How to begin your own cybersecurity consulting business
On today's podcast, Kyle McNulty of Secure Ventures talks about interviewing the people behind the most up-and-coming cybersecurity startups. We discuss the best advice he's received on the show, how to get your own podcast off the ground and his own security startup, ConsultPlace.
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
- 0:00 - Intro
- 2:40 - Getting into cybersecurity
- 6:00 - McNulty's education and career
- 9:50 - Getting into consulting and startups
- 14:08 - Secure Ventures podcast
- 17:45 - Best insight from a podcast guest
- 20:13 - Startup stories
- 22:10 - Startups during COVID
- 23:42 - Advice for startups
- 25:22 - How to begin a podcast
- 33:25 - Tips for cybersecurity newcomers
- 35:04 - Upcoming podcasts
- 36:15 - ConsultPlace work
- 38:00 - Find more about McNulty
- 38:42 - Outro
[00:00:01] CS: Today on Cyber Work, it is a podcast swap. Kyle McNulty of the podcast Secure Ventures joins me to talk about interviewing the people behind the most up and coming cybersecurity startups. We discussed the best advice he's received on the show, how to get your own podcast off the ground, and his own security startup consult place all that and more today on cyber work.
[00:00:26] CS: Welcome to this week's episode of the cyber work with Infosec podcast. Each week, we talk with different industry thought leaders about cybersecurity trends, the way those trends affect the work of Infosec professionals, and offer tips for breaking in or moving up the ladder in the cybersecurity industry.
Kyle McNulty is a cybersecurity jack of all trades. He has worked in consulting for several years, most recently leading the cloud security and DevSecOps practices for CDW and Focal Point. He also has his own podcast, Secure Ventures, where he interviews CEOs and founders in the space. Additionally, he's a founder himself building a cybersecurity consulting marketplace, which is called Consult Place to solve problems he has faced firsthand. So, it's always fun to have a fellow podcaster on the show and we've had a few. And Kyle has interviewed a bunch of great guests on Secure Ventures. So, I'm looking forward to learning about what he's learned in doing the show and what He has planned for the future. Kyle, welcome to Cyber Work.
[00:01:21] KM: Yeah, thanks for having me. I mean, same goes for me as well. I always enjoy talking to other podcasters, hearing about some of their experiences, and it's great to be on the other side of the mic here.
[00:01:33] CS: Absolutely. Yeah, it is. It makes a nice change. So, the thing I always like to ask at the start is to just get a sense of your cybersecurity journey. When did you first get interested in computers and tech and what got you first excited about cybersecurity? What was the initial draw?
[00:01:51] KM: Yeah, computers was definitely very young. I grew up in an age where everyone was playing video games from a pretty early age. And then one of my first experiences with cybersecurity, which didn't even really occur to me as a cybersecurity kind of scenario until later, but was hacking a video game that I played with my brother growing up. So, I was able to find like, some basic exploits online, wasn't anything groundbreaking that I was doing, per se, but certainly just an interesting experience playing around. And then later in college, I discovered Batman's Kitchen, which was a hacking student group at the University of Washington, and was basically just blown away by the complete lack of knowledge that I had about the space and was really interested to learn more, and so that just kind of carried on from there.
[00:02:40] CS: Can you talk about that group? I mean, did they act as sort of mentors to you? Was it sort of a friendly rivalry? Did they welcome you in?
[00:02:49] KM: Yeah, it was definitely an interesting, I think culture within that group. And the first meeting that I went to, there was a presentation from extra hop. And I remember knowing not even 40% of what was discussed in that meeting. I kind of picked up after I went to more and more meetings that there were a lot of other people that kind of stumbled upon this group, but then would just kind of move on. And so, because it was so daunting, I think there was kind of an understanding that, okay, only a select few are actually going to kind of continue on and be a part of this very kind of close-knit group.
And admittedly, I never made it into that extremely close-knit group. They were doing all sorts of capture the flag competitions. But I did keep going and over time, I think they realized, like, “Okay, this guy's actually here to stay like maybe he's not going to fully dive in and become like one of our key contributors in the competitions themselves, but he's clearly interested in the space and wants to contribute.” So, they were great about just kind of welcoming me and showing me the ropes on some of the the easier Capture the Flag problems and bearing with my very novice level questions. But it was a good experience all in all, and certainly my introduction to the more technical aspects of cybersecurity and penetration testing in particular.
