Ask an expert: How to start and advance your cybersecurity career

Chris Sienko: Warm welcome to another episode of the Cyber Work With Infosec podcast, the weekly podcast where we sit down with a different industry thought leader each week to discuss the latest cybersecurity trends and how these trends are affecting the work of Infosec professionals as well as tips for those trying to break in or move up the ladder in the cybersecurity industry.Today's episode is a webinar released on July 17th of 2019 and it features Infosec instructor and managing partner at KM Cyber Security, Keatron Evans. During the course of this webinar, Keatron will answer your most pressing questions about how to start and advance your cybersecurity career. If you're feeling stuck in your current position or you're looking to get started, Keatron's extensive knowledge and experience in cybersecurity will provide you with a needed boost as you decide on your next steps. And now let's listen to this one hour episode titled, Ask an Expert How to Start and Advance your Cybersecurity Career featuring Keatron Evans and moderator Camille DuPuis.

Camille DuPuis: Hello there everybody, and thank you for joining today's webinar. Today we're going to ask the expert how to start and advance your cybersecurity career. My name is Camille DuPuis and I am the marketing events manager at Infosec. And today we have with us Keatron Evans. Let's go ahead and meet our guest. So today we have Keatron Evans and Keatron is an Infosec instructor as well as a managing partner at KM Cyber Security. Great to have you with us Keatron. You've done a couple of webinars with us before and always a fantastic guest for us. So thanks for joining. And as I said, my name is Camille DuPuis and I'll be the moderator today. So I'm going to go ahead and kind of as we go here turn it over to Keatron but first want to let everyone know that this is of course going to be a very interactive webinar.

This is a time for everyone to ask questions. Anything related to advancing your cybersecurity career or questions you kind of have getting into the industry. Anything from specific to broad will get to as many of those questions as we can today. So Keatron I'm going to kind of turn it over to you and see if you would share some of your backgrounds, some of how you got started in the industry, perhaps education, experience, certification, some stuff kind of in that realm.

Keatron Evans: Yeah, sure. I mean, there's always a lot of that stuff, but I'm just going to try to focus on this stuff that actually contributed to IT because I mess around with music and stuff like that early on as a potential career field. But essentially what happened was I was working for a small city in Mississippi as an assistant to the city engineer and at that point they decided they needed computers and I was the only one that was under the age of 50 at the time. So they were like, "Yeah, that's your job now is to get us two computers and get them set up." So it really started for me just going to a local computer shop, buying a computer, coming back and getting it set up. And from that it graduated into other things.

Like there was a certification that used to be popular back in the day called the Novell C and E. So I got my first certification, this is all the way back in 1998. I think I was like 18 or so Novell got their CNE certification and set up my very first network. And from that a year later everybody was like, "Oh, Novell is going away and now you have to learn Microsoft." So I went the MCSC route just to learn how to do what it is I was supposed to be doing. And that was really the start for me and kind of wanted the good points of that is it was a really small city. I've also learned too that my foray in the cybersecurity or IT security was when I was working for a small company as well.

So for those of you that are looking to try to go land that first cyber job in a big company, you might want to reconsider that some because there's advantages also to doing it with a small company because they're more apt to, you can get approvals for training and stuff like that a lot easier if the small company is going to pay for it because you might be the person that's responsible for everything. And I think that was what happened to me. I was in charge of everything, computers and eventually everything computers, including security. So, it allowed me to be able to get that training and get into certifications and stuff. When certifications was really brand new, it was really no one in the game, but Microsoft and Novell. So that's how I started.

Got tired of that job. I figured I could do more. So I moved to Chicago interviewed at a few places and got a job right away, doing just basic break, fix, replace hard drives, that type thing. And the company I was working for, it didn't have anybody but me. It was a pretty engineering firm of about 20 people and they had me doing most of their computer stuff they called it back then. And what ended up happening is I was like, "Okay, well I'm tired of this. I want to do something that is a little more exciting to me." So I still have an Excel sheet that I created. This is in 2000 or I kind of listed out certifications and things that I wanted to learn. And this was all based on just what I knew about the industry so far, CSSP, CEH was brand new, it had just come out.

