- This is what I (laughs)
I'm laughing now. This is-
- Get on your- - No, no, I can't, I can't. Oh, God! - Come on. Get on it.
- So. (energetic music) Hey, everyone, it's David Bombal. Really excited about this,
back with Neal Bridges. Neal, it's been years since we met, man. So.
- Wow! (Neal laughs) So I think we need to talk about that. How did we meet? - It's been a year. It has been a year. I cannot even believe
that literally a year ago, Richard came to me and said,
"Do you know David Bombal?" And I said, "I have no idea who that is." (Neal and David laughing) I felt really bad. I had no idea you were. And- - That's okay. - He was like, "David's done some courses for us in the past." You did some Cisco courses,
I guess, for INE in the past. - Yeah, like one course, yeah. - Like one course, yeah. He was really impressed with you, and I was like, "Yeah,
I'd love to meet the guy." And I remember you and I
getting on the conversation that first time and we just,
we hit it off just like that. And it was just, I could just tell that there's
this like instant chemistry of us being able to just sit
down and chat with each other, and I don't even remember
what we were trying to talk about during that conversation, but I know the next day you called me up and you were like, "Hey, INE, aside," 'cause I wasn't working
for INE at the time. INE said, "Do you wanna
do a video together?" And I was like, "Yeah, duh, I'd love to do a video with you." I was so impressed with
the quality of production and I was so impressed with
just the conversation we had that I was just humbled. I was incredibly humbled that you'd asked to do a video with me. I thought it was awesome. I don't know what your impression was. (Neal laughs) - No, no, it was great,
'cause I remember at that time I was looking to give advice for people entering, 'cause
I got all these questions, and I wanted to find someone,
and you met all the criteria: someone who's very experienced, someone who can give a very clear roadmap, and we created that first
video about a year ago. I remember it was hilarious because we met on the, I think it was a
Tuesday evening, my time. - Yeah. - Then I sent you some
messages or something, we communicated, and then on the Wednesday we had an interview, and
then on the Thursday, we published that first video. It was great. - It was. And I think that you
mentioned the helping people. And I think that that's
something that you and I share in common, right? Is that we have a mission to
try to bring as much visibility and education and awareness
about topics to everybody that we can. I have got to say that INE has
never ever paid you a dime, but the fact that you have
allowed me to come on this show on your stream, on your
YouTube channel multiple times, allowed me to talk about not just myself, my career, what I've got going on at work, this was before I was at
INE, when I've been at INE, I couldn't even be more grateful to you, just because we share
this common goal of trying to make people smarter and give them as much education as possible. And listen, it's been a year. I can't wait to do more with you in '22. - I'm looking forward to it. - I wanna thank you from
the bottom of my heart that you've been a really great friend and a really great
partner and collaborator for the last year, and I can't wait to do more
stuff with you this year. - Great, Neal. From my point of view, it's so hard to find
someone who can articulate and is very knowledgeable
and knows what to do to help so many people. And I know you've spoken to
a lot of people individually. You have a YouTube channel
and I'll link that below for those of you wanna get a
lot more information from Neal. It's been fantastic, just to
try and extract your knowledge, to help people who are starting out. And I will, I will put a disclaimer, I did create a course as
we mentioned, for INE, so I have received payment from INE for that course in royalty payments. But yeah, it's important to
say that INE have never paid me for any advertising. These videos are just you
and I trying to help people. - Absolutely. - So let's get to it. - Yeah, let's do it. What knowledge would you
like to extract today, David? - No, we need to get comments below. What do you want me to ask Neal in 2022? (Neal laughs) But for me, beginning of 2022
now, in the beginning of 2021, I asked you, "Neal, what's a roadmap?" And you articulated that really well. So I've interviewed
John Hammond and he kind of like surprised me with his sort of take on what people should do,
but I wanna get your opinion. Have you changed your
opinions since last year? Or can you give us Neal's three things, or whatever it's gonna be this time? What should I do if I wanna get into? - It's hard to tell if
they've changed or not. This year has been an interesting year, and we've now been on the second side of the COVID argument, right? Or year two of the COVID argument. Would I say that my opinions have changed? Maybe a little bit, but they may be, may
just be different takes on the same ideas. Let me let's talk about it, right? So let's get to the brass tacks, right? Three things that if you
wanna be in cybersecurity, that I think you need to do
in 2022, if you didn't do them in '21, you can carry over and do a '22. If you're hearing this
video for the first time, you can do them again in '22, right? So first and foremost, networking, right? I have seen so many
people in the last year since you and I did, since
you and I literally out of thin air created the 1,000 Connect challenge. - Yeah. - 1,000 Meaningful Connect Challenge, I've seen so many people
become so incredibly successful by doing the 1,000 Connect
Meaningful Challenge, so much so that I put a video together that actually articulated steps to do to make meaningful connections, and I wanna harp on that because apparently there's
some people out there that got the wrong
impression, that thought that we were just chasing numbers with that 1,000 Connect Challenge, and it's always been about
finding meaningful connections in a space that you wanna be employed in, and becoming friends with them, making those connections
meaningful as you're participating in this journey towards cybersecurity. And so my number one thing, and I believe that more now in
the last year that we've got a year's worth of
experimentation under our belt since we talked about this last year. - [David] Yeah. - Networking. And I mean using LinkedIn
to your advantage to work the system to get
you into this career field. I think the second thing, right? That I would talk about
that if you wanna get into cybersecurity is
do the free stuff first. There is so much free
cyber security training that is out there. I think one of the things that as I harp on it more
and more throughout the year when I talk about it there
are people who are like, "Neal, do I have to have this cert? "Do I have to have this course? "I don't have the money to pay for this. "Can you give me a free
Try Hack Me voucher? "Can you give me a free INE premium pass? "Can you give me free this? "Can you give me for that?" They wanna ask you for
