How to become a secure coder | Cyber Work Podcast

On today’s podcast Infosec Skills author Chrys Thorsen talks about founding IT Without Borders, a humanitarian organization built to empower underserved communities through capacity building information and communications technology (ICT) skills and information access. She’s also a consultant and educator. And, for our purpose, she is the author of several learning paths on our Infosec Skills platform. She has written course paths for Writing Secure Code in Android and Writing Secure Code in iOS, as well as a forthcoming CertNexus Cyber Secure Coder path.

0:00 - Intro
2:43 - Thorsen’s origin story in cybersecurity
4:53 - Gaining about 40 certifications
6:20 - Cross certification knowledge
7:25 - Great certification combos
8:45 - How useful are certifications?
11:12 - Collecting certifications
13:01 - Changing training landscape
14:20 - How teaching changed
16:36 - In-demand cybersecurity skills
17:48 - What is secure coding?
19:34 - Secure coders versus coders
20:31 - Secure coding in iOS versus Android
22:39 - CertNexus secure coder certification
24:13 - Secure coding before coding
24:42 - Secure coding curriculum
26:27 - Recommended studies post secure coding
26:50 - Benefits to skills-based education
27:43 - Tips for lifelong learning
29:29 - Cybersecurity education’s future
30:54 - IT Without Borders
33:38 - Outro

– Join the monthly challenge: https://www.infosecinstitute.com/challenge
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

    • EPISODE 209

      [INTRODUCTION]

      [00:00:01] CS: Infosec Skills is releasing a new free challenge every month with three hands-on labs to put your cyber skills to the test. October’s challenge, celebrate Cybersecurity Awareness Week featuring a bundle of three labs that provide hands-on training with in-demand cyber skills. Level one, get hands-on experience with the Metasploit Framework and investigate systemic vulnerabilities like the professional ethical hackers do.

      Level two, leverage sudo to set up user permissions and explore the harmful side effects of improper implementation. And for your boss level challenge, you’ll head over to our secure coding cyber range to correct secure coding errors commonly found in Python. Complete all three challenges, download your certificate of completion, upload it to LinkedIn and tag Infosec for your chance to win a $100 Amazon gift card and Infosec hoodie and a one-year subscription to Infosec Skills so you can keep on learning. Just go to infosecinstitute.com/challenge and kickstart your cybersecurity career skills today.

      Today on Cyber Work, our guest is Infosec Skills author Chrys Thorsen. Chrys teaches secure coding fundamentals and has almost 40 certifications herself. We talked about studying for certs and the true benefit of studying for certs, how secure coding sets the table for a variety of career tracks, and we talk about her work with IT Without Borders bringing IT and tech training to underdeveloped countries. That’s all today on Cyber Work.

      [INTERVIEW]

      [00:01:34] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of Infosec professionals, and offer tips for breaking in or moving up the ladder in the cybersecurity industry.

      Chrys Thorsen joins us as this week’s guest on Cyber Work. She’s the founder of IT Without Borders, a humanitarian organization built to empower underserved communities through capacity building ICT skills, and information access. She’s also a consultant and an educator, and for our purposes, she is the author of several learning paths on our Infosec Skills platform. She’s written course paths for writing secure code in Android and writing secure code in iOS, as well as a forthcoming CertNexus Cyber Secure Coder path. Because we’re going to be getting so many new learning paths built into our Infosec Skills platform in the coming months, and we also have a monthly skills challenge that’s ramping up, I want to talk to Chrys about her cybersecurity journey, the practice of secure coding, IT Without Borders, and the practice of earning certifications, of which Chrys has quite a number. Chrys, thank you for joining me today. Welcome to Cyber Work.

      [00:02:40] CT: Chris, thanks for having me. It’s great to be here.

      [00:02:43] CS: My pleasure. So, we always like to start by breaking the ice and getting the story of our guest’s cybersecurity journey in their own words. So, how did you first get interested in computers in tech? And what was the first spark that made you excited about computers and coding and all the other things that you’re involved in?

