EPISODE 93
CyberWIDE Panel – LevelUp Series – InfoSec Certification Soup


About this episode

In this special episode, we are going to share with you a live webinar hosted by the North Texas Information Systems Security Association. They invited our own Jason Dion and Kip Boyle for the CyberWIDE Panel’s InfoSec Certification Soup to discuss careers, hiring, resumes, and of course, certifications.

We begin the episode with a brief discussion of how Jason and Kip got into the world of cybersecurity, moving over to some valuable information about how you should go about starting your cyber career and how to know which career is fit for you.

Jason also shares an important tip, which is to always keep your resume short and only include your most important certifications relevant to the job posting. Hiring managers will usually spend 6 to 60 seconds looking at your resume, so keep it concise and to the point, 2 pages at most.

Then, Kip and Jason discuss their opinions on how important programming is for your cyber security career, mentioning that it might be very important for some roles while for other roles you might just need to know basic scripting.

In the end, Jason and Kip go over some viewer questions and discussions, like how important soft skills are, how to show up for the interview, and how to get a mentor – highlighting that being coachable is the most important thing as your attitude will affect how beneficial mentorship is going to be for you.


What you’ll learn

  • How to know if you are fit for cybersecurity
  • Are all certifications valued equally?
  • Do you need programming skills to work in cybersecurity?
  • How important are your soft skills and getting mentored?
  • How is AI going to affect cybersecurity analyst jobs?

Episode Transcript


Jason Dion:
Hello and welcome to the Your Cyber Path podcast. Today we’re going to be going and doing something a little bit different because Kip’s actually not here with me during the introduction, but he is going to be with me for the rest of this episode. Now that’s because this episode is actually going to be a little bit longer than normal because we’re going to share with you a recording from a live webinar that we recently did for the North Texas Information System Security Association.

As part of their webinar series, they invited Kip and me to join them for the CyberWIDE panel to discuss how you can level up in your career and answer questions about hiring, resumes, and of course certifications, because the panel’s name was the InfoSec Certification Soup. So as we go through this webinar, we are going to try to debunk some of the myths around certifications and the hiring process. Now we have a ton of great insights to share with you during this presentation and I think you’re really going to get a lot out of it and really enjoy it. So without further ado, let’s hear what Kip and I had to say about information security hiring practices and certifications in this episode of Your Cyber Path.

Marie Garcia:
Welcome, we’re really grateful that you guys are here. My name is Marie Garcia. I’m the Vice President for the North Texas chapter of ISSA, that’s the Information Systems Security Association. And this session’s being brought to you by the North Texas ISSA special interest group called CyberWIDE, where we’re working for inclusion, diversity and equity in cyber security. This session is part of the Level Up series and it’s called Making Sense of InfoSec Certification Soup, which is a mouthful, and I can’t think of two better people to be on the panel than Kip Boyle and Jason Dion from the Your Cyber Path podcast. Now let’s just start with you guys telling us a little bit about yourself and how you got started in cyber security.

Jason Dion:
You go first.

Kip Boyle:
Oh, you’re going to let me go first. Okay, cool. I’ll take it. So I started out as a trainee pilot in the Air Force. I graduated from college and then I went to undergraduate pilot training and it’s a 12-month program. And after about five months of going through the program, I soloed the trainer jet and I landed and I was like, I’m not doing this forever. This is a bad idea. So I raised my hand and I said, Uncle Sam, can I please go do something else? And so Uncle sent me off to do computer work on highly classified air to air weapons systems development. And so I had to learn how to do data security and computer security just to be able to do my job. And I know Jason knows all about what I’m talking about. And if you can ever imagine if you’ve never done this before, it’s kind of weird.

But I used to go to work every day and the door to my office was a bank vault door with a three position combination lock on it. And so I literally worked in a vault and to give you an idea of just how much security I had to navigate and I liked it, I was one of those weird, nerdy people who thought this security stuff was really cool. Everybody else made me do all the additional duty because they hated it. And I was like, Sure, I’ll do it, whatever. And then I got out into the private sector and that’s where I’ve worked ever since. And so in a way you could say I’ve been living my plan B.

Marie Garcia:
Great. I didn’t know about the vault. I have not heard you mention that I don’t think, on the podcast yet.

Kip Boyle:
No, I haven’t. I got to save some tidbits for the live events.

Marie Garcia:
Much appreciated. All right, Jason?

Jason Dion:
Yeah, so I’m Jason Dion. I am the lead instructor and owner of Dion Training. We are a small cybersecurity training company. We’ve got about 25 people on staff right now. I’m actually sitting in our offices in Orlando and I’ve been doing this cybersecurity stuff and IT and computers in general since about the early nineties. I started programming when I was eight years old because I’m just a traditional computer nerd. By the time I left high school, I already programmed 15 languages, went to college to go be a computer science guy, got really bored and dropped out within the first 18 months because for those who have gone to college, you know the first 18 months is really English and Psychology, and nothing new with computers. And then even when I got to the computer science course, I’m like, I already know this. I program in a bunch of languages. So I got really bored and dropped out and then 9/11 happened, I got patriotic and I joined the military. I was not the Air Force like Kip, I was the Navy.

Kip Boyle:
That’s okay. I still like you.

Jason Dion:
I still like you too, Kip. You got out of the chair force around sometimes.

Kip Boyle:
That’s right.

Jason Dion:
I’ve been to Lawsons Plains, it’s great. But yeah, so I worked in the Navy for several years. I started out as a nuclear reactor operator, then I went to officer candidate school and I was also a flight officer, like Kip. Did that for about a year, realized I hated it as well and said, Hey, can I change? And they said, Well, put in your resume, tell us what you’ve done before you got in the Navy. We’ll see if we have a good fit for you. Showed them my resume. They’re like, Oh, you’re a computer guy. We got the perfect thing for you. And so I became an IP officer, which is what’s known as an Information Professional in the Navy, which is basically cybersecurity, network operations and satellite focused folks.

And I was doing that since the 2005, 2006 timeframe. I worked in and around the government for the last 20 years and I just fully retired from that world, and now I work in my own civilian company and partner with Kip on the Your Cyber Path podcast. And really our focus is helping people. My focus is getting people certified, getting them into jobs. And then with Your Cyber Path, we really try to help people on the hiring manager front. Kip is an experienced hiring manager, something he didn’t bring up in his intro, and between the two of us, we’ve definitely hired at least 100 or 200 people into cybersecurity roles over the years. So we know what it takes.

Kip is much more focused on the commercial sector. I’ve been much more focused on the world of government and military contracting because that’s where I come from. And so that’s one of the reasons why we paired up together: we bring the two sides of information security to our audience. His side is the very commercial sector, banking and finance and insurance companies and sports teams and things like that, because he hasn’t really touched the government side for about 15, 20 years, right Kip. And I’ve been doing that for the last 15, 20 years. That’s all I was doing, was government contracting and government work. So we give you the perspective from both sides as we answer the questions today.

Marie Garcia:
All right, cool. Well thank you guys both for your service first and foremost. So a hooah for the Air Force and a hooyah for the Navy. I’ve got military men for my family serving right now, so that really means a lot to me. So thank you guys for your service. All right, so let’s get started. So I know for me when I’m out and about with ISSA functions and whatnot, the number one question I get, and I’m pretty sure you guys probably get the same one or something very similar is, Hey, I want to get into cybersecurity. How do I go about doing that? What certs do I need? And that seems like a really simple question, but it’s not. So before I, I’m going to take the viewpoint of the person trying to break in. So before I spend any time, money, effort, blood, sweat and tears on trying to figure out what cert I need to go get, is there anything I can do, any advice you can offer in terms of how do I make sure I’m a fit for cybersecurity?

Jason Dion:
Yeah. I would say one of the biggest misconceptions in cybersecurity is this idea of entry level cybersecurity. And I really do blame a lot of the camps and the colleges that have the for-profit side of their programs that aren’t a computer science degree or cyber security degree. They have these certificate programs and if you’re on Facebook or LinkedIn, you’re probably seeing them a hundred times a day, go to University of Miami, six month program, advanced certificate in cybersecurity and blah blah blah blah. The problem with that is that that assumes that there are entry level cybersecurity jobs and Kip and I have talked about this on our podcast before. He uses the great example of an airplane pilot. If I’m going to fly from Orlando to London on a 787, which is a huge jumbo jet, the pilot on there is not an entry level pilot.

They’ve been doing this for 10, 15, 20 years and they started out in the small little [inaudible] that holds four people, then they went to an executive jet, then they went to a regional jet and then they went to a Southwest jet and they kept going bigger and bigger and now they’re there. So you say, what does an entry level 787 pilot look like? It’s somebody with 10 or 15 years of experience. What does an entry level cyber security person look like? Generally they have somewhere between two to five years of IT related experience or they have two to five years in a related field. And I would classify that as things like accounting and bookkeeping, especially if you’re going to the auditing side in PCI DSS, which is credit card audits and processing, or doing any kind of Sarbanes-Oxley compliance.

That all ties into the cybersecurity world as well. I have a couple of friends who came from the accounting world, they got their CISA and now they’re doing auditing; as somebody who came from the auditing world and the accounting, financial side, now they’re doing it in cyber security. So I think that’s the first thing: you have to understand where you are and realize that if you are applying for an entry level cyber security job, they’re really not entry level, they’re already expecting a couple of years of experience under your belt to make it work. And then we can start talking about what certs matter. So if you’re talking about which certs matter to get a job in the help desk or field services, that’s obviously going to be A+, which is just hardware and software from CompTIA. If you’re going to go into networking, Network+ or CCNA, Cisco Certified Network Associate.

And once you get to security, kind of the last one of that in the system admin level before you move into security is going to be your Security+. And I saw in the comments that Justin says he took the CompTIA courses and got a Security+. That’s exactly the right step. If you look across the board at these different job postings, I’d say that 80 to 90% of them are asking for Security+. And in my world, in the government world, out of all the positions they have, about 75, 80% of the positions require Security+. And if you don’t have it, you have to get it within six months, or they fire you. So it’s really important in this government contracting world or government civilian world.