the stuff that's paid for, they wanna ask you that for free, but they haven't exactly gone out there and done the free training
that is available out there, whether that's INE Starter pass, whether that's watching YouTube videos on different types of
tools and techniques, whether that's taking,
watching for all the giveaways that you do, all the giveaways that I do, all the giveaways that
everybody else does, that's out there. That's
a content creator, whether it's looking for that, they're not actually going
out there and looking for actively participating
in that free stuff. And so my second thing is
if you wanna get a career in cybersecurity, you need
to be out there taking the free stuff. There's so much free training out there, there's no reason not to do it. I think the third thing
I would still say, well, this is a tough one because
now like I had that third thing in my mind and then like
another one rushed in and said, but wait, Neal, wait,
Neal, I wanna be third. I wanna be third. - We can do four, it doesn't matter. You can expand it. - I'll stick with my third one. I think my third one is still
getting the hands-on stuff. Now I, my definition of
hands-on has changed slightly. And this is a video that I wanted to do. I'll kind of give a preview for it here on your show and kind of talk through it, but I talked last year, I think it was about getting your hands on stuff with the Try Hack Me, the
Hack The Box, the RangeForce, all the different types of
programs that are out there with getting your hands on the tools, the tactics, techniques,
procedures that come along with cybersecurity, whether
it's Red Team, Blue Team, whatever the case is. A question that I get asked frequently on my stream talks about
getting the hands-on experience. And I actually demonstrated to
folks on my stream one time, how easy it was to go
to bug-bounty platforms, like Bugcrowd, like HackerOne, and actually sign up to
be a security researcher or bug bounty hunter for those platforms. And they're like, well, "Neal,
I'm never gonna get paid because I'm never going to find a bug." And I had to remind people, I'm like, "But you're pen-testing
real organizations. You go to HackerOne, you're
pen-testing real companies. Just like any other pen
tester, you may not find a bug. You may not find a vulnerability, that just makes that pen
test an unpaid pen test." - Yeah. - But there are ways that we
can hack the LinkedIn system so that you as a security researcher can put your bug bounty
experience on there to show that you do have experience, actual real-world working experience doing penetration testing,
that doesn't require you to, whether you're a fresher or whether you're an entry-level person, whatever the case is, doesn't require you to get that first job that
requires two to three years of experience from those
really terrible job postings that we see. And so I think that that if you're looking for, if you're looking for three, I think that those are three
things that anybody out there in the world, if you
call yourself a hacker, if you want to be a hacker, if you want to be in cybersecurity, those are three things that
whether you're Red Team, Blue Team, you can do
those three things today. You don't have to wait until next week, you don't have to wait
until the next giveaway, you don't have to wait
until David's next video or my next live stream. You don't have to wait for anything. You could literally do those things today, and that is the easiest
cheapest, most effective way to get started in cybersecurity. eJPT from INE. - [Neal] Mm-hmm. - Some people have said
that's not free anymore. Is that true, and is it still free? These starter passes? - So Starter Pass is still free. Starter Pass is still free. eJPT, which is the
certification that comes from Pen Tester Student, so Pen Tester Student is
the content that's free in the starter pass, the
eJPT is the certification that you get once you take
the PTS, that is not free. That is $200 as of now. But the content that you
need to take is free. Now, before you go on that, I wanna make, I make
that distinguishing point because one of the concepts
that I struggle with, right? Is this concept of certifications. If I learned something today
and I take a cert tomorrow, I think it is highly unfair
and inaccurate to say, you didn't gain that knowledge because you didn't pass the cert. A cert is a trophy that's
in our trophy case, and it should be something
that helps give you validation, whether that's to yourself
or to an employer, that you gained that knowledge. But that doesn't mean you
didn't gain that knowledge. Some people can't take tests. Some people get test anxiety. I for one was a terrible test
taker coming up this school. And so there's a misconception
that I think when I talk to people about this,
it's like, well, Neal, I still have to pay for the eJPT. Yeah, but you can get
the knowledge for free. And so one of the things
I like to remind people is you should chase knowledge, not certs. If you chase knowledge,
you will find a job, you will get into this career space. You will be meaningful
as a content creator or as a contributor to this
community by gaining knowledge. The same can't be said
for chasing the cert. - I mean, the problem with
a cert has been anyone who's done an exam at any
point in their lives knows that once you've done that, you often start forgetting things very, very quickly once you get that cert. So, okay. So you've got the starter pass on INE. That's a good place to
start, is that right? So if I was starting and
I had zero knowledge, would you recommend I
go there or do I need to get something before I go there? Maybe I might find the security path on INE Startup Pass difficult, is there something else that can help me with like basic knowledge
or what would you suggest? - So there is some basic
knowledge on the starter pass. So when we built starter pass, right? We built starter pass with
the idea that if you wanted to get into IT in general, you could go to the starter
pass and you could play around with the different concepts
that INE teaches, right? So we have networking curriculum, which you've been a part of, we've got cyber curriculum now,
we've got cloud curriculum. We've made some strategic
acquisitions on the cloud side. We're about to release our first cloud certification for that. We got a huge drop that's
going to happen in January. Everybody's gonna be excited for that one. We've got data science that we're delving into to
development programming, right? And so the idea behind starter pass is that you can kind
of go and you can play with these topics, these,
I don't wanna call them entry-level topics, but
these topics that are kind of at that foundational level of the content, to kind
of see where you're at, what you need to learn, is this a topic that you're interested in? And by the way, is INE a
platform that you can choose to learn that topic from? And so what I'd say is that