      [00:02:59] CT: Well, it’s actually a long journey. I have both engineering and teaching in my background. Dad was an aerospace engineer and Mom was a high school English teacher. So, that combination together sort of created me. Always interested in tinkering. I mean, Mom tells the story of when I was two, I took the handlebars off of my tricycle. And then I went under my crib and unscrewed all the thumb screws. So, when she tried to put in the bottom, dropped off. That’s my tinkering.

      Okay, anyway. But out of high school, a buddy and I had a repair business, electronics repair business. We’d both studied electronics extensively. So, we were fixing VCRs, and TVs and guitar amps and that sort of thing. One of our customers was a Novell certified instructor, CNI. He said, I only know the buzzword, JTPA. But it’s a federal program that retrains people to get into IT.

      So, I signed up, had to wait in line a little bit. And my very first experience was, I mean, I didn’t know really anything about computers. I knew a whole lot about electronics, but not computers. So, I was learning to be a Microsoft Certified Systems Engineer. MCSE in NT 4.0, with Windows 95 as the client. Can you imagine? This was like in 1996.

      [00:04:20] CS: Yeah, I love it.

      [00:04:21] CT: I got the certification and that was with SQL 6.5 database as an elective. Database, what’s that? There was a paper MCSE. I didn’t know a thing about the practical implementation. But it got me started. And from there, I was hired by a business college to teach of all things A+. But tearing apart computers and putting it back together was not a far step from tearing apart VCRs and TVs. So, that’s how it got started. That was my kickoff.

      [00:04:52] CS: Okay, so I want to – speaking of A+ and I’ll and MCSE so early on. On your LinkedIn profile you list somewhere around 35 certifications. Can you tell me about your educational journey in terms of getting all of these certs? How long has this been – I guess it’s been, it’s part of your whole adult life, right?

      [00:05:12] CT: Yeah, it has been. Actually, that’s probably up to about 40 now. To be very honest, I got certifications as my job demanded it. Okay. So, early on, I became a Microsoft certified trainer. I was teaching. Microsoft is putting out new products. I had to learn about the product, so that I could turn around and teach it. However, I got to tell you, it wasn’t just for teaching because I found that it was really useful in other ways.

      So, for example, I had to teach Lync, okay, Microsoft Lync. And I went to Africa, which I’ve done a lot of, and friend of mine, I barely stepped off the plane. A friend of mine said, “Hey, I have to set up a Lync server for this country, this little third world country’s equivalent of the Department of Transportation.” He says, “I have no idea how to do it.” Well, I had taught the class, I was certified, so here was my first opportunity to put it in production.

      [00:06:08] CS: Real field experience.

      [00:06:10] CT: It worked. So, it’s not only been for teaching, and I’ve been able to utilize a lot of this stuff outside the classroom as well.

      [00:06:21] CS: Yeah. Can you talk about some of the sort of cross certification knowledge, the way that certain ones maybe surprised you in the way that they sort of spoke to each other? So, I imagine it’s kind of like learning languages where, after a while, if you’re studying Spanish, and they say it’s party Portuguese, you’re like, “Oh, these two, have these cross points and that builds on the next one, the next one, and so forth.” But what were some of the more surprising ways that your certs studies were in communication with each other?

      [00:06:49] CT: Well, for one thing, maybe an application developer doesn’t realize that they really actually need to understand the operating system and networking, to understand how to protect data as it’s traveling across the network. It surprises me how many app devs they’re working on their laptop, but they don’t understand the bigger infrastructure. And thus, they don’t understand the business case, or they don’t understand the vulnerabilities to their application because they don’t understand penetration testing or something like that. So, there really is a lot of dovetailing and crossover really, in everything.

      [00:07:26] CS: If there’s like a superfood of like getting like two certs or three certs where it’s like, if you get this plus this plus this, you can do this sort of thing? Do you have any sort of like simple mixtures like that, that you can suggest?

      [00:07:42] CT: Well, I’m okay. I think – so, Chris, I’ve got a siren in the background. Do you want to pause for one second?

      [00:07:51] CS: No, we can’t hear it. It’s fine.

      [00:07:52] CT: Oh, okay. Very good. Okay, so edit up my comment there. I think that just about anybody should have some understanding of networking, right off the off. Because everything we do is on a network, right? Even applications generally don’t run on their own. They often connect to a website or they connect to something else. People log on to them remotely. So, some understanding of networking is really good.