So that’s kind of my recommendation: start with Security+. It’s going to give you a good foundation across the board and then we can start talking about where you go ahead of that in the certification statement. Generally the next step would be CySA+, which is Cybersecurity Analyst Plus, which is where you start doing entry level, SOC level work. Somebody has zero to two years of experience working in a security operations center. Kip, what are your thoughts on that?

Kip Boyle:
Well I think you’re exactly right, and the fact that you quoted me is how I know that you’re right. And I’ll just add that there’s another dimension to this as well, which is how do I know that cybersecurity is a good choice for me? Okay, well you have to spend some time I think getting to know yourself and who you are as a person and what your work preferences are. And you can do a DISC, D-I-S-C, profile, you can go find free DISC profiles on the internet and if you do one, it’s going to help you understand what your work preferences are. So just a quick example, if you are the kind of person who likes to interact with people, you like to talk to people, you like to spend time with people, but then you go get a cybersecurity job and you become a pen tester, you’re in big trouble because pen testers don’t spend the day talking to other people.

They spend the day sitting and staring at a computer, not saying anything and typing. And that’s what that job is like. And just like I didn’t find flying airplanes as a good fit for me, who I was a person and what I thought was interesting work, you are going to find yourself frustrated because you’re in a job that is not playing to your strengths and is not giving you energy. And the reverse can be true. If you are a person who gets energy by being alone, reading a good book or something like that and you get a cybersecurity job where you’ve got to answer phones all day long because you are the cybersecurity help desk person and you’re resetting passwords and talking to people, you are going to hate life, because that is not who you are. So I think it’s very wise to ask yourself who am I and what cybersecurity job makes sense for me?

Jason Dion:
Yeah, I think that’s a great point Kip, because in one of my last jobs with the government, I was in a position I had worked my way up to and I was very senior level. I was in charge of defense for global cyber operations at US Cyber Command in the J35. And the big problem was it was so strategic that when I made a decision or made a choice, it was like playing chess. I was making a decision today that wouldn’t be implemented for 18 to 24 months because that’s how long it takes to get throughout the entire DOD, across seven continents and 30 to 40 countries. And so for me, I hated it. That job was probably the worst job I’d ever had in the 20 years I worked with the government because it was so high level and so focused on these high level frameworks. And it was such a long time arriving.

I loved when I ran a SOC, I loved when I ran an IT network and there were problems and trouble tickets coming in and things going down, because my days went really fast. If I had to sit down at a keyboard and do strategy for eight hours a day, I’d go insane. It’s just not for me. And I have a friend who loves that stuff and he hates doing the day-to-day stuff. And so it is important to know yourself and what you like to get the right role. And then the other thing you said, you mentioned a pen tester role. I think the other thing is a lot of times people don’t know what’s involved with a given role. So everybody says, I want to be a pen tester when they go into cybersecurity. I hear that all the time.

Well I’ll tell you right now, there are four jobs for cyber security analysts for every one job there is for pen testers. So people say, Should I go blue team or red team? Well you probably should go blue team because there’s four times as many jobs out there and you’ll make more money and have an easier time. But if you like puzzles, then maybe going pen test is more your style. And then the other thing I think with pen test is, and Kip does pen tests in his organization with his team, is 90% of the time a pen test is not hands on keyboard hacking something. It’s doing the reports, it’s gathering the information, doing the reconnaissance, and it’s a lot of prep to hit the one button. It’s not like what you see in a movie where they’re like, hold on, half the Pentagon, shut down the work desk. It takes months and months to get ready to do that execution.

Kip Boyle:
Yeah, that’s right. So I would recommend cyberseek.org. That is a great place to go to learn about the different options that are available, the different types of cybersecurity jobs. There’s so much available that people just don’t even know about. And then I would also recommend that you go to my LinkedIn. I made an account on LinkedIn, it’s called @Cyberpathmaker and pinned to the top of that feed is a mind map that shows you all the different roles at a high level blue team, red team, builder, breaker, defender. And it really gives you a good sense of what’s the landscape. So go take a look at that and go study it and that should help you.

Marie Garcia:
Yeah, that’s a great segue for me because yes, so I’m trying to break into the security world. I’ve got the aptitude, I’ve got the personality, I get those baseline certs that Jason rattled off, the A+, the Network+, the Security+. So I got that foundational certification layer taken care of. I was going to ask, it seems like SOC analyst and pen tester are the only jobs out there, but they’re not, right? There’s technical and non-technical, and I love that you brought up builder, breaker and defender because that was from episode 10 and I loved that because I’m very visual and that’s a spreadsheet for me. So I’m like, Oh, builder, so I had a no bucket.

So I’ve got that foundation, I’ve got the aptitude. Now I know if I’m going to be a builder, a breaker or a defender, so I want to specialize. So are all certifications valued equally? What other factors should I be thinking about before I go spend money on something, for PMP versus PRINCE2? Or what is it, CEH versus OSCP?

Kip Boyle:
Oh my god, you’ve invited the right person. Look at him. He’s just clawing, he can’t wait.

Marie Garcia:
Are they valued equally, is my thing. What should I-

Jason Dion:
So no, they’re not. And here’s the funny thing: some of the ones that are more valued by employers are actually not as good certifications. The other thing is I just threw in the chat as well for the audience, I recommend checking out Your Cyber Path episode 31, which is just yourcyberpath.com/31. The title of that one is all the jobs in a large security organization. It was a series that kicked in before I joined the podcast, with him and his previous co-host Wes. And in that episode, in about 45 minutes, they talked a little bit about each of the different jobs in a SOC, and then over the next five to 10 episodes, they spent basically an hour talking with somebody in that job. So hey, if you are the Service Manager, what does that look like? If you are an Analyst, what does that look like?

If you are a GRC person, what does that look like? You get an idea from a real world person who does this on a daily basis what it’s like, so you can figure out what you like. So I just want to put that plug in there, but now let me answer your question, which was are all certifications equal? No, of course not. There’s actually over 1800 certifications out there right now in IT. And one of the things I always tell my students is they’re not Pokémon, they’re not baseball cards. You don’t need to collect them. You need to figure out the ones that are right for your role and you need to get a few key certifications. So for example, if you’re trying to be a cybersecurity analyst, you need to get your Security+ and your CySA+. And oddly enough, I’m going to tell you this, you should also get your ITIL 4 Foundation, and you’ll ask me, why should I get my ITIL 4 Foundation?

Well, if you’re going to go work as a cyber security analyst, you’re going to be working at a big company and you’re going to be working across different departments from security to IT. And for some reason, oh, I know why, a lot of these organizations, especially Fortune 500, all run on ITIL. And so that will set you apart, because there are so many people who have Security+. If you go look at cyberseek.org, you’ll see that there are five people who have Security+ for every one job that requires it. And so by getting that ITIL, you’re going to be that person that stands out and gets picked because that’s a keyword that they’re looking for. So those are kind of the three basic ones that I would do if you’re going to try breaking into this IT cyber security world.

Now as far as which certification should you get outside of that based on the role? The number one piece of advice I’ll give you is look in your area at LinkedIn, Monster, Dice and other job sites. By looking at those things that are being posted by employers in your area, you’ll see what they value. For example, you mentioned project management with PRINCE2 or PMP. That’s a really good example. Here in the United States, PRINCE2 is not that popular yet. It’s getting there, but it’s not as popular as PMP. So if I was going to go for a project management job, I guarantee that 90% of the jobs in America are asking for PMP, not PRINCE2.

Now on the other hand, if you go over to Europe and you go over to Asia, specifically the UK, Europe or Asia, they’re going to be asking for PRINCE2. They don’t care as much about PMP. Now if you go to someplace in the Middle East, it depends. Is their main company in the Middle East US-based or Canadian-based or UK-based? And that will decide which of the two it is. So again, looking at those things in your area is really important. And I always have to preface that because I teach a worldwide audience and I have people from India, Pakistan and the UK and everything else. They go, What cert should I get? And I go, Well it depends. What job do you want, where do you live, what are employers asking for?

Great example, you’re talking about pen testing, there’s really four big pen testing certs out there. There is CEH, which has been around since like 2000, 2001. So they’re the most well known. I will tell you they are the easiest to pass. They are the most expensive also, they charge like $1,200 for the exam and it’s really not that hard. If you could pass Security+, it’s basically Security+ with a little more. That’s all it is. And then if you look at the second one, it is PenTest+. That came out in 2018 by CompTIA, and that was as a competitor to CEH. It is more than CEH, it has practical hands on stuff. It has a lot more in depth analysis. It’s a much better look for server, and it’s a third or a fourth of the price. The problem is here we are in 2023 as we’re recording this and doing this live, and even here in 2023, you’re not seeing PenTest+ asked for on every single job application. And so while PenTest+, I know it’s a better certification, Kip knows it’s a better certification and we would hire you with it over CEH.

Not every employer does that, because what happens a lot of times is hiring managers will say, Let me grab the last time we did a job and pull out that posting. And if it was five years ago, they’re only going to know about CEH. And then the third one you hear a lot about is OSCP, which is Offensive Security Certified Professional, which is from the makers of [inaudible]. If you can pass OSCP, you’re showing me you can hack it, you can pen test, right? The problem is, again, not every job looks for it. Not every job knows about it, especially in the government contracting world. OSCP was not allowed, it wasn’t considered adequate because it was taking a certification over 24 hours and you could have open book and stuff. I think that’s changed recently.

But up until about a year ago, it was not on the 8570 list for the DOD. So you had to still go get your CEH or PenTest+. And then the other one that’s kind of popular, especially over in Europe and the UK, is one known as CREST, C-R-E-S-T. Here in the US, nobody cares. But over there, they care about it. And that’s actually more important than CEH. But over here, CEH or PenTest+ is going to be your biggest one, and what I was telling you is if you go for PenTest+ and you can pass PenTest+, you can definitely pass CEH, and a little tip on your resume: if you get PenTest+ instead of CEH, I would put CompTIA PenTest+ (equivalent to CEH).

