- It's always a problem. How do I get in? How do I get experience without a job to give me experience? And you've basically given us the roadmap for that.
- Yes.
- I mean, that's fantastic because it sounds like what you're giving everyone who's watching is a way to break in without making the mistake, and I think a lot of people make this mistake. They think they have to leave their job and be unemployed to get a degree or get a cert before they can actually break in.
- That's absolutely not the case. I am vehemently opposed to that. I think cyber security is an amazing industry and, you know, I've found gold and I wanna share it with literally everybody because it's not outside the region. And I'll tell you this, you can cut it in or out if you want to. I didn't get accepted into college. When I graduated high school I got turned down to go into college.
- But tell me, how do I do this? Gimme the path.
- And here are Neil's top three things. Neil's top three things are... (playful electronic music)

- Hi, everyone, it's David Bombal. I haven't done one of these in a while, but I've been asked so many times to talk about the top
certifications to get if you wanna get into ethical hacking. And to help me answer that question, I've got Neil. Neil, welcome.
- Thank you. Thank you, David, it's good to be here.
- So Neil, tell us a bit about yourself. I mean, you've told me a little bit about who you are, we've recently met, but you know, give us the, sort of the quick overview of your experience and why you can talk about the subject.
- Yeah, absolutely. And thanks very much for having me on, it's an honor to be here. My name is Neil Bridges. I've been 20 years plus in the cybersecurity space. 10 years of that, I spent doing offensive hacking for the United States Air Force as part of the National Security Agency. I've built the first functional training unit for Air Force Cyber, basically training all of the hackers that have gone to the NSA to go be hackers over at the NSA. Since being out of the Air Force I've had multiple gigs as building up a pen testing of red teams with Fortune 100 companies. I've been a consultant for PricewaterhouseCoopers, one of the largest consulting firms in the world, where I led a lot of their incident threat management out of the Midwest. And I've built multiple security operations teams for Fortune 100 companies. Spent five years as a SANS instructor. I'm a notable author. I've done appearances on Bloomberg, and I've spoken at numerous, numerous conferences and by invitation, guest for a lot of the vendors and vendor events inside the cybersecurity arena.
- Yeah. I mean, didn't you speak at Black Hat? Is that right?
- I did speak at Black Hat. I've also spoken at DEF CON. I've spoken at BSides, spoken at a lot of smaller events and things like that. I've been asked to come and consult with the FBI. Been keynote for a lot of vendor events, such as Proofpoint, Carbon Black, Splunk and things like that.
- Yeah. I mean, that's really great. When I was thinking about this today I was thinking one of the great things that I really like about you is you're not just working on like the black hat side, if you like. So you're not all the, you know, the penetration testing. You're not trying to just break in. You're also working with companies, you're working with the NSA, you're working with government organizations to protect themselves, is that right?
- That is, and one of the things that, you know, I've always been into hacking and I've always loved the offensive side of things. One of the things I quickly realized is everybody loves the offensive hacking. It really is the cool, sexy about our industry and about what it is that we do. But at the same time, you know, the thing that helps most organizations is the ability to protect those organizations from hackers. And there's not enough of those unsung heroes, and so I give a lot of credit and I try to spend a lot of my time working on the defense of networks and putting that hacker mindset to work, to defend networks, to help blue teams, to train threat hunting teams, to help try to protect a lot of these larger organizations because we're lacking that mindset on the blue side because everybody wants to gravitate over to the ethical hacking piece of things.
- Now, I wanna bring the level down on this video because I wanna give people who are starting on a path to get into this industry. And as I said to you earlier, I want to show them how they can get to where you are, you know, learn your knowledge. So first thing is what's a blue team, what's a red team, can you just explain some of the basics? And, you know, you've mentioned that term.
- 100%, so when you're talking about ethical hacking, when you're talking about the ability to look for vulnerabilities inside of systems, and whether those systems are people or computers, buildings, if you're talking about physical penetration testing, when you're looking at those systems, a red team or the red side of our cybersecurity industry is oftentimes looking for ways to find those vulnerabilities and then to turn those vulnerabilities into access, if you will, for the bad guy, whether that's in the term of like set of physical penetration tests where you're looking for access to a building, whether you're, you know, penetrating a computer, trying to gain access to systems or data, that's oftentimes what we refer to on the red side or the offensive side. On the blue side, those are really the network defenders, and I'm not just talking about the IT folks who are sitting in the NOC or the network operation center doing, you know, routing and switching and firewalling. When we think about blue teamers, we're really talking about folks who sit inside of a security operation center. These are your incident responders. These are your threat hunters. These are folks who are, you know, looking at your alerting and monitoring on your SIEM system or your security information and event management system. Something like Splunk, QRadar, or LogRhythm or something like that. These are the guys, and I equate this, and when I talk to CSOs and CIOs and CEOs on the regular, you know, I equate the blue teamers. You know, those are your frontline soldiers. Those are the folks who are on the battlefield on a day-to-day basis actively fighting the adversaries that are attacking corporations. They're looking at alerts, they're running down malware, they're, you know, hunting for the adversary inside of your corporate network. And so while red team is very sexy and everybody loves to do red team because we've created kind of a hype culture around the coolness of hacking. It truly is the frontline soldiers, the blue team, that make a company tick.