[00:04:12] CS: I mentioned also the sort of the community of it, that you had all these people who are very excited about this one thing, and even if the newcomer is sort of – they sort of sniff the perimeter a little bit, they're they're all excited about this one thing and they want to make sure that you're bonafide before you jump in as well and that's kind of cool.
[00:04:33] KM: Yeah, I mean, it was definitely interesting. Seeing something that was still kind of an academic focus that a lot of people were excited enough about to spend like their Friday and Saturday nights doing these competitions. I mean, certainly was a very kind of eye-opening experience about just the industry as a whole and, and how excited a lot of people really are about it.
[00:04:54] CS: Okay, so I like to start my research on my guests by looking through their LinkedIn profile and you get a sense of their – it’s a really good way to sort of get a sense of the the career arc and the journey. So, you graduated from University of Washington with a Bachelor of Science in Informatics and Cybersecurity. You had a few internships, as you said that were, just to have an internship or get through the holidays or whatever. But one was a summer internship for healthcare cybersecurity startup and you were the VP of communication for ISACA University of Washington branch, is that right? Before landing a job with KPMG.
So, I think we get a lot of comments in YouTube, comments after episodes and saying, “I've got this cert, I've got this degree, and I'm just not getting bites.” And I think there's this sort of notion that, like, once I graduate, like a limo is going to come up to my front door, and whisk me off to my dream job. But can you talk about this period of learning and gaining experience and networking, how it influenced your current career path?
[00:05:54] KM: Yeah, sure. I mean, I think, for me, and being able to reflect on it being on the other side of it as well, it's kind of easier to point to some of the things that maybe at the time, I didn't even realize I was kind of doing right, but then ended up paying dividends later on. And I think the the position at ISACA, definitely helped that was just a student group within the University of Washington, but being able to demonstrate the leadership capabilities that then translated well towards consulting. But even more so I think, and this is kind of the broader theme, being able to demonstrate that you have an interest in cybersecurity outside of classwork itself, right?
There's a lot of people that have taken a cybersecurity class, maybe that class leads to a certification. And at the end of the day, if that's just a part of a degree, it doesn't say as much to someone who's looking to hire you that you're genuinely interested in the field and passionate about it. Like we already talked about, right? There's a lot of people that are really excited about this field. And ultimately, the people who are excited about it are the people who are going to put in the time to learn and grow within the field.
What I've learned so far my experiences, practically none of the knowledge from my undergraduate studies in cybersecurity actually translate very well to the real world. A good example would be security operations centers, for example. I had never heard of that in college. And then sure enough, all of a sudden, I learned that companies are spending tens of millions of dollars on a security operation center every single year, maybe a few million dollars just for the technology stack within their security operation center. And so, you do have to have that kind of desire to learn about new capabilities within security. And I think different side projects, for example, or, again, getting involved with student groups, maybe it's even a cybersecurity specific internship. In my case, again, it was software development, but for a cybersecurity company, and you're able to kind of tell that story about your interest in the space that really sets you out from the crowd.
[00:07:47] CS: Yeah. Did you get a sense in your early interviews like that, that they were looking at these sorts of extracurriculars and seeing that you had this extra interest?
[00:07:57] KM: Yeah, definitely. I mean, I think another piece in particular was being able to talk about different security events that were going on around the time that I was interviewing. I think there's a lot of folks that were just kind of interested again in the space and we're always hoping to learn more even that we're interviewing. It's hard to stay on top of all the different cybersecurity news that's going on every day. And so, when you're able to talk about some event that your interviewer hasn't even heard of, make it relevant to the position that you're actually applying for and ask an insightful question. The interviewer is just going to immediately think, “Oh, wow, that's really interesting, something I hadn't considered before this person is clearly bringing some new perspective to the table. And they're clearly spending time in industry because they're able to go find all these different events that are occurring.”