And that was really my connection with InfoSec at that point because that time there was really two places doing the training. And I met Jack and took the class from him and shortly after I taught a few classes and he was like, "Yeah, you're teaching from now and I'm not doing it because I don't get emails as good as yours. So it doesn't make sense for me to do it." And that's kind of how I started with that side of it. But the certifications definitely opened the doors to meeting people to get other opportunities. I tell people sometimes you can take a five-day certification class and out of that five days you only learn maybe one thing that's valuable to you, but sometimes that one thing is really, really valuable. It really takes you to that next level.

So that's kind of how I got started with it. I didn't go to a big fancy university, went to small Mississippi universities. It was no Harvard, MIT, none of that kind of stuff. And I just kind of kept digging to just do better and do better and do better to get to that next step. And that kind of one of the things that I wanted to point out too, because this is a question that I know is going to come up, is people they will go get certifications, get degrees and say, "Yeah, I've got these degrees. I got these certs and I've interviewed at 10 places and I didn't get the job. So you guys are saying that there's all these jobs in IT security and cybersecurity, why am I getting passed over?"

And what I would say to that is, first of all you need to get out of the mindset that because you have a cert and because you have a degree, you're absolutely going to get that job that you're applying for. You have to actually be good at it. You have to put the work in to make yourself good at what you're doing. Just having the paper doesn't really guarantee you the job. Now, there are some jobs where they'll hire people just because of the cert because they need that button, the seat with that cert, some compliance criteria or something like that. But the jobs that a lot of people are going for, where you actually doing hands on pen testing and hands on threat hunting and stuff like that, you actually have to be good at it. Because just like you're applying for it with all your certs, you're in a line of other people with certs applying for it.

And even though there's lots of jobs out there, we're going to pick the people that can actually demonstrate that they have the skills better. So, getting the certs... What I'm saying is don't count on getting the job because you have the certs, but you can almost count on not getting a job if you don't have the certs. So, kind of like one of those things, you have to do it, but you have to do that plus actually put the time in to become good at what it is you're trying to do. And the way I have always looked at it and when I found out about security is every time I figured out how to do a hack or how to do something that I didn't know how to do, I felt like I had been kind of running a marathon.

And it seems like every mile someone hands me $1,000. So imagine how hard it is to run a marathon. But imagine how much easier it'd be if every mile someone just handed you $1,000 cash.

Camille: I think I'd turn into a runner pretty quickly.

Keatron: Exactly. You'd push yourself to that point. And that's exactly, I kind of get that same feeling every time I figured out something that I didn't know how to do security related, I feel as if someone just handed me $1,000, not a million, because I would retire at that point, but I feel like someone's handing me $1,000. And that kind of drives me to just keep learning and keep going and keep finding out new things. And what I would say to people is if you're in this industry and you don't get that feeling when you figure out something, or when you solve a puzzle, or when you commit that first hack, then reconsider. Maybe this is not the thing that you should be doing if you don't enjoy what you're doing to the point that you get that kind of euphoric feeling when you jump that plateau and move on to a level that you weren't at before.

Camille: Right. Oh, that's a fantastic analogy Keatron. I really like that just and seeing this is an industry that doesn't stop changing, right? So, you have unlimited potential to keep running that marathon and keep earning those $1000. Right? Because there's going to be something new that someone needs to figure out every day. So really, really great analogy there.

So let's kind of move on. Thanks for the kind of the background. So the guests here kind of know who they are privileged to speak with today. For the guests that just joined please use the Q&A panel to start submitting questions. We're going to now move on to questions that were submitted through the registration process and I see from the attendee list, I think there's some of the folks live on here that submitted some questions. So we picked some out that people pre-submitted for the webinar and then we're going to save time at the end as well to answer questions here in the live session.

So, starting out from this question from Michelle T. and Keatron this is kind of pertinent because you said that you actually went into thinking about other careers. So, Michelle said, "What is your advice for someone going from a teaching career into a new or second career in various cybersecurity roles?" She has a bachelor's and a master's degree, but they are in music and Italian language. Would she have to go back to school or would she just work on certifications?

Keatron: Well, I would probably advise initially working on certifications to get yourself in the door of somewhere that will then pay for whatever else you need to get. Because the thing is, if you look at a lot of the IT security and the cybersecurity jobs, they don't necessarily say you need a degree in computer science or even anything technical. Most of them will say you must have a bachelor's degree. And that's the first step that you need to meet for a lot of these jobs. So, if you have a bachelor's degree that qualifies you to interview for a lot of positions. And then on top of that they'll say, and you must have this certification, this one and this one. So, they usually append it with, you can have a bachelor's degree in whatever, but you need these certifications to prove that you actually know about something about this industry.

