Cybersecurity startups and minority representation

Ron Gula, president of Gula Tech Adventures and co-founder of Tenable Network Security, talks about the evolution of cybersecurity and security awareness, his career shift from the NSA to growing Tenable to funding other cybersecurity startups, and a variety of other topics.

Chris Sienko: Hello and welcome to today's edition of the Infosec Institute weekly video series. Today we will be talking to Ron Gula about his time at Tenable Network Security, his career in security awareness, and his new project Gula Tech Adventures. Ron Gula has started his cybersecurity career as a network penetration tester for the NSA. At BBN he developed network honeypots to lure hackers, ran the US internet working's team of penetration testers, and incident responders. As CTO of Network Security Wizards, Ron pioneered the art of network security monitoring, and produce the dragon intrusion detection system, which was recognized as a market leader by Gartner in 2001.

As CEO and co-founder of Tenable Network Security, Ron led the company's rapid growth and product vision from 2002 through 2016. He helped them scale to more than 20,000 customers worldwide, raised 300 million in venture capital and achieve revenues in excess of $100 million annually. Ron is the president at Gula Tech Adventures, which focuses on investing and an advisement of cybersecurity companies. Ron was honored and humbled to receive the 2017 Beta Award, to be named a 2016 Baltimore Tech 10 Leader, and a 2013 Maryland Entrepreneur of the Year by Ernst and Young. Ron Gula thank you for being with us today.

Ron Gula: Hey, thank you very much.

Chris: Great. So you started out as a penetration tester for the NSA. How has the cybersecurity landscape changed since you first got involved in the business?

Ron: Well, the biggest thing that's changed is the technology. We're using the cloud today. We have IOT devices, self driving, cars, robots, drones, et cetera. In the late nineties it was traditional IT, servers, networks. We didn't have wireless back then. What hasn't changed is confidentiality, integrity and availability. Right? We learned those lessons really, really well. And every time we invent new technology, we seem to forget to apply those things.

Chris: So what are some of the smart security awareness strategies? I guess you said that right now, but what were some of the things that are commonplace now, but it was impossible to get your clients to go along with back in-

Ron: Yeah, so it's no secret the NSA has a lot of people with clearances, top secret clearances and higher. An objection that I often got when we did a penetration test was "Hey, the person next to me, the person I trust has a top secret clearance. Why can't I share my password with them?" And I thought this was a really cool thing back then. But obviously we had a lot of insiders and most recently we had Reality Winner. But what I was surprised about when I left that type of customer and I went into banking and I went to education people had the same excuse. "I trust the right next to me. Why do I have to have good cyber practices?" So, that hasn't changed at all.

Chris: Right. So there's the social engineering element of it where people just assume that they're going to be safe because they're smart and the person next to them is smart. They can't imagine anything going wrong at this point.

Ron: Security is hard. Pick any sub category like encryption, authentication, intrusion detection, good network design. It's hard, if it's done well, it looks easy. But just because something looks easy and it's easy to use doesn't mean it's secure.

Chris: Okay. So, what are some of the security awareness strategies you learned while being a pen tester for the NSA?

Ron: A lot of the things you probably covered, right? Social engineering is an easy thing. Micro hygiene is hard to do. Breaking in and getting in is really a matter of effort and will, and not a binary. No one has ever done enough that they couldn't stop somebody from getting in by spending enough. So those things haven't changed over the years. They just moved on to new technologies.

Chris: And did these experiences lead you to go into business for yourself or was that other factors?

Ron: My job at the NSA was on the defensive side, so I wasn't one of these people hacking into the bad guys or the terrorist or anything like that. I was looking after the good guys, the NSA has a great practice of securing the president's communications all the way down to the DOD and different parts of the government. So I got exposed to a lot of different government programs. Some of them was civilian government, and they really were pretty advanced types of networks. So when I left government service, I started seeing a lot of the biggest networks in the world. And that gave me a sense of scale, such that when terms like big data came around, I was like, I think I've seen some bigger data than what people are calling big data here. It gave me perspective and it's one of the reasons I like to invest in companies where the technology or the founders have a certain sense of the size of the problem and they've probably come out of the U S government.

Chris: So you've seen information security obviously from many different perspectives now, you've worked for the NSA, you've started your own company and now you've started a tech startup advocacy and financial assurance organization. What do you think in general about the current state of information security, and do you think that security awareness is becoming more prominent on the IS landscape?

