The growing threat of cyberattacks shows just how much of a concern the worldwide shortage of cybersecurity professionals is.
The upside is that more people are joining and looking to enter the industry. However, that does not mean that anyone interested in a cybersecurity career can land a job.
If you look at most cybersecurity job openings, entry-level positions typically require three years of relevant work experience, but, and here’s the chicken-and-egg question of the day: how do you gain experience if there are no opportunities to do so?
Our guest this week is Dr. Gerald Auger, an industry veteran who is passionate about helping people get started on their cybersecurity careers. In addition to his full-time job and teaching duties, Dr. Auger has co-authored a book and built thriving communities on LinkedIn and on his Discord server for aspiring cybersecurity professionals to network, share ideas and receive advice for their careers in cybersecurity.
Join our host, co-founder, and CEO of Horangi, Paul Hadjy, and Dr. Gerald Auger as they provide practical advice and tips for a career in cybersecurity.
Tune in to this episode of Ask A CISO to hear:
- how to gain experience when you have none to land an entry-level position
- what a cybersecurity job entails and if it’s right for you
- where you can train without breaking the bank
- what you need to keep working at even after you land a cybersecurity job
- what he thinks employers can do better to keep good employees
About The Guest: Dr. Gerald Auger
He is also the co-author of Cybersecurity Career Master Plan, a book offering proven techniques and effective tips to help cybersecurity professionals advance their careers.
Dr. Auger has been in the cybersecurity field for 17 years and hails from South Carolina in the United States of America. He likes to talk about cybersecurity, ethical hacking, and information security.
About The Host: Paul Hadjy
Paul Hadjy is co-founder and CEO of Horangi Cyber Security.
Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.
Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific.
He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams.
He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking.
All right, good afternoon, everyone. Just want to welcome my esteemed guest Dr. Gerald Auger, the host and chief content creator of Simply Cyber, an information security YouTube channel designed to help individuals go further faster in the information security field.
He's also the co-author of Cybersecurity Career Master Plan, a book offering proven techniques and effective tips to help cybersecurity professionals advance their careers.
Dr. Auger has been in the cybersecurity field for 17 years and hails from South Carolina in the United States of America. He likes to talk about cybersecurity, ethical hacking, and information security.
Welcome, Dr. Gerald Auger, great to have you!
Dr. Gerald Auger
Yeah, thank you very much for the invitation.
Of course. Did I miss anything there? Anything you want to highlight for the guests?
Dr. Gerald Auger
I'm also (an) adjunct faculty at the Citadel Military College and I'm a full-time Information Security Officer at a 750 million dollar manufacturing company, so I stay busy, but I do love cybersecurity, so it doesn't seem like I have four jobs.
Nice, yeah, I mean, definitely, I think (it’s) good to get out there and expand your expertise and teaching at Citadel is no small feat I imagine, but exciting stuff!
So how did you get started in cybersecurity?
Dr. Gerald Auger
Yeah, I originally came up in a more traditional path or, you know, what used to be considered traditional. I went to a university, got a computer science degree, started doing software development because that's what I thought you're supposed to do with the computer science degree, so I knew databases, networking, operating systems, all these things, but I thought it was all to just facilitate software.
And my code got audited for cyber, you know, for information security, basically like the pre-FISMA compliance which is like a U.S. Federal standard, and I was kind of stunned that my code did so poorly, but I was building it to requirements, which is what I thought I was supposed to do, and these security requirements were new, so I kind of dug in a little bit on that and began to understand, like, oh man, there's like an entire, you know, field here of being able to break stuff, and then the tipping point was very early on. I found something called the vulnerability scanner, which is like a pretty standard tool in our industry at this point, but, you know, you put it on a network and it scans it, and it tells you all of the hosts on the network and all of the bad, you know, weaknesses of those hosts, and I was just dumbfounded that, like, I thought that was the hard part.
You had to find and then hack things to be good at security. In reality, there's these tools, so at that point, I was tipped over as far as, like, how can everybody not be hacked all the time, but there's a tool like this out there and I wanted to answer that question, and then I just, you know, I jumped headfirst into the rabbit hole.
Great! Yeah, I think, a similar path to me, definitely. Studied more network communications management side of things but a lot of, like, sort of UNIX, Linux stuff and then end up joining a small company after working for the government for a couple of years, called Palantir at the time, but it's an exciting journey for myself as well in very similar paths so quite interesting, yeah. It seems like we're, like, similar sort of experience paths so quite cool!
