk to people your age in a way that I can't. I mean, I can't dance on TikTok. I mean Neal, we were talking about TikTok. You and I on TikTok,
it's not going to work. So that's not something that
I'm gonna try and attempt but like a 17 year old could
do that and do it really well. But what a 17 year old perhaps
can't do which I can do is bring experience, bring knowledge, bring all the war stories that I've got. And I don't want to
sound like one of these. I love it when the young people say, Oh, the boomers who say that
they've they walked barefoot to school in the snow, walked
five miles or whatever. You don't want to be like those people but you can bring a level of experience that perhaps a younger
person doesn't have. So it's not about you're too young, you're too old, you're too different, I think everyone can bring
something to the table. - So I'm gonna, I'm going
to pull my soap box right up next to yours on this as well because I've got one for this one as well. And I talk about this pretty extensively. I'm pretty open about it. I've actually, I've written an article about this on LinkedIn
and about the toxicity inside of our cybersecurity industry. Now that one was geared towards
something that had happened around some of the security
conferences here in the States. But I do think there is a lot
of toxicity inside of cyber and in some cases probably
also the IT space. And I think that those
toxicities exist from folks who do think that like,
if you don't have CVEs, you're not good enough
to be in this space. You've got, you mentioned the boomer thing and the war stories, when you've got folks
that are in this space that their egos want them to be like, well I walked uphill to school
in snow, 15 miles every day. So therefore you should do it. And instead we'll look
at and be like, well no, I got a four wheel
drive car in the garage. I'm just gonna get in that and I'm gonna go to
school and that, right. We've got too many people in the industry and in their egos are at all levels. And what I don't think
a lot of the older folks in this industry realize is that their egos are also translating into egos of some of the younger folks. And that just breeds that
toxicity inside of our industry. I rail on OffSec for
this pretty extensively. I think that their try harder mentality, started with the best of intentions but they let the toxicity of
the cybersecurity industry and I've taken Pentesting with BackTrack, I've taken Pentesting with Kali. So I've taken two OSCPs in my career. And I stopped going into the IRC channel because of the level of toxicity. It almost became a hazing ritual
and whatnot to go in there. And it didn't matter how
much effort you put into trying harder as they put it. You could ask the most
intellectually sound background founded question inside their IRC channel. And you'd get somebody out
there who was like, try harder. They didn't even read the question. They were just like, try harder. And I think that that try harder mentality and I talk about this
extensively on my stream and on my YouTube videos
that try harder mentality has created a level of toxicity that stops the younger
people in this generation from looking at things in our perspective and it stops the older generation from looking at things
in the youth perspective. - Yeah I mean, it's being
stuck in your paradigm, is a massive problem. It's difficult to sometimes look past what you've experienced and you need to. You need to try and understand where the other person comes from. But now let's let me give you
a difficult question, okay? So you've mentioned two
opposing things here. So let's put you in
the middle of the fire. - Go for it. - People who don't feel they worthy and people who are arrogant, how do you keep a balance between realizing that you're good enough, but not coming across as
and I can say BBB arrogant (indistinct) - That's a really good question. And I think that that
comes with maturity, right? I think that that's a maturity thing. I think you, and again I want to make something
really clear, right? Arrogance and ego are different, right? I know what it is that I know. I know what I've done in my career. You know what you've done
in your career, right. You know what you're good at, right? And there's a there is
an arrogance that comes with what it is that that we've
accomplished in our career. But I'm not out there
whenever somebody says, hey, I obviously my DMs have blown up since our last couple of videos and folks who have generally said, how do I get into this space? Or how do you help me? Hopefully, nobody who's
received a DM from me has gotten a try harder. When I responded to that DM I've tried to always outline a path and give you an idea that's there. And I think that it's part
of that mentality shift that as you mature, and you
look at who you're talking to that you put yourself
into their positions. If you're in this industry, you are viewed with a certain amount of clout that people who want
to be in this industry have when they look at this industry. And so you have to put yourself into their position and say, if I were back in that role, if I were getting back
into the cybersecurity for the first time,
and I had this question would I want somebody to
tell me to try harder or would I want somebody to
say, well, did you try this? Or did you try that? Or have you looked at this as an option? Or have you looked at that as an option? We have to stop thinking
that because I walked uphill in the snow, miles, both ways. Yeah. - You are too young for that. - Too young for that, right? You just, but just because I did it doesn't mean you have
to, the world's changed. And so I think that that's
the difference between being confident and arrogant
in what it is that know and exuding a level of
egotistical toxicity that that makes the industry hate you. And I would actually encourage and again I go back to my four things