So I would say probably start off with the certifications because for one they're cheaper, you can get them faster and it gives you an opportunity to get into doors to places a lot sooner. And also, since you have a teaching background talk to InfoSec about coming on as an instructor after you get a few good certifications under your belt because they're always looking for good instructors and people that have a good ability to teach. Teaching has also been a great way for me to learn those. Some of the basic fundamental stuff like how TCP works and all these things. A lot of times you can learn that stuff and remember it better after you've taught it to somebody else a thousand times. So teaching is also a good way to learn.

Camille: Right. And I think that's an interesting point to consider Keatron, like you said a lot of times people or hiring companies will request a bachelor's or a master's degree. And I think a lot of times what they're requesting is that's showing that somebody's got the ability and willingness to learn. And then pursuing that with certification. So even if it's not directly in the field you're going into I think I've heard some stories of different individuals who have gotten into cybersecurity from very different careers. But it's just those individuals that really have the willingness and interest in learning new skills, which they can prove then by certifications instead of degree necessarily.

Keatron: Absolutely. The best pen tester I have on my team, she didn't come from a technical background. She didn't have a comp science degree or any technical degrees. She was actually major in drama, but she was interested in computers and hacking and technology and we kind of just mentored her and I would give her a little projects to go and practice on and she would take it to the next level. And once I saw it, I was like, okay, she's going to be really good at it because she's really digging into it and doing way more than I asked to stop the problem. But she's learning a whole lot while doing it. And now she's literally the top pen tester that I have and she's got the least amount of actual technical experience of everybody else, so.

Camille: Wow. Very cool. It's so cool to see how people can transition in this industry and really come from anywhere and be successful.

Keatron: Absolutely.

Camille: So, here's a question that was submitted. "What projects do you do on your own to learn more about cybersecurity and kind of where do you get started? And that question's from Parabin." So, I think kind of interested in like you said, you just kind of started playing around with different computer strategies and that kind of thing. How did you know where to start?

Keatron: Yeah, that's a good question because back then in 98 when I was starting, there was no really Internet. It didn't exist like it does today. So, you really had to read books. I would go to the local computer store because there was only one for 100 mile radius of where I grew up. There was the computer store for that entire part of Mississippi.

So, I would go there and when you would go to buy things, I'd go buy cables and new network cards and different pieces. And while you're in there, you have conversations with the people that work there. Because at that point in time, the culture was different, the computer store was where you went. It's like your hub. That was kind of like your Internet to get information about technical things because those people had access, they were trying to sell stuff, they knew what was coming out in the near future.

So, I actually got into networking and stuff like that just by hanging out there. But now I would say definitely join some groups on LinkedIn, like jumping to some of the cybersecurity groups and they're all rated so you can find the ones that are really good. From that point definitely just start doing some hands-on projects, like get on there to see what people are doing, but you're going to have to actually get some hands on stuff yourself. So I would recommend downloading a few VMs like Kali because we all use that in the industry, it's on some level. Download [inaudible 00:16:18] audible so that you can start practicing how to exploit things. And there is a lot of other careers in cybersecurity or other than pen testing, other than hacking. But I still think it's one of the best places to start practicing because it builds so many different types of skill sets other than just pen testing.

I mean, you're going to get very solid with Linux. You've got to get solid with some scripting. You're going to get solid with just how operating systems and how networks work. It requires you to kind to get a good mastery of all those things. So, I still think that just diving in to looking at like Security+, even if you don't take a class, just look at the syllabus and just go learn those things, practice those things. Same thing with CEH, go look at the syllabus and then learn those things and then maybe take a class after that after you've studied it enough on your own to justify spending that money.

Camille: Right. And now follow up to that. A question that kind of came through was these are two big certs in the security world. And someone was wondering what the difference kind of is between pen testing and ethical hacking.

Keatron: Yeah, so it's really not that much of a difference. Really pen testing is a form of ethical hacking, right? So pen testing is generally a professional service that we provide to customers and it is a form of ethical hacking that we get paid for. Now, you see different definitions of it in industry. Some people say, well, if I hack into chase.com or bankofamerica.com but I don't take anything and I just do that to show them what their vulnerabilities are, that's ethical hacking. But you have to be careful with that because maybe your intent is to be ethical, but still you just broke the law and you still could go to jail for doing that without a signed contract. So, I think the definition is kind of gray there. But generally speaking, I would say that pen testing is just a form of ethical hacking that's been morphed into a professional service that we sign contracts and get paid for.

