How to keep your cybersecurity knowledge fresh

Chris Sienko: Cyber Work with Infosec has recently celebrated its 100th episode. Thank you to all of you that watch and listen and subscribe to both the audio podcast and our YouTube channel. We're so grateful to hear from all of you and we look forward to speaking with you more about all aspects of the cybersecurity industry. Celebrate this milestone. We have a very special offer for listeners of the podcast. We're giving 30 days of free training through our InfoSec skills platform. Go to infosecinstitute.com/skills and sign up for an account or just click the link in the description below while you're there. Enter the coupon code cyber work, one word all lower case "c-y-b-e-r-w-o-r-k" when signing up and you will get your free access, you'll get 30 days of unlimited projects to over 500 cybersecurity courses featuring cloud hosted cyber ranges, hands on projects, customizable certification, practice exams, skills assessments, and more. Again, check out the link in the description below and use the code "cyberwork", C - Y - B - E - R - W - O - R - K to get your free month of cybersecurity training today. And thank you once again for listening and watching. Now let's get to the episode. Hello and welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, offering tips for those trying to break in or move up the ladder in the cybersecurity industry. As you may have heard at the top of the show with our little promo InfoSec skills is going to be a big part of our educational offering for 2020 and beyond. Infosec Skills is an interactive learning platform that most 500 plus security courses featuring cloud hosted cyber ranges, hands on projects, customizable certification, practice exams, skills assessments, and lots more. Our guest today, Robert McMillan is an InfoSec skills course creator and has had some pretty extraordinary early experiences in it and consultants. But now he's decided to help future it aspirants through education and training. So we're gonna talk about all of those things and more with him today. Robert McMillen is the past president and founder of all tech one LLC, a Portland, Oregon based network consulting company. In 2017 the company was sold to black point it consulting based out of Seattle. Some of his higher profile jobs have been restoring email for the government to prosecute Enron executives during the network vulnerability assessment team for the U S Army and perform wireless security auditing for the state of Washington. NSA also requested an interview, but he decided he had had enough people looking over his shoulder for now. Robert, thank you for being on the podcast today. Thanks for having me. So you've teased us with some pretty fascinating sounding stories,which we'll get into in a moment, but I want to know sort of how and when you first got interested in computers and tech and security. Was this something that you're interested in since you were a kid or did it come later in life?

Robert McMillen: Well, I started out in the photography business. You know, I was really excited about being a photographer as a teenager. You know, I photographed for my high school and the newspaper and I was like, my first job was actually to ride my bike to go take a picture for the newspaper. So by the time I was 23, I was pretty, pretty good at it. I ended up, I had three stores and they were combination studios and one hour photos. You remember one hour photos, right?

Chris Sienko: I do, yeah, absolutely. Drop them off. Yeah.

Robert McMillen: Hopefully they're ready in an hour and then a week.

Chris Sienko: Yeah, that's right. And see if there's anything, if you shot anything worth, worth a name. That's right.

Robert McMillen: Well, one of my customers several years after I had started the the stores had brought me a sub one megapixel camera and he said that he didn't really need it and thought, you know, asked if I'd be interested in, and I bought it on the spot. It was, it was $900 back then.

Chris Sienko: What year would this have been?

Robert McMillen: This would have been 1994. It was pretty fuzzy, but I mean I had to, yeah. I had to see what this was about. I, you know, how is this going to affect my business because everything I was doing was film based. So I started to take pictures with it and I could really see its potential fairly quickly. And I knew that this was the beginning of the end of, of what, you know, I was basically in a wagon wheel business that was just that. It's last legs that you were yeah.

Chris Sienko: You were with the horseshoe man, combustion engines coming along.

Robert McMillen: So I made a decision, I decided to sell the assets of the stores, close them up, go back to college and learn computers and how they were going to change the world. So I completely went from, you know, taking pictures of weddings and developing pictures in the one hour to just going back to school to learn computers because I knew that was the way the future.

Chris Sienko: So that was like 94, 95 then.

Robert McMillen: Yup.

Chris Sienko: Do you still a photograph? Do you digitally?

Robert McMillen: You know, I had photographed 700 weddings.

Chris Sienko: Wow.

Robert McMillen: So I had to take a break, so I wouldn't even take pictures of family gathering.

Chris Sienko: I can imagine.

Robert McMillen: I let my wife do that. But now I've gotten back into it, and I really, I also enjoy the, the DSLRs because you know, you can do the video as well as pictures and so that, that's really a fun thing.