      And then probably just in general, like maybe a CompTIA Security+, just so you understand security from a very broad spectrum. I think everybody needs to have sort of that background. And then with just sort of those base foundational things, from there, then build on whatever your specialty is.

      [00:08:45] CS: Gotcha. So yeah, speaking in more of a higher-level philosophical sense, what are your thoughts on certifications and certs studies? Because we get a wide range on the show, from hiring managers who say it’s unimportant as long as you demonstrate the skills over to well, it’s completely crucial in all ways. So, where do you see certs fitting into the modern cybersecurity landscape, especially as regards to attempting to rapidly upskill people in cybersecurity amidst our so-called skills gap?

      [00:09:12] CT: Okay, so here’s the thing. If you get a certification in something, you have learned what the vendor or the organization deems important. You’ll learn a broad spectrum, maybe not super deeply, or how to apply it in a real-world context. But you will learn a very broad spectrum of stuff. Real world experience, and I have 20 years of both, 25 years of both, real world experience gives you deep dive into specific silos. So, I have lots of friends and colleagues who they’ve been at the same company for 20 years or 10 years or whatever, and they’ve only worked with X.

      I mean, I have a coworker right now, who bemoans the fact that he’s never had to work with Cisco devices. And right now, I’m working with managing Cisco devices using Python to send Cisco commands across a network. Okay, talk about a whole cross discipline there. So, you can learn things really deeply. But I’ve seen just fresh out of certification school. I’m a paper something, that person will be able to answer a question that a longtime veteran who never had to touch that feature, knew nothing about.

      So, you need both. You need the broad background, and then you start building in the deep dives. But with upskilling people, and when we need so many people in IT now, we cannot wait years for you to get enough deep skill in a broad enough range. So, come to us with a broad background. I remember, I had this kid as an intern, where I work right now and he came in and he had studied a bunch of different things. He had studied CCNA and stuff in college. He’d never implemented any of that stuff. But I was able to say, but now don’t forget, didn’t you learn about this? And here’s how we’re going to apply it. And he just caught on immediately, because he already had the background.

      [00:11:12] CS: Right. I guess I want to speak to that, in the sense of you hear the sort of concept of the cert collector, like, which I think is kind of like the cybersecurity equivalent of like, the perpetual student. They just kind of keep almost getting Master’s Degrees, just because they’re interested in learning stuff. Looking at your 40 plus certifications, you might look like a cert collector, but in fact, like you said, you got them all as part of tools and job requirements and stuff. So, can you speak to sort of like the sort of mindset of the cert collector versus someone who knows enough to use it for practical purposes, and you might just have to get a lot of them?

      [00:11:54] CT: Well, I mean, the cert collector is going to have a very broad initiation into concepts and technology. I mean, heaven knows, like I said, for me, it’s been so cross disciplinary, that if I have to tackle something that’s maybe network oriented, maybe I can write a script to automate it. 10, 15, 20 years ago, we wouldn’t even have thought of that. So, now I’m looking at containerized, virtual machines, and containerized apps that we’re talking to a virtual machine that is not a whole operating system is just one app. But we have to do constant improvement on it and automating that. I mean, all these disciplines all come together.

      So, right now, I’m working, I’m going to just create just a really simple little app that uses global positioning to identify where all of our assets are, and just dump them into a little table. I’ve been talking to our project manager about that. So, it’s all cross disciplinary. It all feeds together, it gives you this whole big, rich landscape.

      [00:13:01] CS: Yeah. Now, you said you’ve been an educator for 20 years. Some of that, I’m sure is in cybersecurity as well, or good part a portion of it. How has the training landscape changed in the time since you began?

      [00:13:14] CT: Oh, well, I mean, CompTIA started Security+ in 2002. I mean, when I very first started out, it was all about functionality. Server does this, the network does that. Then we started worrying about security. Microsoft made some spectacular mistakes with some of their operating systems, that were just the glory days of hacking, I’ll tell you.

      [00:13:37] CS: Can you speak to that a little bit?