- And I mean, what about jobs? 'Cause I mean, at the end of the day you wanna be paid to do this stuff. Do you see that there's more jobs for the blue team like for companies or are there more jobs
for like offensive stuff?
- There are way more jobs for blue team. As a matter of fact, in every organization the amount of blue, you know, the ratio between blue jobs of red jobs is almost 10 to one. I've built some of the largest security operations teams, you know, in the United States of America, and I can tell you that even on some of those teams you struggle to have one or two pen testers engaged full time. Pen testing is often remanded to a lot of the consulting agencies, so like your PwCs, your KPMGs, your EYs, maybe an Accenture or something like that if you're familiar with Accenture. And sure they do a lot of engagement but you're going to be as part of that consulting ecosystem. If you have aspirations of working for Microsoft or Google or an Amazon or an Apple or somebody like that, of course, they do employ pen testers and those pen testing jobs are there, but those are also very, very hard to get to and to achieve.
- Is it possible for someone to start out as a blue team member and then move to the red team once they, you know, learn more skills and get more well-known?
- 100%, absolutely, that is one of the biggest things that I mentor folks on all the time. And, as a matter of fact, it is not uncommon. And one of the things that I talk about when we talk about teaching students, and we talk about bringing people into this career field is you'll get an individual who's come right out of college or maybe if he doesn't even have any college, just come out of high school with some experience or some, you know, maybe a handful of certifications where they've taken videos like yours, David, or, you know, other videos on YouTube to learn about cybersecurity or ethical hacking, but they can only either get like a help desk job or maybe like a very, very junior level security analyst sitting on a blue team looking at alerts on a SIEM. They'll come in, they'll see their first penetration tester or they'll see their first penetration test inside that company, and they'll immediately gravitate to that and be like how do I get into this career field? You absolutely, you can absolutely go from security analyst on a blue team. You can go from help desk. Trust me when I tell you that I've seen people go from construction workers and business degrees and law degrees to penetration testing as well. And there's, you know, there's no end to where you can get into this career field as long as you've got the mindset and you've got the heart to do it.
- Okay, so now I've got to ask you a number of things 'cause you've mentioned a few things there. Firstly, do we need degrees? And then the big question that I wanted to talk about is certifications and which certifications. So do I need a degree, first thing. Secondly, do I need certifications? And if so, which certifications would you recommend?
- Do you need a degree? No, this is the biggest thing that I love to debunk. I've talked to several recruiters. I'm gonna give you an opportunity to cut something here if you want to.
- No, go for it, just go for it.
- I've had several recruiters that I've interviewed on my stream before. We've talked about the way the industry is going when it comes to certifications versus degrees versus experience, and the industry as a whole is very much moving away from the need for degrees. As a matter of fact, if you start to look at a lot of the job descriptions, especially in some of the higher technical skilled roles, especially on the ethical hacking side, on the incident response side, on the threat hunting side, you'll see that a lot of the job descriptions are changing from four year degree or certifications or some combination of those and experience, and so that's a huge shift. As a matter of fact, if you look across the tech industry you'll see companies like PricewaterhouseCoopers, KPMG, EY, they're all starting to drop their four year degree requirement to start to bring in more talent who may have a vocational degree, may have an associates degree, may not have any degree, but some certifications, or even may not have any certifications and has just been able to prove themselves through, you know, heart and the interview process that they're capable and qualified to be sitting in that role.
- So I'm gonna get to the certifications in a moment, but you mentioned you've got a Twitch stream. Can you, you know, at this point tell us a bit about, you know, what are you doing on Twitch and what's your, you know, how can people contact you 'cause I'm assuming you're on Twitter, places like that as well?
- Yeah, absolutely. So we run a Twitch stream called Cyber_Insecurity. It's just cyber underscore insecurity if you go to twitch.tv. We stream every Monday, Wednesday, and Saturday, seven central in the U.S., central standard time. And we regularly have guests from all across the industry appear on the stream. We've had the chief strategist from Anomali Threat Intelligence appear on the stream. We've had the chief strategist from VMware Carbon Black appear on the stream. We've had a former two-star general who ran Cyber Command appear on the stream. And we talk about everything from red team to blue team. It's tailored for whether you're tactical level, whether you're at the CSO level, whether you're trying to get into CSO, we've done on-stream resume reviews, we've done on-stream report reviews, actual pen testing reports. And we've talked about how, you know, pen testing reports get interpreted at the CSO level, at the board level and how you can tweak your writing so that you can write better for the folks who are gonna read your audience. And so it's a very well-rounded stream that kind of seeks to try to do a lot of on-stream mentorship for a lot of folks in the industry as well. We cover the latest and greatest in news and topics, and we bring industry experts on to do that. So Cyber_Insecurity on Twitch, and you can follow me on Twitter at @ITJunkie.
- So I'm gonna recommend that all of you, you know, go and follow Neil's Twitch stream and follow him on Twitter. But just going back now. So I'm 17 years old, or I wish, but if I
- (chuckles)
- let's say I'm 17 years old.
- Man, here we go, we're going 17 again.
- Yeah, there we go.
- (laughing)
- We can dream. Okay. What do you recommend? I wanna get into this field. I wanna perhaps go red team, blue team, whatever. Degree, you're saying don't do that or get a certification or
just try and get experience because I'll just preface it with this. I've seen guys bash degrees. I've seen guys bash certifications. So what would you advise me? I'm trying to get into this industry. I might be young. I might be old. Like you said, it's great to hear the stories of like construction workers getting into this field, but let's say I'm trying to break into this field. What would you recommend I do in 2021?