Chris Sienko: I don't want to dwell on that too long. But what do you, what do you think of the sort of like, you know, ever larger, you know, camera capabilities and ever smaller phones and stuff? How do you, how do you feel like that in regards to the sort of photographic landscape?

Robert McMillen: Well, they're obviously getting, you know, much better and I don't necessarily see them replacing professional grade equipment but I could, I could see people and you can actually see the sales of a camera's just going down, down, down. So I think it's pretty exciting. You know that it's happening and people are able to get better, you know, pictures especially, we need better pictures and videos of those UFOs that are coming.

Chris Sienko: Right. Exactly. They're always so fuzzy, yeah. Big foot, you know?

Robert McMillen: Yeah, yeah, yeah. I was going to say, we don't seem to ever get any clearer pictures just by having better cameras in our pockets.

Chris Sienko: Yeah. So, going back to the, what we sort of teased at the beginning there, you know, I've heard just the most abbreviated portion of some of these stories, tell me about the time you were called to restore emails for the Enron investigation case. What were your thoughts when the case was explained to you and had you heard about it before they called you?

Robert McMillen: No, I didn't even know what Enron was. I actually told my wife, I said, you know they're calling me down to this company called Enron to.. I said, what is that? Yeah. I don't think a lot of people knew who they were before the scandal, and the restoration itself really wasn't that exceptional. It was kind of interesting because they sent me boxes of backup tapes. You remember backup tapes?

Chris Sienko: Oh yeah, yeah.

Robert McMillen: So boxes of backup tapes, 40 feet long and two feet high. So it took a little while to get through all that. But what was interesting while I was sitting there and really the only person who knew I was there, as the IT administrator because he was letting on and I had to sign all these secrecy papers and things like that. So what was interesting was that everybody was doing business as usual. They had no idea what I was doing or what was about to happen.

Chris Sienko: And even the hammer hadn't come down yet is what you're saying?

Robert McMillen: That's right. Yeah. And the stock itself was trading at $60. When I started the restoration project. Two weeks later after it hit the news, it was just a few pennies.

Chris Sienko: Wow. So yeah, I mean, how did they find you? What was it about your consultancy company that they said, "Let's, let's go with this person". Had you been doing other stuff for a while?

Robert McMillen: Well, it was prior to my starting my company officially. What happened was I was just laid off the week before because of the dot com bust or the dot bomb recession back in 2001. And so I was actually jobless at that point and it was funny because everybody on my street was all in high tech and we were all jobless. We were all playing basketball day.

Chris Sienko: Yeah. Oh yeah.

Robert McMillen: Yeah, it was, it was pretty fun. But I got called back by the company that had laid me off and said we do business with Enron and we want you to do this one job as a consultant.

Chris Sienko: Okay. Are you saying it was a pretty straight forward job, but did you learn anything from that project specifically?

Robert McMillen: Well, what they needed was someone who was experienced in Lotus notes, which, you know, some larger organizations use, especially the accounting firms and also someone who understood a program called Arcserve, which is a backup program. And I was the only one who was certified and experienced in both areas. I actually, I didn't have any prior arrests. I had no issues with security.

Chris Sienko: You played basketball all day, what problem would you be?

Robert McMillen: That's right. So I think it was a right place, right time, kind of scenario. At that time I was nobody special. I just happened to have gotten experienced in the things that, that they needed. And, got lucky.

Chris Sienko: How about some of those, those other, there were some other interesting stories in there. You know, what are some other sort of interesting things that happened, you know, war stories, if you will, from your, your consultancy days. What were some of-

Robert McMillen: Well speaking of, of war stories, I did get a call from the Army, the US Army, and, they had heard about the Enron case and, some people were, you know, higher up were interested in what I had to say about cybersecurity. Now cybersecurity was really in its infancy, you know, around 2003 at that point and the war in Iraq was just beginning. And so they asked me to come up, so I did some training with the troops and helped them prepare for what was to come. Now that we didn't have the sophisticated attacks like we have now.

Chris Sienko: Right.

Robert McMillen: But so what I mostly taught them about was port security. So of course you've got, you know ports that are open by default when you install a computer or a server. And so what I did was I showed them how to protect themselves from malware by locking down ports, using firewalls, which again, most people weren't really using back then. It was a fairly new thing. So I had to show them how to use the firewalls, and how to protect themselves that way, because they were setting up TCP IP, you know, ethernet networks out on the battlefield.