Ron: Yeah, there's a number of very interesting angles on that. So as an investor you've probably read that there could be a bubble, there could be a certain sense of too much money rushing in and there's some people who could say that stuff. But the reality is the problem is so broad and so deep. I think we're going to be working on cyber for a very, very long time now. Clearly from a technologist point of view, we haven't solved everything. We haven't solved authentication and intrusion detection. We can't even solve voter security. And it's not like people aren't trying, it's just the technology is moving so different fast. So it's moving so fast, your definition of security and my definition of security are a little different, which makes it difficult to have one size fits all.

Chris: So you said that there're fears that the money is rushing in too fast. What is the issue there? Just that there's too many companies starting up too quickly without proper coverage of the problem?

Ron: Well, as technology moves on, there's always new people solving confidentiality, integrity, and availability in these new forms. You see that right now, most recently in the cloud as people move their development and their web applications to the cloud, there's a whole new set of problems in that space when you trust the cloud providers. There's some people who still do this on prem so to speak. And that just adds a lot of complexity to that. Another big opportunity for investing is just this shortage of smart people that we have a. There's only so many cyber people, I don't know if the number is a million or 3 million, they throw down a lot, but I know a lot of people who are looking for cyber experts out there and we're not going to be able to train all those people. So I'm a big fan of any type of cyber program that helps automate a process, makes it easy for a human to do their jobs better.

Chris: So it really is a learner's market right now then it sounds like. There's more openings than there are people to fill them and so forth.

Ron: It's an opportunity for many, many, many, many levels. If you're an organization and you haven't invested in good cyber hygiene and good network design and you're having people, staff, maybe it's a good time to think about your entire approach to IT and information management in general. At the same time, if you're reading this video, watching this video, and you're 18 leaving high school and getting into college and you're thinking, "Hey, I don't like programming," there's still like 20 or 30 other career fields you can do in cybersecurity and IT. So it's a great time for many people.

Chris: You said something about possibly changing your entire security portfolio. Is that in regards to current companies and stuff? What are some of your recommendations for tightening up someone's security program, or based on what are the wrong emphases and what could be done about them?

Ron: If you're a business owner or you're working at a small business and you still have an email server, I actually still run into people who are doing that. You're really missing out on the ability to embrace the cloud. It doesn't matter which vendor you choose, Google, Microsoft, or other types of providers. They all do a better job than you can do on your own. And that's something I try to tell people to do. And that might mean not only moving your email to the cloud, but embracing things like Google Chromebooks where the cost of managing those things is a lot different than managing a Microsoft desktop and the attacks are just a lot smaller.

Chris: Do you think people are holding onto their old email servers and stuff just because that's the way they've always done it, or because they can see the tangible object there, and they're not sure about the cloud because you can't really see it or what-

Ron: Yeah, without having an entire conversation on SMB and outsource IT, a lot of small offices outsource their IT to something called an IT service provider, a managed service provider, not necessarily [inaudible 00:09:26] security service provider, but somebody whose job is just to make IT run really well. And the key to doing that is trying to do as much as you can with as few resources as possible. So a lot of times we do see people cutting costs, maybe not doing the best job they could be doing that you might get in an enterprise network and we will see one way to save costs is to run your own email server and not pay whatever the Office 365 is charging this way. Not saying the entire industry is doing that. I'm saying that's an opportunity for improvement.

If you're in cyber and you're watching this and you're going to the dentist office, mention it to your dentist. "Hey, who's doing your service? Have you considered just trusting Google or Amazon to do it?" Flip this conversation around and we talk about this from the enterprise point of view, it's almost completely different. People are still worried about how cloud lock-in. Maybe because of GDPR, they want to bring back the data center and have much, much more control over their data. Maybe they want to have the control over that data because they're too experiencing flaws from third party risks. Any big company is probably doing business with hundreds if not thousands of other partners. They need visibility into that. So things become a lot more complex for large enterprises.

Chris: That's really interesting. You said talk to your dentist about what they're doing. I mean it seems like you're really putting the onus on everyone, who's hearing this, like to get the word out that this is something that all sorts of industries are behind on, whether it's healthcare, or whether it's law enforcement, or whatever. So do you think that's something people should be doing in general? Just keeping abreast of their community's cyber programs?