- Absolutely. So in 2021, let me make one thing clear. I'm not bashing a degree at all. You don't need a degree, but, you know, I've got folks that I mentor that are going for a master's degree. I've got one guy that I mentor that's going for a PhD in cybersecurity. They all know that they don't have to do that. As a matter of fact, they're not gonna make any more money by simply going for a master's degree or a PhD. It is about personal goals and personal objectives for them. And so what I would tell you if you were 17 years old is if you want a degree, if that is a passion of yours to have a degree and to be able to have that piece of paper, then I absolutely think you should achieve one, but don't ever feel like you have to have one to be inside of this field. I think those two points are vastly different. What I would tell you, if you wanna break into this field, HR folks and recruiters are looking for folks who have hands-on experience. And so, you know, if you're familiar with, you know, like what David talks about when he does some of his demonstrations of ethical hacking or, you know, any of the other, you know, technical stuff that he does, building your own home lab, doing your own type of think tanky type stuff is absolutely critical. Make sure you're going out there and you're participating in capture the flags, especially on the ethical hacking side. David, I don't know if you wanna mention CTFtime.org, but that's a great website where people can go and find a huge central location of capture the flags that are out there. And you don't have to have any level of knowledge. You can literally just start there and just start that learning process and just keep track of the CTFs that you do. Go out there and participate in the communities, in the Discords, make your name out there. Start to network with folks like David and other peers in your organization. And then as you develop that learning skill, yes, start to pursue certifications at the same time. And when you look at these certifications, look at certifications and I may sound a little cynical when I say this, but you have to realize that there are certifications that help you get knowledge and make you smarter. And there are certifications that help you get past the gatekeepers in HR. And I've spoken frequently on the gatekeepers of HR, and it is something that is a reality, we all have to acknowledge that HR is a gatekeeper in this industry. And so I'm not a fan of CEH. I've taken multiple CEHs throughout my career. I won't bash EC-Council, you know, openly like this, you know, there are definitely better things out there, but it is a language that HR speaks that I think is an inevitable reality. OSCP, you know, is a good cert, but, you know, there are better certs out there, and there are better hands-on labs out there, but it is a language that HR speaks. And so I think when you look at certifications you have to divide your time, money, and effort up between the ones that are gonna help you get past HR as a gatekeeper and the ones that are actually gonna make you smart and marketable in this industry. And I think that those two things are vastly different in this industry.
- I think that's a great point. I mean, so give me first certification. If I'm starting out, what should I do first? What should I do second? I mean, is there kind of a path or a roadmap of sorts that you would recommend? I mean, some guys I'd say, just go and do OSCP. But to me that seems like too much of a jump for a lot of people.
- It is a jump. And I don't necessarily recommend people to jump straight to OSCP. The people who say go straight to OSCP are the people that know that OSCP is a gatekeeper for some of the most prestigious organizations that are out there that are looking for penetration testers. But if you're looking to get in on the ground floor, you know, you can go take something like the INE, the former eLearnSecurity, penetration testing student or junior penetration testing course. And those courses will not only give you a certification but they will also give you the hands-on skills and cognitive knowledge that you need to not only get past the gatekeepers, but to also make you incredibly successful when you land on the field. And so I think if you're starting out, you've got to get as much knowledge into your head. You've got to realize that it may be two to three years before you get that first job as a penetration tester. And so whether you go to college or not is really irrelevant, you've still got to go out there and you've got to get the degree, or no, not to get the degree, get the cert, work on the labs, work on building your knowledge set up so that you can get that first job. I wanna make that really clear. You're not gonna be able to say one day I wanna be an ethical hacker and therefore go out and get you a junior level ethical hacker job. You're gonna have to put in a year, two or three, get, you know, an INE, eLearnSecurity, you know, certification. You know, potentially start looking at your OSCP, start to build out your extracurricular activities, whether it's your home lab, whether it's working on TryHackMe's or Hack The Box's, participating in CTFs. But if I saw a resume today, and here's what I tell folks all the time, if I'm hiring for pen tester job, and I had a junior pen tester on my team or a pen tester level one on my team, and I saw an INE eLearnSecurity degree and then nothing else but hands-on, Hack The Box, TryHackMe, CTFtime, home labs on a resume, I'd hire that kid in a heartbeat. Absolutely 100%, because it's the hands-on stuff that isn't being taught outside of just a handful of certifications, you know, that are going on out there.
- That's great advice. I mean, it's, if I was hiring someone for a network position,
it's the same thing. You wanna have examples of knowledge and of workin'. Hands-on is always gonna be much better. So I'm gonna push you on this now, so forgive me.
- Go for it.
- So the eJPT from INE, are you saying that's the first certification that you would recommend someone would get?
- Or would it be like CEH? Or what about like CompTIA Security+? What would you suggest? I mean, this is your opinion.
- Yeah.
- So what would you suggest me to go and do if I wanna break into this field?
- And again, my opinion, I think eJPT, most people can do eJPT. What I would even say is INE offers their PTS or their pen-testing student which is really kind of the super entry level. It's almost the, you know, I don't wanna degrade the PTS by saying it's the CEH of the career field, but, you know, they've recognized that there's a need to have a truly entry-level, you know, certification that's completely free. You can go to the INE website today, you can sign up, and you can take the PTS completely and totally free from INE.