if you go to start pass, you're gonna get some networking basics, you're gonna get some programming basics, you're gonna get some
cybersecurity basics via the Pen Tester Student, you're gonna get some cloud basics. And the idea behind that is you can kind of test out the instructors,
you could test out the content, you could test out what
you do and don't know, and you kind of progress from there. To answer your question more specifically, I struggle with the, is
there something I should take before I go to the starter pass? And my style of learning
may not be different than your audience's style learning, so I'm gonna explain
this from my perspective when I think about my
style learning, right? - Yep. - I very much believed that I need to dive into something and figure
out what I don't know so that I know where to go from there. Right? So recently I started to move a lot of my
Honeypot infrastructure, a lot of my web infrastructure
out of DigitalOcean and over into AWS. And this is not a plug
for DigitalOcean or AWS. This was, I've been preaching cloud for well over a year now, my shows, and I've decided that I
needed to eat my own dog food and start putting a lot of
my infrastructure on cloud. And so I pulled my stuff over to AWS. I knew nothing. I didn't go take a course. I didn't take ACP. I didn't go take Amazon's
Architecture class or anything like that, I just said, "I'm just gonna start building
my infrastructure in Amazon the same way I would try
to build it in DigitalOcean, and I would see where the path took me, and I would try to solve those challenges as the path took me there." And so the biggest, I say
that to give a comparison to students that when they ask me, "Should I take some of
them to go take eJPT or Pen Testing Student?" The answer is no. No. Because from my perspective, you should go take what you're
interested in at some level, that way you can start to
figure out what you don't know, and then you can then
reverse-engineer what you don't know and go find the content that helps you fill in
those knowledge gaps. Like I don't think A+, Sec+, Net+, I don't think those are
good entry-level certs. Right? Because I don't necessarily
think that you by default need to take that cert to be
good for cybersecurity. I think you should go
do Pen Tester Student. And if you don't know
anything about TCP/IP, then you should go take the
millions of free videos. They should go take your videos, David. Right? - It's a lot out there. A lot's out there. A lot's out there. - And learn about TCP/IP from that. Right? But I don't think you
should invariably assume that nobody knows anything about TCP/IP, because what you may learn in ICND 1, I don't know what it's called now, but. - CCNA, yeah, CCNA. - Yeah, yeah. Yeah, yeah. You may not need all of that information to be in cybersecurity
regardless of what job you take. - So that's interesting. So you're saying, like
if I starting today, I'm gonna go and register
for the startup course, take the cyber security course that's free on INE, that will
quickly tell me where I need to spend more time learning stuff. Like if I'm asked to
configure an IP address and I don't know what that is, then I need to go and do
Network+ or something else. If I'm asked to type commands in Linux and I have no idea what I'm doing, then I need to go and
get like Network Chuck's Linux course on YouTube, or go and watch free
Linux video somewhere, learn a bit about Linux. So you're saying use that
as sort of a measuring stick of my knowledge, and then from there dive into something else, yeah? - Yeah, yeah. And I think, and remind everybody, right? Most people who wanna
jump into cybersecurity want to be hackers. Hackers love to solve problems. Like that's the whole reason
that the term was coined. That's the whole reason
that this entire movement about the critical thinking
and the solving the challenges has played out over the years, but most people don't wanna solve their own challenge of learning. What they want is they want
somebody to give them a roadmap. And while I'm all about
giving you a roadmap for your career, there is a piece of the mental puzzle that we have to unlock
together to get you there. And so what I think is INE Starter Passes, that mental critical
thinking unlocking mechanism, super magical unlocking mechanism, if you will, whereby go
and take a piece of content and map, right? And you're asked to put in an
IP address and you're like, well, it's 192.168.1.1, I don't know what that IP address is, I don't know anything about IP addresses, I should go find a course on IP addresses. And then you go to YouTube
and you take the free stuff on IP addresses, or you go over to INE, you take the network stuff that's in the starter pass on INE, or you go to Network Chuck,
or you go to David Bombal, or you go insert any creator here who's got free content
available to teach you about IP addresses, because
IP addresses has been around for older than you and I, David. Right? (David laughs) - Exactly. And we're old. And we're very old. - Yeah. And so it's like there's no
shortage of free information about that stuff that's out there. So why pay somebody for
that type of knowledge when it's free? Come back, now IP addresses,
let's go do Metasploit. Ah, you don't know the
basics of Metasploit? You don't know the fundamentals of Metasploit? So you can't do that particular exercise in Pen Tester Student? Cool. Go watch the plethora of
free Metasploit videos, 'cause there's, this is what
I (laughs) I'm laughing now. This is-
- Get on your- - No, no, I can't, I can't. Oh, God - Come on, get on it. So people like to believe, right? That if I take a
Metasploit class from INE, or I take a Metasploit
class from CBT Nuggets, or, and this is not me
bashing or promoting any other training
vendor that's out there, whatever, that I'm gonna
learn something so special and so unique. And I have to remind people
that Metasploit has been around for over a decade now. - Yeah. - There are so many free
Metasploit videos that talk about almost every possible
thing that you can do inside a Metasploit. - Now I'm gonna interrupt you right now because there's a new content
creator that I respect and a lot of us respect that's just joined your team. Can you tell us about him and shout out to his channel as well? - Yeah, Alexi, yeah. Alexi made a. We were obviously trying
to make, we're making a huge investment on an Instructor Cadre. Red Team instructors, particularly. We reached out to Alexi. He showed some interest in, wanted to come and join the INE team. After chatting with him,
his vision and views and desires aligned very,
very much with ours. He's a brilliant content
creator and yeah, absolutely, when we got to the, to the,
we brought Alexi over, and I have to say that it's
been absolutely amazing to have him on as a content creator. And it's always awesome to
work with content creators that are passionate
about creating content, but also share your view about learning. And he just got done recording probably about, I think it's
eight to 12 hours worth of Metasploit content alone for the new, for the brand new version