So how's cybersecurity kind of changed between like when you first started and what it is today?
Dr. Gerald Auger
Wow, it’s changed in so many dynamics.
I'll give you two that are kind of, like, really different, just to kind of have a funner conversation. So, one from the technical perspective right? So, the tooling has gotten so much better, the adversaries have gotten so much better as far as, like, what resources they have.
I don't want to say, like, the level, the depth of knowledge has gotten better but there's just so much information out there for people to consume to be, you know, on the offensive side or the defensive side, and to be able to, you know, responsibly disclose vulnerabilities.
That whole thing is kind of new to the industry, so the attack surfaces are getting huge and cloud introduced a million new attack surfaces, so from a technical perspective the challenge of properly defending an organization has increased tenfold, which is why you're seeing such a dramatic demand for skilled workers in the field right now, because it's just an explosive field of need, really.
The other thing I wanted to share that is a significant change in the last, you know, whatever, 10 to 15 years, is the way that the business perceives information security.
Like, in the business we call it information security, like, the business isn't going to call it really cybersecurity and a lot of people, you know, and Paul, you may, if you have the similar background that I had coming in, you may have seen this too.
Like, a lot of information security, cybersecurity professionals see the technical side of everything and they like to get their hands dirty, hands-on keyboard, engineer cool solutions, zero-days, and stuff like that, but at the end of the day you have to remember your paycheck is being signed by a business, a business that makes product or delivers service or does something.
In all reality, they care about money coming in, and revenue generation, and stuff like that, things that most of us don't care about, but what we do needs to map to that business.
So back in the day, to bring it, back in the day, the business didn't care. You were a cost center. You maybe were part of IT, like if you even existed, right, and now there's Chief Information Security Officers, there's entire budgets allocated to information security, you know, the board who is typically the ones that are kind of guiding the big decisions for business.
They want to hear what are we doing about ransomware, like, they're asking that question. It used to be you'd have to bring that information to them and somehow hopefully pitch it in a way that sounds interesting enough to get them to listen, and now they're coming to your desk and asking you what are we doing, or how are we protected, and what do you need. Do you need money in order to do it? So that's a significant change, you know, really, in the last, like, five, six years. Ransomware, for all that ransomware is terrible, it did do that for us, so we can thank that.
Yeah, definitely, and I think, you know, one point you mentioned there which I 100 percent agree with is ultimately, cybersecurity is business risk. It’s up to the business owners to kind of make the decisions about what risk they're comfortable with and what risk they're not. I think that differs like, kind of, across industries, but it is very important too.
I mean essentially if there's no business there's no need for cybersecurity and sometimes if cybersecurity is not being taken care of, there may not be a business as well, so I think it's important for executives and security people to understand that, so I think it's a great point.
You also mentioned the skill gap which is, like, you know, definitely, you know, having come from America and having worked there half my career, I definitely saw that in America, but when I came to Asia, I was actually surprised that it's even worse here, so I'm curious to hear what your organization or you are doing to, kind of, sort of, help with that gap and train people and get them up to speed on cyber.
Dr. Gerald Auger
Yeah, there's a whole host of initiatives, you know.
Again, most of my focus is around the United States. It is transferable. The Simply Cyber YouTube channel that I have, and all the kind of tentacles that come out of that is country agnostic, so we do have members of our community that are from Asia, and from Africa, and Europe, and Australia.
At the end of the day, people, at least I found, this is why I wrote the book Cybersecurity Career Master Plan. It wasn't for making money or anything like that. I feel like there is a ton of people who are intrigued and interested in cybersecurity.
You hear about it in the news all the time, it seems really cool in movies, but where do you start, and the most telling thing is when, and I'm sure you guys get this: when someone says, “Hey, I want to work in cybersecurity,” and the very next thing that a professional would say to them is, “okay, that's cool. What do you want to do?” and then they don't know the answer to that because they don't realize even at the simplest level that there's, but there's fields within information security itself that if you want to be on the offensive side, like spending time learning about GRC and auditing and stuff, yeah it can help you a little bit, but it's not going to propel you.