- Right.
- Yeah. And so that gets you, you know, kind of to your point, the Security+, the Network+, the CEH kind of fundamentals, foundational, and then, you know, then after that you can graduate up into like the eJPT which then helps you start to build on top of that foundation and continue to grow up from there. But there's no reason why you have to go take a CEH and pay for that course when there's content out there, especially through INE, that you can take without, you know, without paying for.
- Is that as well known in the industry? So, I mean, we spoke about gatekeepers and recruiters, I mean, that's normally the big problem. If you do a search on a job website, will recruiters be looking for that cert or are they actually gonna be looking for CEH or something else?
- So that's the tricky part. Most recruiters are going to be looking for CEH because that's what they know. What I get, I have to table myself on this, 'cause I can go on a high horse about bashing HR, and we've had several recruiters on stream and we have gone on tangents on bashing HR because HR doesn't know the difference between CEH, eJPT, or anything else. What HR does is HR asks the hiring manager what are you looking for? That's why people jump straight into OSCP is because most hiring managers say, well, I know OSCP, so OSCP is the bar to entry. But quite honestly, if they make it to HR because there's so few pen testers, just the sheer process of, you know, getting to HR. Most HR folks will either have a conversation with you so that you can come to an interview and say, well, no, I don't have CEH, but I have eJPT, PTS, and all of these other things, and the recruiter doesn't know enough. He just says, well, this looks good enough and I need to fill this rec. And so they're gonna pass your rec on over to the hiring manager anyway. And so I hate to be a little flippant and a little cynical about that, but...
- Well, this is a technical audience so be as real as you can. So if you have to swear at HR that's fine because
- (laughing)
- Let's be honest, we're trying to help all the viewers here try and break in. So tell us, don't mince your words as they say,
- (laughing)
- tell us exactly what do I need to do to get past these guys. And I'm sure there'll be a lot of comments about HR. How do I get past these wonderful people?
- These wonderful human resources (chuckling).
- To get that job. And I mean, I'm really glad, you know, that you've had all this experience with the military. We need to talk about NSA 'cause that's very interesting.
- Absolutely.
- We need to talk about like corporate, but if I wanna break into this field, I mean, I might wanna go and work for a corporate first and then perhaps later go to the NSA or military or go red team, but tell me, how do I do this? Give me the path.
- And here are Neil's top three things. Neil's top three things are go to INE, get in the ecosystem, start to take the stuff that's available to you that's on INE. They've got IT essentials that you can take. They've got, you know, a pen testing essentials. They've got a networking essentials. They've got a lot of foundational level course, a lot of fundamental courses,
- And that's free, yeah?
- And that's free, that you can go and you can take that will help you build up a good basis set of knowledge. From there, I would then advise you to continue your certification or your degree journey, whatever your heart's content is. And if that means go to eJPT next, if that means go to OSCP next, if that means go to any of the blue team certifications, blue team ranges like Cyber Blue Range or something like that and get some of the hands-on skill there, proceed down that route. But at the same time, you should be doing the hands-on piece. And this is where the Hack The Box, the TryHackMe's, the CTFtimes, all of these put-your-hands-on mechanisms come into play, and document that hands-on mechanism because I can tell you the HR folks and hiring managers are looking for that hands-on mechanisms in their new entry, in their junior level folks. And then the third thing, the thing that you can't, you know, you're not gonna be able to find at any organization, this is something that you've got to do yourself. You have to network. I can tell you that most of the jobs, entry level to senior level, that happen in the cybersecurity industry, come with you networking. And I can tell you that I've had people reach out to me on LinkedIn and, you know, I've welcomed them into the community. I'm like, hey, I see that you're... I actually have a campaign where I go out and I look for people who are brand new to cybersecurity, and I invite them into my LinkedIn network to try to help provide them with mentoring. And, you know, oftentimes their idea of mentoring is they simply send me a message like, hey, I'm two years from graduating. Can you help me find a job? (chuckling)
- That's not networking. That's not networking. This industry is so close knit that most people know each other. Most people, when they're looking for stuff, you pick up the phone and you call a friend or you call a CSO or you call another red team operator or you call another penetration tester, and you say, hey, I need a pen tester for this or I'm looking for an analyst for that. And so you have to build up that network and you have to participate. You truly have to embrace that about our industry. And those are the three things that I would say that if you're looking to break into this, that's your 2021 and your 2022 strategy is to focus on those things. I think if you're on LinkedIn and you don't have, you know, 1,000 followers in the cybersecurity industry by the end of 2021, you're behind on the networking curve.