      [00:13:38] CT: Yeah. Windows 2000. Unicode exploit is built right into IIS 5.0. DICOM buffer overflows that take no effort. Stuff that to this day still exist. I mean, right. I was at an organization that creates medical instruments. They create eye examination things, and this is a really well-known brand and they were still using Windows 2003 for the operating system for some of their instruments. I was like, “You guys, Microsoft is no longer patching Windows 2003, you might want to reconsider your foundation.”

      [00:14:23] CS: But going back to the sort of educational landscape, like you said, you started with CompTIA back in the day. The sort of methodology of teaching obviously, the last year, it changed an awful lot. But can you sort of talk about the way and the sort of concepts that you’re teaching and so forth in the last two decades?

      [00:14:41] CT: Well, it has tracked along with the complexity and the growth of the technologies itself. So, in the beginning, it started out with, “Oh, we’re just going to scan a network and there are a few little things in the operating system.” Now, it’s like let’s go into the applications. Let’s see the APIs. Let’s see where the vulnerabilities are. Let’s identify when we cross one trust zone to another.

      So, it’s grown in complexity to track along with the technologies, as well as the industry interest. For the longest time, industry was just not interested in security. It was always something that people scrambled to deal with, after there was some major incident. Security, application developers, even to this day, were quickly trying to pound something out to go to market, so they could be a competitor.

      But now, if you look at Forrester, that research firm, they put out their 2021 report, and where they were asking, a couple thousand different organizations, what is your most important tactical focus for the next 12 months for cybersecurity? And they said, secure application development. So, this is like the number one thing. Companies are starting to pay attention, gone are the days of, “I’m a cowboy, I hack it till it works” kind of thing. Well, training has also gone to that, not just simply, well, we’re going to scan this and we’re going to ping that. No, now we’re getting far more complex. We’re trying to become hold advanced, persistent threats, where when we manage to break into something, we’re going to leave a backdoor that calls back to us. I mean, it’s just gotten more complex to track the complexity of how the world has changed.

      [00:16:35] CS: Right. That makes total sense. Now, in your opinion, speaking outside of specific secure coding or whatever, what are the cybersecurity skills that are most in demand these days and which are most likely to accelerate your career? And specifically, to that point, what are some skills that people overlook in their studies in preparation that you think, everyone – I know you mentioned networking before, that’s probably one of them. But can you speak to that a little bit?

      [00:16:58] CT: Yeah, sure. So, for the things that are most in demand, data analysis, with artificial intelligence. So, AI data analysis, I think, it’s going to become a bigger and bigger and bigger thing, because we’re using AI for so much stuff. We’re using AI for so much data crunching. I think that’s going to be the big thing. And then any data science where you’re finding a way to make data become more practical and valuable to an organization. So, I think those are going to be the big ones. But there’s also development behind that, there’s infrastructure behind that. It’s not just the data science. It’s all the stuff that goes with it. So, can you be an app dev and support data science or AI? Absolutely. You’re going to have to write applications that take advantage of AI.

      [00:17:49] CS: Okay. Yeah. I think it’s the first I’ve heard of that. So, I’m glad you mentioned it. Everyone’s taking notes out there, hopefully. So, as listeners in the show, description, and from my intro at the top, today’s main topic is secure coding and your Infosec Skills path covering this topic. So, we have people listening, who have zero years in cybersecurity, 4 years, 10 years. But people who are coming to this podcast interested in learning more about different cybersecurity jobs and careers. Could you explain what secure coding is and what the job of secure coder is within a cybersecurity team?

      [00:18:25] CT: Once upon a time, when we went to college, or we picked up a book, we tried to create a little app that did something with a little game or with a calculator, or something. We were only interested in its functionality. Secure coding simply means that as I create this app, I am going to make sure that from the get go, from my design, and the requirements that the client gives me or what I think the requirements will be if I’m creating a game to sell with something. From the get go, I am going to do security by design. Because right now, insecure, vulnerable apps is one of our biggest vectors into data breaches, hacks.

      So, I’m not just going to make something that works and has a really cool interface and really beautiful something. Yes, I want to do that. But I want to make sure that all the data is encrypted, that I validate input, that I filter unwanted characters that could possibly be interpreted as commands, and I want to do all that stuff and I want to think about it from the get go. I don’t want to just add it after the fact.