Marie Garcia:
Ah, that gets you past the ATS.

Jason Dion:
What’s going to happen is when you apply for jobs, the ATS is looking for keywords and it’ll now see CEH and you’ll actually make it in there. And we all know it’s equivalent, but the HR guy or girl who wrote the position probably doesn’t.

Marie Garcia:
Okay. And then as a hiring manager, I can definitely be on the lookout for the different levels or quality of the certifications and maybe help my HR person.

Jason Dion:
That’s the long term fix. PenTest+ has made a lot of progress in this. When I started teaching it in 2018 when the first version came out, nobody knew what it was, nobody was asking for it. Now I would say about half the jobs will say CEH or PenTest+, and the other half still only say CEH because HR is still recycling old job descriptions from five years ago. And so until that changes and the hiring manager like Kip goes, Hey, I’m willing to take CEH or PenTest+. And he probably is, but he may not have told that to HR yet, so it didn’t make it into the posting, which is why I say put, equivalent to.

Marie Garcia:
It’s a great tip. Yeah, that’s a great tip. Okay, so now I have all these certifications. I’m starting to rack them up. Do I list all of them on my resume or just in my LinkedIn profile or just some of them? Is there any negative impact-

Jason Dion:
Yes.

Marie Garcia: 
To my… Okay sweet, elaborate please.

Jason Dion:
So I’ve worked with a lot of hiring managers over the years, especially in the government contracting world. And you will see that people will get, over time, 10, 15, 20, 30 certifications because they’ve gone into different roles. So let’s say for instance you’ve gone through the whole [inaudible]. You have your A+, your Net+, your Security+, your CySA+, your PenTest+ and your CASP+. Do you still need to list your A+? No, you’re CASP+ certified, nobody cares about your A+ anymore. You needed that 20 years ago. I got my A+ back in 2000 the first time. So it’s been 23 years and things have changed a little bit since then and nobody cares about it, especially in my role as a very senior IT Director or CISO or CIO or analyst or anything like that.

So once you grow up in your career, you’re going to want to start chopping some of those things off. The big thing to realize is when a hiring manager is looking at your resume, it goes through the applicant tracking system first. And that’s an automated process. So there might be a thousand people who apply for my job. I as a hiring manager may get 50 of those applications through the ATS. Now out of those 50, I have to read all 50. I got a real job to do too. I don’t have time to fawn over your resume and read every single word. I’ve seen people put in 15 page resumes. Don’t do that. Your resume should be on one page, front and back at most. If you go into the third page, I’m not going to have time to read it.

Most hiring managers will spend between six and 60 seconds. So imagine how quickly that is. 1, 2, 3, 4, 5, 6. That’s what you need to grab. So when you’re writing your resume, you need to write with that in mind. Don’t use paragraphs. Kip, you give a lot of advice on resumes. What are some suggestions you have of how people can stand out with their resume and still keep it brief and short?

Kip Boyle:
Well first of all, I’ll tell you that while Jason was giving you all this great insight, in the chat I put in a link to a YouTube video that I did last summer. I did it with Jason Blanchard who is affiliated with Black Hills Information Security and the Antisyphon program that they have. And I talk for about an hour about how to tailor your resume to get noticed and I cover all this stuff and a whole lot more, so go watch that. But the thing that I’ll tell you right now is you’ve got to hook the hiring manager right away. And so that’s what I talk about in this video. And so think of your resume as a newspaper article or as a news article and think about how news articles are written. First of all, there’s a headline. If you don’t think the headline’s interesting, you’re not going to read that article.

So your resume has to start off with a headline that hooks me and gets me to be interested and gets me to spend more than 60 seconds looking at it. And so in the newspaper story, after the headline is the first paragraph. If you read the first paragraph and you’re like, Ooh, this is really interesting, you’ll read more. But if you read the first paragraph and you’re like, Whatever, then you’re going to move on. And resumes for hiring managers are exactly the same as a news story. You want to hook people and you want to get them to read the next thing. And then the goal of that is to get them to read the next thing. And the goal of that is to get them to read the next thing.

We lay all this out in the video that I shared with you and we’ve got a resume template and we’ve got podcasts. In fact, we’ve got a series, I think four or five podcasts way back in the beginning, where we break down every piece of the resume and spend a whole 45 minutes telling you exactly how to do this, how to hook a hiring manager and get them to read your entire resume. So you should go get that podcast series and listen to it.

Marie Garcia: 
I think people have realized why this is one of my favorite podcasts.

Jason Dion:
The other thing I would say is I saw a couple of things in chat I wanted to address real quick. One is from Leah. She said she’s looking sad now because she feels like her CEH is worthless. Don’t feel that way. I will tell you most hiring managers know what CEH is and they’re okay with it. The idea is that it’s a basic level of knowledge. But I will tell you that if I see CEH and I see PenTest+, I know the PenTest+ person is more knowledgeable because it’s a harder test to pass. It doesn’t mean your CEH is worthless. In fact, your CEH has a lot of value just because of the word CEH on your resume and the fact that some hiring managers get mad when they see things like, equivalent to.

I would still do it for things like PenTest+ if you don’t have CEH. But I went into a story on one of our podcasts about when I was hiring for a position and we said, you have to have CISSP because there’s a government contract and they told us you had to have it. And when I got my applications from HR, there were 82 resumes. All of them had the word CISSP. Three of them were certified. The other 79 had attended a boot camp two years ago, planning to take my CISSP next year, read a book on it, whenever it was. And in my mind as a hiring manager, A, you lied to me and wasted my time ’cause I told you you needed CISSP. B, I’m a busy guy, I’m in the middle of running an IT team across six countries.

And now I’m going to spend my time going through 82 resumes because HR wasn’t smart enough to go, they’re not certified. Let me just show you the three that are. And so the people who got the interview were the three who were certified, and the other ones I threw away because they didn’t meet my position criteria. So it is kind of a funny thing you have to be aware of. And then the second thing I wanted to mention was Nathaniel had said for ATS, you can create a single line of text with a one-point font at the bottom with white coloring and a single line of space-separated words like CEH, PenTest+, or whatever at the bottom to try to trick ATS. That technique used to work really well about five years ago. It doesn’t work so well in 2022 and 2023. And the reason is we’re using a lot more ML and a lot more AI, and just Yahoo and Google for SEO used to like the keyword stuff.

Now they penalize you for it and ATS systems for the most part are doing that as well. So if they see that one-point font, they see that in the XML of the document that you upload and they can then see, oh, this person’s trying to trick me. And they put that as negative marks against you. So again, not every system, but most of the new modern ones will. I can tell you I use an ATS system that Kip and I use when we do our hiring training and I use it in my own company. And when you put your resume in and apply for my job, it scans it for keywords. It does it based on not just the keywords, but also the context. And then it gives me a report that says candidate A is a 97% match, candidate B is an 80% match, candidate C is a 20% match.

And then I can say, show me everybody who’s 80% and above and now I’ll actually read those, and I’m not going to read the other 80% because I don’t care about those because they were 80 or lower. And so that’s a way that hiring managers try and maximize their time. And this all stems from the fact that when I was applying for my first job, you did it on paper and you brought in your resume, talked to a human or you mailed it in. Now you can go online and with one click you can apply using your LinkedIn profile. The problem with that is people get flooded with resumes now. So I’m a small company and when I put up a job posting, I get 100 to 500 people applying for one job. Out of 100 to 500 people, I would say probably 20 are qualified. But now I got to figure out of those 20 who’s the best fit. And I totally imagine it’s even worse when you go to a Microsoft, a Google, Facebook or whatever.

Marie Garcia: 
Yeah. Okay, so now I’ve got these certs down and let’s say I’m still not getting any bites from employers ’cause I don’t have any experience. Are there any skill based certs that are out there or challenges that I should be thinking about to maybe augment that lack of experience, or is there anything else I should be thinking about?

Jason Dion:
Yeah, definitely. So I would say the two big things that we probably want to talk about there are going to be Capture the Flag competitions. And the other one would be skill-based training with places like Antisyphon. And I’ll let Kip talk about Antisyphon and I’ll talk about the CTFs. But a lot of people say, Hey, how do I get experience if nobody will hire me? One of the ways is to do CTFs. Go to ctftime.org. There are defense ones and there are attack ones. And you can go through and do those challenges. And A, if you place in the top leaderboard of let’s say the top 5, or the top 10, put that on your resume. Participated in Capture the Flags, Santa Christmas competition 2022, scored in second place out of 500 people. And honestly it’s not hard to score in the top 10 because a lot of people will sign up for these and they won’t even do that.

Or they’ll do one challenge and then they’ll get busy with life and they’ll go off to do something else. So you can use that as bragging rights and go, Look, I know what I’m talking about. I beat out 500 people who do this as well. And a lot of them are free or very cheap and you can do them from home. So it’s a great way to do it. Another great way to get experience is CyberPatriot, which is one of the organizations that’s across schools and a lot of the junior colleges. And you can go volunteer as a mentor for these high schoolers because you only have to be one step ahead of them.

So if you know how to use [inaudible], you’re probably already a step ahead of them and now you’re going to train them and they’re going to go do the Capture the Flags. But again, if you put that on your resume, it shows me you’re serious about cybersecurity, you care about this, you’re knowledgeable about it, and you’re sharing your passion with others. Kip, do you want to talk about the skills-based training for a moment with John Strand and Antisyphon?

Kip Boyle:
Yeah, definitely. So I teach for Antisyphon. I’ve got two courses up there. One is a Hiring Handbook course. This is meant for cybersecurity hiring managers to help them do a better job of reaching out to candidates and actually making it easier for them to go through the hiring process. The other course I teach is called How to Be Irresistible to Hiring Managers. And that’s meant for people who are trying to either get their first job in cybersecurity or maybe get promoted by changing employers. And so that one is available, but set my courses aside for a second. The reason I teach for Antisyphon is because it’s a very hands-on certification program. Also, John Strand is a self-admitted “worst capitalist ever.”

