- It's so nice to hear
stories, like real stories because it's like you said,
we can talk and talk and talk, but it's good when you hear that people are actually applying it, and changing their lives applying it. So, that's great. - I had a different
background than most people. I grew up in foster homes and group homes and orphanages, homeless. And so I didn't finish high school. - I have to tell a story on this so you can decide where
you want to cut this out. - I like stories, go for it. - Well, this is actually
pretty recent story. We're talking like last Wednesday. He listened to our advice
when it came to LinkedIn, he listened to our advice
when it came to networking and he started his LinkedIn challenge that you and I put forth in January. And within 30 days, he had achieved his thousand connections in the first 30 days. - That's well done.
- It is well done. So then he listened to our advice when it came to getting
his first cybersecurity job in the sense that he reached
out to the hiring manager and he showed the hiring
manager his portfolio of try hack, these Hack The Boxes, the stuff that he had been working on, and he bypassed the HR person and got an interview
from the hiring manager and got an internship
in doing ethical hacking for this company by following our advice. And I legitimately teared up and got super emotional on stream about it because it is a testament that, you know, this may sound like a bunch of old
dinosaur stuff at times, this may sound like you got two
old guys like David and Neil who were just like
talking out their butts, we haven't been in the career field in God knows how long,
what do we have to know? But when I saw this message
show up on my screen that the moderators had pushed, I legitimately got emotional because that's exactly what it is that you and I keep telling people is that do these things and
your probability for success goes up dramatically because this is how the industry works. - So, did he have any experience before this position?
- No. - So, he had zero experience. - Zero experience. (energetic music) - Neil we've spoken previously about certs that people
should perhaps look at getting or, you know, how to get experience. That's all great but what is the first job if someone's brand new to this field? What's a good position to look for if you're trying to break
into cyber security? - I think that the first
job that you want to do when you look into cybersecurity
is a SOC analyst role. I think that's easiest one to get into. But I want to say a second thing because this came up on
an interview on my stream that I think is actually
absolutely brilliant. I had Joel Fulton who is
the former CISO of Splunk, these guys back here, right? He's now running his own called Lucidum. And we had him on the stream
maybe three weeks ago. And this is a guy who
legitimately grew up homeless, out of sheer power and will
pulled himself up out of that, got a PhD in cybersecurity for no other reason other
than he just wanted to, and he turned into a CISO at Splunk, which is one of the biggest
brand name organizations that you get out there in
the cybersecurity space, and now he's running his own company. - I had a different
background than most people. I grew up in foster homes and group homes and orphanages, homeless. And so, I didn't finish high school. I got a job working in a wood mill and used that to earn my GED while I was taking the firefighter test. And I was number 11, they hired 10 and the wood mill shut down. And so they did, through
the unemployment department, they did this worker retraining program and they made you take these
tests, aptitude tests, right? Your Myers-Briggs, your
aptitude, that sort of thing. So, I'm a guy that had
gone to work every day wearing overalls and come home
with splinters in my hands. And my routine when I came home was take two casserole dishes and fill them with about a
half an inch of rubbing alcohol and just soak my hands in them for about a half hour watching TV 'cause it drew the splinters out. - Wow.