It's not the most valuable time commitment for your return on investment to be able to get that job as a pen-tester or as a red team member, so I feel understanding what the career options are, kind of laying it out as a taxonomy, that to me is a really important first step.
Again, it's like when you're gonna go on a long hike or a three-day camping trip or something like that, into the mountains, you don't just start walking and then figure out what you should be doing as you're passing the first-mile post.
No, you research, okay, like what's the weather conditions like, what's it going to be like at night, what do I need, a tent. Do I need a heavy bag, light bag, what clothes do I need, what food, how much provisions? You don't want to bring so much food so it's all about prepping and understanding what you're doing.
So then when you execute on getting the education, or getting the skills, or getting the experience, you are equipped to be able to take it in, and you're executing on a plan versus just haphazardly.
That's a problem. So many people just jump in haphazardly because they see a really cool hack or something, and, my, they just do that but it doesn't really ground you to anything.
I mean, definitely, I struggled at the beginning of my career and luckily, I was able to study in a degree that was somewhat near to cybersecurity and then subsequently got interested in it because of that, but I think not everyone has that chance, and I think it sounds like a great book and something I'll have to check out personally, like what are the different types of journeys that people take and how they can get into it.
I stumbled upon it, but I think for a lot of people, at least these days, things have changed quite a bit, I think. Interesting to see those paths, and kind of, is this what motivated you to set up Simply Cyber, or is there another reason behind that?
Dr. Gerald Auger
So the genesis of Simply Cyber’s interesting.
So I did a podcast kind of similar to this one for about two years where I, for lack of a better term, studied under a guy named Steven Cardinal, who’s a great friend of mine, great practitioner, and he had done a bunch of podcasting and stuff, so he knew about, you know, like, setting up a podcast seems easy but there is like audio and video stuff you’ve got to deal with, and processing and files and all this stuff.
So I did his podcast for two years and learned how to do it so when the podcast ended, I was kind of excited about wanting to do another project, another podcast, and YouTube as a video format, I find, it was just an audio podcast before, a video podcast to me has such value because I'm a really animated person and, you know, I just feel like you can show demos, you can show your own expressions, like there's a million other, like, there's a bunch of benefits to the video piece of it.
So I started Simply Cyber and really the goal was always to deliver value at scale because a lot of people come to me and ask me like we covered it in the intro, I have multiple jobs, I encounter people all the time of different walks and backgrounds, and they always ask me questions and which is fine, I'm here to help.
But if you get asked the same question over and over and over and over again, yes you're willing to help, but like my time is valuable, so if I can make a video that answers that question which I've done and someone says, “Hey Gerry, I want to get into cybersecurity.”
“Okay, what do you want to do in cybersecurity?”
“I don't know. What options are there?”
“Hey, check this video out, it's gonna answer that question, probably a couple of others you're gonna have after that, and then get back to me and I'm happy to talk to you, but just do me the service of watching the video because it's got the answer.”
And then what ends up happening is those people go off and get that answer, and then I'd say like 80 percent of them, they don't come back because they start getting into the weeds of all the videos and all the questions answered and stuff like that, and they'll eventually come back and say hey thanks, that was really awesome, or they'll become part of the Simply Cyber community, which we could talk about later, which is its own thing that's pretty awesome.
But I'm able to scale mentorship and to me, I'm like it's the best of both worlds. I get to mentor many many people and I get my time to be able to work four jobs or do my own personal projects and stuff like that so that's why I started the YouTube channel and I'll tell you just as a quick aside: I never imagined it to be as big as it is today. I mean there's some huge cybersecurity YouTube channels, don't get me wrong, I'm not saying like mine's the Colossus of Rhodes here, but it's taken on a life of its own and the people that make up the community are definitely part of that identity.
Yeah, that's awesome and the next question I was going to ask you is, well, first congratulating you on hitting 25,000 subscribers! It is quite an achievement and you answered my second question which was like did you ever imagine that? What's next for you?
Dr. Gerald Auger
Yeah, so like I said, the Simply Cyber community, so there's a Discord server which is kind of like the home base of the Simply Cyber community, and there's a lot of people championing other people's situations and stories. People are in there like “I got another interview,” “Oh, like I'm doing this training,” “Oh, like I built this home lab or whatever.”
So it's a support group. At the end of the day, it's a support group and it's really inspired me to keep pushing. I started doing… I've changed a little bit, so Simply Cyber has been around for two years.