- So I'm really glad 'cause
now you've changed the title of this video because
I was gonna talk about five top certifications,
but now we're gonna call it the top three things to
break into this industry or something like that. So can you just repeat that again so that it's clear for everyone? - Absolutely. - What are the top three
things they need to do? - So Neil's top three
things that they need to do to get into cybersecurity. First and foremost, you
need to go to, you know, INE's website and you need to sign up for the available training
that's there for free. That that'll get you the
basics for IT essentials. That'll get you the basis for
some networking essentials. That'll get you the basics for some penetration testing essentials. Don't waste your money on CEH. Don't waste your money on SEC plus, instead, go to INE
training and start there. Once you're done with that, you need to go out there
and you need to look for the hands on training that's available for free or for cheap, and that would be things
like Hack the Box, Try Hack Me, CTF time.org, which is a website that
aggregates capture the flags. - I'll put a whole bunch of links below so you can send me those after
the call, that'd be great. - Absolutely, Cyber Blue Range, all this stuff, get you
some hands on experience. Build yourself a home lab, start doing your own stuff at home that you can do pretty easily. There's tons of things out there that you can do yourself. So that's two things. The third thing is you need to network. If you are not on LinkedIn,
you need to be on LinkedIn. You need to have a
profile that is indicative of what you wanna do in
this professional world, and it needs to start to
look like your digital resume and you need to treat
your LinkedIn profile like your digital resume,
and then you need to start networking with
folks in this industry. And I'll tell you right now,
you can network with me. I'm sure you can network
with David on LinkedIn. - Definitely, yeah. - We'd love to have you. And then just start, you know, reaching out to folks that you know. Reaching out to, you know, folks inside the company
that you work for. Just start building that network. Start small, but build that
network out in this industry, and my goal for you, my goal for anybody who's listening is get you 1,000 connections
in LinkedIn in a year. In 2021, there's no
reason why you can't make 1,000 connections in 2021. As a matter of fact, I'll tell you this. You can do, I think,
it's 72 connections a day on LinkedIn is the max that you can do before LinkedIn starts
to raise a red flag. I know, 'cause I've kind of
tested that a little bit. (laughing) - And so there's no reason why you can't get you 1,000 solid connections by the end of 2021, and if you focus hard on the cybersecurity industry then when you've done all
of the other two things you'll have a network
of folks that would die to help you find a job in this industry. - That's great advice. So now I'm gonna play devil's
advocate, as they say, I'm gonna push it, so forgive me. Okay, so second thing
you said is, you know, we got to try Hack the Box. We've got to try these things. How do I document what I've done? So like you said, you
document what you've done, but now explain to me
the different websites. How do I actually document what I've done? - Absolutely. No, fantastic, and I've talked about
this on my stream before in the past as well. We've had recruiters on stream that have helped back this up, right? And when you look at a person who's come into this career field, if, to your point, right,
you're the 17 year old who's trying to decide how to
get into this career field. You don't have a whole
lot on your resume, right? If you think about a eight and
a half by 11 piece of paper you don't have a whole lot. - Or I'm 30, and I've been doing building or I've been a salesman
or whatever, you know, how do I break in? - Yeah, yeah, you don't have a lot of that cyber experience that you can put on that eight and a half by 11. And so when you look at that real estate, people oftentimes fill
it up with a lot of like you know, clickbaity-type stuff or word jargon where they're like I know Windows 3.1,
Windows NT, Windows 95, Windows XP, Windows 2008. - (laughing) You're showing your age. - (laughing) Yeah, exactly. They try to put all that stuff in there to try to get through
the computer filters. And I tell people when I
mentor people, I tell people strip all that stuff out of your resume, take all of that stuff out of your resume. What your resume can have instead is the Hack the Box, the CTF's,
the Try Hack Me website stuff. You can document those as
experiences on your resume the same way you would as
if you actually did a job where you did those things. So if you achieved level
9,000 for folks who are used to the Dragon Ball Z
9,000 reference, you know, if you achieved level 9,000 in Try Hack Me by the time you started to look for your first pen testing job, you should document, I am in the top 10% or I'm in the top 1% of all people on the Try Hack Me leaderboard. I've achieved level 9,000 on Try Hack Me. I've completed 4,000
challenges in Hack the Box. I've gone to, you know 16
capture the flag events this year and placed in the top five
in half of them, right? There are things that you
can put on your resume that show your outreach that I think have gone
completely unnoticed by, you know, folks who are trying to get into this industry. - So this is great because
I come from originally from a networking
background, and it's very difficult to prove experience
in a networking background. But what you're saying to people here is even if they've been doing this part-time, so they're in sales or in some kind of job
that's totally different. Is this a way that you're
saying to build up experience without actually being in this industry? Is that kind of what we're doing? - Oh, 100%. When you look at some
of the entities that are coming up out there, you know, that are doing a lot of these labs online. Cyber Blue Range, TryHackMe,
Hack the Box, even all the CTFs that are out there. Even this year, 2020 was
an unprecedented year with the pandemic, but
it was the first year that DEFCON had done all
of their capture the flags 100% virtual as part of DEFCON Safe Mode. And so this was a year where
you could have participated in the DEFCON capture the flags and documented that and
shown that as experience, and you didn't have to pay
a dime for DEFCON this year. And so it would have been
something that you could have put on your experience where you participated in the DEFCON CTF and you did whatever else it is. Those are things that show that you're not just trying
to get a cert, get a job, which is typically what
we see in this industry. You're trying to get a cert,
you're learning on your own, you're showing the passion for it, you're showing your ability to think outside of the