Camille: Sure. Okay. I think that's helpful to kind of answer that question. I know that those are just two buzz words and someone who's starting out in the industry can see why there'd be some confusion on that. So, thank you.

Okay. So here's a question from Shaundra. She says she's already completed digital forensics and computer security course. And she has the room and a variety of equipment at home where she likes to test scenarios without destroying the network she actually uses for work. So this is kind of going back to the different ways to practice I think. She knows there are online games, hacking challenges, et cetera, but she'd like to have a system and a network where she can have a bit more control and access.

Keatron: Yeah, I think that's a good question too. And part of, I think what she's getting at there is she wants to be able to build the network because you actually learn a lot building your practice area. But Shaundra, what I would strongly recommend to that is kind of give all that equipment a break, go and set yourself up Amazon, AWS account or Microsoft Azure or Google Cloud account and go on there, set up some VMs, set up some virtual routers, start learning about virtual private clouds and software defined networking. Because the thing about it is if you look at what's happening in the world now, most companies, large and small now are rapidly migrating everything to cloud services. So there won't be as much of a need, I don't think in the near future for the skill sets to be able to work on actual hardware.

You're got to be much more valuable knowing how to navigate inside a cloud services environment. And if you build an environment of your own from scratch, that is the best way for you to get kind of leapfrog everybody else and have a leg up on that when you've tossed into that environment in a corporate situation to have to manage it, do security pen testing, whatever the case may be. So I would recommend doing that instead of, and then use that space and throw away, get all that equipment, sell it on eBay to someone that didn't watch this webinar, so they're still buying equipment and set yourself up a music room or something.

Camille: I like that. I like that tip there. That's fantastic. But it is interesting to see kind of how many companies and things are transitioning to the cloud. And as we said you just got to keep up with the industry to stay in the industry. So good recommendation on what's coming up. And I think that's important that people continue to watch for the future. Some certifications unfortunately, it might not be valuable in a few years. So definitely keeping up to speed is important with that.

Keatron: Yeah.

Camille: Perfect. Well, we've got a couple more submitted questions before we move on to questions from attendees. So, want to remind everyone to start submitting those. Feel free in the Q&A panel. But let's move on to the next question here. So, Keatron, maybe you could tell us a little bit about your certifications and how you plan those and then as well as the other part of the question is does experience outweigh certifications or vice versa and kind of what you see there?

Keatron: Yeah, so that's a really good question too. Currently, I've got over 70 different certifications in different things. And initially I did have a plan for how I would approach them. And it started out with just looking at what was out there and what they covered. And I looked at the time CSSP was kind of where I want it to be because it was looked at as if you get this, it's kind of the grandfather of all. But then what happened is, as I got into it, I learned what the certifications actually were and now I'd even recommend it to people. CSSP may be a good next logical point after Security+ or something like that because it covers a lot of different things very shallowly. And that allows you to get an idea of what it is you really want to do and specialize in because you kind of touch on all of it what something like CSSP or CISM.

I had a very solid, like I said, I have this big Excel sheet I had in their first a plus Network Plus. And the logic behind that was I needed to learn the basics first. And then after Network Plus I went to Security+ and all the Microsoft like MCSC. And then I moved into the security stuff after that. And that was kind of my plan was to make sure that once I got into the hacking, I actually knew how operating systems work, I knew how networking works because again, once you hack a system, go and get Metasploit Pro or whatever and you compromise a system. What are you going to do once you get on that system if you don't understand how the operating system works, if you don't understand how networks work?

So I was afraid of that. I've always been afraid of being under-prepared. So I always just stack and make sure I plan it out. The other reason I think this question is really good is because the whole experience outweighing certifications things. That's kind of a big argument in the industry and my take on it, what I always tell people is definitely if I'm hiring someone to do a specific job that requires a specific technical skill, if they've got a lot of experience doing that, that's probably going to be more important to me than having the certifications because I can get them certifications really quickly. But there's also the flip-sided argument, which is for yourself, for your own personal goals, Camille, if you were trying to do this, what I would say to you as well, experience is something that you get over time.

