Becoming an ethical hacker with Offensive Security CEO Ning Wang

Ning Wang of Offensive Security talks to us about her role as CEO of Offensive Security. In her role she is responsible for the company culture, vision, strategy and execution. We talk about Wang's cybersecurity journey, her direction at OffSec and the ways that white hat hackers can be recruited into the industry, possibly riding the interest of big news-story hacking events like the Colonial Pipeline hack to do so.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 - Intro
  • 2:21 - Origin story
  • 5:31 - Changing careers
  • 7:46 - Skills learned throughout Wang's career
  • 11:46 - Taking a chance on a new career
  • 12:50 - What is Offensive Security?
  • 16:19 - Try harder mindset
  • 19:42 - Offensive Security certification
  • 23:02 - Recruiting ethical hackers
  • 28:12 - Civic responsibility
  • 33:10 - Ethical hacking job specialties
  • 36:49 - Tips for ethical hacking learners
  • 40:09 - Women in cybersecurity
  • 43:56 - Offensive Security's future
  • 46:35 - Feedback from students
  • 48:11 - Learn more about Wang OS
  • 48:48 - Outro

[00:00:01] Chris Sienko: Today on Cyber Work, we have a great conversation with Ning Wang, CEO of Offensive Security, in which we speak about learning to be a white hat hacker. We talk about her transition from physics into cybersecurity education, the rigors of the OSCP certification and Offsec’s try harder mindset, and how ripped-from-the-headlines cybercrime stories can drive concerned citizens into their new dream job. That's all today on Cyber Work.

But first, I want to point your attention to an all new ebook published by Infosec. It's titled Developing Cybersecurity Talent and Teams and it's free to read if you just go to infosecinstitute.com/ebook. It contains practical team development ideas for industry leaders, sourced from professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JPMorgan Chase and more. Did I mention it's free? You know it is. Infosecinstitute.com/ebook to learn more. And now on with the show.

[INTERVIEW]

[00:01:03] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cyber security industry. As CEO of Offensive Security, Ning Wang is responsible for the company's culture, vision, strategy and execution. She joins Offsec with 20 plus years of experience having held COO, CFO and CTO roles at several fast growing companies, including HackerOne and lynda.com. Ning has extensive experience in leadership, company building, operations, fundraising and M&A. She is passionate about building great companies through high-performing teams, narrowing the talent gap in security and promoting and nurturing women in tech and security. Ning has a PhD in physics from UC Berkeley and has worked at McKinsey and Company.

So we're going to talk today about Ning’s cybersecurity journey, her direction at Offsec, and the ways in which white hat hackers can be recruited into the industry, possibly riding the interest of big news stories like the Colonial Pipeline hack or the water poisoning in Oldsmar, Florida.

Ning, thank you very much for joining me, and welcome to Cyber Work.

[00:02:18] Ning Wang: Thank you for having me, Chris. Really delighted to be here.

[00:02:22] CS: Delighted to have you. So we always like to start the show by finding out more about our guest’s cybersecurity journey. You've had a fascinating and multifaceted career. You started out, as I mentioned, studying physics and getting your PhD in physics. From there, you moved into Chief Financial and Chief Operations Officer roles before becoming CFO and COO at lynda.com in 2008, which is pretty cool. You've been a strong hand through several startups before becoming COO and CFO at HackerOne in 2015, and now CEO at Offensive Security since 2019. Can you talk about your relationship with cybersecurity in tech? Because, moving from physics in your schooling, what drew you to cybersecurity, and specifically to education around cybersecurity?

[00:03:09] NW: Such a good question, Chris. I was really reflecting back on my journey in your question. Obviously, I have been asked this many times. I want to say to the audience that I started early on. What drove me really was that I loved challenges, when people told me I couldn't do something. Being a girl in science, I had plenty of people who were very supportive. But I also had a lot of people who told me I couldn't do it because I was a girl, or that it was good enough for me and I didn't have to try harder and strive for something higher. So that drove me all the way to getting a PhD in physics. And I never questioned anything else. I just tried to prove to the world that I could do anything I wanted to do if I set my mind to it.

It wasn't until I got to Berkeley that I first started asking myself what actually is my passion, what I love doing, that I would do even if it weren't a job, because I really love doing it. And I spent about four or five years trying to figure out what my passion was. I finished my PhD. I did two postdocs. And it was after that that I got to McKinsey. I realized one day I want to either build and start or run a company, doing something, products or services other people can use, that I will feel really good about out of the work I do. So that's what got me into business. And because of that kind of mindset, I have always taken every opportunity to learn and solve problems, and especially the problems that we solve in business that have a much bigger impact on the society and the community in which we live.