Now, I'm doing more live streams. Every morning at 8 AM Eastern Standard Time, I do a live threat briefing 'cause I do it anyways for my job. I just decided like a month ago why don't I just turn on the camera since I'm literally doing this already, and it can add value? So I started doing that so I'm doing a lot more live streams.
I'd like to get to 50,000 subscribers by the end of 2022. I'd love to host a bunch of, like, I'm actually working on this idea right now, of hosting a bunch of people who have gotten jobs, broken into the industry this year, and have them tell their stories and it’s almost like an anthology type format.
That's an idea that I'm working on. It's going to involve a lot of people obviously. So that's where it is, I mean, it's just me continuing to double down and deliver. I'm trying to deliver value to people who want to break into the industry, but now that so many of those people are broken in and they're still part of the community, I want to make sure that I'm continuing to deliver value on how to be a great practitioner or how to be a CISO.
It's not all about people breaking in. There's people who are in that don't know how to pivot around. You're an offensive security person and you want to become a blue or you want to be a CISO at some point. How do you do that?
And I don't want to say marginalize, but I don't want to discount those people's needs with the mass of people who are trying to break in, because I've spent two years helping those people and there's an opportunity here, so that's really that's why I'm doing the threat briefings morning because it helps people comprehend what's going on in the industry, but also if you’re a practitioner, it feeds you for your day of here's what you need to know, and how you might be able to, I don't want to say weaponize it, but how you might be able to leverage it to help your end-user community or your business.
That's really cool, and I think, you know, one thing you mentioned as an idea is pretty interesting, which is talking to people who've broken into the field and seeing how they did it and what was their experience like, which I think is super interesting, especially for those who are trying to get into it, and in that, like, what is kind of like advice you would have to people who are kind of trying to break into the industry 'cause a lot of companies are looking for experience, of course, but if you don't have it, how do you take that first step?
Dr. Gerald Auger
So there's really two great pieces of information that your listener should take away:
The first one seems obvious, you just mentioned it — lack of experience. Catch-22: how do you get the one to three years of experience for an entry-level job unless you have the entry-level job? I would advise folks to really, you need to go above and beyond, just like university or whatever boot camp.
Do TryHackMe, do hack the lab, do RangeForce. There's so many SaaS providers that do lab-type work, and I just featured on Simply Cyber last week John Strand, who runs Black Hills Information Security, which is a really great outfit out of the United States. They offer a pay-what-you-can training model for three different courses and they do it quarterly, so in one quarter you could take all three courses, and those classes, I mean, you can literally take 'em for free and you get hands-on-keyboard skill that you can demonstrate and speak to and be confident going into an interview.
So then it gets tricky: how do you massage your resume to be able to highlight that education or experience so it gets through HR because the hiring manager is going to understand what it means. HR doesn't understand. They're just like is this one to three years, yes or no, so that's an art form all by itself.
The other thing I would tell people that's not obvious and I think it is the most important thing so like you know, mark tape on this one, the most important thing that you can possibly do is network within the community.
I can't emphasize this enough. There's so many jobs that never get posted online — they're never available and here's a harsh reality. So like I hire people from my information security team. If I have funding for a new position, like, let's just say that I just got approved for an entry-level SOC Analyst or incident responder, whatever you want to call it.
The very first thing I'm going to do is I'm going to look at my professional network for people who fit that need because, and this is why it's a harsh truth: my time is important, so if I know someone who can do the work, that means I can get them in, get them interviewed, and validate that they're clear and then get them hired, and I can go from an opening that I need filled (I need to execute on my mission, I got an opening to fill) in like three or four weeks. If I have to go through posting it online and going through, you know, open for two weeks, resumes come in, I then have to sift through and interview, it's like a two-month process, and I know that that's the way it works normally.
But I'm telling you: if people know people, they're going to go with them, which is why it's so important to join and get engaged in professional networking. That's why something like the Simply Cyber Discord server, I'm not plugging it because you're gonna get a job there, I'm just saying that is one venue where you can network professionally.
It's not all about just having some pithy comment on LinkedIn. It's about being a person and contributing, and listening, and having thoughtful, deliberate conversations about real topics. That's what it's about, and that, I swear to God, if you do that piece, you unlock like 50 percent more jobs.