of Pen Tester Student that's going to be coming out soon. And while I'm not gonna say that you're not gonna find
that content anywhere else, if you like his style, if you like the way he explains things, if you want to see how he has
used it in real-world pen tests, sprinkle in some of
Josh Mason's influence, my own influence and things like that, then I think that that's the reason why you would go take courses
from a content creator like that because you like their style, you like the knowledge
that's in their head, you wanna see that knowledge
put out onto some content that you can digest, but I'm not gonna say that,
like you're gonna learn how to use some super lit
sauce secret narrative that, of Metasploit
that is only uncoverable through this video, and I think anybody who tells you that, I think that that's the sign of content that might be blown out of proportion. - Yes, he's got so many
videos on his channel anyway, so I'll link that below as well. Go and have a look at
these videos as well. There's a lot of free stuff out there. So your advice, free content. The good thing about starter
pass is it gives you kind of like a structured path rather than just random YouTube videos, and you can jump off that to topics that you're not sure about. Neal, it's very surprising
because you last time, made a big, or put a big
emphasis on like Hack The Box stuff like that, and now you kind of like, I'm not saying downplaying that, but you're like not
emphasizing it as much. Why is that? - I think that there's still
value in hands-on training. Absolutely, 100%. I think in this day and age, you can't be marketable
without hands-on experience. - So Capture the Flags, yeah? - Yeah, Capture the Flags,
Try Hack Me, Hack The Box things like that. I think what I've realized
over the last year is that there is a next level that we can take that hands-on piece to, and that's why I've been an
advocate for people going to HackerOne and Bugcrowd is signing up and being bug bounty hunters
or researchers there. I've given talks on my stream
about gig work via some of the big four consulting
companies that are out there. And I think that I've taken
the hands-on experience piece of it, I think everybody's
gotten the message over the last year. I think you and I succeeded, high five. We succeeded in telling everybody that Try Hack Me, Hack The Box, hands-on stuff is incredibly important. For '22, if I were to,
to enhance that message, I think the enhanced message is there are opportunities
for you to find unpaid work out there, gig work out there that I do think gets you experience when you figure out
how to hack the system. - In other words, you
still do Capture the Flags, but you don't just stop there, you go and do bug bounty, you
basically provide services. Hopefully you get paid for some of that, but if you're just starting out, you're not gonna resign your job. You're gonna do this part-time and that's how you're
gonna get experience. So that whole thing
that we've said before, the chicken-and-egg thing, how do I get experience
without experience? This is sort of a way to get
proper real-world experience without having to go through a gatekeeper to get that experience. Is that right? - Absolutely. Absolutely. And I'm not trying to say
that the hands-on stuff through Hack The Box and Try Hack Me, I still am an advocate for that and I still am an advocate for
putting that on your resume and I'm still an advocate
for calling that experience. As a matter of fact, if that works for you and
that's the level of commitment that you commit to, totally approve. But I think if we're
looking for, like we talk about threes, right? Neal's, what's Neal's threes for this, Neal's threes for that? There's a good, better, best. I think we taught everybody
last year that this was good. If you did Try Hack Me,
Hack The Box, that was good. I think what I think would like
for '22 to be for you and I, David, is to talk about some of the better and the best ways. I think a better way is you need to start putting yourself
out there for some of these. And again, I'm not an
advocate for unpaid labor. This is not Neal, out that you should take
unpaid internships, right? But sometimes there are
sacrifices that need to be made. And if you really want to solve that experience problem, there are opportunities
out there for you to solve that experience problem. Hopefully you get paid, but if not, I wouldn't turn my nose up at it. I've elaborated a little
bit more on my definition of experience, especially
on the Red Team side. This is a little bit harder
to do on the Blue Team side, but on the Red Team side, for folks who are trying
to get into pen testing, it did amaze me, the more I answered this
question over the last year, the more I realized that
people just weren't aware that their definition of
experience might be slightly skewed versus how to manipulate the system to recognize that experience. And I say that very intently, right? Because we talk, we love to be hackers. We all wanna be hackers, but we're afraid to hack the system. Right? My 1,000 Connect Challenge
is a way to hack the system. Right? And I do that very intently. I think signing up for bug bounty programs like Bugcrowd and HackerOne where you can immediately gain access to pen testing opportunities
under the guise of doing the bug bounties for a company like Bugcrowd and HackerOne, as long as you're following
the rules that are laid out, the scope that's been provided
for you in those platforms, I'm not advocating for
doing anything out of scope, but that is effectively a
structured apprenticeship in doing unpaid web
application penetration testing by doing those bug bounty programs. And again, back to free resources, there are tons of free resources
out there that teach you how to run certain automations, look for certain API vulnerabilities, look for certain web vulnerabilities. And I speak especially to the pen testers that are trying to fight
that experience side, because I do think it's harder
for pen testers than it is for Blue Teamers, and I'll kind of expand upon
that one here in a little bit. And so I found it
surprising how fewer people could think outside of that
box and start to pursue that bug bounty stuff. I do think that the bug
bounty stuff is still valuable for Blue Teamers, because I do believe
that Blue Teamers benefit from having the education of
the adversary of the Red Team, of the attackers. And so I do think that if you're not sure where you wanna go, if
you're definitively sure you know you wanna do pen
testing and Red Teaming, if you think you want to go Blue Teaming, I would still advise that
route because it's good to have that knowledge
to those adversaries when you go into that Blue Team job. - There's a few things
I wanted to ask you, and I'll put a menu
below so people can jump to the specific topics. I wondered, last year, I asked you, and I wanna ask these kinda
important questions again, is it necessary for me
to give up my job and try and study full-time to
break into this field, or can I do it part-time?