And I can tell you that that’s true in many other ways. But what he means when he says it is that he’s not out there charging the most he can charge for his courses. A lot of their courses are pay what you can. And so if you can pay $30, you pay $30; if you can pay $0, you pay $0. If you can afford 100, 200, it’s whatever you can do. And my God, the value of the courses that they publish is extremely high. And so if it were me, and if I was starting over again, I wouldn’t go to college to help me get a cybersecurity job. I might go for other reasons, but I would spend my time and my treasure taking skills-based courses and doing skills-based certifications so that I could show hiring managers that I can solve problems, real problems that they have on day one, I can start being productive.

And that’s really what hiring managers are looking for these days. They’re not that interested in how you figured out how to do that, whether it was through college or a bootcamp or whatever. It’s that you can show that you can do that and that’s really what they’re looking for.

Marie Garcia: 
Okay, cool. And then he also has the Wild West Hacking Fest each year I think as well.

Kip Boyle:
Yep.

Marie Garcia: 
It’s definitely worth checking that out.

Kip Boyle:
Yes, if you can go to a Wild West Hacking Fest, there’s one in Deadwood every fall, and then there’s another one that kind of moves around. They’ve called it Way West, and that happens in the spring. And I think they’re thinking of doing one in Orlando in 2023 or 2024. But if you can go to one of those in person, I highly recommend it. Think of it as everything that’s great about Defcon, but it smells better.

Marie Garcia: 
That’s fantastic. Okay, but what about, shifting gears a little bit. What about programming? Should I be worried about programming in addition to these certs? Where does that fit into all of this when I’m trying to break in?

Jason Dion:
So I can tell you I don’t do a lot of programming these days and I really haven’t in the last 10 or 15 years with the exception of I oversee my development team at my company. But I will tell you the only role that really digs into programming a lot is a pen tester. Security analysts don’t really do it as much. Maybe a little Python scripting here and there to help you go through logs. But most of these things now have such good single-pane-of-glass tools that in the front end interface, you could just query what you want. Things like Splunk and Elasticsearch, stuff like that. So it’s not as important as it used to be. You don’t have to be a computer science major to be a cybersecurity person. You don’t have to be a math wizard to be a cybersecurity person.

It’s not like that. Most of the stuff that we do as cybersecurity people, especially at the entry and mid-level, is using tools and knowing how to operate those tools properly. You’re not being asked to create the tools and identify your own thing. The exception to that might be a pen tester where you might be asked to write your own exploits and then you need to be able to code. Or if you’re a web application security person, yeah, you’re going to need to understand JavaScript because if you’re reviewing somebody else’s code, you have to know what you’re reading to be able to figure out how to break it. So there are roles where programming is important, but it’s not as important as people make it out to be, to be quite honest. Kip, what are your thoughts? You look like you disagree.

Kip Boyle:
So I just want to share a couple of things. One is that you will hear a lot of very militant, highly technical cybersecurity people say that Jason’s as wrong as he can be. He couldn’t be more wrong. And if you can’t program, you suck and you don’t belong. Don’t buy into that. Having said that, I will tell you that if you go to work at a company that uses infrastructure as a service and they’re using Terraform or anything like that, then you’re going to have to get comfortable scripting at the very least because that’s how you’re going to actually implement your controls is by scripting different parts of the infrastructure to be built. And so I think scripting at a minimum is likely if you’re going to work on a blue team in a heavy IT role, but you can work in a GRC role or you can work in a people management role or you can work in a cybersecurity project manager or program manager role and you won’t have to deal with programming or scripting at all.

Marie Garcia: 
Agreed. All right. So got these third… Oh, go ahead.

Richa Tiwari:
No, can we just break quickly for questions because we have a couple coming and I want to-

Marie Garcia: 
Go for it.

Richa Tiwari:
Cool. So the first one I have is from Jason Lawson and he said, with all the different roles out there, some of the roles that do not require talking to people, how important are soft skills, communication skills, during the hiring processes?

Jason Dion:
So soft skills are critically important. Even if you are in a solitary role where you’re not working with other people, to get that role you still need to have some soft skills. People want to work with people and hire people they know they like or they trust. And so if somebody doesn’t know you, they have to at least like you when they sit in the room with you. So when we go through the hiring process, generally you’re going to have two to three interviews. At least two is what I normally see. One is more of a cultural fit based interview and one is more of a technical interview. Generally they’re done in either order, depends on the organization. I see a lot that do the technical interview first. That may be a combination of an assessment exam online, plus having you come in and speaking to you for an hour, giving you questions like, Hey, if you’re applying for a pen tester role, you’re acting as a pen tester and you see this thing in the logs, what does this mean?

Hey, you’re a pen tester. I want you to write me a three line snippet of code of how you do a port scan, or whatever those things are. And that really, if you’re an introvert, you’ll be fine with that because they’ll give you a whiteboard or paper and you can answer those questions. The harder one is more of a cultural fit role. And I would say don’t try to force yourself to fit into a cultural fit role and to pass an interview that you’re not going to be caught. And the reason for that is if you’re a very introverted person and you go to this cultural fit and you just put on the smiles and you be all soft skills and you’re all friendly and you act extroverted, you may get the job. But then when they actually have you in the job, you may be miserable because you’re not a good fit in that organization.

For instance, I hate working in open floor plan offices where there’s noise around, I get distracted, I can’t focus, I’ll start talking to people and I’ll waste four hours. Kip knows this. I can get along with it, as you can see here. So there’s a reason when I built my offices, I’m in an office that’s by myself and I have an area that’s open and I can go to if I want to collaborate, but I still can go in here and shut the door and get my work done. It’s knowing yourself and making sure it works. Kip, what are your thoughts? ‘Cause I know I tend to be a little more extroverted, you tend to be a lot more introverted and you’ve still been successful in this career field.

Kip Boyle:
Oh yeah. So a couple of thoughts. First thought is that I do get drained of my energy by being around other people. And to me that’s what being an introvert is. It’s not about being shy or anything, it’s just about where you get your energy. And I know there’s people who get energized by being with other people and they can’t stand it when the club closes because they start losing their energy. And I can’t make it past midnight in the club. So just know yourself. This goes back to the know yourself thing. Now, as a hiring manager, one thing I can’t stand, and Jason touched on this, is that you come to the interviews and you present as an extrovert and then I hire you and then you show up as an introvert. And then I’m like, Where the hell’s the person I interviewed? Who are you? I didn’t hire you. I hired that other person.

And that’s not going to help you get off on the right foot. And to Jason’s point, that’s also going to exhaust you because you’re going to be asked to work outside of your comfort zone, past your tolerance levels, and you’re going to be a grumpy, miserable SOB and everyone’s going to not like you and not want to be around you. So you’re setting yourself up for failure. Now having said that, I made the decision when I became a CISO, everybody wanted time with me. And so I would come to work and from eight to five it would just be back to back meetings and a line of people out my door and I had to decide right then and there, am I going to cut the amount of time that I’m available to other people in half because that’s all I can handle from an energy perspective, or am I going to try to do something else to accommodate this?

And I decided that I was going to try to increase my stamina so that I could be with other people longer than I could normally. And I was able to do it. And so now I can spend eight hours in a row, meeting after meeting after meeting. And yes, I’ll be tired and yes, I’ll go home and don’t talk to me because I need the rest of the night to recover. But I believe that you can increase your stamina just like you can build muscles if you really want to. But that’s a big choice. And I’m not going to say it’s easy or that it’s right for everybody. But again, it’s about knowing yourself and it’s about being intentional about how you’re going to spend your time and what kind of job you’re going to have.

Jason Dion:
I think it’s also important to define soft skills because a lot of people think soft skills just means how well you communicate with other people, but it’s more encompassing than that. When I’m talking about soft skills with people I’m looking to hire, it’s what is your work ethic? What kind of working hours do you like to keep? Are you somebody who likes to work in the evenings or the mornings? Do you like to work on the weekends or not? I will tell you myself, I am not a Monday morning person. I hate it. And in my company we have a Monday morning staff meeting at 9:00 AM and that means I have to wake up at 8:30 to make sure I make it to the meeting on time and all that kind of good stuff on Zoom. And honestly, I’m the boss and I made that time and I hate it. It’s horrible, but it worked best ’cause I have a team across the entire globe in about seven different time zones. And that was the one that made the most sense.

Me, I would’ve rather done it at 9:00 PM to be quite honest. I’m a night owl, so for me, I start working at 6:00 PM generally and I’ll work ’til midnight and I’m really energized then. But this morning I came into work at 8:00 AM ’cause I had a bunch of meetings today and I was really groggy and you probably see me pounding my soda to try to stay awake, because it’s just not me. And so knowing yourself and knowing what you are is good. Also knowing if you’re more of a checklist style person, I know some people that they do great work. If I tell you, here’s the 10 things I need you to do today, Kip, they’ll get done. But if I just say, Hey Kip, I want you to go make me a video on this, they’ll just get paralyzed because there’s so much openness and creativity involved in that request.

And so knowing yourself and knowing what works is really important as well. And figuring out that cultural fit is really figuring out are you a good fit for the organization and is the organization a good fit for you. I will tell you, if I was going to get a job today, I would not want to go work for the military again because I hated waking up at 5:00 AM to drive an hour into work to go to the public security agency or wherever I was stationed at the time, and have to fight traffic and fight the parking lot and walk into the office to be in an open cubicle where I’m going to be working 10-hour days. And it was exhausting to me. By the time I got out of work at four in the afternoon, I just felt like I was going to crash into a wall driving home. So it’s important to understand yourself and soft skills go into all of that.

Marie Garcia: 
For me too, soft skills include even things like writing those reports, running a meeting, making sure emails are professional, even collaboration platform etiquette. If I’m not good at those and they’re now searching for those kinds of things, is this where I can start looking to mentors to help me through some of these things? And if that’s the case, how do I pick one?