So lynda.com was one such example, seeing how the Lynda training really changed the lives of so many people. They did a training, they were able to get a job. And it was so satisfying to work on something like that. And then HackerOne was another one, where cybersecurity, increasingly, is such a huge problem in the digital world we’re not only working, but living in. So those kinds of opportunities, and trying to figure out a way to solve a problem that will benefit not just in building a company or business, but really will benefit society. Those are the things that actually drove me to some of those opportunities.

[00:05:33] CS: Yeah. To sort of contrast that with physics, did you feel like – I mean, obviously, you loved physics. And you strove and did very well in it. Was there something different? Because you say, like, I wanted to create tangible things that people could use. Did you feel like within physics there were maybe not as many opportunities to create tangible things, that you either had to become a teacher or were just sort of working in someone else's area of expertise?

[00:06:03] NW: Yeah, that's a good question. In physics, especially in experimental physics during my PhD time, what I learned the most is how to solve problems. And then we apply that to the particular area of research we do. In my case, I was looking for dark matter particles. So you are an extreme expert in a very narrow field, and there are probably a couple of hundred people doing it in the whole world. And once you find those kinds of truths about the universe and things, it's pretty profound, but it takes many, many years to advance our understanding and knowledge at the fundamental science level. Me being an impatient person, I was looking at the research I was doing, which I really enjoyed, building those instruments and looking for the particles. But at the same time, I really missed the practical application of things, okay?

And also in research, you usually work with a small group. And I really loved working with people and working in a team. So I will say having the practical aspect of it, where you can talk to the people you meet every day about what you do, what it means, how it impacts them. Those were what drove me from physics to business. But even as I got into business, if you think about it, business is about solving problems. You're solving a problem. That's how you create a product. That's how you create a company, right? You solve it well for certain types of people. So in that sense, the approach and methodology and the thinking, the mindset, is very similar. Just the application of it is a little different.

[00:07:46] CS: That's fantastic. So I want to pivot to some practical examples, because a lot of our listeners are just getting their feet wet in cybersecurity. And they might find it hard to even imagine where their first job is going to be or how they're going to get out of a help desk position, let alone imagine rising so high in the ranks of organizations. Can you tell us about the skills or education or projects that you learned along the way that helped you take on these increasingly complex and challenging positions?

[00:08:15] NW: Yes. What I want to say to people first is that, really, figuring out what your passion is, because when you do things you're passionate about, it doesn't feel like a job. It makes it easier for you to get through the tough time. Because no matter what job you do, there are tough moments. And it takes that perseverance and not giving up. And when you do what you love, it's just so much easier. And I think Steve Jobs said something similar. And I couldn't agree more on that.

And then the next thing is that, in fact, in our everyday work and job, there are so many opportunities that present themselves to you, and then have the attitude of grabbing those opportunities when they present themselves. So for example, you are doing helpdesk, and an issue comes up that you haven't been trained for. Okay, there's Google, so go figure it out and see if you can find a solution. Because by doing that, you just become somebody who can figure things out. And when you grab on to these opportunities, you develop your personal brand, you build your reputation, and more opportunities will come your way.

So I'll give you an example. After McKinsey, I joined my first startup, and it's carparse.com. I went in – My role was Senior Director for strategy and business development. So not engineering. Not building products. And I really wanted to build products. Because remember, I went into business thinking I would build products and build companies one day. I didn't just want to do strategy, right? So I told the CEO. The CEO told me I wasn't qualified because I didn't have the training in product management and web development. I wasn't qualified to do that.

So what I found out is that because I always like to ask questions, I like to ask a lot of whys. And if there's something that didn't make sense to me in my head, I would ask people, and I wouldn't be scared of asking what I call stupid questions. So over lunch, I would ask the director of database and the developers, and I would look at our website and I would say, “Why do you make the user experience this way? Because you ask them for the car information. On the next page, why do you ask them the same information again? It's not a good user experience.” And they would say, “Hey, that's because of the database. The databases are not integrated.” I said, “Just integrate them.” And they would say, “Ning, it doesn't work that way.” I said, “Explain to me how it works.” So one thing led to another. I got so involved on the side, in my spare time learning and chatting with the developers, with the directors, with the people on the engineering team. The next thing I knew, they would come to me and ask for my opinion about their design, about the new feature, about how they would do it. And the next thing I knew, the CEO wanted me to take on the CTO role, which initially I actually thought. But that's how I got into engineering. Meeting the entire engineering and product team, because it wasn't my job, but I was interested. So I kept on learning and asking questions and offering my help anywhere I could, doing testing, even though it wasn't my job. One thing led to another. And that's why I say to people, when opportunities present themselves to you, take them. When there's something you're interested in, take the time to learn. If it’s not during your working hours, it could be the weekends and evenings, because learning makes life interesting and gives you so many more opportunities.