      [00:19:34] CS: So, that requires kind of a different mindset. Okay, I guess to break this out further, does that mean that there’s kind of a – are secure coders different from coders, I guess is my question? Is there someone who codes or is it that we want coders to become secure coders?

      [00:19:52] CT: We want coders to become secure coders.

      [00:19:54] CS: Got it.

      [00:19:55] CT: A secure coder is simply a coder who now has a mature mindset of I will make sure that I try to bypass and take care in advance potential vulnerabilities. I won’t just hack it till it works. So here you go, Mr. Customer, it’s all bitchin, but just compromised your data and now suddenly, you know a million customer records are on the internet. A secure coder is a coder who now has a level of maturity for what the customer really is going to need.

      [00:20:30] CS: Okay, got it. Okay, so, to that end, you teach secure coding for both iOS and Android platforms. Can you give me a quick description of how the working methods for secure coding differs within these two platforms?

      [00:20:43] CT: Not much.

      [00:20:45] CS: Really? Okay.

      [00:20:45] CT: Not much. I mean, yes, we have two different development environments. So, for iOS, for iPhone type devices, we’re going to use Xcode. For Android, we’re going to use Android Studio, some people use Eclipse. Okay, so the tools are different. All right, fine. The languages, we’re using Swift and Kotlin, which are the two new languages of the two platforms. But the approaches are really the same, the fundamentals are the same. So, it’s like, “Okay, we’re going to start out by going to OWASP and seeing the top 10 Mobile vulnerabilities and see which ones actually applied to this or that platform.” Now, let’s make sure that we can sanitize input. Okay, how do we do it in Swift? Well, this, how do we do it in Kotlin? Well, Kotlin has this little feature that does it automatically. Swift has that little feature.

      So, while there are minor differences, the approach, I deliberately made the approach as parallel as possible. Yes, it’s true that there are some differences, but for the most part, the underlying principles are exactly the same.

      [00:21:49] CS: Okay, so realistically, if you program in both, you do work in both platforms, if you learned in one platform, you would probably be able to sort of suss out the differences in the other on your own? Does that make sense?

      [00:22:04] CT: Yes, I mean, and the courses, I’ve aimed them also, so even if you don’t have much experience at all, in coding, or in that language, I explain what every line of code does in the activity. This part is going to do the hashing and why do we need hashing? Well, let’s see before and after. So, you can be a beginner and sort of get the gist of what’s going on. You can certainly understand the concepts even if you don’t fully understand the language.

      [00:22:32] CS: Got it. Okay. Now, could you tell me about the CertNexus secure coder cert? What does that cover? And what difficulty level is it? Is that the only secure coding certification out there?

      [00:22:44] CT: I went looking, and although there are universities that have diplomas and degrees in secure this and secure that. Carnegie Mellon CERT even has a certification in secure C and C++ coding. I’m not sure how many people are going to want to pursue that. I don’t know.

      But there really aren’t. I mean, there are small groups that have their own little things. But the CertNexus one is like the only sort of industry standard, well recognized that I was able to find. So, the CSC 210, which is the exam right now, it was originally intended for the old coder who hacked it till it worked in whatever language, even if they did it in Visual Basic or something. And who had never had to think about programming from a security perspective. I did all the activities in Python, because it’s a fairly easy language. But you can be a beginner, because it’s all about the underlying principles. And then we do these really fairly simple activities.

      Okay, let’s hash a password. Well, that’s fairly simple. Okay, let’s make an SSL connection, as opposed to a plain text connection, few lines of code or an AI library. So, you don’t have to be a master coder. You can be beginning or intermediate.

      [00:24:13] CS: To that end, would it make almost more sense to do secure coding before you started learning coding?

      [00:24:20] CT: Yeah, definitely.

      [00:24:21] CS: Learn the fundamentals of the idea of it first, and then actually go in and – okay, that’s good to know.

      [00:24:26] CT: Yeah. Because with a CSC, you learn it. And yes, we’re doing activities in Python. But then, we kind of go over the same thing. But now take it into the language specific things when we do the iOS or the Android.

      [00:24:41] CS: Got it. So, for listeners who currently subscribe or decide to subscribe to Skills based on today’s episode, can you walk us through the sort of curriculum of your secure coding classes? At the end of the course, if they pass and retain all the knowledge, what will they be able to do in a secure coding environment?