Jason Dion:
Yeah, definitely. I will say that is probably the number one thing that has been a drawback to this work from home culture that we’ve now moved to after the pandemic. And one of the reasons why a lot of companies are trying to go back to the office, some of that is because bosses feel like if you’re not in front of them, you’re not working. And those are just toxic bosses and I don’t like those kind of bosses. But there is a value in people being in the office at least some time. I will tell you in my company, we are a hybrid organization. There are about five of us that are here in Orlando and the other 20 of us are located all over the world. Those 20 people are not coming into the office once a week. Even the people in Orlando don’t come into the office every day.

There’s one person who comes to the office every day because that person has told me, I can’t work at home. I get too distracted, the TV’s there, my video games are there, I have to come to the office. I’m like, Great. Come to the office every day if you want. Here’s the keys. I come to the office a couple of times a week. My CMO comes usually once or twice a week. And that’s a choice we made. And we’re good with that because we know we can get most of our work done remotely. But then we have time to come together once a week, twice a week to get those things in person and that interaction. And so understanding that is important. The real downside is when you hire a new person and you’re hired into a remote only role, it’s really hard to get that mentorship and training.

You really have to force it. Almost like putting on your calendar. We’re going to do an hour long Zoom meeting at 3-4 every day with Kip to make sure that we get the mentorship we need. Whereas if we were in the office, there’s those natural things that happen as you’re going to the bathroom, going to the water fountain, going to the break room, you walk by his desk, all those things. And so that’s been one of the big struggles over the last three years is especially as new people are coming out of high school, college, going into this workforce and a lot of your members are trying to break into cybersecurity. You can break in and get a remote role and work for a company in San Diego or something while you’re in Texas, but they’re not going to be able to mentor you as well as if you are getting a job at a local company that you went into every day.

And so one of the things I always tell people, especially if you’re new is, try to find an in-person role for your first year. Get good at what you’re doing, then you can move to an online role because then it’s not as big of a deal. And the other thing is if you’re out of sight, sometimes you’re out of mind. And so while it’s great working from home, when it comes time for promotions and raises, people don’t think about you because they’re not used to seeing you. It’s different seeing you on this little Zoom window, than it is seeing you in the office all day, every day.

Marie Garcia: 
Yeah, that’s for sure.

Jason Dion:
Kip, do you have anything?

Marie Garcia: 
Yeah, Kip, anything on how to get a mentor or what I should… Is there a soft ask or how do I?

Kip Boyle:
Yeah. So the thing about mentoring is don’t walk up to somebody and go, Please will you be my mentor? That’s just too awkward and weird. So don’t do that. Go to them and say something like, I’m trying to figure something out and I could really use some perspective. Would you mind if I shared this problem with you? That’s really a better way to do it. So there’s your soft skills suggestion for the day. But there’s another thing that I would like to say, which is if you are sitting here right now and you’re like soft skills, what a waste of time. I can’t imagine.

So if your attitude is that soft skills are a waste of your time, please don’t get a mentor because you’re wasting your time. So if you’re going to be the kind of person who wants to get soft skills, you have to change your attitude. Now, if you can’t change your attitude and you just can’t deal with this, okay, go get a job where you’re behind two sets of double doors and you wear a white lab coat and you have earbuds in all day where nobody will ever talk to you, and that’s all right. I’m not going to make a value judgment on that, but I am going to tell you that if you have a bad attitude and you think you’re going to do it anyway, you’re not fooling anyone.

Marie Garcia: 
Now if I’m starting out, do I pick a mentor, maybe I pick a CISO or do I try to find somebody who’s closer to where I am? How do I identify someone who’d be a good fit maybe for me?

Kip Boyle:
You have to ask yourself, what is it that I want to get mentored in? Mentors are not one size fits all situations. And so if you want to get mentored in some technical tools, you’re not going to want to go to the CISO because that person’s not doing that kind of work anymore, probably. So that’s not a good choice. But if you want to get mentored on, how does our budget get set? Or, how do you actually talk to the other senior decision makers to get more budget? Then you want to go to the CISO. So think about what it is you want to know, and then think about who is available to you that knows that. And that’s how I use mentors. But Jason, how do you use mentors?

Jason Dion:
So when I was in the Navy, they actually had a formalized process in the information professional community for mentorship. And they always recommended you had at least two mentors. One was five to 10 years ahead of you in their career. So for me, if I was starting out, probably the CISO might be the right job or the IT director or the SOC director or something like that, if I’m a brand new person. And then the other one was somebody who was basically a year or two ahead of you. Now the reason for that is that person who is five to 10 years ahead of you knows what the whole career path will look like and they know the challenges you’re going to face in five years or 10 years. And some things, especially in the military world, if you don’t do this thing early on, you’re off path and you’ll never be able to get promoted because you’re going to miss that thing you need.

And so let’s say, you talk to Kip who’s a CISO. He’s like, Hey, you really need to understand budgeting and finance. Well it might take you a year to go take accounting courses to understand that. And if you want to be a CISO, a lot of it is budgeting and finance. It’s that MBA stuff. And so you might go, Oh, you know what, if that’s my goal, then over the next five years I need to get my MBA. And you can start working towards those things, but today that advice isn’t going to help you do your job better today. And so having somebody who’s a year ahead of you who’s also an analyst or maybe a SOC supervisor or a SOC director, somebody who’s closer to you, they know more of what you’re doing and they can give you better advice on that.

When I first started out, they gave me one mentor who was 10 years ahead of me and when I asked them questions about my career path, they’re like, Oh, you should do this, this, and this. And I’m like, Those jobs don’t even exist anymore. We got rid of those. Oh, I didn’t know that. That existed 10 years ago. That’s what I did. And so there is some of that like, oh, you should just follow what I did. And that’s the other thing with mentorship. You see somebody who’s successful, you like what they did, go after them and be like, Yo, can you be my mentor? But again, asking the way that Kip mentioned because that will help them follow the pack.

And then the other thing I would say is you should have a plan. I always tell people you should have an idea over the next five years. So you’re not just planning for this job and the next job, but it’s the job, where do I want to be in five years? I want to be the SOC Director. Okay, what do I need to do to be a SOC director? I need to get a job as a SOC Analyst. I need to move to a SOC Supervisor. I might need to get some management leadership training and then I might be able to get to be a SOC Director. And so knowing that, you kind of set yourself goals. Five years I want to be a SOC Director, two years I want to be a SOC Supervisor. Right now I need to learn this, this and this, once I’m a SOC Supervisor, I need this, this, and this. And that way you can move yourself for your path. But if you have no plans, you won’t know what certs you need to get. You won’t know what integration you need to get.

You’re going to hit a roadblock and you’re going to be like, Oh, crap. Now I need a degree to get the next promotion. Well that’s a four-year commitment. I want to start that four years ago, not today if I’ll probably get the job then. So knowing that and that’s why I said, a long term and a short-term mentor helps. And then as Kip said, a mentor doesn’t have to be a one and done. It’s not like I’m picking Kip to be my mentor and I have to be with him for the next 20 years.

It may be I want to get once a year just to get that long-term vision and now I’m going to be able to use somebody else who I meet with once a month. And a mentor doesn’t have to be necessarily formal. It can be, Let’s grab a coffee, tell me about your career. That’s one of the two ways I found mentors is I go to somebody, I’ll be like, Hey Kip, can I buy you a cup of coffee and you can tell me about your job as a CIO. I’m really interested in how’d you get there? What do you do on a daily basis? This is something I might like and most people love talking about themselves. I obviously do. If you’re like, Hey, let’s grab a coffee. I’d be like, Sure, let’s do it.

Marie Garcia: 
So Kip, are you still doing the mentor notes that you’re doing? I remember seeing them a while back. Are you still doing that? That can be a resource for some folks.

Jason Dion:
It looks like Kip froze ’cause I haven’t seen his eyes move in it.

Marie Garcia: 
Oh no, did he freeze?

Jason Dion:
Go to yourcybernet.com. And if you go to yourcybernet.com, on the homepage, you can put your email in and you’ll get the mentor notes. These are an email mailing list that Kip has and every two weeks he puts it out with different information about how to write your resumes, what the new cyber attacks are, things like that. That’s really a helpful thing.

Marie Garcia: 
And really short, concise too. So I’d recommend those as well. They’re really quite nice. Okay, I want to shift gears a little bit. Is he back?

Jason Dion:
He’s back now. He’s out of his chair but his chair is-

Marie Garcia: 
Where’s his chair?

Jason Dion:
We’ll keep going for now, but he’ll join us.

Marie Garcia: 
So I want to shift gears just a little bit and look at folks who are coming into this like a mid-career pivot. So maybe you were in IT or really honestly specifically veterans ’cause veterans are near and dear to my heart. So do I have to start all over again with my second career or-

Jason Dion:
No, no. It’s one of the biggest mistakes people make. You have experience from whatever job you’ve been doing. I’ll give you a couple examples that I think will help. So I work with a lot of military folks and it’s really easy if you were an IT in the military, you were already running, administrator, it’s pretty much a direct convert. You can go get a job as a contractor and they’ll hire you in pretty quickly. Where it’s harder is, let’s say you were a chef or you were a logistics person, you want to start getting into cybersecurity. Well that’s great, but a chef doesn’t necessarily have a lot of transferable skills or they might-

Marie Garcia: 
Yeah, that’s what I’m saying. How do you inventory that?

Jason Dion:
Exactly. And so doing a skills inventory is really important. For instance, I’ve heard of a lot of people who were cooks in the military and when we started digging into it, when they got to be a mid-level cook, they weren’t actually cooking anymore. They were doing budgeting, they were managing people, they were managing teams, they were responsible for… I was in the Navy, so a ship, if you’re getting the food for a ship, that’s like a million dollars every month or something like that, it’s a huge budget you’re dealing with.

So those are all transferable skills that you can bring over. And so if you were at that management level, maybe you’re going to get in as a cybersecurity manager, instead of an analyst and now you’re running a bunch. I will tell you most of the good cybersecurity managers I know, didn’t come from the tech world. They came from the management base because they know people, they know how to make sure the professional development, they know how to support their teams and make sure they’re working good. And I see Kip’s back, so that’s awesome.