[00:11:46] CS: And I think that's a really good lesson. I completely agree with all of that, and the importance of continuous learning is crucial. But also, I mean, you can imagine another person hearing that same story and saying, “Well, the databases don't integrate,” and saying, “Well, I don't know how to do that either.” You're like, “Well, too bad for them.” But that was a pretty big, scary chance that you took there. You said, like, this is something I don't know anything about, and I'm going to throw myself headlong into it. And I think that's a really good lesson for our listeners, to stretch yourself past your comfort point.

[00:12:19] NW: That's right. Actually, when we stretch ourselves, when we are doing things that we're not 100% comfortable with, that is the time you learn. And for me, what has driven me all the way till now is I need challenges in my life. That's where I feel the liveliness. And then challenges present all the opportunities to learn. And don't be afraid to ask questions. And then be willing to put in the effort to learn and contribute and help out. And that's how opportunities come back to you again and again.

[00:12:49] CS: Fantastic. So for listeners who aren't familiar, I want to get a little info about your current company, Offensive Security. What is your organization's mission? And talk about Offensive Security’s certifications.

[00:13:04] NW: Offensive Security is a cybersecurity training and certifications company. And we're really big on giving back to the community. So maybe many people among the audience have heard of Kali Linux, which is our open source operating system and is used by nearly everybody in cybersecurity. ExploitDB, VulnHub, these are open source projects we really make 100% free to our community. And then on the business model side, what we do is our mission – We're a mission-driven company. Our mission is to empower the world to fight cyber threats by inspiring the try harder mindset. There's no better way to defend against cyber threats than by thinking like the adversary, by thinking like the cyber criminals, like the attacker. If you know how they may attack you, you know so much better how to defend. That's our mission. And we train our people to have that kind of mindset, which is not easy. And we have developed an approach that has proven to really work, which is we do hands-on training using real-world-like systems, exploits, networks. And the idea is that not only do we teach you the theory, but what's much more important is that we offer you a lab environment that's like the real-world situation, so you can see, “Can you figure out where the exploits are?” and then be able to penetrate. And that is how we teach our people to have that mindset.

And actually, I have also thought about – I haven't heard people talk in that kind of analogy, but I think it's so true. In the early part of the medical field, when you trained to be a doctor, the fact that you had to do rotations as real training, part of the training being to work with real people, 150 years ago it was not the case. But now nobody thinks they can become a doctor without going through training seeing real patients, okay? You learn the theory, you've got to practice with an expert. You look side by side, whether it's surgery or another specialty, you have to do that.

I think cybersecurity is very much like that. Because if you become an expert by reading books, by answering multiple-choice questions, or by knowing all the theory, but you don't know how to actually put it into practice and find the exploit, you can't do the security job. So cybersecurity, in many ways, is like the medical world: you need to know the theory, but much more important, you need to learn the practice. You need to practice the theory so that that theory becomes your own wisdom, your own knowledge, so that you can diagnose every situation that you see, because in cybersecurity, it's not like you can follow a playbook and do a great job. It doesn't work that way, because every threat is different. You have to be able to think on your feet and think critically, and come up with a creative solution, right?

[00:16:19] CS: Yeah, we hear that so much from hiring managers who have someone in who collects certifications or just reads the books and learns all the theory but doesn't know how to use even the most basic tools in any practical way. Can you talk about the try harder mindset? That's a really intriguing phrase. Can you give me the elevator pitch of what try harder means in regards to your study and training?

[00:16:46] NW: Yeah, our most famous certification from Offsec is OSCP. And the training for that is PWK, Penetration Testing with Kali Linux. And we have an extended lab, and the lab has multiple networks, a lot of machines, different kinds of real-world exploits built in. But we don't tell you exactly where they are. Because in the real world, when you do the job, people don't tell you, “Go there. Go there.” And if you get stuck, here's a hint, or here's a walkthrough.