      [00:24:59] CT: You will already understand what causes software defects. You’ll know how to watch out for these problems with the language and the platform as it is now, and how to always be looking for new vulnerabilities that are discovered. You’ll understand the method and be able to apply it regardless of the language difference, the platform difference, the new technologies that come out, because those basic principles are going to be the same.

      [00:25:28] CS: Okay, so beyond studying for your skills path, certs, what are some other areas within this field, secure coding and coding and so forth that you’d recommend students study once they’ve completed these educational tracks? How far up in difficulty and complexity, the secure coding go is something to be learned, and then where can you apply it to?

      [00:25:50] CT: Well, I’m secure coding is really meant for beginning and intermediate students. Get yourself to an intermediate level on a fistful of languages, just so that you have a broad capability. Python, Java, if you’re going to do mobile app development, do the Swift Kotlin thing. If you’re not doing mobile app development, maybe some of the web app or your PHP, learn some, just sort of broad range to an intermediate level so that you have a good basic skill set that, “Oh, you can do this and that and that. Okay, you’re hired.”

      [00:26:26] CS: Nice. So, you’ve taught in many different environments, and probably even a few new ones in the last year here, but what are some benefits to the sort of specific skills-based education and training styles of other methods, degrees, or what have you, that people might not be aware of?

      [00:26:44] CT: The thing about skills-based training is that it focuses on what an employer is going to need right off the bat. So, I need to know that you can come in and join a team and quickly catch on to do X, as opposed to you have started like general knowledge. I’m not dissing the diplomas and that sort of thing. Because they’ll hopefully teach you critical thinking and analytical thinking. But employers would like to put you to work right away, and get you part of a team so that we can get this something, something game out the door. Or we can get this whatever it is, to market quickly. And so maybe you’re a junior developer, maybe you haven’t done much work in that particular language, maybe you start out just by doing something specific, but you are part of the team and they need you.

      [00:27:44] CS: Okay, so without a professor assigning weekly tasks, I think, it’s kind of hard for some people to stay on track to meet their learning objectives. I’m speaking to this guy here. But do you have any tips to help lifelong learners stay focused on training and accomplish their goals, when there isn’t necessarily a finish line at the end or a final exam?

      [00:28:03] CT: Well just realize that it’s a marathon, not a sprint. Give yourself a break. Sometimes, and I’ve certainly done this. I’ve gotten too focused on one particular discipline, and then you’re wearing a groove into your brain. You’ve got this rut. Do something totally different. Not too long ago, I was finding myself getting into that rut, and I decided that I was going to do something totally weird and funky. I was going to start taking apart old cell phones. I broke a bunch of them, but learning how they go together is the tinkering thing, right?

      Do something like very different. It will still keep your brain going. Give yourself a break. If you are lifelong learning, as so many of us do, realize that you don’t have to rush to any finish line. You just pursue things that are interesting to you. No way, are you going to be an excellent generalist anymore. There’s no such thing. You’re going to have to specialize in a few things. Pursue the things that are interesting to you. And if you need a break, if you’re studying, if you need to just get away, I’ve had students say, “Sorry, you haven’t seen me for a while, but I had to just get away from this for a while.” That’s okay. Go and do something very different. Play music. Play guitar.

      [00:29:26] CS: Yeah, absolutely. So, as we wrap up today, where do you see cybersecurity education going in the coming years, whether COVID or otherwise? What are some innovations we can expect on the horizon? What are some issues that you hope will be resolved?

      [00:29:39] CT: Well, I hope that we can continue to bring coding into maybe countries or communities that are underserved, because it’s a great – you just need a laptop to get started. It’s a great way to start really developing a really in demand skill. So, I hope that we can continue to give the bandwidth and the tools, which are relatively small to communities that need it, that they’re underserved so that the playing field is more leveled. We have more folks from other countries that you wouldn’t expect, or more girls or more folks who traditionally, or disabled people or whatever, who we don’t traditionally think of. So, I’d like to see a lot of that. I only see cybersecurity and cybersecurity training for both developers, implementers, end users, I only see it getting more and more important, because cyber threats are getting more and more sophisticated.