[00:08:42] CS: Yeah, no. Okay, so let's talk about people bringing things to the industry. So, as I say, at the start of the show, we invited Kyle to the show because I like talking to fellow cybersecurity podcasters. So, Kyle hosts Secure Ventures in which he interviews, to use his own words, “Cutting edge founders in the cybersecurity space.” As that suggests, the emphasis has greatly on startup creators and entrepreneurs and how they got to where they are. And I see that you're also the co-founder of Consult Place at startup aimed at building marketplace solutions to address long standing issues and security consulting purchasing. So, first off, how did you get involved in the co-creation of Consult Place? And what is your interest in cyber startups in general?
[00:09:25] KM: Yeah, there's a lot to unpack there, to be sure. I mean, for Consult Place in particular, just the kind of ongoing experience that I've had in cybersecurity consulting over the last several years has exposed a couple of kind of common challenges that have occurred within the purchasing process like you mentioned in the little description there, right? In particular, most people when they go to look to purchase cybersecurity consulting services, they're going to look to their immediate network. Who did they know that used to work at x consultancy? Who on their team maybe used to work at y consultancy? And they're going to send out in RFP to request for proposal to maybe three firms.
Now, when they get those back, they'll go ahead and make a kind of triage decision based on what's been provided. But at the end of the day, reaching out to three firms probably isn't going to give you a full look into the market and what's really available to you. It's certainly not going to give you a competitive advantage in terms of price. A lot of times firms have varying capabilities across different domains.
So, for example, a firm that really excels in application security might not have the best security operations team. That's just the nature of the cybersecurity industry today is a lot of times people are very specialized. And so, you have different folks delivering these different projects and different focuses within a firm. So, the whole idea behind Consult Place was providing additional visibility into the entire cybersecurity consulting market and allowing these buyers to find the consultancies that are actually going to provide the most value for them.
On the seller side, it's also helping consultancies, generate brand awareness, when they're able to deliver valuable services to their clients, they're able to get rewarded for that in the market that's getting increasingly congested.
[00:11:08] CS: Okay, so do you have active sort of clients that sort of work with the space to sort of advertise their consultancy? And then you have kind of like a search capability or whatever? Is that more or less how it works?
[00:11:22] KM: Yep, you're on the right track. You can think of it sort of as like a Yelp for cybersecurity consulting at this point, where it's very review driven. And so, when someone goes and works with a cybersecurity consultancy, they can leave a review about the type of project that they had the value –
[00:11:36] CS: So, it’s more Yelp that Upwork then, basically.
[00:11:38] KM: Exactly.
[00:11:40] CS: You're not doing like the direct purchase through it then. You're just getting a sense of the scenery.
[00:11:47] KM: Exactly. So, making it a completely free service, got all these different folks that are looking for that additional visibility and looking to inform some of those purchasing decisions.
[00:11:55] CS: Okay. Do you get feedback from people who have used the service? It seems like it’s really helping people out, because, you know, I think you really hit on a nice point there where I think there's so many things that people have to do in their day to day job in cybersecurity or otherwise, where you're given the task of like, get a consultant, and you're like, I don't know where to begin with that. I don't even have a sense of what the landscape is like, let me just reach out to LinkedIn, people who have the right title in their name, or whatever. So, have you heard from people who have said that this sort of like opened up their strategies?
[00:12:27] KM: Yeah, we've gotten a lot of really positive feedback from all the different folks that we've shown it to. I mean, admittedly, the product still pretty early on in its lifecycle, and we launched fairly recently. And so, we're still really building out that catalog of reviews there. That can be a little shout out to the audience here. If you work with cybersecurity consultancies and want to help contribute to this kind of community-based platform, please do go leave a review. I'm sure we can drop the link in the show notes here. But again, a lot of the folks that we've talked to are seeing exactly what you just said, we completely identify with this problem and we're supporting it as much as we can.
[00:13:01] CS: Okay, so tell us about Secure Ventures and what listeners will hear when they tune in. So, what is an episode that would make an excellent intro to the podcast in general, either because it's so entertaining, or just encompasses the ethos of the show?
[00:13:15] KM: Yeah, I think the Bruce Schneier one in particular. He's probably the the biggest guest that we've had on the show so far, which was, again, I was a little surprised, actually, just when he responded saying that he was willing to hop on. But I mean, if you've listened to how I built this, for example, which probably a lot of folks here have, just because it's such a popular podcast, how I built this focuses more on entrepreneurs who have kind of already made it. So, if you think about like Drew Houston of Dropbox, for example. Drew's not getting a lot out of going on a podcast and sharing his story, right? That's just more him doing a favor to guy.