on imposter syndrome. Number three was acknowledging
your contributions and part of acknowledging
your contributions yes, it's taking pride in them. Taking pride in the certs
that you hang up on the wall and the military awards
and things like this that you've gotten throughout your career, take pride in those things. Right. But in every video that we
have, I'm not saying, well I'm certified this, I'm certified that I've got 14 different medals
of honor and things like that. It's take pride in it, but
don't let that consume you in a toxic manner. And instead, take that and say,
I want to share it with you. And here's how I think it's
best for you to accomplish that and achieve the exact same
things that I've achieved. - Can now, now I'm
going to push you though because other side of the coin, yeah. On my Discord I see this many times, so on my Discord and on the
DMs and on YouTube videos, you can you get comments. There's the other side to this where people don't make
the effort themselves. It's that whole thing. Let me Google that for you. - How do we contend with the
people who just don't know how to Google that themselves? - Yeah, it's like, how
do you encourage someone to help themselves? Because I think off the
half the thing I've learned over the years is that the,
my ability to use Google is probably one of my top abilities. Because if you know
how to find information you're at a huge advantage. Because you can't
remember every, everything you can't know everything. You just need to learn how to find it. So how do you as an older person, like you your DMs are blowing up and
I'm sure you've had this issue. It's like that guys will ask questions without making the effort themselves. So what would you say to, how
would you handle that kind of situation where someone is, I get this from my Discord moderators. The guys want to get into ethical hacking, but they don't have a good foundation. And that's why I was telling you what kind of foundation do you need? It's like, you can't use Nmap. If you don't understand
what a port number is. - Right. - Or an IP address. You've got to put in the work I think is what it's gonna boil
down, to how do you handle- - No, that's a fantastic question. And I and I'm I wanna answer it kind of in two different ways, right? And kind of it's this, isn't a deflection. I'm going to get direct to
how I specifically handle it but I want to set a
foundational answer for this. I think as an industry
and as a cybersecurity cultural entity, we have
failed in our videos and our content production
in our mentorship, in our education, in our ability to talk about the things that
we love in our industry. We failed to teach critical thinking. Instead, what we've done is we've said if you don't have critical thinking you don't belong in this industry and boom we're right back into that toxicity. You can't go out there. You can't find a video on Udemy on how to develop critical
thinking in ethical hacking. You can't find an ethical hacking video. This is the first step to being an ethical hacker
is critical thinking. And here let me teach you how to do that. And then even if that's, of
course, you're going to cry. We could talk about that. Maybe we'll do another collab
on undoing that course. But to your point, I mean I think lesson number one is let's talk about how to use Google and let's talk about the value of Google. And so I don't I think
we've gone straight into, I want to be Mr. Robot, teach
me how to use Nmap, right. But we have failed to teach
the folks who are coming up in this industry, that critical thinking. And I carry this back over
to old dog new tricks. We said we didn't have
Google when I learned how to build my first password
brute forcer in BASIC. And so since I didn't
have Google and you do, you have no business asking me how to write a password brute forcer because you can just
go to Google and do it but we haven't taught
people how to do that. So I think that that's I think that's a failure that
we need to acknowledge first. Now second more direct to your question, it's it I I'm not gonna lie. It's a lot of patience, I think it's you have to have patience with people that are out
there and it is frustrating. It is and I wouldn't
be honest if I weren't, if I didn't sit here and say, hey, how do I get into pen testing? And it's like well, I just
did a collab with David that had no here's how you get
started at ethical hacking. And you're asking me how to get started in ethical hacking. And so it's more about working
with those people and say, well, let me ask you, right? Think about the questions
that you ask them. Don't say, well I just
told you how to go do it. Instead look at the comment and be like, did you go do this first
step that I did over here? You saw, you came to me
because you saw David's video. And I gave you an outline on
how to go be a pen tester. And you're asking me how to be a pen tester. Or did you go watch David's video? Did you consume that content? Did you start to work on those
three things that we talked about inside of that video? And so I think you have to help people down the path and you have
to lead that horse to water if you will. Some people, they see
the content, they like it and they want to reach out to you because they want your specific take on it and you should actually feel humbled. And you should embrace that they want your specific take on it. I'm a flip that you
talked to me about this when in kind of our greenroom
site type session, right. Is maybe people want to
hear specifically from you. They don't want to hear what
you told 400,000 other people. And so apply a little bit
of that humility to yourself and be grateful that they
chose you to ask for that and say, let me help you. I'll help you get down here, right. And I find that, that