certification bubble, and that is what hiring
managers are looking for. - I mean, I just wanna emphasize this. I mean, this is a roadmap
for someone to get experience without actually having a full-time job, and I think that's fantastic 'cause that's very difficult to do in other sort of IT spheres. You know, how do you prove that you've got networking experience if you're not working
on corporate networks? But what you're saying here
is this is kind of a roadmap to get the relevant experience that someone like you
would use to hire someone without actually working full time. So I need to push you on this now. So if I was applying, well,
let's assume I'm 17 or 30, it doesn't matter, but
I'm new to this industry. I wanna get a job with you. You're recruiting for a corporate position or for the NSA or whatever,
but let's start with corporate. Are you saying that you
would hire me if I had just some basic certifications or none, but I could prove a
whole bunch of experience with Hack the Box and all the others? Are you saying that that's enough? - If we're stipulating
that I have an open job req for penetration tester on my team, and I needed a penetration
tester on my team, would I hire somebody who is brand new to
the career field who had a cert and a ton of hands-on experience that was demonstrable inside the industry? 100%, I would do that today. - I mean, that's fantastic
because it sounds like what you're giving
everyone who's watching is a way to break in without
making the mistake, and I think a lot of
people make this mistake, they think they have to leave their job and be unemployed to get a degree or get a cert before they
can actually break in. - That's absolutely not the case. I am vehemently opposed to that. I think this is one... cyber security is an amazing industry, and it's an industry that
was born in technology, not to say that IT, you
know, networking was not born in technology,
but born with some people who are like, I want to
practice breaking into systems. It is illegal to break into
a system without permission. How do I actually practice
breaking into a system? And we, as a community
have built companies, we've built, you know,
freemium versions of things, we've built entire ecosystems that have challenged the community and been able to provide the community
with the ability to practice not only breaking into
systems in a legal, ethical, safe fashion that allows you to have fun and show your experience doing it, but also to defend systems
and be able to hunt for bad stuff inside of a network, to be able to practice the
network defense side of things in a safe easy to accomplish
type of hands-on almost OJT without actually having
the job type training. And there's no need, to your
point, David, quit your job, thinking about going back to
school for two to four years, you know, commit yourself to, you know, to the bane of trying to get, you know, 7,000 certs just to get
an entry level, you know, penetration tester job. That's not what this industry is about. - I'm really glad you said that because it's always a problem, how do I get experience without
a job to give me experience? And you've basically given
us the roadmap for that. - Yes. - So next thing, how do I network? 'Cause you said it's important to network. So tell me, you know, I'm
a very pragmatic person. Tell me, how would you suggest networking? You mentioned updating
LinkedIn profile here, and then like sending
you a connection request. Any other tips to sort of
network in this community? - Yeah, absolutely. I think, you know, and I wanna preface
something on networking. I think the younger generation, you know, if we use your 17 year or
30 year old example, right. I think the younger
generation has it easier on the networking side
than the older generation like myself and yourself, right. I think when I talk to folks
who have been accountants or lawyers or construction workers that wanna get into cyber security, they have a harder time
with the LinkedIn story and the networking side of it than the younger generation does. So I think the younger
generation knows how to use social media, but one of the things that I wanna focus everybody in on is when you look at social media, when you look at LinkedIn,
when you look at Twitter, you know, really focus in on, you know, what your goals and objectives are with that platform, right? LinkedIn is a platform
of professional people, and so your picture needs
to be not you playing at the beer pong table. - (laughing) - It needs to be, you know,
look nice, have a nice shirt on, look kind of professional, you know. And then when you talk about yourself you highlight your successes. You're a student at XYZ university or you're a graduate. Use the headlines to your advantage. Hey, I'm looking for my
first cybersecurity job. Talk about the things that
you've done, you know, really use that as a platform
to highlight, you know, that you're capable and
qualified to be in this field. And then when you do that you can participate in groups on LinkedIn. You can engage with other folks. When you see me post something, when you see David post something, when you see somebody
you follow post something that's cybersecurity related,
take an active effort to comment and to interact
and engage in those posts, so that people are used
to seeing your name. Your viewers, this may
not be an influencer that, you know, many of your
viewers may be familiar with, may not be familiar with, but there's a U.S. business
person called Gary Vaynerchuk. - I think he's very well known. - Okay, good, just making sure. I was kind of cynical there for that one, - No, go for it. - If you're not following
Gary V you should definitely follow Gary V 'cause he's
kinda got his strategy when it comes to growing your following on LinkedIn or Twitter. And he talks about, you
know, find, you know, six people who are in your industry, comment on all six of their posts every single time that
they make a comment. Those types of interactions show that you want to be in this community. You're not just here for
the bells and whistles, because it looks cool, because ethical hacking is the new sexy, but you're getting people to
see your opinion, you know, thank them for their
experience if you want to or say, this is interesting,
I never thought about this. Or if there's something that
you do have an opinion on like the solar winds thing
that just happened last month or the FireEye, you know,
incident that happened last month, if you have an opinion on those
things, voice your opinion. Let people know your stance. Let people know what you've
researched on the matter, right. When you've gone out
there and read up on it. You know, really treat those
as interactive platforms, and that engagement right