Whereas our goal is to interview founders, they're still in the trenches. So, these founders are working on cybersecurity companies. They're building from the ground up. They're trying to grow their sales pipelines, and I'm interviewing them to understand okay, what are some of the challenges that you've experienced so far? What was that transition? Like taking the leap into entrepreneurship full time? What are some of the unique wins that you've had in the cybersecurity space? And really, what's next for you moving forward? So, just try to be able to tell that founder story as much as possible here about their kind of career start in cybersecurity, like you kind of started this podcast off with and then how that transitioned into their endeavor today.
[00:14:31] CS: Yeah. Has your sort of approach to getting their story changed at all, just in the process of doing the podcast?
[00:14:41] KM: Yeah, good question. That's definitely something that I've been continuing to work on over time and try to be kind of liberal with tweaks as I just see different opportunities and get feedback from guests. One of the things in particular when I first started was I had a very kind of tight script, and so you can even see just listening back to some of the earlier episodes compared to some of the later ones, is it's very kind of like robotic, just reading through question by question, whereas – yup, exactly. And that's kind of easier and more comfortable to get started with, right? So, you have that kind of crutch to fall back on.
But then over time you kind of get the hang of it a little bit more and even just as you're going through, sometimes I'll just say, “Oh, well, that's interesting to me, like that point that you just touched on, and so that's probably interesting to the guests as well. So, let me just drill into that in a bit more detail and leave the conversations a lot more free flowing that way.” Generally, what I've heard is that's more enjoyable to listen to. So, I'll keep going that way. Keep going out of that way until I hear otherwise.
[00:15:35] CS: Yeah. And I think also, you probably have noticed as well. So, you started in January, is that right?
[00:15:39] KM: Yep, that's right.
[00:15:42] CS: Okay. I mean, for me anyway, like, I feel like I've learned so much more about the industry, just by the sort of getting a little insight from every guest also allows you to sort of ask the right questions a little better. Like you said, when you had that script, it's like I know I need to get these seven pieces of information out of them. But as you start hearing the same answers come up again, and again, that sort of brings up sort of new questions or new angles to nuance things out of people and stuff like that. So yeah, that's a very satisfying part of the job is hearing how sort of mechanical I found it the first couple of episodes and was just like gripping the script with both hands. “Please don't ask me any follow up questions. I don't know what you're talking about.” Anytime DNS security comes on the show, like my eyes, just go to test patterns. But it gets better as you do more of it.
So, what is the most surprising insight that a guest has imparted on your show? And also, what's the best piece of advice the guest is given, maybe something even that you've taken for yourself in your own career?
[00:16:48] KM: Yeah, in terms of maybe surprising insight, I've heard a lot of kind of mixed reviews on how challenging the venture capital process has been for these companies, and which maybe isn't surprising, if you're very kind of versed in the space. But typically, from an outsider's lens, it always sounds like this kind of impossible task of raising money, and especially at some of these valuations that these companies are bringing in. But there's a lot of founders that were able to get through it fairly easily, and able to kind of make that that leap into entrepreneurship, or immediately raise several million dollars, and be off with just an idea and start building a product.
So, it's been kind of incredible for me to hear, well, you don't need to actually have a full product already built out, you don't have to work without a salary for a year and a half to build a full product for this can actually be something feasible. There's a lot of people that are kind of midway through their life. They might have wife, kids, and they're able to still make this transition because of some of the different financing resources that are that are available out there.
In terms of the second half of your question, maybe the most valuable insight. I think there's so many different resources that I've learned from entrepreneurs on at this point. And I mean, Secure Ventures, I think is no exception to that. I mean, even just for me, as an interviewer, again, I hear these different stories. The biggest theme that really rings true for me is just the resilience that's required in order to build a successful startup.