Chris Sienko: Wow. So, that doesn't sound like there were a lot of competitors in your area. So I guess I'm trying to get a sense of like what the things that happened, you know, and these opportunities that came to you. Obviously, opportunities come, but you have all this preparation that allows you to sort of step up. Like what kind of advice would you give to people now. What should people sort of be aware of or have in their back pocket? What are some really useful security skills these days that could help you if someone comes to call and and said, "We want you to do this, this unusual thing".

Robert McMillen: Yeah, no, absolutely. Well of course there are degrees that you can get and certifications you can get, but the funny thing about it consulting and data security is how fast everything is changing.

Chris Sienko: Sure.

Robert McMillen: I also teach college now and I've helped out many, many of my students and colleagues start their own consulting practice. So I've had these very questions, you know, in front of me many times. And the first thing I tell them is that they should not be complacent. This is one of those industries that turns over about every three years. So that means that there is almost nothing over three years old that is very useful in a modern security role and three years from now, there's almost nothing that can help you that, you know, today.

Chris Sienko: Right, right.

Robert McMillen: So you have to be constantly learning and adapting to cyber criminals and modern threats. And this means taking more classes, doing skills assessment and Infosec, you know, watching video courses going to seminars, you know, learning new technologies and reading books, you know, whenever you can.

Chris Sienko: Always be learning.

Robert McMillen: Always be learning. That's right.

Chris Sienko: Yeah. Okay. I mean, do you have any sort of strategies for that? In the sense of like, like what, what should, like a person's average week, you know, obviously they're working a day job or whatever, but you know, do you recommend like, you know, an hour a night of just kind of like keeping up with things a couple hours a week, you know, what do you think?

Robert McMillen: Yeah. And that, that's a really good question. How much time do you spend? Now, when I went to get my degrees, you know, the, the early days when I went back to school to learn about computers, there were no degrees in infrastructure and cybersecurity like there are now. And cybersecurity is actually a fairly new degree program in many colleges and universities. So the things I learned were just basically ad hoc classes that I was taking, but nowadays it's a, it's a different story. So, round 2010 I decided, you know what, I, you know, they now have degrees and I should probably look at getting those degrees. I already had a lot of certifications and which was great. My business was already going great. But, sometimes clients would ask me, "Hey, you know, do you have a degree in, you know, that kind of thing and what did you get your degree in?". And so I decided, "You know what, even though, t the time I was 40 years old, it's time to go back to school". So I did. I went back, I got my Bachelor's Degree in IT Administration. And then I went for my Master's Degree in IT Management. And the way I did it was I worked, you know, my usual eight to five, although in, in, you know, consulting, sometimes it's six to 10, and weekends and things like that. I'm glad. But I would spend about two hours a night after I, you know, I'd go home, have dinner, spend about two hours a night, working on you know, get passing my classes. And that meant watching a lot of videos, reading a lot of books and of course taking tests. And then on the weekends I would plan on four hours a day for each day. Now, of course I had little kids at the time, wife and two kids. My kids are grown now or in college. But, was able to make that work for me because I still ended up having a couple of hours to spend with the family each night. And then eventually after graduating I had a lot more time available and I was able to make more money because, you know, I learned a lot of things.

Chris Sienko: Now let's sort of compare like 2001 with, with 2020 here, you know, or '94 whenever you were sort of first doing this, you know, obviously the, the landscape's changed significantly and sure, you know, on one hand, you know, you were able to sort of help with the Army by knowing about, you know, port security and things. So there were less things that you needed to know, but it was sort of harder to know them. Whereas now it's easier to find lots and lots of sources of information. But there's just so much more that needs to be done. Can you sort of sort of compare and contrast like the challenges, is it more challenging now? Less challenging now? Just different?

Robert McMillen: Well, what's happening in the it industry is the same thing that's happened in the medical community and that is there was a time where you, you'd go to the doctor and the doctor was the doctor of everything. That's, that's not the case anymore. You can rarely find a doctor who is doing general practice and that's exactly exactly what's happening in our industry. So you're seeing specialties, you're seeing everyone is going to a specialty. So I think that makes it actually easier because people no longer are expecting the it administrator to also be a programmer or to be a cybersecurity specialist. I thought it was interesting. I went to a company recently where they were having a security issue. They actually got encrypted with, you know, ransomware and their security team was actually so separate from their IT team that they wouldn't even let them talk to each other. Which I thought was, was really interesting because they believed that if the two groups were talking to each other, it could actually open up new security risks.

Chris Sienko: Oh, how so?

Robert McMillen: Well, because if you have disgruntled employees or you have employees that you know, don't necessarily know exactly what they're talking about and they're influencing other people, then you could have, you know, issues. So they, they believed that by separating -and they're not the only ones, a lot of large companies are doing this- by separating out those two groups, then the security folks can be watching the IT folks and the it folks watching and security.