And, Paul, not to go on a tangent here, but the one thing that I always tell people is: it definitely will work if you network, but I cannot give you a timebox. A lot of people misunderstand that: “OK, I'll network, and in two weeks I'll get a job, Gerry? Three weeks, I get a job? What is it?” And it's like, no, you can't, there's no time to it. It will happen, though. I just can't... you can't timebox it, and then if you're approaching it as "I'm doing this exclusively to get a job," you will be disingenuous, your contributions will not be sound, and people will smell it, and I can't explain how you smell it, it's like a human sixth sense, but disingenuous is not a good look on anyone.
Yeah, I think that's true and actually, in my experience, I got my first job, actually was an IT internship and I started working closely with the security people at the organization I was working at and then subsequently was able to transfer to a full-time role within security.
So, yeah I think what you said makes a lot of sense in networking and knowing people that you could potentially bring into the organization helps a lot and, of course, from the organization perspective, it's a lot faster and there's like hurdles that are already taken out of the way in terms of interviewing process.
Dr. Gerald Auger
You bring up another excellent point that I failed to mention. Not only look in my professional network but my internal network because now I don't even have to hire someone. They're already working there. They've already done all the HR stuff.
If I can bring someone from IT over into my office, that's a way easier lift so it's a great point: if you work somewhere and you want to get into cybersecurity, don't (I've had someone do this), don't go to the CISO and say I want a job, what do I do?
You have to talk to the CISO or the GRC lead at the company and say, “Hey, I work in field support, or I work in networking, and I want to help your office achieve its goals. How can you leverage me in my position to be a champion for you?” And once you do that and they take advantage of you, in a good way, it's not like you're being exploited, you can start delivering value in an Information Security capacity and now you are the next person in line, like you basically make yourself the next person in line. It's awesome!
Yeah, it's pretty much what I did a long, long time ago. So, tell me a bit more about your book The Cybersecurity Career Master Plan.
Dr. Gerald Auger
Yes, so you can get it, I think, on Amazon. From Asia, I'm not 100 percent sure. I don't know; the publisher handles all the logistics (oh, you can, great!). Okay, so basically this book is designed really for anyone who wants to, it's aptly named Career Master Plan.
It's designed for anyone who wants to begin to explore or knows they want it and how to get a career in cybersecurity. The book is broken up into three parts; I was very, very thoughtful when I laid this book out.
It's broken into three parts.
Part one is do you even really want to work in cybersecurity? Because you have to be honest with yourself — like you have this money and there’s cool tech and stuff like that. If you go do a job that you don’t really like, it doesn’t matter how much they pay you, you’re going to hate your life. So, the first section is do you want to work in this field? If yes, go to Section 2. If not, you just spent $20 or whatever it is and found out you’re not going to waste a year of your life.
Section 2 is the meat. You definitely want to work in this industry, let's figure it out. Here's the taxonomy of all the different jobs, then we also go into here's a taxonomy of the different industries, because a lot of people don't realize a SOC Analyst who works in financial services is a much different life than a SOC Analyst that works in healthcare. It's just different.
Financial services is going to grind you. You'll get paid more, but you're going to get grinded. If you work in oil and gas and energy, you got some serious consequences there if the power goes out. People could die, basically.
So we go into all the different industries and talk about the pros and cons of each industry. I try to be objective in the book. I try to provide information and allow the reader to make their own choice, choose their own adventure, and then we get into what education would be appropriate, what certifications, we have a whole section on certifications, which ones mean what and where the value is in the industry, how to get practical skills.
I have an entire chapter in there on how to build a Raspberry Pi lab with a vulnerable web application so you could build a home lab for, you know, whatever, like 70 bucks all in, and you could basically get OWASP Top 10 hacking skills.
Again, if you're going to be a GRC Analyst, it doesn't give you a ton of value but it is an awesome talking point in an interview, “Oh, I built a home lab, I've done this, I've done that,” and then section three, assuming section two, you've built yourself up and you're an awesome candidate, section three is how do you network within the community, how do you find that job, kind of going deeper into what we just spoke about and then how do you level up your career.
The last chapter is don't think that when you get the job you've finished the race.