there will draw people to you and will let them know that you're active and you're interested in this community. - That's great advice. I never thought I'd hear
Gary V on a call like this, - (laughing) - but there's no better person to follow on social media or how
to use social media. And I mean, I'll second that,
I mean, it's exactly that as Neil said, if you
wanna learn how to be good at social media, look at what he does, and he's got a few good books as well. So you've mentioned LinkedIn
and you've mentioned Twitter. Are there any other sort
of social media platforms that you would suggest someone join and get heavily involved in? - For the sole purpose of networking and cybersecurity, not necessarily. I think those two are really
the kind of the primary vectors that InfoSec uses to do communication. You know, discords are, you know, I hate to talk about discords
being a dime a dozen, but discords are a dime
a dozen out there. Almost everybody and their brother's got a discord out there. Discords can be a little
bit of a sea of, you know how do I find the right people if you've got the emotional bandwidth and the mental fortitude
to trawl through discords, I would definitely encourage that. And then obviously Reddit
is sometimes kind of like, you know, the overly
cynical version of social media, but there's some really good subreddits that are out there that I think are worth,
you know, perusing through. But I think the majority
of InfoSec relies heavily on Twitter for their
primary social communication with their peers, but LinkedIn
is your digital resume. And so you need to make sure
that your digital persona of your professional image
is solid on LinkedIn. And then your engagement
is active over on Twitter. - Okay, so going back to the first one, because I wanna push you on this. Start with some INE free
certs, free training. And if I had to get one
certification to open the door it would be OSCP, is that right? - As of right now, I think
OSCP is the easiest one to get past the gatekeepers,
you know, that's out there. I think we'll see that change. You know, I think, you know, I
know this is a longer answer. I usually do yes or no's
for questions like this, this is longer. - No, that's great, that's great. No, go for it. - I think we'll see that change. SANS is starting to price
itself out of the industry. I've seen so many comments
in the Twitterverse and on LinkedIn and in my peer group, and having run security operations teams, I can tell you that paying
over $7,000 per person on top of travel and
expenses kind of pre-COVID, it crushes your training budget, it crushes your training budget. And so I think the tides are shifting and while I think OSCP
was the gold standard, I think INE, you know,
is going to surpass them if they haven't already just in terms of that name recognition. - I mean, that's great. I mean, I think we've got a great roadmap, three things that someone
can do very practically. And I think the most important piece that you've mentioned is the second part which is get practical
experience in your spare time. You don't have to, you
know, leave your job, get this on the side, and
then build up that experience. And then as you make more
and more connections, and that's a great challenge
that you gave, you know, get 1,000 followers or contacts
on LinkedIn, make 1,000. I've hit 30,000, so apologies to everyone who sends me a connection on LinkedIn. - (laughing) - I can't accept any more
because they limit it at 30,000. It's terrible. Same on Facebook. I mean, I can't take Facebook
friends 'cause I've hit 5,000. - Oh, well. - I can't take any more. It's amazing. So I wanna
talk about that briefly and see if you agree with me, I used to hate social media
and I used to, you know, think I need to keep everything private. But as soon as I started
engaging with social media, as soon as I started using
it, the doors started opening. Have you had the same experience? - I have, and when I started my LinkedIn, I was in the military and I had a top secret security clearance, and I was doing cyber
work in the military. And you know, that was the
very paranoid OPSEC days, operational security,
days in the military. But I took a stance
that was like, you know, I'm going to control what
I put onto social media, so that the image that the
social world sees of me is the image that I want
social people to see of me. And especially when you take
that persona on LinkedIn and you realize that your LinkedIn is what your future boss is gonna look at, your future peers are gonna look at, people who are trying to evaluate whether they're going to hire you or not in the recruiting space. When recruiters are out
there looking for you, when you realize that that's
your audience on LinkedIn you want that to be a digital resume, a testament to how awesome
you are in this space, whether you're just starting out or whether you've been in
this space for 20 years you want that digital
footprint to look like that. I can tell you that since
I've been out of the military, since we're on the LinkedIn topic, I think I've gotten two
jobs since I've been out of the military by
actually looking for a job on a job board and sending out
a resume and applying for it. And that was the first
job I had when I got out of the military in 2013 and the job that I had
immediately after that. Those two jobs were the only two jobs that I've actually ever sent out a resume for and applied for. Everything else has come from
recruiters reaching out to me, has come from, you know, partners at a big four reaching out to me, CSO's at other companies
reaching out to me. That's how those jobs have come to me is reach-outs over LinkedIn and not actually by applying
for jobs in the space. - I mean, it's a great testament. I mean, I know you've taken
this to the next level. You've been on TV, is that right? - That's right, I've been on Bloomberg. - So I mean, they were quizzing you about, I didn't see the interview, they were quizzing you about something, I'm assuming some hack or something. - It's the SolarWinds hack, yeah. - Yeah, and I mean,
that obviously opens up a huge opportunity for you because if people see you on television, they're gonna wanna get you involved in their next project, it's exposure. - It is, it's 100% exposure. And make no mistake, I
feel ridiculously blessed. I count my blessings every day that I've been able to grow up, and I've been able to be
successful in this industry, but it's not, I tell
people this all the time, it's like, you know, I've found gold and I wanna share it
with literally everybody because it's not outside the region. And I'll tell you this, you can cut it in or out if you want to, I didn't get accepted into college. When I graduated high school I got turned down to go into college. I got my first jobs
based solely on the fact that I was an 18-year-old