Ron: It used to be if you were in cyber and you had an opinion, what you didn't want to do is get called over to your neighbor's house on the weekend because they had an antivirus or back in the 90s, because their hard drive needed to be reformatted. So the industry I guess has improved in those things. I think a lot of times people just don't want to get too involved because cyber is a very personal thing. Where do you put your data, where you put your email, who do you communicate, where do you go on the internet? But the reality is that we're all intertwined, and if you have an opinion about something, I do think it's okay to ask and suggest alternatives.

Chris: Going back to your old company, Tenable Network versus Gula Tech Adventures. It seems like you're financially facilitating up and coming startups, and providing consulting work and stuff versus being the actual security provider. So what caused the shift in your thinking and your strategy? Do you feel like finances are the primary setback or information, or what's holding small companies back these days?

Ron: So I really enjoy cybersecurity. I enjoy the trade offs you have to make from an engineering point of view. I enjoy the different personalities that are out there innovating. And frankly, I got into it, not really by accident. I actually really ended up enjoying it. My last few years as CEO at Tenable Network Security I had done a couple investments, and we saw a couple of exits where we got a really good return. But it gave me a lot more knowledge of the market, seeing who the acquirers were, seeing who the customers were, seeing who the founders were not only did we make lifelong friends and contacts, but we really enjoy this space.

And I had a great experience with the investors at Tenable with [Excel 00:12:59] and Insight and I saw a really lack on the seed side, the smaller side, people investing a million dollars, half a million, just get people going to their first million dollars in revenue. I saw a really big gap there. So rather than starting at just one more company, I really thought I wanted to meet as many people as possible, and be involved with financially and directly with these companies.

Chris: So it sounds like there's an awful lot of startup companies that have good ideas, but are being held back due to lack of financial support or what have you.

Ron: It's very accurate, and as much as I like to say, "Hey, we've been fairly proleptic, we'd done more than two dozen investments," we probably said no to almost 500 companies. A lot of companies are 5% better than the current solution. The CTO, Tenable Renaud Deraison, he talks about that a lot where there might be a current market leader out there, and maybe somebody's got a better way to build that mousetrap. But it's 5% better and you need to switch out that old mousetrap, that's hard to do. The other cool thing is something that's really, really disruptive that nobody else is doing. You're going to look crazy for investing very early on, until it catches on. So I like living in that area where in some cases we are making technologies incrementally better. In other cases, we're really, really [inaudible 00:00:14:25].

Chris: So there's also that excitement of this could not work out or this is like a big risk, or we're we're really trying something new and untested.

Ron: A big thing is in all these new technologies you also have markets. So we talked about the SMB market for example. You don't see a lot of endpoint competition in the SMB market. That's pretty much antivirus endpoints. So companies that we look at in that space that can disrupt market, which is primarily with cost savings. That's pretty cool. The trick is do they have a business model that can generate revenue and acquire customers and hopefully have an exit for an investor.

Chris: Of the 500 that you say no to on a regular basis, what are some of the main things that they're doing wrong? For those of us who were possibly looking to talk to Google tech down there.

Ron: So there's a design pattern of I sense something. Sniffing packets, logs from the cloud, wireless signals, and then I dump that, and I do some artificial intelligence and machine learning on that data, and then maybe I enrich it with perhaps [RET 00:15:31] data or other industry types of data to produce an output. That's the solution that's really, really hard to sell to an enterprise who already has Palo Alto and Splunk and [Q1 00:15:43] radar and a whole bunch of endpoint products out there like Carbon Black or CrowdStrike, or even Tenable. So that's one type of product that's hard to get excited about.

Anytime you have a market leader somebody like a CyberArk, a Splunk, who's really entrenched out there it and has a lot of customers who are using it. They might not be entirely happy with it, but they're using it. That means you've got to replace that, if you get it in there. So products, you said, "Hey, we can do a job better," then some would say, "They better do a job more than 5% better than nothing." Those types of things.

Chris: and quickly too I'd imagine.

Ron: Yeah, that's right. And then the last thing is there's just a lot of technology that I just don't believe it. I'll get pitched technology where maybe we're going to disrupt the identity market by embracing the home market and putting users in charge of their identity. As a privacy advocate. I like that. But when I talk to [Cisco 00:16:40], I say, "Hey, do you want your employees authenticating to something in an employee's or in a personal cloud" or, "Oh no, we have to be sovereign with our..."