So what we're trying to show people is that this is what the real world is like, and see if you can figure it out. And in the beginning, you may not know. And then when you solve a problem, like any problem you solve, physics is that way, cybersecurity is that way, go in with a hypothesis. And then you are going to either prove or disprove your hypothesis. If you disprove your hypothesis, then come up with another one. So the thing about try harder is, don't give up easily because you didn't accomplish what you set out to accomplish in the beginning. But at the same time, it does not mean do the exact same thing over and over again. That is not try harder.

And in fact, one of the things that I think is a habit people need to develop, and it takes time to realize that's an important habit. I go back to physics again. In physics, we often get stuck. We actually fail more often than we succeed. That's how we figure out the truth about something, when we learn something that is so profound, the new knowledge, right? But when you get stuck, one thing I learned during grad school is that we literally take a break, a coffee break, a lunch break. You go out with some fellow graduate students and you actually talk about it and say, “I just got stuck with this experiment. And I wonder if you have run into that.” In that conversation, you never know what thoughts will come. And something someone mentioned or something you've heard just gives you another breakthrough idea for another hypothesis.

In cybersecurity, it's exactly the same thing. For example, we encourage our students, when you're working in the lab, or even when you're taking the exam, our exam is famously 24 hours long. When you get stuck, take a break. It’s actually important. Move away from the screen. Because by doing that, things can come to your mind in a very organic way that can give you a really good hint or idea in a direction you haven't thought about, an angle you haven't thought about. That's what we mean by try harder: to learn those techniques and develop those habits. Don't just give up. But don't beat the dead horse either. I mean, if you keep on trying the same thing, you're going to get the same result. But know when to walk away. By walking away and taking a break, in fact, you can have new insights. That's what we mean by try harder.

[00:19:42] CS: So the OSCP certification in particular is pretty highly regarded in the industry. And in fact, we had a recent episode of our Cyber Work Live. It was an episode on red teaming as a profession. And our guests, Aymn Gilani and Curtis Brazzell, specifically recommended the OSCP certification for ethical hackers because of its extensive hands-on components in studying and testing, just like you said. So how was this approach developed in creating OSCP? How far back does this try harder mentality go? Was it the core of Offensive Security as a company?

[00:20:23] NW: It started really early on. The company started in 2006. Our founders, together with the early members of the team, really developed the training and the mindset. And unlike a lot of training companies, where people think mostly about how do I build a business? How can I get people to come and buy the training?

Offsec, from the very beginning, the starting point is, what do we need to provide and teach and train so the person can really be great at doing that job? And in our case, our PWK course really started by targeting penetration testers. So the idea is, what does it take for somebody to be able to do a good job in their penetration testing engagement? That was the starting point. And that's how the training, the content, the labs, and how extensive we make the labs came about. What kind of examples do we put in? Do we provide hints or not? How much hand holding do we do versus not? All of those were very intentionally designed, because the idea is that in the real world, there is nobody you can just say, “Give me a hint” to. Because when you're doing the job, people are expecting you to find the vulnerabilities in their networks, in their systems, right? So that was the starting point. It's very much our DNA today as we talk about training, what we do, what we don't do, and especially how we do it.

And as our training and our cert get more and more popular, we have more and more people who don't have all the prerequisites and who want to take the course and want to get the cert. And then we're really questioning ourselves: how much do we help our people get the prerequisites so they can do the training, but do it in a way that we still encourage them to think, to learn how to think? So that it's not just 1, 2, 3, follow the instructions. Do that. Because in cybersecurity, a lot of the managers will say, “I need somebody who can think, because this situation is different.” And I don't know what you think about it. In my case, a lot of the time when I interview candidates, I often give them a question. I even tell them, “I am not interested in you giving me the correct answers. I just want to know how you think.” Your thinking process is much more important to me than all the knowledge. Because if you think in the right way, and you are a quick learner, anything you don't know, you will pick up in no time.

[00:23:03] CS: And I imagine, even if it's completely, patently strange or whatever. Like if they give you a really radical thought process in terms of, “Well, I'll try this, and I'll try this, and I'll try this.” You're like, “Wow! Maybe I wouldn't have even thought of that.” But you said it’s that kind of exciting thinking that can make you stand out, rather than saying, “Well, okay. Now, what did the rulebook tell me to do in this moment?”

[00:23:25] NW: That's right.