Marie Garcia: 
Hi Kip.

Jason Dion:
So skills inventory is important. Identify relevant skills and then bring them over into what you’re doing. For instance, on my team, I have two other instructors that we hired last year. Both of them were military, both of them were Air Force, unfortunately. No, I’m just kidding. And one of them came from a traditional system administration role. He had been doing system administration cybersecurity for 10 to 12 years in the Air Force and now he works for us as one of our instructors.

The other person was actually an intelligence officer, didn’t touch cybersecurity, but he knew a lot about project management. He knew a lot about data gathering. He knew a lot about open source intelligence and so what’s he teaching for us? Data analytics, project management and open source intelligence. So he is, and now while he’s there, he’s also getting experience in Security+ and CySA+ and all that, and he’s now building up his cybersecurity thing because he had an interest in it, but he never had it on paper, resume. I was a cybersecurity analyst, and so now we’re bringing him up to speed on that too. And that’s what happens a lot.

The other thing I would say with military people is if you are in the military, you most likely had at least a secret clearance. It’s very rare in the military to have a position that doesn’t have at least a secret clearance. There’s like one or two of them. I know in the Navy, like Boatswain’s Mates, people who paint the ship and tie us up to the pier and stuff like that. They’re the only ones that I know of that don’t really have a clearance. Even supply clerks have a clearance. Even our cooks have clearances a lot of times.

And so if you have that clearance, you can go get a job as a military contractor and you can do that with a security plus and a clearance and they will teach you how to do the job because the clearance can take nine to 18 months to get-

Marie Garcia: 
Yeah, and it’s expensive.

Jason Dion:
So it’s a lot faster for me to teach you for a month how to do your job than if it was super technical. Like Kip for example, he no longer has a clearance. He hasn’t worked for the military in 20 years. I could hire him, but it might take me nine to 18 months before he can start his job and I’m paying him for that nine to 18 months, waiting for the clearance and there’s no guarantee he’s going to get his clearance. So companies will say, Forget that. Let me hire somebody who has the clearance and I’ll teach them the cybersecurity stuff.

So if you have that, that’s another way you can leverage it. I know you guys were in Texas, so Texas, there’s a lot of army bases, air force bases and so if you’re near one of those, get a job around there and using contracting, do that for a year. And maybe if you don’t really like the military aspect, you’re like, I got out of the military for a reason, I don’t want to do it. It’s a good way to leverage your experience because you have been. You’ve now got a year under your belt of being a cybersecurity analyst, and then go get a regular civilian job, which is essentially what Kip did. You worked for the military as a contractor for a little bit after you got out, and then you went and started working for banks, insurance companies and everything else, right?

Kip Boyle:
Yeah, so I actually transitioned out of the military. I went from being the director of enterprise, wide area networking security for the F-22, which was a management job with teams and people. And then when I left I said, I want to return to an individual contributor position for a while because I don’t really know how private industry works. And so this idea that I’m going to be able to do some kind of a direct transfer to a director level job at a private company really didn’t make sense to me. I didn’t know anybody who had been able to do it unless they had gone to work for a defense contractor. But that really wasn’t what I wanted.

I saw myself as a citizen soldier and I was done being in the military and now I wanted to go back to my civilian life. I didn’t want to hang out in the fringes of the military world. That just wasn’t what I wanted. And so I returned to being an individual contributor and I loved it. It was a wonderful refresh from the grind and the burdens of being a people manager and a team manager. And eventually I worked my way back into that again. But I think it’s a good idea to look at the career choices that you’re about to make and just really think about, what are all the options here? And anyway, that worked for me really well.

Marie Garcia: 
Is there a… Oh go ahead.

Jason Dion:
Oh, sorry. I was going to say the one thing I would say when you’re thinking about your career, well I know when I was coming up in the industry, the idea was you move up, you eventually become a supervisor, you become a manager, you become an IT director, you become a CISO or CIO. And people did that because that’s how you got promoted and you made more money and all that. These days a lot of individual contributors are making just as much or more than their manager bosses. And so the idea that you have to go management to make more money is not true anymore. And if that was your goal of going to management, I would recommend not doing it. Management is a completely different skillset. I know so many people who were excellent, excellent technicians and then they go, Hey, you got moved to management and they start falling on their face because they’re not people people, they don’t care about their folks.

They’re caring about what can be done and they’re very checklist oriented or whatever those things are. I personally am a much happier individual contributor than I am a manager. And I’m saying that as somebody who is the CEO of a company and who has been an IT director and a CIO and all those things. And I did those jobs okay and I did I think pretty well. My bosses have always said that they were happy with me, but I didn’t really enjoy it.

I much prefer being hands on keyboard and writing code or doing analysis or those kind of things. And so knowing yourself and knowing what is important to you as you’re transitioning into your next role. And that’s why I said that five year plan is really helpful. If you really like talking to people and mentoring them and professional development and overseeing other people’s work and you’re being judged based on the quality of your team’s work, not the quality of your work, then be a manager. If that’s not for you and you like to be, I do work, I get paid and if I fail, I fail because it’s my individual work, then you want to be an individual contributor as a pen tester, SOC analyst, whatever that happens to be. So keep that in mind as well as you try to pick your path.

Marie Garcia: 
Okay. I’m going to ask is there a tool or a methodology or some resource you can point us to that would help me inventory those skills? I would think like the person who was a chef maybe. Yeah, a management level for that battleship, how would they know, oh this works here but it also works over here. What’s available out there to help people transfer or identify those skills that transfer?

Jason Dion:
So I know the person who originally asked that question was a military person and there actually is a military tool for that. That will actually input your military, if you’re in the Air Force or Army, your MOS. And you say, okay, I was a 91 20, which is a nuclear reactor operator. And they say, okay, based on that, here are your skills. You have management, you have accounting, you have chemistry, you have physics, blah blah, blah. And we’ll give you this whole thing. And then it would suggest, based on this, we think you’d be a good logistics manager, we think you’d be a good electrician, we think you’d be a good whatever. And so that can help identify those skills. That’s the tool I know in the military, it’s at military one stop. If you Google one stop, you could find that tool. Kip, on the civilian side, do you know any good tools for that kind of thing? I have not come across any myself.

Kip Boyle:
Nothing I can think of. If anybody who’s in the session right now can think of something, please put it in the chat. I would love to be able to share this, but I’m not aware of anything.

Jason Dion:
I know when Kip and I are working with mentoring people one on one, we will ask them, Tell me about your job. What do you do on a daily basis? Doing that, I start writing down what I think I hear of different things that matter. And so you may be able to go to a friend who doesn’t know your job and say, Hey, I’m going to tell you about my job and I want you to write down what you think you hear are my skills.

So hey, I was a cook in the Navy and I was managing food for 5,000 sailors every day, three meals a day and I had a team of 20 employees that we were cooking and blah blah, blah, blah and break down, okay, time management, people skills, professional development, whatever. And then you kind of get your list that way. I think that would help. Or you can do it to yourself introspectively. Sometimes it’s a little harder to do it on yourself, but if you ask a spouse, a girlfriend, a friend, whatever, they might be able to help you. Or if you have a mentor, a mentor can help you with that too.

Marie Garcia: 
Kip, I hear a newsletter in here somewhere on transferable skills.

Kip Boyle:
Well, it’s more than a newsletter. We actually have an entire podcast episode on that. So I’ll go ahead and put the link to that in the chat.

Marie Garcia: 
And I had a similar experience. There was a woman I was mentoring and she was basically a one-stop shop for a private practice and she didn’t realize that she was doing vendor management, network support and net ops kind of stuff. And she was telling me those things and I’m going, Oh, that’s this. She didn’t have that translation into the private sector enterprise bubble type stuff. So that was very insightful.

Jason Dion:
I can give one more story on transferable skills. We had a student who was working with me directly with our mentorship program last year and she had a master’s degree in marketing. She had grades in marketing and she was trying to transfer into cybersecurity. When she was applying, she wasn’t getting any bites because she had a master’s degree in marketing scaring people off, and she basically had her Security+ and a master’s degree in marketing. And so we helped her with her resume where we basically downplayed her master’s degree. And then in the interview when she was there, they basically said, Oh, tell me about your education. She said, Well I did go to school for marketing, that’s why my last summer jobs are this. But she took out the term master’s degree because that scared them off because master’s degree indicates you’re looking for a hundred thousand dollars plus salary.

And doing that, they actually said, We don’t think you’re quite right for a pen tester role, but we would like you to be our security trainer person to work with our clients and figure out what their security plans are and how to change their passwords and all that stuff because you can use your marketing background in that. And then during that time for the next year, we’re going to train you up to be a junior pen tester and move you into that role and so she got into cybersecurity because of her marketing background, but she found what was similar. Kip and I, we like to refer to this as the two step. You may not be able to get hired directly into the SOC analyst role or the pen test role, but there may be something close and then you go from there. So let’s take your skills analysis and you were that chef and you had no skills but being a chef because you were just the guy or gal cooking dinner every day.

Well maybe you can get a job working at Google’s headquarters as a chef and now you’re around these other cyber security people, you can talk to them, you can network. And now they say, You know what? I know Jason and yes he’s a chef, but he’s really dedicated and he really wants to be in this field. Let’s give him an opportunity. And I’ve seen a lot of people do that too because proximity helps. In this world, really hard to do if you’re, again, this is why I say get a job in the building because you can now do those peripheral connections and networking.

Marie Garcia: 
Okay, cool. What’s the most unconventional path into cybersecurity that you guys have seen? Just curious. I have a favorite, one of your episodes, episode 82.

Jason Dion:
Oh, the truck driver? Yeah, truck driver, that was a good one. Yeah, I think that was a good one. And the other one I really liked was Edward. Edward. Last name starts with an S. I can’t remember his last name, but Edward was on our show twice now. The first time was when he got his first job. He’s out in Hawaii and he had a music degree and he was working in a bicycle shop, and then he met somebody through the local networking and got a job as a help desk technician all for the military as a contractor. While he was a help desk technician, he was working as a field service person. So he got promoted where he is going out to people’s offices. When he was doing that, going across the island and meeting a bunch of people on base, he was very personable. He had soft skills and he met somebody, they go, I think we can find you a role even though you don’t have the experience, go get your Security+ and we’ll hire you.