Spoiler alert: once you get the job, like, now it's time to blossom, like you've broken through as a seedling but now you can really blossom and shine, and that's what that final chapter is like: how to set realistic goals, what are some expectations for your first couple years in the industry, where you can go, how to pivot once you're in the industry, 'cause a lot of people don't understand: once you're in, you could just be a great entry-level pentester and then mid and then senior pentester, but you could be a mid pentester and then transfer over to the blue side using kind of purple teaming skills and be a completely reasonable transition into the defensive side of the house.
So there's techniques. It gets… I don't want to say complicated cause the book is designed to spell it all out for you but it can get complicated.
I will leave you with this because I said this in a couple of interviews when we were doing the book promotion tour: I've been up and down the mountain a few times, I've got gray in my beard, so I'm like a sherpa, I can help anyone that comes to the mountain. You don't need to know what to pack in your bag or how heavy a bag to bring or what shoes to wear. I've done it a million times, I can tell you and that's what this book is, it's like I'll stand next to you. You just focus on developing yourself and I'll have all the nuances and things that you're not even thinking about all set up so when you reach that milestone or whatever, I'll hand you the right tool out of the bag and you can continue on your journey.
Yeah I think that's good information, and I think you touched on a couple of things in terms of certifications and things like that to help people in whatever sort of direction they're going in cybersecurity, and I think certifications are important that can help, but what I wanted to ask you is, outside of certifications and sort of studying and networking, what do you think are the actual qualities that make a good cybersecurity professional?
Dr. Gerald Auger
It depends a little bit on which role we're talking about, because I think a good offensive security professional, a penetration tester, is someone with strong curiosity-type attributes: people who really want to understand how something works. I don't want to call them mechanical engineers, but it's that kind of constructive mindset: I see it, but I want to understand why.
I feel like those people naturally do better at offensive security, because offensive security requires you to poke and prod and grind, and there's no fixed time box on how long it's going to take you, if you even get it, right? So that's the offensive side.
I feel like the blue side, the defensive side of the house, those individuals are more about order and standards. On the defensive side of the house, you basically set up the bowling pins and then make sure a bowling ball doesn't knock the pins over, and if it does, you set the pins back up and maybe throw the ball back. It's about wanting order, wanting to protect and defend.
I don't want to call it a motherly or maternal instinct, but that's kind of what it is. You're constantly defending, and you have to have… this is something that isn't really talked about in the industry too much, though it's getting a little more press lately: on the blue side, the defensive side, you've got to have pretty thick skin, because you could be working a 24- or 36-hour shift. I don't mean thick skin from people making fun of you; I mean thick because you can grind, you can really grind.
On the offensive side, maybe you don't find anything, and you punch out and go have a beer.
On the blue side, if you're under attack, if you have threat actors in your environment, you don't punch out. That's not an option; you have to handle your business, so that's the kind of people who can handle… And then I guess on the GRC side, that's also people who really like order.
GRC is governance, risk, and compliance, but it's more about everything left of boom. Blue team defense is right of boom: bad stuff happens, and the blue team's there. The GRC side is where you're setting things up so bad things happen less often, so if you like building programs and constructing LEGO sets and stuff like that, I feel the GRC side could be a good fit for you. Plus, the GRC side is a bit gentler of an incline for people who lack some technical skills.
Paul Hadjy
Yeah, definitely, I think all of that's good advice, and one thing I say to pretty much everyone who joins the company is that constant learning is another thing you just have to be passionate about, because otherwise you'll be left for dead pretty quickly in this industry.
I think things are changing rapidly enough that if you're not reading and interested in the subjects, you're not going to be very successful. You have to want to learn, you have to be interested, you have to keep moving forward; otherwise, things will change faster than you realize.
Dr. Gerald Auger
Yeah, it's funny you say that, Paul.
I've been saying this for maybe six months, and I need a better one-line zinger for it: I say cybersecurity is a lifestyle. It's not just a job, it's a lifestyle, and when I say that, I mean, to your point, you can't really punch out at five, right?
I mean, you can, and you should get some decompression time and mental health time and connect with the ones you love, but it really needs to be interesting to you, because if you're not interested in the field, it's going to be very difficult to stay fresh and stay current, and, like you said, your skills will get stale, and that's no good for anyone.
Paul Hadjy
Yeah, for sure. And on the flip side of that, I think something relevant for both of us in our roles is: what can employers actually do to retain good cybersecurity talent? We talked a bit about getting in from the employee perspective, but from the employer perspective, how do you retain talent? What can you do to keep people interested?