[00:23:27] CS: So the goal of this podcast is always to facilitate careers first and foremost and work for cybersecurity professionals. So our topic today, as you suggested it, is recruiting and preparing white hat hackers and related ethical hacking positions for the challenges of the future. You noted in our early correspondence that cybersecurity-related news, like the Colonial Pipeline hack, or the hack of the water supply in Oldsmar, Florida, not only concretizes the perils that our infrastructure and organizational security face from hackers, but can also serve as a recruitment tool for potential ethical hackers. So we talk all the time about the skills gap and the employment gap in cybersecurity. And some of it is that there aren't enough people interested in these roles. So how do you think these news stories can be leveraged in areas where ethical hacking professionals are scarce to drive more interest into the field?

[00:24:18] NW: I have said this in other talks I've given. I think the cyber threats or the cybersecurity issues are going to get worse before they get better, because so many systems out there are antiquated and were not designed with security in mind. So fixing them is not going to be quick. There's no silver bullet. And it's also true that there are so many job openings in cybersecurity. There aren't enough qualified people. So in a way, it presents a great opportunity. For anybody who is passionate about it, you have a great opportunity in front of you.

And then what I want to say is, what does it take to be a great cyber professional? I think it takes the following six traits. First of all, you really have to have a curious mind. You have to have that curiosity and ask why. And then try to understand how things work. That curiosity is key. Secondly, you have to have a creative mind in solving problems, because you can't just brute force everything in cybersecurity. You don't have enough time or resources. Okay? So you have to be clever. You have to be creative to say, “If I want to prove or disprove this hypothesis, how can I do it in a really clever, quick way?”

Third, you can't give up easily. I mean, cybersecurity is not easy. If it were easy, everybody would be doing it and we wouldn’t have the skills gap that we see. So you can't give up easily. You have to persevere, have that perseverance. And number four, even if you're really good, you can learn the craft, but there is no shortcut to hard work. Malcolm Gladwell talks about the 10,000-hour rule for a lot of specialties. And it was funny, I was talking to one of our top researchers in the company, and he was telling me how many years he spent becoming an expert and how many hours he spent every week. And I was calculating. I said, “Oh my god, it's like you did a PhD that way.” And when I did my PhD, it was roughly the same number of hours. The 10,000-hour rule applies here. If you think that by working three months and doing a training you can somehow be an expert in cybersecurity, that's not realistic. If you want to be good at it, you have to persevere and put in the effort.

You might be able to get a job, get your foot in the door in cybersecurity in six months or one year if you study and get training, get the certification. But to be really good at it, to move up that skill ladder, you have to have realistic expectations. And then the last two, I will say, this is a field like many other fields. Attention to detail really pays. You've got to have that habit, attention to detail.

And then lastly, as you learn, as you do more, you're going to gain wisdom. And the wisdom will allow you to disprove or prove a hypothesis in a much faster way. And you can only do that through actual trial and error, and more from the things you tried that didn't work than the things that did work. And over time, over the years, you will learn to have that wisdom. And if you have those traits as part of who you are, and you don't know all the craft, don't worry, you can learn it in really no time.

At Offsec, for example, we have people who studied philosophy. They knew nothing about IT, but they have all the other characteristics of what it takes to be successful. And they are doing super well at Offsec. They earned their OSCP. Similarly, I've seen people who worked in the mailroom. They didn't even know IT. And they decided to go into security. And they studied. They put in their sweat equity. And they are now so successful. And we have many people like that at Offsec.

[00:28:12] CS: Yeah, I want to move back to some of the big-ticket stories, because we've had guests on the show, like Emily Miller of Mocana, who talked about the Oldsmar water hack, and Dirk Schrader, who talked about, as he said, just acres of unprotected medical data out there and so forth. And as I hear all these stories, the answer is like, “Frankly, we're terrified.” Not enough people even know that this is a problem, that, like you said, there are so many open systems that are just waiting for someone to pull the switch. And I feel like it needs to drive employment and study in a way that almost suggests a WPA kind of thing, where there needs to be this new generation of cybersecurity experts who are going to their local municipalities or their local cities and finding the places where the city has open data that's waiting to be exploited and so forth. And I'd say, with the big news stories, the Colonial Pipeline and so forth, we're starting to see that it's a powder keg waiting to go off. But can you speak at all to the – I mean, almost the civic responsibility of people in ethical hacking positions now to – Every guest so far has said we don't know what the solution is. There are just not enough people. Can you talk about that at all?