The only way to get five years’ experience is to work for five years and it takes a minimum of five years. But the certifications you can get right now, so you got these two things. You got to get both. You got to have experience and you've got to have the certs. So why would you delay one when you can get that now while you're trying to wait until you get the opportunity to get the other? Because experience is definitely going to probably come from an opportunity that either someone gives you or an opportunity you create for yourself. But either way while you're provisioning that opportunity or waiting for it, you should still be getting the certifications because you can do that now and you can do that really quickly and increase your net worth as far as a cybersecurity career right away just by getting someone the certifications.

Camille: Right. That's a great point. I think there's a little bit of, again, a gray area in that space because like you said certifications, we get them so quick. Someone who has a little bit of knowledge and has some of those prerequisites they could sign up for a couple of courses right in a row and pass those and all of a sudden become so much more valuable. But also experience where they've done this hands-on work for several years is also of incredible value as well. So that is a really interesting question. I think it's really a paradigm of how that works in this industry.

Keatron: Yeah, it's definitely important because I can remember when I was taking Glenn through my Microsoft stuff, there was a service that Microsoft introduced I think with Windows 2000 when they went to Windows 2000 MCSC and it was something called Volume Shadow Copy Service. And what that means is anything on your system, if you right click it and turn on something called versioning what it does is if you were to delete a word document for example, or modify it or every time you make a change, Microwindows creates the previous version of that document.

So you can go into your computer, even with the versions of ones that we use now, right click any document, go to previous versions and if you have the shadow service on, you can see all the different versions and actually restore it. So if you modified a document the wrong way for the last five hours and you want to go back to where it was before, you can do that just within the operating system.

Whereas right before that, we would have to go get backup tapes and all kinds of stuff like that to restore those documents. And that was a service that was key because what happened for me is I went into an interview once where they gave a scenario on how would you go about restoring these documents if they got deleted. It was a network engineer position and everybody else I'd interviewed was what the manager told me was that they said, "Yeah, you would go into your backups and restore it from backup and do this, this and that." And I said, "Well, I would just make sure your Volume Shadow Copy Service is on and then I would just restore the previous version."

And they were like, "Well, what's a Volume Shadow Copy Service?" And I was like, "Well that came out.: So it let's a whole 20 minute conversation of me explaining to them what that was and showing them. And the only reason I knew it is because a month before I went and did the latest MCSC certification. And that was one of the new things that they added. So, it was a situation where I clearly got the job, there were people more experienced than me had more definitely more hands-on experience, but they didn't know that thing. And I knew that one thing because I was up on my certifications. So, I think it works both ways. And you really just want to try to have both on that you have control over that you can fix right now is a certification. The experience when you have less control over, you just have to wait and get that.

Camille: Right. Fantastic. Good answer. Okay. So, here's one more submitted question before we move on to the live questions. So, this person is currently working on the CompTIA Network+ and the IBM cloud application developer certifications at school. Should they be looking for a network analyst or cloud technician jobs first, then transfer to a cybersecurity field or should they start pursuing entry-level cybersecurity certifications such as Security+ and then look for a job in cybersecurity? So, this is again, kind of the interesting certifications versus experience questions. So really interested in what you think about this.

Keatron: Yeah, I mean, I would probably lean more towards getting a cybersecurity certification first and then trying to get an entry level job in cybersecurity somewhere and then you can still backfill the network skills and the cloud skills on your own. Or maybe as part of that job just to, because my thing is, if your eventual goal is to get into cybersecurity, you can still get into it and backfill the skill sets that you need to really be good at it. And I'm a proponent, like every webinar I've done, I've said to me, the best path is you become, you master networking and master operating systems and all these other things first and then you move into cybersecurity. But you can definitely do the opposite. You can get into cybersecurity in a very intro level fashion and then backfill, learn those other things.

So, I would say if you're really trying to make the jump now look at Security+, make some connections, see if you can get an entry level job and then move into cybersecurity and backfill on the other stuff. And keep in mind there are other cybersecurity roles to that, that don't even require so much of the networking and things like that because there is a lot of management jobs. There's a lot of jobs that aren't really technical at all. Compliance-based jobs where you just have to make sure organizations are compliant. So, I think a lot of that question here depends on what it is you're trying to do in cybersecurity. Are you trying to do a technical career or are you trying to just be in cybersecurity period? If it's just trying to be in their period, then I would say jump in and give yourself some time to explore.

And that's another thing too, I want to tell people, don't be afraid to start a career or start a path in cybersecurity and realize it's not for you and say, I don't like doing this. I want to do something else in cybersecurity. Absolutely don't be afraid of doing that because that's where you really got to excel is when you start doing stuff that you want to do.