- So that's the kind of guy that I was, right? I wasn't feeling sorry for
myself, it's just what you did. So, I took these tests and they said you'd be great at computers. And I thought, there's just no way. I'm gonna be the guy in mom's basement with the bare bulb burning overhead and the pile of Twinkie wrappers. "Mom, I'm trying to work
here, keep the noise." Like that is not what I wanted. (laughter) Then, they turned the
sheet over and they said, "Here's the salary potential." And I thought, "I could
learn to love Twinkies." (laughter) - So, that was the flip. - But he said, you know,
he talks about a concept which is this concept of garbage jobs. And when people think about garbage jobs, they think about the jobs
that nobody else wants inside of a cybersecurity organization. And when you talk to, I'm sure most of your audience
would agree with this, the red team is as sexy as hell, blue team is the next sexiest
thing that's out there, but those jobs are highly competitive. And so, Joel talks about garbage jobs in a cyber security organization, jobs that nobody wants to do, but they're jobs that, you know, because nobody wants to do them, they're easy to get into. And if you crush them
while you're in there, you literally have this aura
of awesomeness about you because you were able to do an awesome job at something that nobody wants to do. And so when we talk about garbage jobs, we're talking about things
like risk and compliance, doing risk assessments, writing policies, even starting even lower
than like a SOC analyst and going to like a vulnerability
management analysts, where you're just doing
vulnerability analysis. Look for those jobs that may
not necessarily appeal to you, but those jobs are actually
probably easier to get into in a cyber security organization than say a red team or blue team job. And I give an example of this because I've seen this in a lot
of the Fortune 100 companies that I've worked at. IT audit, right? Nobody wants to do audit work. Audit work is so miserable, right? But I've seen more people in my career start off doing IT audit work and transition out of IT audit into the cyber security organization than I've seen jump
straight into SOC analysts and straight into red team jobs. - Okay, Neil, so, have you got examples? I think you've mentioned a
few of job types or positions that I would search for on
LinkedIn to get my first job. And then once I've got that job, what's the next job that I'd look for? Basically, what are the steps
to get where I want to go which may be red team, but I want to just break in because I don't have any experience? - So, I think if we're talking somebody who is trying to get into a
cybersecurity career field or somebody who's trying to get into a cybersecurity organization, when you look at the job titles, and we could probably do
an entire stream, David, on what the composition of a cybersecurity
organization looks like, and we can get in crazy with some visuals and things like that, we
could talk about that, but when you think about the job titles, red teamer is actually typically
not an entry level title that you're going to
find in most job reqs on LinkedIn or Indeed
or anything like that. Typically, the entry level jobs that you're gonna find in a
cybersecurity organization are a thing like SOC analyst. And usually it'll be like SOC analyst one, junior SOC analysts,
entry-level SOC analysts, some type of SOC analyst level one. You'll see vulnerability
analysis as an entry level job. You'll see a risk assessment specialist as an entry level job. You'll see things like a policy
and standards specialists. Those are very common entry-level
jobs into an organization. And so, I would encourage folks who are looking for that ground floor, don't get so focused on,
"I want to be red team, so I need to look for a
red team entry level job." Cybersecurity organizations
just don't work like that. Red team is a goal. And so, as goal, there's multiple steps that gets you between where you are today and where that goal is. And I would encourage you to
look for that SOC analyst one, look for that IT audit specialist, look for that SOC analyst role, I think I said that one already, look for that risk assessor role, and use that as your
foothold in the organization. Now, what I encourage people to do once they get into that role, I mean, be open and honest with yourself. You're taking a role that, you know, I don't know if your audience will recognize this analogy or not. There was a Transformers
movie, "Dark Side of the Moon", "Transformers Dark Side of the Moon" that came out a number of years ago. - I'm sure a lot of
people will recognize it. - Okay, just making
sure, just making sure. You know, you've got the
lead character in there, who's the kid who saves the world with the Transformers multiple times. And he graduates college
and he goes into the company and he interviews and he's talking about how he's
got an Ivy League education and he's saved the world two times, and he just wants a job that matters. And the guy's like, "Cool, go
down, work in the mail room." Right? And I think we can all relate to that. 'Cause it's like, "That's
not the job that I want. The job that I want
is the job that I want. I don't want to go down
and work in the mail room." But what I think is actually
a pretty apt life lesson out of that movie is the guy who hired him
looked at him and said, "This isn't the job that you want. You want the job that
comes after this job, but this is the job that
you have to do first." And I think oftentimes
people forget that step in their career progression, that there are jobs that
you have to do first before you can get to the
job that you wanted to do. I went into the military
wanting to do offensive hacking. But I can guarantee you that
the day that I showed up at my first duty station, offensive hacking was
not my first job title. Okay? It took me a couple of years before I actually got
to sit at that console and do the offensive hacking mission. Right? And so, remember, there's
probably some garbage jobs that you need to do between whatever it is you're doing now and whatever it is you want to do. - So the term garbage job, is that because it's a job