[00:29:40] NW: I think the cybersecurity problem is so big. I think it really takes everyone to address it. First of all, I think we need to create so much more awareness just about cyber threats. So in a way, all this news, the bad news that came out, one thing it certainly achieved is that it's on everybody's mind. We read it and just say, “Oh my God! That can happen to any one of us. It's really true.” It's not a question of if. It's only a question of when. So be more aware, and aware of the different techniques of social engineering, the phishing. So that is one area I think we need to do more in.

Secondly, the cybersecurity problem is a people problem. It's not just a system problem. We are all humans. Humans are not machines. We're not robots. We make mistakes. And the cyber criminals take advantage of our humanness and the mistakes we make as humans, and exploit them to their advantage. So what that means is that all the people whose job touches on coding systems, developing systems, or orchestrating, administering or configuring systems and networks, those jobs need to be done with a security mindset. Those people also need security education and to know how to do their job in a more secure way. And then the cybersecurity professionals, the ethical hackers, the white hat hackers, the penetration testers, the red team, blue team, purple team, what we need them to do is not only be able to identify where the weaknesses are, but go in with a mindset that we need to partner, not just to tell people what a bad job they did because of the vulnerabilities identified, but think as a partner. How can we help the people who do the job that had these vulnerabilities so that they can have fewer of them? And then if there are vulnerabilities, how can we find them before they get exploited?

And then it's the mundane jobs that we do. For example, patching. When a new release comes out for the operating system, all the open source tools. If you know your system is using those things, and it's a critical system, I hate to say it, patch them as quickly as you can, because it is all of these things that matter. Our ethical hackers will help find the vulnerabilities. But when it is a critical one, prioritize it higher than the features you need to release. It takes all of that. And I want to also say, for the CEOs and the board members, it takes them to put cybersecurity really on their agenda. Like they ask for financial results and audit reports, I think they need to put cybersecurity at the board level as a regular item, so that they can give focus and give investment, give resources, so that we can have more teams that collaborate together to allow our ethical hackers to find the vulnerabilities, but also to allow the other team to fix them in a timely way. It really takes all of that for us to gradually get our security posture better in our everyday life, personal and work life. And I just don't see any shortcuts.

[00:33:11] CS: Right. I agree completely. So for people who are currently learning about or studying ethical hacking and related careers but aren't sure where to look for work or where to specialize, can you talk about some of the sub-specialties within ethical hacking? We mentioned red teaming and blue teaming and some of the different sort of “sides”. Speaking in regard to these sort of sub-specialties of white hat hacking, what types of people have you seen that excel at these different varieties of ethical hacking? What are some qualities that you think make someone a better, say, penetration tester, versus a red teamer, versus an engineer, and things like that?

[00:33:50] NW: Yeah. I go back to the traits I talked about. I have read a lot of the blogs that our students post after they have earned their OSCP. And some, it took them multiple tries. And then actually those people [inaudible 00:34:10], and I love their story, okay? And really what it is is that you know what you want and then be willing to work hard. And then do not – For example, OSCP is very famous. And with that, it is true. They probably guarantee you, if not a job, definitely guarantee you an interview, because the hiring managers will notice. But do not study for the exam. Study because you want to learn the mindset. You want to learn how to work like a security professional, and those things show through during the interview. And then when you get stuck – There's one thing really nice about the cybersecurity community, is that there are so many communities out there. Get involved. Either get involved there to ask questions and learn from the other fellow ethical hackers on their journey, or get involved as a way to share your learning. And when you are involved in the community – And you know what? A lot of the companies, a lot of the hiring managers, they are there too. They notice you.

So when you are yourself and you are really trying to apply these traits that are important to succeed, that is where you get noticed. And I cannot tell you how many people that we hired are from the community work that they have done, either a blog post, or a walkthrough that they share with the community. We really reach out to those people. We actually recruit people like that, because we know those are the people that will succeed.

So I want to say to your listeners that you want to do that. If you don't know IT, learn the basic IT stuff. If you know the basic IT knowledge already, you can go earn one of the certs, but study for the training, for the mindset, for the skills. Don't study for the exam. You will rob yourself of the opportunity to really learn something that will set you up for success. And when you learn for the right reason, you learn the right habit, it will show through during your interview. And that's how you get the job. The job can be a SOC analyst. It could be an incident responder. It could be a pen tester, but I also want to say pen testers require a lot more hands-on experience in network, in system admin. So if you haven't done any IT work, it's not realistic to think your first job in security is a penetration tester. So get your foot in the door. Do any job and keep on learning. If penetration testing is what you want to do, you will get there in due time.