kid who had, you know, built some of the first web pages for North Carolina State University, built some of the first web pages for Wake County Public School systems. This is back in the '90s when
HTML was first kicking off. I was able to demonstrate for these people that I may
not have gone to college, but I demonstrated being
able to write HTML. I didn't get my degree until the Air Force handed me a degree, you know, some number of years ago. You know, just because you
did your time and service inside the Air Force. And so I don't have a formal,
you know, collegiate degree. And so I can do it. And I know that everybody
else out there can do it. And I know that everybody's
trying to push degrees and promote degrees
because that's the society that we live in, that you have to go to a higher education and you have to go get a degree and you have to be successful. But, you know, this industry is different than engineering, than
accounting, than legal, and all of those others out there that that's just not true. - You think I'm not gonna put that in. That's gonna be run in the beginning. - (laughing) - Neil, we're running out of time. I mean, this could go on for a long time and I wanted to quiz you about, you know, SolarWinds and stuff like that. But, you know, we've
only got a few minutes. So tell me, you did work for the NSA. - That's right. - And I think that's something a lot of people may aspire
to, or may aspire to be on the other side of the fence,
but let's not get into that. - (laughing) - So tell me, is the NSA
made of supermen and people who are just like out there intelligent or is it normal people? And you know, if I wanna
start out, is it possible for someone like me to
work towards working there? - So I'll start with the
second question first. Second question is
unequivocally yes, 100%. Whether it's the NSA, the FBI, CIA, any, I don't know anybody
at GCHQ, but, you know, I imagine GCHQ is obviously looking. Cyber is huge and the
governments are looking... - Big push in the UK. I'll just interject that. They're trying to get more
and more people involved. Yeah, big push. - Yeah. I mean, the governments recognize the value of getting more
people who come up in this space actively involved in offensive security. So, yes, the second question is easy. The NSA would absolutely hire you without you being a superstar. I don't mean that you... You shouldn't be a slacker, but, you know, you don't have to think that you're, you know, Kevin Mitnick reincarnate
to go work at the NSA. Trust me when I say you
don't have to break the law and get arrested and
then go work at the NSA. That's not a career path. That's not a career path. - You're not advocating that then. - I'm not advocating that. I know it's been televised,
but that's not a career path. (laughing) If you do the same
things that you would do, like what we're talking about, now the NSA being a government entity they're gonna push you
into a four year degree. I think the government is
working on trying to figure out how to solve that problem. On the U.S. side, that's
something that, you know, unfortunately, you may
have to fight the system when it comes to doing
something like that. You know, we're still not that mature as a cybersecurity industry. Now, to your first question, there are some crazy, crazy
smart people that work there. There's a team of folks, and when I was there, it
was a couple hundred folks who do all of the exploit
development, tool development, capability development, you know, D and T, you know, was the name
of it when I was there. Who does all of the
things that you read about or the things that you dream about or even some of the crazy
stuff that you see on TV? That's that team. And these are probably some, and especially on the crypto side, not so much on the hacking side, but especially on the
math and crypto side. These are some guys who, if you've ever seen the
movie Rising Mercury with Bruce Willis and the kid, and you've got this kid, who's got autism but he looks at a page and can figure out that it's like the most complicated cryptographic algorithm out there, and he could break it
just by looking at it. They have people like that who, as soon as they turn the legal age of 18, the NSA plucked them right out and put them into a
building with no windows, fluorescent lights and a drop ceiling, and that's where they've spent the last 10 to 15 years of their life. And so, yes, they are ridiculously smart and ridiculously weird
all at the same time. - I'm sorry, everyone. We're running out of time. Neil's got another
meeting in a few minutes. So Neil, I'm afraid I'm gonna have to like twist your arm and get you back 'cause I want to twist your
arm to talk about SolarWinds. - Yeah. - Could I ask everyone to
put comments below, you know, what would you like Neil to talk about on another video? And should we do a live? I think he's big on Twitch, but I wanna get him on
the channel as well. Neil, I really wanna
thank you for your time. I mean, please mention your
social media accounts again for everyone so they can follow you. I'll put them below as well. And any closing words? - No, David, thank you so
very much for having me. It's an honor to be with
somebody like yourself. Your videos are amazing. - Thanks. - The content you put
out is really awesome. And so I'm super excited
that I had the opportunity to be part of this. Would welcome the opportunity
to come back on and do another and talk to your audience. For those who are looking for me, you can find me on Twitter
at ITJunkie, all one word. You can find me on LinkedIn
under Neil Bridges, or you can find me on Twitch
every Monday, Wednesday and Saturday at 7:00 p.m.,
Central Standard Time in the U.S. at Cyber_Insecurity. Cyber underscore Insecurity. And just to give you a
little brief on that, it's a little play on some
of the imposter syndrome that is inherent inside
the cybersecurity industry. Lets you know that, you
know, anybody out there who's listening to this, imposter syndrome isn't
just related to you because you're new in the
industry or anything like that. I can tell you that I've been
in this industry for 20 years, and I can cite instances as
recently as a few months ago where I've had my own
cases of imposter syndrome. - It happens to us all. - It happens to us all, and so come join a community where we try to break down those barriers. We talk about all
aspects of cybersecurity, and you're welcome in a group of people that just wanna see you grow and be the best version of yourself inside this industry that you can be. - Neil, I really appreciate
that, man, that's fantastic. Speak to you later, cheers. - Absolutely, cheers, sir. (soft electronic music)
BTW, this guy was really employed by the US Air Force. So why did he do all this work for the NSA? That's because the NSA is part of the military. So when the NSA hacks you, it's really the US military.
Edward Snowden who?