- Absolutely not. - [David] Yeah. - You can absolutely do it part-time. - And these bug bounty
programs are part-time. Is that right? - Absolutely. Absolutely. It's I would never ever
advocate for somebody to quit their job to pursue a
new career in cybersecurity. Cybersecurity is hard. There's a supply and demand
issue in certain career fields, and in cybersecurity, I speak frequently about
the supply and demand issue on the pen testing side, right? There is more supply of pen
testers than there is demand at most companies for pen testers. Like it or not, that is
just the reality of it. In the hierarchy of cybersecurity defense, pen testing represents such
a small actual practicum of the overall enterprise
cybersecurity defense model. Like it or not, that's the way reality is. And so I think that if you're trying, if you really have your heart set on doing the Red Teaming stuff, you
should absolutely not quit because you've got a higher
mountain to climb than folks on the blue teaming side. Blue Teaming, GRC, anything else that's not basically pen testing, you've got a higher mountain to climb. And so I don't think that
you should quit at all. I think all the things that
I recommend are all things that you can do in your own time. And I think that that's a, I
wanna kind of make a mention of that, right? People are talking about like, well, you should be doing that anyway. Cybersecurity is the type of
career field where I hear this all the time. It's a passion thing. You should do a 24 by seven
because you love to do it. You should. And if you extrapolate that, it's like, you should burn yourself out
because you love to do it. You should neglect your family
because you love to do it. Cybersecurity is ever changing and the adversary is always
going to be one step ahead of you, so you should therefore adopt all of these unhealthy tactics, right? As a personal life perspective
so that you can be the best of the best of the best of the best of the best in cybersecurity. And that is a toxic
mentality in our industry that I do not subscribe to and I do not think is the key to success. Have I done that? Yes. Do I think it makes me more successful? Absolutely not, which is
why I'm an advocate for it. I think that that's how we lead to some of the toxic personalities that we have inside of cybersecurity. - To just quickly explain red vs blue, and where are the jobs,
and why are the jobs there? - So the color wheel has expanded in the last couple of years. And I'm not even gonna be the first to go through the entire, Color
Scale of Cybersecurity. So I'm just gonna really talk
about kind of like the ones that you'll hear most frequently, right? So Red Teaming is the one
that almost everybody's very, very familiar with, which
is pen testing, Red Teaming. It's basically the art of
impersonating an adversary to test the security controls of an organization. And I wanna make that
distinction incredibly clear. It is impersonating the adversary to test the security controls. Most of your adversaries aren't doing what most
other pen testing courses are teaching you. There isn't an adversary
emulation out there where denial of service is the top of the
pyramid of the threat factor. It just, it's not. It's a reality. And so when people are
looking to evaluate content, make sure they're evaluating
content that is based on real-world pen testing examples and real-world pen testing scenarios, and not based off of, Hey, I saw this cool thing on
YouTube or Reddit and I did it, but it has no practical use in a Red Team engagement whatsoever. Blue Teaming is the art of basically cyber
defense incident response. When we think about Blue Teamers, we frequently think about
these are the soldiers on the frontline of cyber
defense day in and day out in an organization. These are your incident responders, your threat hunters,
your SOC analysts, right? These are the folks who
are actively trying to find the bad guy that is attacking
organizations everyday. I didn't realize the value of Blue Team. And I'll say this openly, right? I spent my entire career on the red side, on the offensive side, right? All the way through my military years, I wasn't in charge of my
first Blue Team until I built a security operations team
for a Fortune 100 company. That was when I truly learned
the value of what it's like to command soldiers that
are on the front lines of battle every single day. And so mad respect goes
out to the Blue Teamers. And I would argue that when you look at just those two categories, there are more jobs still to this day in the Blue Team side of things. And this is what I talked
about with supply and demand. When we talk about those, that mystical
3.3 million open jobs across the globe, those are
not 3.3 million Red Teamers. And I think that that's
what some people read when they see that headline. They're like, Ah, 3.3 million, I'm gonna go do Red Teaming 'cause there are 3.3
million jobs waiting for me. That's such a small, small
view of cybersecurity. I think they think that Red Team is
the only thing that it means to be in cybersecurity. There are 3.3 million open
jobs across the globe, but that is spread out across Blue Team, Red Team, risk and
governance, threat hunting, creating policy, IT
and cyber audit, right? It's all the things that go into defending an enterprise, where Red Teaming and pen
testing is such a small niche. And so I would encourage
folks that are looking to get into cybersecurity to consider that. If you're truly passionate about hacking, go forth and be awesome, but you need to consider just
like when you hack a network, that you may have to get
into a secretary's machine so that you can eventually
get to domain admin, you're gonna have to do that
with the job market too. We had an awesome guest on
the stream this last year. He's agreed to come back quarterly. His name's Joel Fulton. He's the former CISO of Splunk. He now runs a company called Lucidum! Fantastic individual. He's got an amazing
perspective on cybersecurity, I highly recommend consuming as much of his content as possible. He brought in his concept to our community called garbage jobs. - Yeah. - And for lack of a better explanation, garbage jobs are the jobs