[00:36:50] CS: I love it. So to sort of flip that on the other side, those are great tips for first success. But can you sort of speak to some of the common obstacles that would-be ethical hackers face and that you've seen have caused people to maybe give up or get frustrated? Like what are some tips for learners who might get overwhelmed at a certain point? How do you sort of get them back on the horse?

[00:37:13] NW: That's a good one. I have reached out to some of the students who really didn't have all the prerequisites and then they started taking our course. And then they were literally overwhelmed, right? And I think there's so much good advice, and we are starting to provide more and more. And in fact we're going to come out with some prerequisite-level training content to help our students who are not ready for PWK to help them with that journey. And I would say if you know nothing about IT, learn the basics about, for example, how Linux and Windows admin works. You need to know that before you can do security, right? Learn something about how coding works, software development works, how to write code, how to write scripts. And then know what a network is. How does that work? But what is a firewall? Why do you need that, right? This basic stuff lays the basic foundation of, in a way, the digital fabric in which we work, in which we live, right? Once you know that, pick a training you want to do. And then in that training you do, it could be us. It could be the other vendors. But the key is to learn the good habits.

There are a lot of CTF machines out there. If you learn to play those games and you just want to go get your flag and feel satisfied and have that high, and then you need that. In fact, it can be a bad habit. Because when you do a real job, it's not like the CTF machine; it's a real network, a real exploit. So you have to know not everything you do will have a guaranteed instant gratification. You have to be able to say, “Okay, I tried that. It didn't work. What did I learn? Let me step back and let me see where else I can try.” Because in the real job, whether it's the defense side or the offense side, that's what it takes to do the job. So if your goal is to get into cyber as a profession, then I say develop those habits early on and stay with it. And then you will eventually succeed.

[00:39:23] CS: Yeah. I added a lot of – We do a lot of VulnHub walkthroughs on our website. And I always think of that as we get to the end. It's like there's not always going to be a flag at the end of this for you to read. So you really have to be thinking of it in terms of like what did I learn along the way and what was the twist point that, “Oh, I see. Now I can do that.” Or what have you. So that's a good tip.

[00:39:45] NW: Yeah. I mean, that's exactly how we design our labs, is where sometimes we intentionally have a path where it's a dead end, because you know what? That is what the real world is like. We want you to know. And if you can figure out the way to catch yourself, how would I know this is a dead end? If you can learn that earlier, that's a very important skill to develop as part of the training, right?

[00:40:10] CS: And also to realize that a dead end doesn't mean there's no correct solution to this or something like that. I think that's another one that you see sort of commonly is like, “Well, I couldn't do it. I guess it can't be done.” I want to talk to – We mentioned in your intro that you've worked with getting women insight into cybersecurity. And I wanted to talk about whether you have any tips or advice for reaching out to and hiring a more diverse pool of candidates. That's something we like to talk about here a lot. And I think it's incredibly important. Obviously, all of cybersecurity suffers from a lack of diversity, but especially in areas like ethical hacking and penetration testing, it seems still more crucial to learn from professionals with as wide a range of life experiences, gender, neurodiversity, differently abled problem solvers as possible. So what have you seen in the industry's attempts to improve diversity and equity, and hiring, and promoting that's frustrated you? And what, if any, developments have you seen that might give you some hope?

[00:41:10] NW: And I think that awareness for diversity, to get more diverse people into cybersecurity. I think the awareness has really increased, which I'm very happy to see. I think, as an industry, cybersecurity is still not as diverse as we would like it to be. So we still have a long way to go. And what I will say is that at Offsec, there are two things we do that I think in our own way are helping in that direction. One is that we are completely distributed. And we hire people no matter where they are in the world. We just want them to be able to do the job. And then they are a fit to our culture.

So we have hired people from Africa, from South America, from different places. And many of those people, they literally transformed their lives by going through the OSCP journey. And then we proactively reach out to them sometimes, and they proactively reach out to us, because we say, “You have OSCP. We want to hire you.” So by doing that, we have been able to hire men and women in all parts of the world. Our students are in over 190 countries, okay? So our employees are already in over 30 countries, because we practice that: no matter where you are, if you have the skill, you have the mindset, you are a fit to our culture, believe in what we do, you can be part of us.