So you try to test these things and there're technologies that I don't even like and I like the people, but I talked to customers and they say "We won't buy that." So it's a complex dance, but it's a lot of fun.

Chris: Going in the other direction to the companies that you said yes to, what is your process at Gula Tech Adventures for improving gear clients' business? Do you have like a common thing that you work with them or does each one have its its own case?

Ron: So we do Gula Tech right now it's just me and my wife. And, she was at the first company intrusion detection [inaudible 00:17:22] wizards. She ran that. Tenable she had a lot of operational stuff.

So between us we've got like 40 years of just working in cyber. So most of our companies when they run into a problem, we can give them a lot of perspective. Knowing that we give them a lot of perspective and 15 minutes. We don't need a board meeting, we don't need to do a study or anything like that. We're not always right, but we have a lot to offer in a very succinct point of view. And a lot of our companies are different levels. So if you look at something like a ThreatConnect or Flashpoint, these companies are series B, series C, they're very sophisticated. I get to talk to the management team there, not every day, whereas other companies that are C, it's very important that we talk to these people almost weekly, run the product, test the product.

And so the level of feedback and interaction is really commensurate with where they're at. And the best calls are the ones that come at dinner time in the evening when there's a problem. Perhaps we lost a sales person. Perhaps we've hired a salesperson, perhaps the number one competitor in the market just got funded $50 million. So it's nice to be able to get perspective to those folks. I like to get people profitable as quickly as possible. And that means working with customers. The more you can work with a customer, the better the customer is going to tell you about the market. I can pontificate all days about what I think is going to happen. But as soon as you have paying customers, that's a much more important source of not only way to fund your company, but to guide what you're doing and validate what you're doing.

Chris: So what is the most common mistake that up and coming startups that you've worked with are making?

Ron: It's the fact that they want to do everything themselves. And I get this. At Network Security Wizards I felt like every decision had to be mine. Every line of code I had to review. Took me a really long time to even let other people write signatures and write code in there. And I thought I learned a bit of that when I went to Tenable, I was still writing code from day one. But the biggest thing that you can do is to not just trust people. It's easy to trust people, but to make sure you're hiring and surrounding yourself with the right people. So, for example, a ton of the co founders or Jack Huffard, Renaud Deraison, and Tenable would not be where it was today without some of those decisions that we had to make along those ways.

And then of course, Tenable went public. There's a whole set of senior managers in there that we brought onto the company about three, four years ago that really set it going. So it's not just a matter of scaling and trusting the people is hiring and selecting this right people. And then of course, if you don't have the right person making making that change. That's the biggest mistake I see founders make. They have too many co-founders, they try to do too much themselves. They don't have a vision of what the org chart is going to look like two years or three years from now, and even what those people are doing. And that's the biggest place I tried to get perspective to the companies we're working with.

Chris: Is that a loyalty thing where everyone had a little hand in this, and so therefore everyone's got to be on the masthead.

Ron: Yeah, and you can manage that. So when you're a founder, you have found your equity, you found your cred, found your whatever you want to call it, but maybe that founder is really a CTO and three years from now we're going to put a CEO in charge of that company. Maybe, the founder really is a CEO, but his co-developer doesn't like people, doesn't have people skills, yet he coded the first versions, two, three versions of that. That's something that you need to address really, really early on. You don't want to be going out for an A round and having a venture capital firm meet your co-founder, and realize that this person can't hold a conversation at dinner. And none of our portfolio companies are like that.

Chris: Of course.

Ron: They were some of the ones that we didn't invest in. So, that kind of soft people skills is really important.

Chris: Yeah. And that's been coming up in just about every video we've done so far is that it's fun to do the coding and do the incident response and the threat hunting and stuff. But you really have to know how to explain it to your board, or how to explain it to your clients and things like that.

Ron: The thing I've always asked people, anytime I've ever hired somebody, anytime I invest in a company, I ask a really, really difficult question, which is what do you want? And sometimes knowing what people want and trying to somehow manage that with what everybody else's want, that's hard to do. We're all different, we're all made differently, we all have different goals, we're all motivated by different things, but it's important to know that. And that's really important when you're starting out as a founder, you have to extrapolate into four years, three years down the road.

Chris: Infosec Institute, obviously we are a security training company and we give certification training in a variety of topics. But we also launched security IQ, which aims at a security awareness training for people at all levels of the company. And I was just wondering, what do you see the role of security education versus security companies providing solutions for their vendors. What's the balance between the two and where do you think this great education can fit into that?