Camille: For sure. And I think that's an interesting point with doing stuff that you want to do. This industry has so many different portions of it. Like you said there's auditors, there's engineers, there's something that I think is an interesting job is people that develop security content for training like some people on our team and develop different security. Education I think is an interesting job that some people can go into if they don't necessarily like all of the hands on, but they have the experience and knowledge on how to develop this material to teach to others.

I think that that can be an interesting path to go down as well. And there's just so many different roles that need to be filled. I mean, if you go on any job website right now and kind of just keyword cybersecurity which I did that the other day just kind of working on a different project, looking at different roles that were available all across the country. There is so many different titles and so many different roles that are options.

Keatron: Yup. Absolutely.

Camille: All right. Cool. All right, well, now let's move on. Some questions are coming through the Q&A panel here and keep submitting those to all the attendees that are on with us today. So, first question is from Will and he kind of said, "What is the difference of CSSP and another certification? Which certification is more valuable for people who kind of want to have a fast track?" And that kind of touches on the question just previous. So, what are your thoughts there?

Keatron: I mean, I think if you're trying to fast track yourself into cyber, you have your usual suspects. CSSP, Security+, Network Plus, CEH, those ones are counter to ones that if you look at cyber jobs, I mean, I would bet you that it would be nearly impossible to do a search on Monster or CareerBuilder for a cybersecurity position and not see at least one of those three certifications requirement.

So I think getting those three or getting one of those three would be like your quickest way to at least be, get the attention of some people are recruiting for cyber positions. But again, the key there is make sure that you have an idea of what it is you want to do before you even embark on that mission because that's going to dictate several things. One, what you want to end up doing is going to dictate the order at which you get those certs in. And then secondly, what you want to end up doing is going to dictate which search you get after those three-primary certs.

So, I would say have an idea of what it is you want to end up doing before you try to fast track into cyber. Know what you want to do after you get in and then fast track in.

Camille: Right. Okay. Very cool. Well, Will, thanks for the question. I hope that helped a little bit. Another question that kind of came through is this person is trying to transition into cybersecurity from their current career working in the public-school system. So, they recently got a Security+ certification and a bachelor of science degree in cybersecurity, but they don't have any professional or paid experience. So they've searched and found hundreds of cyber jobs in the metropolitan areas. But the entry level or tier one jobs generally require three years of experience from what this person has found. So he's being told that he doesn't have enough experience. How can he overcome this and convince employers that he can do the job? He or she, I'm not sure.

Keatron: Yeah, I would definitely say with that question, you probably want to make sure that you again have an idea of what it is you want to be doing. And when you go on these interviews and you run into that whole thing of experience over certifications, I think you kind of have to ask for why did they even call you in for the interview if they really... They had to be a reason that you even got called in all for the interview.

So there may be some other things that's going on that's dealing with it a little bit. That's you're not as attractive maybe look at the skill sets that you have, and then also one way to overcome that as you might have to do some volunteer work and things of that nature. Like go to your local nonprofit organization, one of your nonprofits and just volunteer to do a pen test or security auditors or some security consulting thing for them on the house kind of just so that you can have it on your resume that you've done these things and you've actually got a client that someone can call and reference and say that you've actually done these things.

That to me is one way to kind of get past that experience challenge because that is definitely a challenge that I even see it myself with employers. And I've even advised employers to kind of just take a look at least behind the curtain sometimes. Even if the person doesn't have the experience, take a look at it. Because again, I got my best pen tester. Now she's my best pen tester and she didn't have any experience that was required, but because of how she approached the interview, I kind of decided to take a shot and it was definitely worth it. So for you guys trying to get these jobs, definitely just continue to get the certs because again, the whole thing, if you run into employers that clearly value experience, there is no magic thing that you can do to get around that.

You just have to keep interviewing until you get somewhere where that's not the case. But the main thing is while you're doing that, while you're preparing for those interviews, keep preparing for certs, keep learning. Because again, to me, when that opportunity comes you better be able to hit the ground running. And the only way you're going to do that is to keep learning as if you already know you're going to get the job. So keep preparing for the job that you want to do and that will set you up for when that luck happens or when preparation and opportunity finally meets, you'll be prepared to take advantage of that opportunity. I think some people get frustrated with that conundrum and they stop preparing. So at that point they are not even prepared to take advantage of the opportunity when it does present itself or worse, they're not even aware that the opportunity is there because they unplug from cyber to where they're not familiar what's going on now.