The second thing is that I have been really trying to figure out how to get more women into tech and into cybersecurity. And the one thing I decided to do is to start at Offsec. So I literally reached out to every woman working at Offsec and asked them what their aspirations are, what their challenges are, and what I, what Offsec, can do to help them advance where they want to go with their aspirations. And in that process, I learned we need to be more encouraging. Because we have different styles of communication, it could be our upbringing, it could be our culture. That doesn't mean the person is not good. It doesn't mean they don't know as much. So if we create that kind of awareness and then be more mindful and intentional by providing opportunities for our candidates, for our people, from a diverse background, I think little by little, we will have more and more role models. And those are relatable role models that are just like one of them. That's where we are going to see more diverse people coming in and being able to excel. So those are the things I would say, that's what we're doing at Offsec.

[00:43:57] CS: That's great. I love to hear that. I'm so glad that it's so successful with your organization, and that you've made such sort of uncompromising steps there. I think that's really, really important in terms of not making it something we think about once in a while. And, “Oh, we should probably do something about that someday.” Or, “Oh, no.” You hear all the time, “Well, I want to hire more diversely, but no one applied. What am I going to do?” And so I think there's something to be said there for actively sort of seeking people out and seeking people of certain backgrounds out and so forth. So as we wrap up today, what are Offensive Security's plans for the future? What future direction do you plan to guide the company in over the next several years?

[00:44:41] NW: Offsec, it was off to such a great start with our reputation, our giving back to the community, the quality of our training, the recognition of our certifications, for which I am very grateful. And I love the opportunity that I'm given to lead this company. I think, looking at the cyber threats that we talked about, all the things we need to do and we must do to make the security posture of the society and the places we work and live better. I think there's so much more we need to do, not just for the penetration testers, not just the offense side, but also the defense side, and not just the network kind of penetration, but also the web, and not just at the elite level or expert level, but also everyone who touches the IT aspect of the job, to help them do their job in a more secure way. So we are coming up. We're innovating on the learning, training experience side. So we have something really exciting coming up. And also on the training content side, we want to be able to reach a lot more people to help them get into cybersecurity, to help them advance or get promoted and move up that ladder in the skill set, and also help people who do their job, but do it in a more secure way.

So I think we are barely scratching the surface. There's so much more exciting stuff that's coming up really soon from Offsec. So I'm very excited. Very excited about what we're doing. So we're innovating and we're giving back to the community. We're listening to our students and our customers, guiding us to where we can help train their staff, their workforce, in a more effective, efficient way to help solve the cybersecurity problem that we all face.

[00:46:35] CS: Yeah, I have to imagine, with the hands-on process that you have, that your students are giving you a lot of feedback. Have you had any particular examples of sort of feedback or recommendation from students that, like, completely changed the game for you?

[00:46:52] NW: I will say, they gave us feedback for what they like or what they don't like. And so that happens all the time. And then we also work closely with our customers who are enterprise organizations, who are government. And they all have this challenging job of training people to be able to do the job that they have openings for. So I hear a lot of security managers that they actually go out and sponsor training for people not necessarily on their team. Because by doing so, they enlarge the pool of the candidates that they can identify as somebody who can do the job for which they have an opening. So there are just a lot of things that people in this industry are already so creative in trying to solve the skill gap problem, the lack of talent. So that's why I also wanted to say to your listeners, if you want to get into this space, just put yourself out there and learn, and really learn for the right reason. And then get involved with the community. Share your learning. Write the blogs. Because you never know who will notice you. And that is how opportunity knocks on your door.

[00:48:12] CS: Yeah. No energy expended has ever gone to waste, I don't think.

[00:48:16] NW: Yeah.

[00:48:17] CS: So this has been a great talk. And I want to thank you for your, Ning. One last question, if our listeners want to know more about Ning Wang or Offensive Security, where can they go online?

[00:48:27] NW: Our website is Offensive Security, offensive-security.com or offsec.co. That's our website. We have a pretty active Twitter account. We announce a lot of things there. Obviously, LinkedIn. So follow us and find out more. And we have a lot of exciting things coming up soon.

[00:48:48] CS: Well, Ning, thank you so much for joining us today. It's been a real pleasure.

[00:48:51] NW: Thank you for having me. Great talking to you.

[00:48:54] CS: And as always, I'd like to thank everyone listening at home, or at work, or at work from home for listening today. All new episodes of the Cyber Work podcast are available every Monday at 1pm Central, both on video at our YouTube page and on audio wherever fine podcasts are downloaded. To read Infosec's latest free ebook, Developing Cybersecurity Talent and Teams, which features practical team development ideas compiled from industry leaders including professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JPMorgan Chase and more, just go to infosecinstitute.com/ebook and start learning today.

Thank you once again to Ning Wang and Offensive Security, and thank you all for watching and listening. We'll speak to you next week.