Ron: Yeah, so personally we need to train people. If we train people twice as much or three times... from an awareness point of view that somehow they're going to magically be twice as more secure, or three times as more secure. So I like balancing training and awareness with actual engagement. If somebody reports something, make them stand up and say, "Hey Sally over here in accounting had a fishing attack that perhaps got through, but she reported it to IT, And guess what? That saved the company half a million dollars." So I really believe in rewarding people as well.

Chris: Positive reinforcement.

Ron: I love testing. I mean Tenable is all about auditing, pen testing is what I started with as another form of testing. I think you can bring that into security awareness training. So the big fans of Fishy, [NoteB4 00:23:34] [Juan 00:23:35], I love all that stuff, and I think it's really good to know that you're being audited. It does take enterprises. All enterprise security is going to go into privacy. But pretty much the more you can put in front of people, the more you can do that.

Chris: At the risk of giving away your product for free, can you give us some security awareness tips for new small businesses?

Ron: So I think if you're a small business, you need to think about how your business is growing, where your data is, what your IT budgets going to be. If you're outsourcing things, there's probably things you could be asking for that you're not asking for. So you need to think about where your data is, who has it, and what the likelihood that you're going to be compromised with. Your small business like I said, Google, Amazon, they are going to do a much better job protecting your email and your data than you can. Don't forget about physical security. If your data center and your office is only protected by a lock and key then a lock and keys all it takes for somebody to come in. And never underestimate somebody hiring away one of your employees and taking some interesting data with you.

Chris: Recently Infosec Institute instituted a set of four scholarships to facilitate the education of more women, minority, veteran, and college students in the study of security related courses. And I know that Gula Tech Adventures is similarly committed to diversifying the security workplace. And I'd like to know what the barriers are at this point to more women and minority hires in cybersecurity, and what you and your company are doing to combat this.

Ron: Yeah, personally, so we're located in Maryland, close to Baltimore. We become involved with a program called Year Up and another one called EmPOWER, which targets black minority, a lot of women are in this program too, and it really tries to expose them people who might not otherwise have ever heard of the [Sans 00:25:24] or your company or just dumb training online, and basically puts a crash course through them to show them that. But what I really like about these programs, again in Baltimore focused, they do internships with T Rowe Price with Exelon, with Underarmour. And that type of program where you can actually go from education to employment I think is really, really good. I'm also an advocate of startups. In Maryland, Virginia, we have a lot of people who do services companies and that's great.

I think a product company is a great way to employ a very diverse group of people, not just cyber experts, but also accountants and lawyers and salespeople, and facilities people. And, that's a really big thing as well. A good bit of our companies have a lot of women involved in that. For example, we used to invest in a company called Inky. Both the head of sales, the head of marketing are female. I come from a Star Trek universe. I'm very libertarian, so I tend to see a lot of diversity by default, but some big fans of that. And then lastly, the best way to get more women and minorities in my opinion, is to start young. It's great to hire experience, it's hard to learn 20 years of cyber expertise if you've only got two or three and you're retraining, you need to be open to that. But the best way I think to really fulfill that is to really start at the high school level. So we've been doing a lot of that as well.

Chris: How about for companies who may see the issue but haven't figured out a solution in their own organization to create a more diverse workspace? "I hiring the same people." What are some strategies you can do to break out of that?

Ron: So a couple of couple strategies. First of all, you got to be aware of it. So you should discuss it. You should discuss with your team, with your board, with your investors. If you think you have a consideration there you really have an opportunity. You don't really have a problem. There's a lot of great places to go. The hard part is this. If you're a bank for example and you've got five openings on your [sock 00:27:36] floor you want to have diversity involved, you want to be able to go and recruit. A lot of times you're having a hard time finding anybody.

So you try to have to reach out to other places you might not normally be going. So maybe change your recruiters, may work with you guys, may work with other online training places where you can segment them by race, by age, by state different things like that. We just got to be aware of it. If you're aware of it and you care, you're going to figure it out. And again what worked for banking might be different than education, might be different than a startup, but the very important thing is just to be aware and conscious that when you're interviewing these people.

Chris: And have you heard case studies? You've probably brought some more women and minorities into companies. Have you heard any reports of how it improves or changes the work culture or the tech culture or anything like that?