that you don't want to do in cybersecurity, right? Regardless of where your heart stands, they're the jobs that you don't
wanna do in cybersecurity. Let's say you wanna get into pen testing. And again, I go back to my
supply and demand issue. There is more supply of pen
testers than there is demand. You might have to go take
a job that you don't want, AKA a garbage job, so that you
can get into an organization and get networked, back to
point number one that I made when you asked me my top three, you may have to get networked with folks in the cybersecurity team so that you can eventually
move over and do pen testing. And so you have to think like a hacker, which is that you may not
be able to go directly after the domain
controller right up front. Maybe you have to go
into a couple other boxes and pivot your way around into that. And it's amazing how people
forget that mentality when they're thinking about their careers, but they love to think
about that mentality when they're thinking about
how to pen test a network. - It's a valid point. You've said that there's
oversupply of Red Teamers. So the competition is a lot harder. And if you're just starting, you're making life even
harder trying to go for that. But if it's your passion,
it's like you and I, Neal, the very first
job we did in our lives was definitely not what we do today. (Neal and David laugh) - Absolutely. 100%. - But, okay. So what's the first kind
of jobs do you think I should look for if I'm
brand new to this field? Perhaps I've gone through some content, I've done a bit of Hack
The Box, TryHackMe and stuff like that, what kind of stuff do you
think I should look for? - I think the easiest roles
when you're looking at jobs on LinkedIn or Indeed or whatever job board is
that you're looking at, I think the easiest places
to find cybersecurity roles are in the SOC analyst, incident response, the Blue Team side of things. Those are where there is, regrettably, I don't say this with any level of pride, the highest rate of burnout, on the incident response
and SOC analyst teams. Being on the front lines
has its disadvantages. That's a very stressful type of job, but it is a fantastic place. You're gonna see more about
cybersecurity holistically your first year as a SOC analyst than I think that you'll see
in five years as a pen tester in my personal opinion, right? You'll see so much more about
security as a SOC analyst. You'll have a greater
appreciation for what happens in an enterprise when you go to do
enterprise-level cybersecurity. I think if we talk about, what I would consider garbage jobs, I'm definitely not
speaking for anything else, I'm just saying what Neal
thinks is a garbage job, anything that's an IT
audit, like as an auditor, or anything that's like a GRC analyst, governance, risk and compliance analyst, anything that is quality, anything that's on the
softer side of things, I think would be fantastic
first jobs for folks who are looking to get
their foot in the door with a cybersecurity
shop on their resume, and then eventually pivot into the roles that they wanna pivot into. - So when we spoke earlier, you said blue, red, and. - Yeah. So purple teaming is another concept that's, I wouldn't say is new, but it's starting to emerge
more and more in conversations, and that is kind of this joining of forces between red and blue. There's green teaming, there
is, there's yellow teaming. There's again, they really
have expanded the color wheel. One of my content creators on my team actually did a video
that talked about the colors and has put that out there, I'll see if I can provide
that, that content for you so you can link to that
if you want to, but. - That'd be great, yeah. - Yeah, there's- - But red and blue are
the two big ones, yeah? - Yeah. Red and blue is all we
ever seem to talk about, but there are definitely
more colors out there that really encompass all the different
aspects of cybersecurity. - You're always a big advocate
of LinkedIn, and you spoke about the 1,000 Connect Challenge, and that I think kind of
started when you and I first met and we were talking. Can you give some tips about networking? And LinkedIn is a place. What about Twitter? What kind of tips would you give someone? I know for some people who have
watched the previous video, some of this is repeated, but I wanna make sure that
everything's up to date. So based on the last year,
what are your feelings? - Yeah. No, I think that's fair, right? And yeah, folks who
watched this last year, this is the stuff that we
talked about last year, but I've definitely, I've learned better ways
to communicate this message over the last year. For those who aren't aware, we now do monthly Resume
and LinkedIn reviews for the community. I've created with the help of two people from our community an actual rubric. I can give you the link to that as well, but there's an actual rubric
on cyberinsecurity.tv where you can actually go and self-assess both your
Resume and your LinkedIn based on the criteria that, not just myself, but I've worked closely with
recruiting friends of mine to determine what makes a
good, better, best version of your LinkedIn profile and your resume. And so in the last year, for those who heard this speech last year, I was really just kind of
spit-balling with David about what I thought made
a good LinkedIn profile, what I thought made a good resume profile. In the last year, not
only have we matured that, but we've created a
model that is repeatable and given it back out to the community so you all can self-assess
your own LinkedIn profile as well as your own resume if you want. So I'll give you those resources. When you look at the criteria
that we've put together for your LinkedIn profile, and I've got an entire
branding video for hacking your LinkedIn, where it talks about the idea of personally
branding yourself. And I remind people, like I've
had people come into my DMs and they're like, Neal,
don't you find it terrible that we as hackers are supposed to be in the shadows and in the basements and with our hoodies on and
everything else, why on earth would we ever, ever,
ever have a social media? - Exactly. Oh, no! (David laughs) - And I have to remind people, I'm like, "Well, you want a job, don't you?" - Yep. - And they're like, "Well,