So he got a Security+, they hired him in as a junior analyst. It’s been 18 months now and he’s already been promoted once or twice. He’s been getting salary changes. And that’s why we had him back on, to talk about his promotions. And so he’s had a very unique career blank from music degree at Berkeley, to bicycle shop in Hawaii, to field services, SOC analyst, to now a senior SOC analyst and keep continuing moving up. And again, a lot of that was because of his soft skills and people liked him. And were like, We’ll give you a chance because we like you, we like being around you.

Kip Boyle:
Yeah. So I dropped a link to episode 58, which is called How to Get Hired with No Experience and Ed Skip, Skipka is the name of the fellow that Jason’s talking about. And that’s the story that we tell in episode 58, is how he started in a bicycle shop and now he’s killing it. In fact, he came back because in episode 81 because he told this fantastic story about how he negotiated a pay raise for himself and I felt like he was the poster child for an irresistible job candidate because he had multiple hiring managers fighting over him.

Jason Dion:
And he’d only been there for 12, 18 months at that point. It wasn’t he’d been there for five or 10 years. So he had pretty little experience, but they’re still fighting for him.

Kip Boyle:
So it just shows you what’s possible. And I’ll tell you the person that I thought had the most unconventional path into cybersecurity was a guy who I thought was the best crypto programmer I had ever met. He was really deep into it and he was excellent at what he did and he went to school to study cinematography.

Jason Dion:
It reminds me of the military. When I was a nuclear reactor operator, I was also a nuclear reactor instructor for officers and they had to have a degree to get in the program and they’d go through two years of training to become nuclear engineers, and the Navy didn’t really care what your degree was in as long as you had a year of calculus and a year of physics, they would take you. And so I had people who had a forestry degree, I had music degrees, I had film degrees, and those folks actually performed better than those who had a chemistry degree or a physics degree or a math degree. I was like, I don’t understand why, but for some reason these creative fields were actually doing better in this nuclear engineering world than the engineers were. It was really strange to me.

Marie Garcia: 
Hey Ruth, do we have any questions? You want to jump in?

Richa Tiwari:
Yes. We do. So one of the questions, and I think we are just bringing up in a little bit, there’s some questions on the GRC roles, there’s some questions about the PenTest too. So maybe we can start with the PenTest question. And this question is by Leah Vieland, I hope I’m pronouncing your name right. She has a specific question saying, Can you elaborate on what sets PenTest+ apart? I know you said it was harder. Are you saying that PenTest+ covers things that the CEH doesn’t?

Jason Dion:
Yes. So it has everything CEH has and more. It’s about 20% more content if I had to put a number on it. And specifically I think some of the more complex parts of that is there’s an objective about scripting. So there’s one objective and it says, must be able to read and analyze the script. And then it says you must do that in Bash and Python and PowerShell and JavaScript. And I think there’s one more, I think it’s four or five of them off the top of my head. But there’s four or five languages you have to know. You don’t have to be an expert, you don’t have to code it yourself, but if I give you a script that’s five or 10 lines you should be able to look at that and go, That’s a key logger, that’s an Nmap scanner, that is whatever, pcap capture tool, whatever.

And you could do that. And Python is where a lot of that comes from. And even on the exam I’ve seen some questions, they also have simulations. If you were taking a CompTIA exam, they have the first three to five questions are PBQs or performance-based questions where you have to do something in an environment and they may ask you a question like, Hey, I want you to craft an nmap scan and so you’re actually going to type in nmap -sS, here’s what are all the different command options you want based on what they’re telling you to do, to get the output that they gave you. And that way they know that you understand the tool in depth and you’re not just going, oh nmap. You actually know what it’s doing. Same thing with the scripting.

I’ve seen some questions where they might give you 10 blocks of code and you’ve got four holes and you need to pick the four blocks in the right order to make the script run. None of it is coding it yourself, but it is recognizing, every bash shell starts with a hashtag, right? Sorry, not with the bang symbol, not the hashtag, the comments were all hashtags. So all that kind of stuff is stuff you have to be able to do. So it goes a little bit more in depth. And then to combat that, what CEH did was they made CEH Practical as a secondary exam that you could take after getting your CEH.

I will tell you, nobody cares. I’ve not seen a single hiring manager ask for CEH Practical because it only came out in 2019 and again, you’ve already paid $1200 for CEH. Are you going to pay another $1000 to go take this online lab environment test? It was their attempt to try to decrease the amount of people who are leaving for PenTest+ and leaving for OSCP. So they kind of said, Okay, we have our ABC questions and now we have this lab environment like OSCP and we want you to do.

Richa Tiwari:
Okay. Yeah, hopefully that answers your question. The next question we have is from Anthony Taylor, and this is more about the certs being discussed right now are great for direct SOC and analyst roles, but less so for governance and risk management strategies. Coming from a non-audit role, what is the best way to break into the GRC space when most companies are looking for people with certs that require five years of audit experience such as a CISA or CRISC?

Jason Dion:
So Kip, you want me to take this one?

Kip Boyle:
Go for it man. You’re on a roll.

Jason Dion:
I told you, I like to hear my own voice. I would say the number one certification you can go after in the GRC space today that does not require previous experience would be PCI DSS compliance. So many companies need PCI DSS compliance, which is all about credit cards and financial card holder data. There are requirements to do quarterly scans and annual scans for external vendors and all of that. And so if you can get certified in that, that would be the way to go. I don’t remember the exact certification. I think you start PCI DSS, the main PCI DSS organization and they have their own certification. I think there’s two levels of it, the beginning and the middle, but neither of them require you to have the five plus experience like CISSP, CISA, CISM, CRISC and those kind of things.

The other thing here I would say, the NIST Cybersecurity Framework is a really important framework to understand from the GRC perspective. I will tell you there are no certifications out there for it yet. I know of a company that is doing it and it’s going to be coming out pretty soon, in the next six to nine months. And so I would recommend that. And Kip and I are both working with that company to get those things released. And then the one that’s coming out after that from that same company is the risk management framework and it’ll be a certification for that. And both of those will have a foundation or entry level, no experience, very definitional based, understand the concepts and then a practitioner level where it’s going to be very scenario focused, can you apply the cell? So the first level will be, can you define these things? How do they apply to the real world in GRC?

The second level will be based on this case study you’re looking at the educational technology company and blah blah, blah happened. What do you recommend they do? And so those would be my three suggestions. PCI DSS is a great way to get in. Lots of companies need it. The certification is already out there and exists and there’s a lot of good stuff around that. It’s a good way to get in because I will tell you a lot of people don’t like GRC. It’s a lot of paperwork, it’s a lot of auditing, it’s a lot of scanning and analyzing reports. And so a lot of people don’t like it because like I said, most people want to be pen testers. They think it’s cool ’cause they see it in the movies. And so a good way to get into cybersecurity is to go in through GRC and then switch over into a SOC. So that would be my recommendations. Kip, do you have anything to add to that or did I get it good?

Kip Boyle:
I think you did great. I’ll just add a couple of things to it. One is that if you want to learn about the NIST Cybersecurity Framework, Jason and I actually have a course on Udemy that you can go and get. And we also have a course up there on the risk management framework. So those are two very GRC oriented courses that you can take and then you can actually put those on your LinkedIn profile as training that you’ve taken.

And so that can help position you as a GRC expert. Part two of my book, Fire Doesn’t Innovate, contains a lot of NIST Cybersecurity Framework applied, and so you could grab that as well as a supplement, or as a substitute for the Udemy course. The other thing that I want to mention is I know somebody who is a very prolific YouTuber and very focused on GRC as a career field, and I would like to give you his name. His name is Gerald Osher is how you say it. That’s not how you spell it, but I’m going to drop a link to his YouTube channel so that you can watch him and his videos and get an idea for all the different things that you can do since that’s what you want to focus on.

Jason Dion:
And I will say all the links that we’ve been talking about now, we’ve given you guys tons and tons of links. We plan on putting this out as a podcast episode on Your Cyber Path. It’ll be out in March and we will have in our episode notes links to all of these other episodes and all of these other resources as well as I think you guys are able to save the chat before you get out of the Zoom, to look at all those links too.

Richa Tiwari:
Awesome. Thank you. And I think that was super helpful. The next question we have is an interesting one. So this one is again from Anthony and he’s saying, How will the rise of AI automation change the SOC and the GRC spaces? As we see more products like mixed mode AI come out, I’m worried that it’ll change the SOC roles into glorified dev spaces managing the automation workhorses. Where does the human element come into play?

Jason Dion:
So I’m not a futurist, but… Every time you try to predict the future, you’re probably going to be wrong, but I’ll give you my thoughts. I know a lot of people are worried about AI and ML taking away jobs from cyber security analysts and I don’t think that’s going to happen. The amount of volume we have is too much for analysts to do manually. We have to use automation. There’s no other way to protect ourselves. But at the end of the day, the AI is only going to be so good. If anybody has played with ChatGPT, it does a really good job 90% of the time. The other 10% is completely and utterly wrong. And so I think it’s going to be the same thing with these soft-based AI and ML tools. They’re going to be used to say, this looks really suspicious to me and here’s why. Human, look at this and tell me am I right? And then you would go in and do the analysis of it.

Similar to when I was running a SOC back in 2012 through 2016 or so, we had a lot of entry level analysts. Really their goal was to go look for things that looked weird and they wouldn’t know if it was bad or not. They’d go, This looks weird, let me give it to a senior analyst and then they can look at it. But that way, we take a hundred people and they get that to the two really, really smart analysts who are looking really in depth at things. And really those entry level jobs have now been replaced by machine learning and filters and searching capabilities and things like that. And I think we’re going to see more and more of that.