Ron: I tend to think that if you're building a culture and you care about your culture, then you're going to be the best measurement of your own culture. I find the studies are somewhat bias. If you want to build a great culture and it's diverse and it's got a lot of different complexities to it, I think you're going to be stronger from those things. So I always like to tell people, look at their peers. If you emulate somebody who's really good, like if you look at a lot of boards from fortune 200 fortune 2000 type companies, you're going to see a lot of diversity. You can see a lot of different makeups, but the question is how did they get there and why did they get there? And that's important.

Chris: I completely agree. Looking to the future as cybersecurity and security awareness become a standard operating procedure for most industries, what are the big challenges you see a looming that need to be addressed or will need to be addressed as the tech changes as the threats increase and so forth?

Ron: Again, depending on where you are in the industry, if you're small business, if you're a home user or you're working in corporate IT, you're going to see some tremendous changes over the next couple of years. Corporate IT, large enterprise, it's going to become a lot more compliance driven, and that's, that's not a bad thing. Just give people a goal that they should obtain, but being compliant doesn't necessarily mean that you're secure. It's a minimum. That's a classic debate that's out there. When you move out of the enterprise business though you move into SMB and home business. There's no way we can keep up. So you're going to see security more and more be hidden from us. If there's a security update in a phone, if there's a security update in your DVD player, your TV it's going to be automated. It's going to be out of sight.

And I'm a big fan of science fiction, right? So, if you read Diamond Silicon. Oh my gosh, I can't believe I just flubbed a Neal Sephenson book Diamond Age. If you read that, if you read Ready Player One, if you read Neuro Mass, if you read these things about science fiction about the future, that's really where we're going, which means we are going to have a good bit of security. But we're going to have very little privacy and the things that we're giving our data to both corporate and advertisers, it's going to be really difficult to figure out who has what and who knows what about us. I mean, all you have to do is read... NPR had an article a week or two ago about ultrasonic tracking where apps on your phone are constantly listening a little to your microphone.

Ron: And if you walk into a store, there's a certain tone that we can't hear, but they're tracking you that there's in that store. And there's so many other nefarious in law enforcement and intelligence applications for, it's definitely interesting.

Chris: How do we stay ahead of these security challenges?

Ron: I think there's a couple ways. I think first of all, we have to understand that... I'm going to get deep on you here for a second.

Chris: Please.

Ron: That this security in general, it's really a collaboration between the people who make it, the people who use it, the governments who regulate it. So we have to fight for democracy. You do not have security when you go to a non democratic country and we have to realize that. So we're not just competing with China and Russia for people overseas in Africa and Southeast Asia and Europe. We're really competing for how we want to cover ourselves as a society.

So you'd be involved with your politicians, be involved at the local level, know who's running, know what those things are. It's really, really important and it's going to be much more important as we go forward. Second thing is you can't have an excuse. I mean, I'm sure there were farmers, and people who didn't adopt the automotive when it first came out. And it's irrelevant now, but the internet and the technology and what happens to our data is moving so fast. It's our responsibility not only to educate the youth, but to also educate the previous generations to make sure that they understand, and that they are not being taken advantage of the right ways. Teaching ethics, teaching those kinds of things.

And again it's all interrelated, but then the last one is personal responsibility. We need to understand that there are people out there right now who don't go to the cloud. They don't go to Facebook, they don't have a smartphone, because they don't trust anything. Now they might be the Luddites, but that might be the way things are going. If we have one or two breaches of one of the things Facebook, Amazon, Netflix, Google, whatever. That could be a very disruptive type of thing. So we need to watch those kinds of things.

Chris: And on that note, I think we will wrap up this week's episode. Thank you all for listening and watching. You can find more of these videos on our YouTube page. Just go to YouTube and type in InfoSec Institute, that's I-N-F-O-S-E-C and you'll find our page and lots more videos, like our video here with Ron Gula. If you'd rather have us in your ear during the Workday all of our videos are also available as podcasts. Just search for Cyber Speak with InfoSec Institute on Apple podcast, Stitcher, or wherever you get your podcasts. And if you'd like to read more about security awareness topics, please visit for thousands of articles, labs, videos, and more. And please check out security for our fish sim phishing simulator. You can do fake phishing on your friends and colleagues as well as AwareEd, which provides you with some security awareness training. So thank you again Ron Gula and thank you all for watching and listening and we'll talk to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.