Dr. Gerald Auger
That's a really great question, especially in today's climate, 2022, the Great Resignation.
I don't know if it's happening in Asia as much as it's happening in the United States, but right now there's been a power shift from employers dictating "you're lucky you work here" to staff saying, "You know what? I've gotten three offers, and I know I've only been here six months, but I don't need to take your crap." So from an employer perspective, it does get a little tricky.
All I can say is, I think employers that identify with, and I don't want to say humanize, but engage the cybersecurity staff, engage the information security staff on a personal level, and understand that it is a grind, especially since most organizations have defensive people, so it can be exhausting, frankly, especially if you have poor information security controls and you're constantly under attack.
So employers that invest not just in the technology stacks but in their people. Nothing's more… Okay, let me get my soapbox out: most people want to do great work. Most people aren't just trying to slide under the radar and get paid.
Most people want to do great work. If you don't empower me to do great work, how can I do it? It's frustrating for me, and it'll only go so long before I get frustrated and want to leave. And what does this look like in material terms? Let's say you're an Office 365 shop, you're responsible for securing the mail, and let's say you have Windows Defender or something like that. If you don't train me on how to properly administer Exchange Online Protection, and you don't train me on how to use Microsoft Defender, and you just leave me to the knowledge base articles, it's going to be frustrating, because I don't know what I'm doing.
Maybe I'm not using the workflow to its fullest extent. Maybe I'm not getting the threat actors completely out. Maybe I'm just putting band-aids on stuff instead of actually fixing structural problems. And, yeah, you get some quick wins and it feels good, but if you know that you don't know what you're doing, it's frustrating.
So from an employer perspective, there's nothing like… no, I shouldn't say there's nothing as valuable, but giving proper training on the toolsets you have is really valuable, because I feel a lot of employers just throw people at the technology. They don't understand that, say, Splunk versus Graylog versus ELK: yeah, they're all SIEMs, and you used to use a SIEM, but they all have different interfaces, some of them have different query languages and so on, so you can't just expect your person to go figure it out, or say, "Hey, go google it." To me that feels like you're not investing in me, you're not caring about me, and then it becomes much easier for me to go find someone else who, at least on the surface, appears to care about me.
Paul Hadjy
Yeah, I agree. One word you said repeatedly, which is a word we focus on, is training. It's so important to train people, because of what I mentioned earlier, that constant learning, and if you're not enabling employees to train, you're leaving them behind, which subsequently leaves the company behind.
So that's one thing we focus on heavily, training, but I'd say it's still challenging even doing that; it is a competitive market out there.
Retention is always something I think everyone struggles with a bit, but it's good for the community, because it means there are lots of people out there to attract, and lots of opportunities for individuals trying to get into the space, which we touched on earlier.
So, to touch on trends a bit: what do you think are going to be the issues in cybersecurity that we should pay attention to in the future, and how do you think they'll affect the professionals in the space as well?
Dr. Gerald Auger
That's a great question. I did a couple of 2022 prediction podcasts recently.
I mean, ransomware. If you're listening to this and you don't know what ransomware is, definitely google it, because it's dominant in our space; it's dictating everything. In fact, this is kind of a boring trend, so maybe hit 2x on your podcast player right now if you're not into this, but it's a real deal.
Cyber insurance, right? Boring topic. People don't like to talk about it, except me. It's a real thing, and it's been around for four or five years. The insurance companies were doing a massive land grab on it.
Well, guess what? Ransomware is dominating the space so badly now that insurance companies are, frankly, losing money paying out the policies on ransomware incidents, so two things are happening. One, insurance companies are now dictating the controls a business needs in place, which is unbelievable. Literally, a third-party insurance company is telling me what controls I need in my environment, and the bosses, because it's money, are like, "Oh yeah, they say we need privileged access management, put that in place," and it's like, okay, you fund it, right, for starters.
So that's a good win for us. But secondly, a lot of insurance providers are either moving out of the cyber insurance space altogether, or they are 4x-ing or 8x-ing the premium in order to give you coverage, so they can cover their own payouts based on actuarial tables. So I think there's going to be a major issue where people aren't getting cyber insurance, and then they get ransomware, and it results in businesses going bankrupt and so on.