I mean, again, a lot of these founders are kind of still in the trenches, still building, but even just hearing the stories from the ones that are a bit further along, it's like, everyone's gone through some sort of difficult challenge. There's always something that's unexpected. And there's going to be a different way to solve each of those challenges for kind of every company, every founder team, but as long as you're able to just kind of say, “Okay, I understand that these challenges are going to come, how am I going to push through this, maybe it's a full product pivot even”, which sounds incredibly daunting, but as long as you're willing to just find some sort of strategy to keep moving forward, then you're going to keep on moving and you're going to succeed eventually.
[00:19:07] CS: Yeah, I was going to ask about that. I mean, that sounds like sort of a transition to my next question, but were there any particular stories that you've heard, where it seemed like, especially like, the cards were stacked against, the startup, but it's somehow whether by an extreme pivot or just sort of last minute intervention or something that they managed to still make it work?
[00:19:29] KM: Yeah, I mean, I think if you think about the timeline of when I've been interviewing some of these founders, there's probably no more concentrated time in history, for unexpected surprises and just poor timing, right? I've been talking to founders, again, kind of early 2021 here, and so they're telling me their stories of going through COVID in 2020, what that really did to their businesses and some of the different ways that they had to pivot.
Now, thankfully, cybersecurity is certainly less impacted industry than many others if you think about, like hospitality or retail or businesses like that. But certainly, a lot of challenges, especially, again, going back to the trying to raise money piece, trying to go through pitches without actually getting to meet these different venture capitalists in person, no longer being able to rely on those kinds of local connections as much. I mean, in terms of examples, in particular, secure stack, for example, completely pivoted their platform in the middle of COVID. And part just trying to find a new way to get traction with customers, get traction with investors. Another good example was in visit Dean Shapiro, they went ahead and pivoted from a B2B offering to B2C, at some point in there as well, or I think it was vice versa. It was originally B2C and then later transitioned to B2B, had a full name change within that as well, and just trying to capitalize on where they found their product was going to have the most fit.
[00:21:04] CS: Have you had a sense of whether just funding opportunities kind of got a little tighter during COVID? Because I know, some people, a lot of reports say that the companies that invested hard when everyone else was storing against future calamities or whatever, were the ones that really cashed out. Do you have a sense of whether people were taking wild chances on startups? Or were they keeping their cards a lot closer to their chest just because of the uncertainty of the future?
[00:21:35] KM: Yeah, I mean, ultimately, if you think about March, April, May last year, it certainly slowed down for a couple of months. There was just so much uncertainty in terms of what was really going on in the market, how some of these different startups were going to be able to succeed and kind of push through. But if you think about past those couple of months, it picked back up very quickly. And if you look at it just kind of year over year investment, if I remember correctly, 2020 actually had more startup investment, than like VC backed investment, than 2019 did, even. So, it certainly picked back up there. But again, it's really challenging for a company if you're trying to raise money in a kind of short timeframe, and then three months are just kind of wiped off of the board, and then there's kind of this backlog of companies that are trying to raise money, you increase competition. So, even though more money is being shelled out, part of that could also lend itself towards higher valuations, as opposed to supporting more companies. So, there's a lot of different factors that are at play there as well.
[00:22:35] CS: Okay, so since the focus of this specific program, your podcast is the ups and downs of startups and their creators, can you give our listeners some advice for someone who wants to get involved in a startup? I know, we all know the process of a startup is fraught and exhausting, and more so with COVID. But what are some hidden challenges that you didn't even plan for until they happened?
[00:22:58] KM: Yeah, I mean, we already talked about the resilience piece a little bit. Another one to kind of harp on that I think holds pretty true with a lot of these different organizations is around experiencing the problem yourself. And the idea of having this kind of hidden competitive advantage is something that Peter Thiel talks about a lot. But having this kind of earned advantage, where you've experienced some sort of problem, which gives you a unique insight that allows you to better solve that challenge and come up with more creative and kind of spot on solutions that actually address it.
So, in the cybersecurity space, as a result of that, you often see folks that are a bit older than you might expect, again, kind of starting some of these different companies, because they have that time in industry to experience a lot of those different challenges and then they decide to go out and solve them themselves. So, that's, again, just kind of one area in particular. If you're thinking about founding a startup, what are some of the challenges that you've actually experienced so far? And how could you brainstorm different solutions to go ahead and address that? And then how can you go forth and make sure that other people are experiencing this problem as well? You're not the only one just due to unique instances in your environment, and then just kind of build out from there.