yeah, I want a job." And I'm like, "Where do you
think most recruiters are?" I think I found a statistic when I did my 1,000
Connect Challenge video, that 80% of recruiters find
candidates via LinkedIn. So you're going to make
yourself invisible from 80% of the recruiting
workforce in cybersecurity. That's a fantastic
strategy to get you a job. - I think this is the disconnect,
perhaps between video, a movie, should I say, versus reality. And we're not advocating
like hacking into companies. We are advocating pen
testing, Red Teaming. So you want a job. (David laughs) You wanna be paid to do this stuff. That's the whole point. There was, some people were saying the 1,000 Connect Challenge
thing is not a good idea, but you kind of clarified
it in your video. You specifically said,
meaningful connections. So can you explain, how do I
get a meaningful connection? What does that mean? - Absolutely. And I wanna say that I think
this is what we meant last year when we said this, we said, we
meant meaningful connections. I didn't realize, bad on me
for assuming that the internet would take anything that we
say and immediately think the most positive of it. I don't know what I
was thinking out there. But yes, meaningful connections is what we've always meant by that, right? It's not a number. You shouldn't be racing to 1,000. It's not, who can get there the fastest? As a matter of fact, the thing is, when David and I
did it last year, we said, "You've got a year to do it." Take the year to make
meaningful connections. But when we talk about making
meaningful connections, and I outlined this in my video, there are three things that
you can do to really decide what it is makes a meaningful connection. Find companies that you want to work for. I'm sure we've all got
companies where it's like, God, I'd love to work for
Apple, I'd love to work for Google, right? I'd love to work for Cisco, right? I'd love to work for some company. If you find companies
that you want to work for, find people in those
companies that you admire. Right? And so just using those
two rules right there, you can find Apple and
you can find the CISO. You can find the head
of security operations. You can find the head
of malware development. You can find the head of pen testing. You can find the head
of incident response. You can find all these people
all the way from the CISO, all the way down to the tactical level that you can make connections with. And these connections, hopefully these people have content, if they're producing content for LinkedIn, and that gives you an idea of what their day-to-day life is like. That gives you an idea of what
they're watching on the news. When they like something,
LinkedIn is gonna tell you, and then you're gonna be like, okay, good, the head of incident response
at Apple loved this article, maybe I should read it. Maybe there's something
interesting for me to understand and glean from knowing the same thing that the Head of Incident
Response at Apple knows. Right? - Yeah. - And so you follow a pen tester, pick one of your, I'll pick my mentor when I started teaching for
SANS, Bryce Galbraith, right? Fantastic hacker, fantastic pen tester, one of the OGs in this space, right? If I'm following Bryce
and Bryce makes a post about a vulnerability, right? Or if he makes a post about a
piece of code that he puts up on GitHub, or if he makes a post about, insert topic here, right? That should be a key in
my mind that I should go consume that content because
it's probably beneficial to my knowledge, especially
if I'm emulating them. So find companies, find people that you're interested in being with or emulating or working
for and things like that. And then the third thing that I talk about when you're looking for meaningful connections
is find other people in the industry that you admire because they produce content, right? Because they produce meaningful content, and make connections with them, because if they're producing
content and you admire their content, then you
should probably be in tune with their professional acumen
so that you can then follow and adhere to their
professional acumen as well. And so using that three-part formula, I think it's really easy
for you to scour LinkedIn and find people that you genuinely want to convey the message to. Now, on the same video that I do, and this is, I think this
is what was lost on people when we talked about the
1,000 Connect Challenge, I talked about how do you make
the connection meaningful? And I actually give a good, better, best way to make the
connection meaningful, and I wanna elaborate on this
just a little bit, right? - Yup. - People get mad when they
receive connection requests that don't have a message. And that floors me. That floors me. As a recovering introvert,
if you will, right? To know that you're so open to saying, if you can't get over
your own introvertedness to put a message in a connect, I want nothing to do with you. Could you imagine if you or
I said that to our audience? Could you or I imagine that we said that, I don't want you connecting with me unless you send
me a personalized message? - I think I can understand why it helps. - Understand why it helps. - I don't agree that you should
never accept a connection if it hasn't got a message, but it does mean a lot more when someone does write a message. So if you wanna get past
my gatekeepers or get to me, you're gonna get, I will connect, the chances of me connecting with you is gonna be that much higher if you wrote something in
your connect, in your message. - Which is why in my video,
I did a good, better, best. - Yeah. - And I talked about, listen, the best form of a meaningful connection is a personalized message. And I go through in my video and I show, how do you just, it's very brief. It's not very in-depth, but it's like, how do you look at a profile? How do you figure out
what you can do to say to make that connection meaningful? That is truly the best version of that meaningful connection. I go through a good version
of a meaningful connection. But I also say, you know what? It's not ideal, but if
you're new to LinkedIn, if you're new to breaking
out of your shell, if you're new to breaking