that's garbage basically? It's not a nice job, yeah? - It's not a nice job. We use that kind of
sarcastically, tongue in cheek. Because I mean, you know,
IT audit work is dull. And I hope I don't offend
any of the IT auditors that are out there, right? But you literally have a set of controls and you're like, "Do you use passwords?" "Yes." "Are you using firewalls?" "Yes." "Show me your policies,
let me read your policies." Check. Right? That's the level of mundaneness that can come with a job like IT audit. But think about, and let's use the IT
auditor's experience, right? What do you learn from that? Well, you learn about
cybersecurity controls, right? You learn about firewalls, you learn about password policies, you learn about antivirus, you learn about all these things that make up a cyber
security organization. You make friends at some of
the highest levels possible when you do audit work in
a corporate world, right? You make friends with the
Chief Audit Executive, you make friends with the CISO, you make friends with the CFO in most organizations
when you do audit work. And so, you have a lot of
high profile visibility. And so, you could legitimately, I know there are auditors who are within their first
three years of being audit work who have had more meetings
with CISOs, CIOs and CFOs than anybody else on the
cybersecurity organization. And those are the types of relationships that you want to build. And so, it's garbage jobs
because nobody wants to do them, because they're not cool,
sexy, like red team, but when you sit there and
you dissect the benefits that come out of that, they'll pay dividends over a red team job in your long-term career. - It's interesting that you said that because, I mean, networking is networking with high quality people. And if you're spending time
with people at that level, I mean, when you decide to change roles, you've made a lot of contacts. So, like we said, going back
to our LinkedIn stories, if you've made contact with
those people on LinkedIn and you post that you're
looking for a position, they're more likely to help
you because they know you. - I have to tell a story on this. So you can decide where
you want to cut this out. - I like stories. Go for it. - Well, this is actually
a pretty recent story. We're talking like last Wednesday. But we've talked on your shows about LinkedIn strategies
and networking strategies and things like this. And I harp on it pretty
frequently on my stream as well. We had a guy who I thank you
for because he came after, you know, in January when you
and I did our first interview. He came to the streams and he tuned in
religiously to the streams. There wasn't a stream that I did that this kid never showed up to. I mean, he was always there
and he was interactive. He asked questions, he dug deeper, you know, in terms of that
interaction with me on stream, which is one of the big benefits that I always encourage
folks about the stream. Is like you have direct access to me, at least for that two hour
time block to ask me questions and I'll try and do my
best to answer them. He listened to our advice
when it came to LinkedIn, he listened to our advice
when it came to networking and he started his LinkedIn challenge that you and I put forward in January. And within 30 days, he had achieved his thousand connections, in the first 30 days. - That's well done. - It is well done. So then he listened to our advice when it came to getting
his first cybersecurity job in the sense that he reached
out to the hiring manager and he showed the hiring
manager his portfolio of try hack, his Hack The Boxes, the stuff that he had been working on, and he bypassed the HR person and got an interview
from the hiring manager and got an internship
in doing ethical hacking for this company by following our advice. And he said it in stream. He came on the stream last Wednesday, he'd been holding this good
news into him for a week. And he came on the stream when we had the stream last Wednesday and announced it to our entire
viewership last Wednesday. And I legitimately teared up and got super emotional on stream about it because it is a testament that, you know, this may sound like a bunch of old
dinosaur stuff at times, this may sound like, you know, you got two old
guys like David and Neil who are just like talking out their butts, yet we haven't been in the career field in God knows how long,
what do we have to know? But when I saw this message show up on my screen that my
moderators had pushed, I legitimately got emotional because that's exactly what it is that you and I keep telling people. Is that do these things and
your probability for success goes up dramatically because this is how the industry works. - So, did he have any experience before this position?
- No. - So, he had zero experience. - Zero experience. - And he took your advice of Hack The Box, that's how he built up his
experiences, is that right? - That's right, that's exactly right. - And then how did he make
contact with the hiring manager? Again, just to emphasize, it was through LinkedIn, is that right?
- Yeah. It was through LinkedIn. He went out and researched the company that he wanted to be a part of. He found out who was working in the cybersecurity organization, he found out who the hiring manager was through his network and through the searching
that he had done, and he friended them on LinkedIn and then reached out to them on LinkedIn and made contact with them to get past HR for that internship. - That just shows you, I mean, it's so nice to hear
stories, like real stories, because it's like you said,
we can talk and talk and talk, but it's good when you hear that people are actually applying it and changing their lives applying it. So, that's great. - It is. And like I said, I'll put the video up as soon as I get done
editing it and whatnot, but if you put yourself
before I put mine up, you can go back and look at the VOD. I got crazy emotional
on it and actually like, you know, I actually broke
down into tears on stream 'cause I was so happy for the guy. He had achieved his dream
and he was so happy about it. (energetic music)