[00:24:13] CS: Yeah. So, and a more meta level for listeners who might want to share their own insights in cybersecurity by creating a podcast, do you have any advice for podcast newcomers either technical aspects or the process of finding guests? How's it been for you in this first year?
[00:24:28] KM: Yeah, honestly, I would say do it. It was way easier than I ever expected that it was going to be and yeah, it sounds like you've had the same experience.
[00:24:37] CS: Yeah, start anywhere. Start anywhere, start at any level of technical competency, just start getting a steady schedule.
[00:24:46] KM: Yeah, exactly.
[00:24:48] CS: People know to look forward to you every week or whatever, they're going to start doing it.
[00:24:52] KM: Yep. I mean, I know my biggest concern when I was first kind of brainstorming on Secure Ventures and what that might look like. I was like, “Who is going to want to talk to me? What founders are going to be willing to share their time with me to go through these stories?” These are CEOs, executives, how are they going to have time to come talk to Kyle McNulty? Well, sure enough, I went ahead and built a list from Crunchbase of just different cybersecurity startups in the space and started DMing some founders on LinkedIn, just kind of hoping for the best. How to response after my first cold message on LinkedIn, within six minutes from Ari Jacoby saying that he was interested in he ended up becoming the first guest. And that was just an immediate change in perspective for me.
I just discovered that, “Okay, I thought this was going to take, I mean, weeks, maybe even longer, maybe this was going to totally fail before I even got started.” Instead, after six minutes, I'd validated that I was onto something here and that people were willing to come talk to me. So, like I mentioned earlier, there were certainly improvements from a technology standpoint. I think that those first couple episodes are recorded on air pods and now I've got a mic and a headset here. I'm still no mic like your setup. So, there's still ways to go.
[00:26:12] CS: I don’t know if this necessarily better. It's just what's happening next year. So, we'll just keep trying.
[00:26:17] KM: Yeah, exactly. But yeah, so just like being willing to get started, give it a shot, and it kind of goes back to what we were talking about earlier. The same kind of resilience that comes with building a startup. I mean, if you just apply that and think, okay, how am I going to just go for it and give it a shot, and then work through any challenges that came up. I mean, in terms of – I know, you mentioned the technology pieces as well, there are so many platforms that make it easy to manage every other aspect of the podcast, I personally use anchor for actually publishing the episodes and distributing it out to all the different platforms, completely free to use. I use a phonic to actually help with some of the post production editing. So, the work that I have to do from an editing standpoint, is fairly minimal, which is good, because I'm not a great audio editor by any means. So, having some of these different tools that are available, again, completely free, I don't monetize my podcast. It's just sharing the stories makes it much more feasible to actually move forward with all this.
[00:27:18] CS: Yeah, that's something I want to add too, is I think, especially if you're a company that wants to start a podcast, or whatever, to have reasonable expectations of what's going to happen at the outset, like do it to do it. If you're like, looking to make money off of it within three months, or six months, or whatever, that's a losing prospect. We started this, just because we wanted to have a podcast of the space and also, just something value added to our classes and so forth. It took off faster than we expected. But I think if we had like made ourselves these deadlines of if it's not great, after three months, we're pulling the plug. It's not going to work. It just sort of happens over a long period of time and a lot of grind, I think.
[00:28:04] KM: Yep. Exactly. Again, as long as you kind of put the time in and have that long-time horizon. I mean, I know, for me, I was definitely hoping the listener count was going to explode a little bit faster. But as long as you see kind of that steady growth, that's exciting –
[00:28:21] CS: You get a little lurches now and again.
[00:28:24] KM: Yeah, and again, like you mentioned, you're not in it for the listener account, you're not in it for the money. If that happens, at some point after that continuous growth. Great. But that's just kind of value add, I mean, as long as, again, for me, it's kind of sharing the stories of these different founders, learning directly from them, and learning more about what it looks like to be a founder in the cybersecurity space. That's all interesting enough for me.
[00:28:47] CS: How far in advance do you have guests booked? And do you have any dream guests that you're dying to get on the show that we can shout out here?