Most ransomware actors, the "good" ones, quote-unquote, do their research to figure out what an organization's tolerance to pay is, what's the number they can pay without breaking them, because if you took over, let's say, ExxonMobil, a huge player, and you ransomed them for 8 billion dollars, they're going to tell you no, right?
But if you ransom them for 120 million dollars, they'll probably write it out of petty cash and move on to the next thing. So they do their research. But okay, having said all that, I think cyber insurance is poised to be front-page news in 2022, which is great, because now I'll have more people to talk to about it.
Yeah, I mean, that's basically… I mean, cloud, obviously; cloud is huge, and cloud's going to continue to be pretty dominant in the space.
I'll give you one last prediction. I've made it every year since 2019, and one of these years I'll get it right. Deep fake technology is where you can basically put someone's face on someone else and make it look real. I swear to God, I do not understand why it hasn't happened, and I'm glad it hasn't, but there will be some type of deep fake situation involving a political figure or some well-known, well-connected, well-funded individual, like Jeff Bezos or Richard Branson or someone like that, where it's a deep fake and it's going to cause some type of civil unrest or some legal or political movement.
Yes, they'll be able to determine it was a deep fake, but the damage will be done, or whatever the objective of the deep fake was will have been accomplished by the time they discover the deep fake itself. So, again, I've been saying it for years, but I really feel like it's such a juicy opportunity that I don't understand why threat actors haven't taken advantage of it yet.
Paul Hadjy
Yeah, no, I agree with you. I think something will happen in 2022, I'm sure. If not, it's definitely going to happen in the next five years…
Dr. Gerald Auger
Yeah, well, the next U.S. political election is where I'm targeting mentally for when it would happen, but anyway…
Paul Hadjy
Yeah, I wouldn't be surprised if that's where it at least gets to that scale. So, last question for you: what's one piece of advice you'd like to leave as a parting gift for the audience?
Dr. Gerald Auger
Yeah, you know, the field is so huge and there's so much opportunity that I say fail fast, meaning dive into the field if you're interested and start trying stuff out. The question is: if you want to work in the field, what do you want to do?
Well, if you can't answer that question, you don't know it.
Try some stuff: stand up that web application Raspberry Pi platform, hack away at it a little bit, do some Hack The Box, talk to people in the community about what they like, start filling your cup with knowledge about what's going on.
That way you can figure out, "Hey, I don't like red team," or, "Hey, there are way more blue jobs than red jobs, so even though I really like red, let me give blue a shot, because I need a job and, frankly, there are more of them on the blue side, so let me check that out." And if you just absolutely hate the blue side, that's fine.
Go do bug bounties and start building up that skill set, but don't get frustrated. It's very easy to get frustrated. It's very easy to feel overwhelmed, and I'm telling you: if you take the sandwich and cut it up into tiny bites and just eat a little bit each day, and don't look at the big sandwich, just look at what you're eating today and maybe what you might eat tomorrow, you're going to be more focused on what you're trying to accomplish instead of getting so overwhelmed that you just go, "What's the point? I'm not gonna do anything." And the moment you start stagnating is not a good moment.
Paul Hadjy
Yeah, I think that's really interesting. One of my favorite phrases is "chop wood, carry water," which essentially means: before enlightenment, you chop wood and carry water, and after enlightenment, you keep chopping wood and carrying water. That's very true. You need to just keep doing the repetitions of the things that build good habits, step by step, getting through your career and your day as well, because plenty of situations, and I'm sure both of us have faced them, have been very difficult in our careers, and getting through them is basically exactly what you said: one bite at a time.
Well, thank you so much for your time. Any shout-outs you'd like to make at the end here?
Dr. Gerald Auger
No, I mean, I'd love it if you found value in this conversation and you're interested in getting connected to a community; come check out Simply Cyber. The YouTube channel is one thing, but if you connect with me on LinkedIn, it's fairly easy to get all the socials, and the Discord server really is like a living organism of a community of people who are all interested in either breaking into or advancing their careers in cybersecurity and, more importantly, helping other people do that. I find I get a lot of, not to get too crazy, but a lot of spiritual nourishment from what is happening in that Simply Cyber Discord community, so I think you could find value in it yourself.
Paul Hadjy
Yeah, definitely, much appreciated. You've definitely got a new subscriber on both the YouTube channel and the Discord server. I also look forward to reading the content there, and thank you again for speaking on the podcast; I look forward to doing it again in the future.