So I think you just have to really just stay at it. But in the meantime, don't waste your time. Keep preparing, keep getting the skills so that when you do see somebody that will take a chance. Because me, for example, the thing that I look at the most is I always give technical interviews. So I will give you a laptop what the Kali CD and say, do these things. So when you run into somebody like me, that experience is not going to mean as much as you might think because you can have a lot of experience doing something the wrong way. You've been pen testing for five years, but you've been doing it terribly for five years, then I don't want to hire that person either.

But if you're kind of new to it, but you actually got some solid skills and I see that in your technical interview, then I'm definitely going to hire you over the person that's got experience. So I don't think that's going to necessarily make it easier for you. But just to encourage you there are some of us out here that look past that experience thing and we look for the actual skills because sometimes experiences is not always equal skill.

Camille: Right. And now going off of that, what percentage or in your experience when people are hiring for cybersecurity positions, how many of those include a technical interviewer or a time to showcase their skills? Or is it more specifically just kind of looking at that resume? Looking at that years of experience and looking at that list of certifications?

Keatron: Well, I think the list of certifications and that type of stuff is what's going to get you the interview. Once you get the interview, if they're expecting you to do pen testing, you're probably going have to do some technical stuff in your interview.

If they're expecting you to do a technical cyber job, I can't imagine a lot of places, not at least having you do a little test as to where you have to actually do things. So, I think that's more likely what you're going to see, when you go up to a technical interview. But if you're interviewing for an audit position, then don't expect to go in doing something technical either.

Camille: Sure. Okay. That sounds good. And then that makes sense with, again, just with the variety that there is so. Another question that came through is, Michelle again is asking she's interested in, likes the idea of potentially transitioning from her education career into education within InfoSec or within information security technical education. Is there a specific certification you would recommend for someone who's interested in teaching cybersecurity?

Keatron: Yeah. I would definitely say that if you want to teach it, like I said, cybersecurity is a very broad thing. So if you start off with broader certifications like security pluses on the lower end abroad and CSSP is on the higher end abroad. So those I think are two good starting points because it gives you visibility and insight into a lot of different things, cyber, and that sets you up as a good teacher for whatever specialization you want to go into teaching. Because now you can speak to other things that are to the right or to the left of what the main topic is without being off topic type of thing. And that to me makes you a much more fluid instructor. Is if you have the ability to kind of seamlessly go from one topic to the other, get off practice a little bit but not enough to distract people and get back on topic. So I think that would be some certifications that will be good to start there with.

Camille: Sure. Here's another question that came through on the Q&A. Kind of interesting about the location of cybersecurity jobs. So this person is asking, "It seems like companies in the Silicon Valley are looking for people with a lot of experience and are super competitive. Are there other areas of the country more open to taking a chance on someone without a lot of experience?" If so, any suggestions on a metro area that might be good for this person?

Keatron: Yeah, I don't think it's so much the metro areas. I think people have to just kind of lower somewhat their expectations of what job they're going to enter into cyber with. Like, you're not going to enter in with this dream pen testing job that you see people talking about on the Internet because they've probably done other things to work up to that job.

Also take some time to actually go and talk to places. I just did an experiment a few months ago. I went downtown Chicago and said, I'm going to spend the next two days six hours a day just walking into buildings because there are so many office buildings downtown. There's literally thousands and thousands of companies. And I went and just walked up and down knocked on doors, rung bells, walked into the receptionist and just asked if I could leave a resume because I'm looking for a position in cybersecurity.

I mean, I'm not really, it wasn't really my name on the resume because if they Googled it, they would be like, "Yeah, this guy can't possibly be looking for entry level position." So I had some fake stuff on there just to see. And it was amazing because within the first day, I think I dropped off probably 60 resumes that first day. And by that afternoon I had got about 17 calls and I specifically structured it to where the skills that I had, I had Security+ and I had on their studying for CEH, and I had some, just some very extremely basic skills on there. And I got 17 calls that first day from just walking in, I didn't do any LinkedIn. I didn't do any emailing. I literally just walked in to those places and just left resumes with the receptionist or whoever happened to be there saying, "Hey, I'm looking to do some entry-level cybersecurity work."