[00:28:56] KM: I mean, in terms of booking out guests, it definitely fluctuates over time. I've had points earlier this year where the backlog has been like three and a half, four months, and I've had points where it drops down to one month. So typically, it'll be a significant period of time, because I only do episodes every other week, just to try to make sure that I'm able to balance all the other responsibilities going on with the full-time consulting gig, and then also all the consult place stuff.
But I mean, in terms of dream guests, honestly, I was thinking about this one a little bit more, and it would probably fall outside of security, but I'm going to go with it anyway. I think interviewing Elon Musk would probably be a super interesting conversation for me. It’s probably pretty basic, but just picking his brain on maybe some topics that he doesn't normally talk about, like health care, for example, like getting thoughts on what that might look like and maybe some of the technology driven solutions that he might have in mind for one of those spaces or finance again, outside of his kind of major – well, I guess he's starting to talk about finance a little bit more with all the dogecoin stuff, at least manipulating markets.
[00:30:09] CS: Have you sort of changed your questioning policy in terms of guests? Do you find that certain questions don't work and you sort of rotate them out? A surprising conversation and one interviewer will will sort of rotate into standard questions for future interviews?
[00:30:28] KM: Yeah, I think it's happened more kind of informally than formally. But certainly, over time, I recognize that there's certain questions are kind of areas of discussion, that might not be as interesting as I'd hoped when they're written up on paper. I mean, something to keep in mind, is a lot of times when folks are coming on to this podcast, they're doing so from kind of a brand and PR purpose So, they can't be 100% honest with everything that they talk about. So, it's kind of tempering, okay, how do we get at some of those interesting details without getting to the the components you're able to share?
A good example of that is I've had a lot of folks on the show who are ex-military, especially like ex Israeli military. And for me, I always wanted to hear, okay, what are some of those like crazy cybersecurity stories that probably got you especially interested in the field, in that kind of role? But ultimately, that's just a topic that these guests can't really talk about. So, I dropped that one entirely.
[00:31:32] CS: Yeah, I was going to ask. How hard are you willing to push? Have you had any pushback from guests in terms of you asking too personal questions or anything?
[00:31:42] KM: Yeah, I mean, I haven't had anything from a too personal standpoint.
[00:31:47] CS: Or too classified or whatever.
[00:31:48] KM: Yeah, from a too classified standpoint, I'll certainly just immediately back down, right? I'm not trying to have someone divulge information that they're not allowed to share. That's not my goal on the show here. I definitely want to make sure that my guests are comfortable. And I haven't run into any scenarios where they're hiding something where it seems like they should be very forthright, haven't run into any issues like that.
[00:32:14] CS: Yeah, not every podcast has to be an expose.
[00:32:17] KM: Yeah, exactly.
[00:32:17] CS: So, apart from potential startups and podcasts, for that matter, a lot of our listeners are just starting to think about careers in cybersecurity in general. Or they might be entry level positions, like, help desk and they're trying to take the next step. What tips do you have for newcomers who might feel intimidated about where they're at? Or how to start their job choices?
[00:32:37] KM: Yeah, I mean, I think these touches back on a couple of those different pieces that we talked about earlier, right? But another couple components that tie into that, is just understand that there's very much a need for cybersecurity professionals in the industry, right now. There's been negative unemployment in the space for several years. And so, companies are willing to bring in a lot of those junior level positions.
Now, look, not every company is willing to take in someone who has no hands-on cybersecurity experience. But there's more and more of these kinds of rotational programs that are spinning up just other opportunities to say, “Hey, if you're interested in cybersecurity, we'll give you the opportunity.” But this goes back to what I talked about earlier, is really demonstrating that you have that interest in cybersecurity, and that you're willing to put the time and the effort.
If you work in a helpdesk, for example, you have to be able to tell that story of kind of why you're interested in cybersecurity, what you've done that relates to cybersecurity in some capacity, maybe how you're spending some of your free time outside of work in order to accomplish that, rather than just saying, “I work in the helpdesk. I've dealt with some cybersecurity focus tickets, and I want to do more cybersecurity.” That's not as compelling of a case. There's a lot of people who are trying to do that same transition. So, you have to go that little bit extra in order to kind of stand out from the crowd.