      [00:30:52] CS: Well, that leads into the next question perfectly. I want to talk to you about IT Without Borders. How does this organization go about achieving its goals of bringing technical unification, innovation, and education in the underserved parts of the world?

      [00:31:06] CT: Well, I spent almost six years in Africa. One as a contractor, well, half of it as a contractor for the CDC, working on a health informatics program in southern Africa. So, my job was to develop a training and certification program, that was part of the larger accreditation required, so that you could legally dispense HIV drugs in that country. I had to train IT professionals, clinicians, trainers. So, that was really exciting.

      Some of my like core colleagues and students, we created sort of this little group, and pretty soon the next thing we knew we were training orphans and how to just use a computer and we were training housewives who’d never used a computer. In fact, one girl, I had this group called Cyber Engage. These are my most advanced students. In one time, they were just over on a Saturday and I had taken apart computers and putting it back together and this and that. And the housekeeper said, “I know some women, we’d really love to learn some of this.” And I thought, “Okay, well, what we’re doing now is too advanced for you.” But I had my students each take turns, coaching these women. So here, they were in the kitchen around one laptop, and wouldn’t you know what, I found out months later that one of those gals actually got a job as sort of like an administrative assistant, from what little computer knowledge learned from that. That is what it’s all about. That’s the thing that really just totally turns me on.

      I mean, right now, we’re kind of on hiatus because of COVID. I’ve got some of my students that and I’ve said to my students, I said, “I’ll teach you for free. But you are going to have to teach other people for the rest of your lives and make them teach other people, that’s the deal.”

      [00:33:02] CS: Well, to that end, are volunteers or other workers needed in the project seems? If so, where can listeners who are listening to the show right now get involved?

      [00:33:10] CT: Right now, not, because COVID is just ravaging Africa terribly. I’m in the US doing a bunch of stuff. But you can see what we’re doing. Just find me on LinkedIn. Look me up on Facebook. I don’t get a lot of time to get on social media, but you can see what we have been doing. Send me a little note, and if we get stuff going again, and I get a chance to go back over there again, I’ll definitely want some volunteers.

      [00:33:38] CS: That’s awesome. So, speaking at the end here, if our listeners want to know more about you, Chrys Thorsen, or many other activities, where can they go online?

      [00:33:46] CT: Well, just go to – I don’t have a website right now. Just find me on social media. Find me on LinkedIn, find me on Facebook.

      [00:33:54] CS: People can contact you on LinkedIn, then?

      [00:33:56] CT: Yup.

      [00:33:57] CS: Okay, fantastic. And that’s C-H-R-Y-S Thorsen, T-H-O-R-S-E-N. All right. Well, Chrys, thank you so much for your time today. This was really illuminating.

      [00:34:06] CT: Well, I really appreciate you having me. And for all you guys who are out there studying, don’t ever give up. It’s a forever journey. Just always enjoy it. I mean, the moment it becomes a drag, do something different. Always keep it fun.

      [00:34:23] CS: Thank you so much again, Chrys. That’s awesome. It’s a great way to end.

      [OUTRO]

      [00:34:28] CS: As always, I’d like to thank everyone who is listening to our podcast at home, listening at work or listening at work from home. New episodes of the Cyber Work podcast are available every Monday at 1 PM Central both on YouTube, on video, and audio wherever you find podcasts are downloaded.

      I’m also excited to announce that our Infosec Skills platform will be releasing a new challenge every month with three hands-on labs to put your cyber skills to the test. Each month you’ll build new skills ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we’re giving away more than $1,000 worth of prizes each month. Go to infosecinstitute.com/challenge and get started right now.

      Thank you once again to Chrys Thorsen and thank you all so much for watching and listening. We’ll speak to you next week.

      [END]

Cyber Work listeners get a free month of Infosec Skills!

Use code "cyberwork" to get 30 days of unlimited cybersecurity training.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Carbon Black, IBM, CompTIA and others to discuss the latest cybersecurity workforce trends.

Hands-on training

Get the hands-on training you need to learn new cybersecurity skills and keep them relevant. Every other week on Cyber Work Applied, expert Infosec instructors and industry practitioners teach a new skill — and show you how that skill applies to real-world scenarios.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.