out of your comfort zone, if you're trying, good is okay, don't let anybody in this
industry tell you that good is not okay, because everybody's at a different point in that social breakout. - It's easy when you look
back and you have experience, it looks obvious, but when you starting, stuff's not obvious. - Yeah. - So that's what I really
appreciate you sharing your thoughts and your. It's amazing, it's a year
and you've already changed some opinions and you've
learned things along the way. Life is about learning. You never stop learning, and the industry changes all the time, so it's great to get your input. What about creating content
if you're brand new? Would you recommend that or not? - Absolutely. Absolutely. No, I didn't include this, right? As something to do, because
this is different for everybody. I consider this to be like, if we go back to Neal's like good, better, best, right? I think you can be good
enough not producing content. And actually there's a
ton of people out there that are good enough
not producing content. I do think that content
creation is a differentiator, and I think that that content
creation differentiator means more at different areas
of your career progression and different career fields. Like GRC, you're probably
not gonna get the mileage out of content creation out
of producing GRC content. Now, that's not to say
don't produce GRC content, but you're probably not
gonna see the same mileage as somebody who aspires to be a Red Teamer and you're producing
Red Team content, right? Your mileage may
vary if you're entry-level versus if you're on your
way to being a CISO. I can tell you that I've,
most of the CISO interviews and things like that that I've done, they could care two craps
less about my content, right? And so mileage may vary, but that's why I think
it is a differentiator. And so yes, if you're in
the pen testing space, if you're in the Blue Teaming space, if you're in the GRC space to an extent, if you're in any of the tactical roles, I think that a good differentiator for you is to produce content. Now, when we talk about producing content, it is, it can be YouTube
videos, it doesn't have to be, it can be writing articles,
it doesn't have to be, it can be blog posts,
it doesn't have to be, produce what you're comfortable with from a content perspective. Don't find a medium that's popular. I think this is one of the misconceptions about content creation. - I'm gonna do TikTok, man, come on. (Neal laughs) - Yeah. The TikTok thing has been
interesting, over the last year. - TikTok is like the,
has overtaken Google now. - It has. It really has. - That's interesting. And I think I've seen TikTok videos that are doing amazingly well. - [Neal] Yeah. - Whether that leads to connections is dependent, I think. I've seen some people do
really well there and some not. But anyway, go on. I interrupted you. - No, no. No, no. And, yeah. But I think the point is, like, I think I would start content
creation not necessarily based on which platform was popular, but based on which
content delivery mechanism brought the most value out of
me as a person and allowed me to be consistent. I'll give you an example, right? When you and I produce content, right? For YouTube, streaming, whatever it is, it is a lot of time that we have to put in to produce content. Right?
- Yup. - But it might be easy for us
to turn around and say, well, it'd actually only take me
10 minutes to just brain-dump an article out onto LinkedIn
and write an article about, or something like that. Right? - Yeah. - So you should find an outlet that allows you to be consistent and gets that creativity out
of you and gets it out there for the world to consume. - It's interesting. For me, it's like video is so much easier. I find writing hard,
'cause I find that people are a lot more forgiving
on me speaking incorrectly versus writing incorrectly. People sometimes are really hard on like simple grammar mistakes. So for me personally, video
is a preferred medium. And I think that's the thing. You've gotta find what works for yourself. Some people write better,
some people speak better. Just do what you, what you can. Neal, any like last thoughts? Or we can go on for hours, but I wanted to like open it for you in the next few minutes,
give us your best advice. - No, I think your best
advice is if you're listening to this video, you're
starting in the right place. Right? Consume content, right? I'll be here, David will be here, there's tons of content
creators out there, they're all awesome. I hold no ill regard
for any content creator that's out there. I don't care whether it's
somebody who's just jumping into cyber for the first time or somebody who has been into cyber 10 or 20 years. I think we're all bringing
something valuable. I think we're all trying
to do the right thing. I don't think that there's a
need to stress about, well, is this content better than this content? Is this better than that content? I think you should go out there and you should consume all the content. I do. I think that there's,
if somebody wants to have all the knowledge of
things that are out there, go consume it. You'll decide, you'll
quickly know for yourself, whether it's good content or bad content, you'll know whether that content
creator resonates with you, you'll know whether that learning
mechanism resonates with you. Maybe you prefer more
cognitive-based learning versus hands-on-based learning. Maybe you prefer being
lectured all day long. Who knows? Right? You have to figure that out for yourself. Nobody else out there can tell
you what's right or wrong, and that's when I tell
people to go consume as much as they can. - So Neal, that's fantastic. Thanks so much for like
sharing your knowledge again. I really appreciate it. You put yourself out there
by sharing this stuff, and you don't have to. So I really thank you for
sharing your knowledge and experience with all of us. - Thank you as always, David. I appreciate it. - So just for everyone, once again, I'll put Neal's YouTube
links and other links below. Please, make sure that
you go and subscribe and go look at his stuff. There is so much free content out there, so make the most of it. Neal, cheers! - Cheers! (energetic music)