[00:33:56] CS: Yeah. So, as we wrap up today, can you sort of tease anything that's happening on the podcast that you're excited about that's coming up? Or is it all a secret?
[00:34:06] KM: No, it's definitely not all secret. I mean, I'm always excited about some of the different guests that I'm talking to. One of the things that I've been a bit more kind of lenient with over the past handful of months, and this goes back to just kind of general changes over time, is not interviewing strictly founders. So, Bruce Schneier is a good example of that, while he's founded, like his blog, for example, he hasn't founded a cybersecurity company. I interviewed Eric Cole, he actually, again founded like a cybersecurity consultancy, but the main topic that we discussed was him being an author.
And so, one of the episodes we'll be releasing shortly is me interviewing a chief information security officer at a major energy company. Again, kind of share a different perspective on the podcast, rather than just the founders themselves who have kind of built these companies. Well, what are some of the parallels that we can draw from a cybersecurity leader within a company in terms of how it might compare and building a team working towards different objectives, and having some of those different goals and the challenges that they've faced along the way.
[00:35:11] CS: Okay. We've talked about Consult Place a little bit, if you want to talk any more about some of your upcoming work with that, feel free. Also, I don't know, if you want, how about your work with Focal Point Data Risk at all?
[00:35:24] KM: Yeah. I mean, like I kind of alluded to earlier in the episode, from a Consult Place standpoint, if that's something that is interesting to you, again, if you work with cybersecurity consultants, and want to go ahead and leave a review on the platform, that's certainly helpful for us to continue growing if you're a consultancy, and is trying to grow, completely free. It only takes a minute. I've designed the the user experience to make sure it's as easy as possible to go ahead and leave a review. And again, if you're a consultancy, and you're trying to gain some brand awareness, either reach out to us or go ahead and talk with some of your different customers and get them to leave a review on the platform. It's free marketing for you that way, as well. So, there's no issues with that.
From a CDW/Focal Point side, I mean, I'm really excited with everything we've got going on from an attraction standpoint. Again, came from Focal Point Data Risk, we just got acquired by CDW just a couple of months ago. And then just in the last couple of weeks, they now acquired Sirius as well. So, CDW is really making a name for themselves. It's kind of the biggest player in cybersecurity reselling, and now they're making that transition into services as well. So, there's all kinds of growth opportunities. Again, I specialize in cloud security and DevSecOps. So, if you're interested in just having a conversation about some of the challenges that you're dealing with there, please feel free to just shoot me a message on LinkedIn and we can kind of get connected from there. There's no cost, no pressure, happy to just kind of share some insights and thoughts.
[00:36:54] CS: Nice. Alright. Well, that's last question for all the beans here. If our our listeners want to know more about you, Kyle McNulty, Secure Ventures podcast or any other things, you want to throw some URLs at us?
[00:37:04] KM: Yeah, sure. I mean, probably the number one place to go is just my LinkedIn profile and then you can kind of crawl out from there, but secureventures.io or Secure Ventures on any podcast app, wherever you're listening to Cyber Work here. Consult Places, just consult.place, pretty easy. And again, CDW, that's a very straightforward one. You'll probably get lost if you're trying to look at their website for more than like six seconds. But again, just shoot me an email and I'll get you whatever resources or conversation you need.
[00:37:35] CS: All right. Well, Kyle, thank you again for joining me today. This has been a lot of fun.
[00:37:39] KM: Yeah, thanks for having me, Chris.
[00:37:40] CS: And as always, I'd like to thank everyone at home listening or watching at home, at work, work from home. New episodes of the Cyber War podcast are available every Monday at 1 PM Central both on video at our YouTube page, and on audio wherever find podcasts are downloaded.
I'm also excited to announce that our Infosec skills platform will be releasing a new challenge every month with three hands on labs to put your cyber skills to the test. Each month you'll build new skills ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we're giving away more than $1,000 worth of prizes each month. Go to infosecinstitute.com/challenge and get started right now.
Thank you once again to Kyle McNulty and thank you all so much for watching and listening. We'll speak to you next week.
Subscribe to podcast
Free cybersecurity training resources!
Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.
Weekly career advice
Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.
Q&As with industry pros
Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.
Level up your skills
Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.