that's, what's lacking is is some of that compassion,
some of that patience. And then you're a hundred
percent right, David there are just people who
no matter what you do, just can't figure it out. And to those people, I would
say self-reflect on yourself and ask yourself, why are
you having such a hard time doing something as simple as
what's being advised to you. You've probably watched a hundred videos on how to get into ethical hacking. What is stopping you from
taking the hundred pieces of advice, that you've
gotten in your video. And I think that, I think you
do have to take some ownership and own that yourself. - Yeah, I think that's really important. I mean, I like to harp on about this. We on soap boxes today. If you are responsible for your own life don't abdicate the responsibility for your own life to someone else. If you have responsibility,
what say with great power comes great responsibility type
thing is you're responsible for your own life. You can't change the past,
but you can change the future. And a lot of people are in
very difficult situations but what are you gonna do with who you are and where you are? Because it's amazing when people complain there's always in the back of my mind do you realize that there's someone who's in a much worse position than you and they've actually done something. So if self-pity is the destroyer
of dreams I like to say. If you feel sorry for yourself and you don't take ownership for yourself you might as well stop because
that's what you need to do. You need to take ownership yourself and you need to stop
feeling sorry for yourself. Just go to Africa and you very quickly realize that, just us having internet
connectivity and having access to our computers is a huge advantage. But I'll get off that soapbox for now. - Let me piggyback just
not so much on a soapbox, but I wanna kind of talk
about that a little bit when it comes to people
in hardship positions. And it gets back to what
you're saying, right. Is you do have to take
some responsibility. There was one, I remember
specifically several, I remember I it's hard
to remember all the DMs but I do remember one very specifically. There was a kid who was working for a big four consulting
company that had messaged me after our last video. And he was, you bring up Africa. He was in Africa and I don't want him to be
singled out and or anything. So I'll just kind of
leave out abroad of that. And he was talking about
how the culture there was it was a certain way
that it was really hard to get into cybersecurity. And he was taking
responsibility and he was like, what can I do that's above and beyond what I'm doing right now? And that's an example where
I took his hand and I said, let me help you get out of this
area where you're worse off than say somebody in the
UK or the US or Australia where we've got tons of to
your point broadband access. We've got access to
consume hours and hours and hours of YouTube content
without having to worry about our internet getting shut off. And I put him in contact with some folks that were pretty high up in this big four who could also help him get
out of this tough situation. And I think that when you
talk about to your point, people who are asking for help it is the responsibility of
us, people who come to us and are looking up to us
for our advice and our help to help make that responsible decision. That's like are you just too lazy to take responsibility yourself? Or are you truly in a hardship situation? And how can I truly help you get out of that hardship situation? And I don't think enough
people in IT and cyber security really do that. - And Neal, this is we're
gonna have to end off 'cause we this has got really long. But Neal, this has been, this is something I've been wondering that during this whole conversation is you've got on your shirt,
keep calm and what? (laughing loudly) There you go. Everyone who was wondering
what it was about. Go on. - So they don't sponsor
me at all on my content. They're just that they're a
company that I very much plug in and talk about every time
I every chance I get. Zero Day Clothing, Zero Day Clothing if you're a nerd and
you like cool shirts with cool little nerd slogans
and things like that on there you can go to Zero Day Clothing
and look at their stuff. They've got all sorts of they've got cute (indistinct) to QoS all packets are equal. You can see the logo up
here right here in the back for Zero Day Clothing. They do has to do shirts. They do backpacks, everything else. And they've got some, they
got some pretty cool stuff. - So I'll put a link below
if you can't find it. But I mean, that's fantastic, Neal. Once again really want to thank
you for sharing your wisdom and I think it's good that
you get on your soap boxes because you addressing issues perhaps that other people avoid. And it's funny there was
someone on one of the, on one of one of our videos that said, I can guarantee you that
this guy has never worked at the NSA. It's funny when people say that because the point is that
you've got all this knowledge, you've got all this experience and you can talk from that vantage point. So thanks so much for sharing your experience and knowledge. - Thank you and I'll do it anytime. And again, I people who say that, there's always gonna be haters out there and it's like you said
earlier about the comment and here's the thing. I I'm cool. I know you exist out there. I hope you feel better about
yourself for hating on me. It doesn't really affect me. - You gotta ignore the haters there. - Yeah, exactly. Like cool story, bro. You can still catch me on my channel. You can still catch me on my YouTube. I'll still tell you
everything that's in my head whether you're gonna hate on me or not. - That's exactly the right attitude. So Neal, thanks again. - Thank you, David. (gentle upbeat music)