So I think for one, you have to make your expectations realistic as to what position you're trying to get and two, start thinking about doing some unconventional things to market and sell yourself including the way that you used to have to do it, which was like I just described, walk into places and actually say, "Hey, I'm looking to get into this field because you never know." You might walk into a place and they might be having a security incident or something or somebody just got a phishing email right then and run into that.

Camille: That's a very interesting experiment. I like that. I think when you first started saying you walked into different Chicago office buildings, I kind of first thought this was going to be an experiment on physical security. Seeing how many people would let you in or buzz you in without a pass or that kind of thing. Because even that's a little bit of a tie in to the cybersecurity field with who can get on your network or who can have access to the different businesses.

And that's always interesting to see as well. But I really liked that experiment of just kind of handing out the resumes and that's just a way to make yourself more memorable and make yourself noticed right away because it is so rare that a physical resume is given unless it's perhaps a job fair or something like that. So that's a really interesting tip I think. I think I would like to see more people try that. And if anyone has any cool stories to share, send them to me via email. That'd be interesting to hear about. It looks like we've got time for just a couple more questions before we move on. So another question is, "InfoSec and cybersecurity are such broad terms, and I'm specifically interested in digital forensics. Any suggestions for certifications that support a forensics path more than security and other preventative measures?"

Keatron: Well, yeah, there's definitely some certifications specific to digital forensics. I would say any of the like CHFI, the CCFP all of this stuff that you probably find on the InfoSec website specifically for digital forensics and then it's kind as a crossover, the incident response training. There's a lot of forensics involved in that training, in that certification as well because when you do technical response, a big part of it is actually doing some variations of forensics, whether it be network, host, memory, whatever the case may be.

So I think driving towards those certifications CHFI, CCFE, and then some of the incident response certifications would probably be where you would start if you're trying to do that type of thing. Now, as far as defense, because I think it said something about defensive in there as well. I think at that point it becomes a lot more vendor specific. If you're going to have an entire Cisco infrastructure, or Cisco firewalls, then you want to take and get Cisco defense certifications or Cisco security certifications. If you have Juniper, then you want to get their certifications.

Camille: Right. Really tailoring that to meet your needs. Sure. Very good. Well, as we get to kind of clips to the end of our hour here, we're going to go ahead and move on, but I just want to again thank everyone for the fantastic questions and everyone that submitted them in advance of the webinar as well as live today. And then of course for those who... For Keatron who joined us today, so appreciate you having us. With that, it actually looks like we've got a couple more minutes left. Keatron Would you mind sharing just a little bit about what you currently do and so you told us about kind of how you started in the industry. And I think this might relate to the one last question here, which is how do you start your own cyber consulting business? So I think that kind of ties in with how you've progressed throughout your career?

Keatron: Yeah, I think that that's a good question. And honestly for me, the thing that I think was most valuable is first of all, you need to become really good at doing cyber consulting. There's a whole lot of business concepts, but that stuff is not going to help you if you're not good at it but you have to become really good at what you're doing if you're going to do cyber consulting. And the best advice I would give is number one, focus on something like find a specialization in cyber consulting and focus on that and become very, very good at that. And then if you see opportunity to grow other areas, do that because I started specifically doing pen testing as my cyber practice and that grew into a whole lot of other different things that we do now.

But I was careful not to branch into other areas until we really had a lock on pen testing and then forensics and then incident response. And now threat hunting is become like the fastest growing business area for us. We get a lot of RFPs for that. So I think that doing it that way. And the other thing is make sure you see a lawyer, an accountant and an insurance person. See those three people first when you do your business because a lot of your questions will be answered just from talking to those two people.

Camille: Sure. Fantastic. Well, again, Keatron, thanks so much for joining us. Your insight is just always so valuable and helpful for those both already in the industry as well as those who are just starting out and kind of looking for a pathway. So definitely appreciate you joining us. With that, it looks like we're coming close to the end of our time here. So, we will wrap up and I hope everyone has a fantastic day.

Keatron: All right, thank you.

Camille: Thank you.

Chris: I hope you enjoyed today's episode. Just as a reminder, many of our podcasts also contain video components, which can be found at our YouTube page. Just go to youtube.com and type in Cyber Work with InfoSec to check out our collection of tutorials, interviews, and other webinars. And as ever, search cyber work with InfoSec in your podcast app of choice for more episodes. Thanks once again to Keatron Evans and moderator Camille DuPuis and thank you all for listening. We'll speak to you next week.