I don’t think we’re going to necessarily be turning SOC analysts into devs, but I do think that we are going to see a lot more AI automation in these things because if attackers can use AI to attack, it’s going to be acting this fast. And if we’re trying to do everything manually, we’re acting hours or days, not this fast. And so to be able to compete, we’re going to have to do AI and ML. Kip, do you have any thoughts on that?

Kip Boyle:
Yeah, I would like you to think about AI and ML as the next killer app for your job. And I think it’s very similar to believe it or not, there was a time when a spreadsheet was a giant poster on a wall and people had to get on ladders in order to reach the rows and the columns at the top. And then spreadsheets were also these giant ledger books where you’d have to write in them and that’s where the bookkeeping was happening. And then along came VisiCalc, and then Lotus 1-2-3, and then Microsoft Excel and now spreadsheets are electronic and they’re all-

Jason Dion:
They’re cloud-based and all that stuff.

Kip Boyle:
That’s right. And that hasn’t eliminated the jobs of people who use spreadsheets, but it has required them to shift the way that they see their job and the tooling that they use. And so they do have to go kind of through a rethinking and I believe that ChatGPT and these other AI, ML tools are going to have a very similar effect on us in the near term where we are going to have to learn how to do our jobs with a different set of tooling and we have to because our competitors are doing it, whether that’s competitors in terms of cyber criminals or competitors in terms of other people that I’m competing with for this job that I want. And so in the near term, I think that’s a reasonable way to look at it.

Jason Dion:
I think the other part of that really is when we look at a lot of these AI tools that are being implemented, and we’re using ChatGPT and OpenAI with a customized training database that we’re training now as well, to do a lot of our work. The jobs that it replaces are the very [inaudible] jobs. And so what ends up happening is the people who remain and generally more of the people who remain are going to be higher tech and higher knowledge. And so they’re able to make more, this is actually a better paying job. If you are somebody who does not like to learn, cybersecurity’s not for you. This is a constantly changing field. ChatGPT has been a huge game changer for a lot of stuff we do.

If you email us a question and say, Jason, I want you to explain the CIA triad, I am not going to spend 10 minutes typing an answer to you on the CIA triad. I’m going to go to ChatGPT, and I’m going to type in, explain the CIA triad in 500 words to a student at the seventh grade level, and it’s going to pop me out two or three paragraphs. I’m going to read over those in 30 seconds and say they’re good, or I need to modify them a little bit, paste it back in the email, then send it to you. I now saved 10 minutes and made it a minute. That’s the kind of things that we’re going to see with AI and ML and we’re doing a lot of that, where I used to have a virtual assistant who would help with that and her job was to go find an answer online, write it up and summarize it, send it to me, I would approve it and then it would go out to the student. Now we’ve been able to replace that role with ChatGPT.

Richa Tiwari:
Yeah, and to your point, it’s always ever evolving, the amount of tooling we have now, and it keeps coming up with all these different companies solving different problems. So that’s definitely spot on. The question I have is from Leah saying, What in your opinion does it take to be a good CISO?

Jason Dion:
I’ll leave that one for Kip, because I know he’s got lots of years of experience here.

Kip Boyle:
Yeah, I see people struggle to make the transition from individual contributor or even supervisor into CISO. And let me just tell you some of the things that I see them struggle with. One thing I see them struggle with is that they can’t keep their hands off the keyboard. They won’t stop doing technical work and you have to stop doing this. That’s a huge thing. And let me tell you why, because I know that some people are like, well, I don’t see the problem with it. Well, I’ll tell you what the problem with it is. Two things. First of all, you are stealing professional development opportunities from your team. Every time you do something that they should be doing, you are keeping them from getting smarter and more capable and you don’t want that. That is self-defeating. So that’s one reason.

The other reason is because there are duties that a CISO has to do that nobody else can do. And if you’re busy doing stuff that can be delegated, that means the stuff that you have to do that nobody else can do is not getting done and that is self-defeating. I’ll give you an example of what I’m talking about. I believe that one of the markers of success for a CISO is that when the organization you work for is thinking about making a major change, you’re going to hear about it one of two ways.

You’re either going to hear about it after it’s over and somebody comes to you and says, Hey Kip, why don’t you secure that thing that we just pushed into production? That is a fail indicator for you. A succeed indicator for you is when a senior decision maker comes to you and says, Kip, we’re thinking about making this huge change and we’d like your take on it. What do you think about this? That is a success indicator. Now how do you get that kind of success? Well, you have to go out and build relationships with other senior decision makers. And when they’re thinking about making a major change, they have to think of you as one of the people that is non-negotiable that they have to talk to, not because there’s a policy that says they have to do it. That’s not going to be the way. They’re going to do it because they know you, they like you, they trust you, and they believe that if they ask you the question, you’re going to give them valuable insights that are going to help them succeed with that change.

And the only way you’re going to do that is by going and talking to them and letting them know you as a person and helping them to succeed. If you’re screwing around with keyboards all day long, you’re not out there making those relationships and you can’t delegate that. So that’s you and you uniquely in your job. So these are the two things I see CISOs struggling with the most and the course that I teach for Antisyphon is called How to Build a Strong Team. And I cover these things in detail and I give you very specific tools and very specific recipes for dealing with this.

Marie Garcia: 
Awesome.

Jason Dion:
Agree 100%.

Marie Garcia:
All right, Ruth, we’re getting close on time. Did you want to do some prizes real quick or how do you want to proceed?

Richa Tiwari:
We just have one last question I think, and after that we can stop. We can pick up the prizes. This one is from Victoria. She says, What skills do hiring managers look for, for OSINT and threat intel jobs? You can say that I’m not from the exact certification community, so I’m just trying to get through with it.

Jason Dion:
There are really not a lot of certifications out there for OSINT or threat intelligence jobs. I will tell you that most people who got hired into those worlds, at least in the last couple of years, came from the military because the military was really the number one place doing OSINT-type work and intelligence against other advanced persistent threats and nation states. So I see a lot of that. There’s a couple of big companies out there that do that, McAfee and FireEye, which then became Mandiant, which I think got bought by somebody else. And there’s a bunch of those threat intelligence feeds. And really what I see a lot with threat intelligence stuff is there’s a lot of open source research. There are a couple of courses on it that I’ve seen out there. I can’t remember the names off the top of my head, but there’s no real certifications except for SANS.

For most of us, we’re not going to be taking SANS courses because they are $8,000. And if you’re new, who’s got $8,000 to spend on a five-day course? The only people I know who take SANS courses are people who already have their employer paying for it. Unless you go with one of the two programs that, it looks like, Maria posted in the notes: the SANS Diversity Academy, which is free if you get in. They look for people of color and minorities, and it is a free program. It’s like three months long and they get you a whole bunch of their certifications.

And then the other one they have is the Vet Success Program for military veterans. And so you can look at that as well. SANS training, it is great. It is world-class training. But like I said, each course is like $8,000. And so that diversity training, it can easily cost 40, 50,000 dollars for the four to six courses they give you, and they’ll give it to you for free as part of the diversity program. But it’s a lot of work. It’s basically 40 hours every week.

Kip Boyle:
Okay. Now I want to tag onto that and I want to give you an approach that will work for anybody who’s trying to answer this question for any job. All right. What are hiring managers looking for? It’s actually really simple, but you have to do a little homework. The first step in your homework is you’ve got to be clear on what kind of company you want to work for. Do you want to be in the defense sector? Do you want to be in retail? Do you want to be in software, high tech? Whatever it is, go and grab that mind map that I mentioned in the beginning and figure out which industry, what size of company do you want to work in? Behemoth, mid-size, small?

Once you figure that out, I want you to go to LinkedIn jobs and I want you to pull job descriptions for the job you want at the kind of companies you want to work for. You want to look for four to six job descriptions, and then you’re going to grab them and you’re going to compare them and you’re going to start to look for what’s common, what are they all asking for? And that is how you’re going to get the answer to your question.

Marie Garcia: 
Agreed.

Richa Tiwari:
Awesome. And I think those were all the questions that we had. And if, everybody in the audience, if you guys have any more questions, you can message us on LinkedIn, shoot us an email, and we can definitely have Kip and Jason using ChatGPT, sounds like answering the [inaudible]

Marie Garcia: 
Yeah, I put both Jason and Kip’s Twitter handles and whatnot in there as well. So you guys just reach out to them and subscribe to their podcast.

Jason Dion:
Yeah, and like I said, ChatGPT is really good for basic questions, but if you’re asking for what is your advice on this versus that, it doesn’t do a really good job on that. And that’s where the idea of having a mentor comes in, to say, I’m looking at this job versus that job, what do you think? Which path should I go? And we’ve had a lot of those questions where I’ve got this job offer, this job offer, this one pays more, this one pays less. And we’re like, Actually, you should take the lower-paying job because it’s actually a better position to get you the career you want, where this one is more of a dead end and you’re already at the top level and yeah, you’re making an extra 10,000 a year, but you’re not going to go anywhere. With the other one, you’re going to advance much quicker.

So those are the kinds of things human mentors help with. Awesome.

Marie Garcia: 
Thank you Jason and Kip, really appreciate your time.

Jason Dion:
Thank you guys for having us. All right, we’re back. Again, I want to take just a moment and thank you for joining Kip and me again for another week and another great episode of Your Cyber Path. Now, if you’ve listened to the entire episode, you probably counted at least a dozen links and resources that we were listing during our discussion with that panel. So if you go over to yourcyberpath.com/93, that’s episode 93, you’re going to be able to find the notes for this episode, including all of those different links that we mentioned.

There is a lot of great stuff in there, so make sure you check that out because it really will help you. Now also, if you can do us a quick favor, go over to your favorite podcast listening platform and leave a review for us. Let us know what you think. Do you like the show? Do you hate the show? Is there more of something you want and less of other things? Tell us what you like and what you don’t, so we can make the show better for you. All right. With all that said, I just want to thank you again as we try to help you and others succeed in your cybersecurity careers, and we’ll see you again on the next episode of Your Cyber Path.


YOUR HOST:

    Kip Boyle
      Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

    Jason Dion
      Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