Chris Sienko: Yeah. Watching with a little more distance or is sort of impartiality or something.

Robert McMillen: Oh yeah, exactly.

Chris Sienko: Do you agree with that?

Robert McMillen: I thought it was difficult because it, it makes ityou know, collaboration is a big part of learning.

Chris Sienko: That's where I'm coming from. That seems very counterintuitive to me. So I'm curious what-

Robert McMillen: I would agree. I think, I think it is counterintuitive. But we see a lot of this happening and, and you're also gonna see changes over time too, you know, five years from now they're going to say, Oh, what were we thinking? And then 10 years later, the goal, let's separate those guys again. You know, so there are people are practicing these things.

Chris Sienko: Oh yeah. Oh yeah, no, we were going to have, we're going to need more than one lesson, then we're going to get more than one lesson. So moving on to the heart of the talk today, you know, I want to hear about your work with Infosec Skills and I believe you have created our Windows 10 hosted security course. Is that the the one course you've created so far? Have you done any other coursework or collateral for us or anyone else?

Robert McMillen: I've done a lot of coursework for LinkedIn Learning as well as Microsoft. And I started out basically with a YouTube channel, which is where a lot of people found me- over 30 million hits right now. So things are going pretty well. But so when I got a call, the call from Infosec, I was really excited because I rarely get to talk about cybersecurity with any other medium. And so being able to just talk about security, especially with Windows, because that's really my specialty. I have a Microsoft Certified Trainer certification and a eight MCSS. So, you know, I really, I'm focused on Microsoft. I realize some people are focused on Linux and that's one of the great things about separating, these types of jobs , is you can focus specifically on something. I don't even know how to spell Linux, basically.

Chris Sienko: Yeah. Right, right, right, right.

Robert McMillen: Although Linus Torvalds lives just a few miles from me, strangely enough.

Chris Sienko: So, I mean, let's talk a little bit about what, what students will learn in, in your Windows 10 security class. Give me the arc of the course.

Robert McMillen: So the, the course in Windows 10 security basically says, "You know what? You already have most of the things that you need to know, most of the things that you need to keep your, your network secure". And a lot of people don't even realize that these are included in Windows 10. And, I've extended that into my new course for Windows server security, which is going to be released shortly. So I go through things like, did you even know that Windows 10 and Windows Server 2019 has an anti-ransomware button?

Chris Sienko: No.

Robert McMillen: Most people don't know that you can, you can keep, you know-we're always worried you have which anti-virus is going to keep us safe from ransomware. There's a button you can check that will keep hackers from encrypting your files. So that's one of the things I show. I show local security group, a group policy security settings that you can set. App blocker so you can decide, whether you're going to allow certain applications to run. [We] Go very much into BitLocker, which shows you how to encrypt your drives. I had a client once that thought their hard drives were encrypted because they were using a program from IBM that said that, "Hey, your files are encrypted". But when you took the hard drive out and moved it to another computer, they weren't really encrypted so you could see them. And so this, this client lost a laptop, just one laptop and they came to us and they said to us, "Hey, our it administrator said that this is encrypted, but we just want to make sure that it is before we decide whether or not we have to inform our clients". Because there are laws that say if you, lose a client data, you have to inform them. So I went ahead and pulled the hard drive out, put another computer, said, "Hey, these files are not encrypted Like your IT administrator said they were". That company sold a year later for pennies on the dollar because they told all their customers that they lost their data, and their value went down to almost nothing, just because they lost a single laptop. That's how important cybersecurity is.

Chris Sienko: I want to go back to this, this ransomware anti-ransomware button here just for a sec, cause I'm- you just blew my mind. But my two questions are like, one, how does this work? What exactly is the mechanism that keeps ransomware out? And two, why, why does Microsoft not have this like burned into the side of a mountain or something? Why, don't they advertise this everywhere? Why are we learning about this in a course? I mean, I'm glad you're telling us about it, but I'm so curious. Yeah. So, yeah. So let's, let's get back to this, this ransomware button. I'm so fascinated. Like why is, you know, like how does it work? I was not aware that there was a mechanism like that. And two, why is that not like default, you know, pressed or whatever.

Robert McMillen: Yeah. Why is it not turned on by default? Sure, totally understand that. Well the ransomware button can cause issues with certain encryption programs.

Chris Sienko: I see.

Robert McMillen: So if you're using a third party encryption tool and you turn this on, then it may not work right. So that's why it's not turned on by default. But if you do turn it on, the only type of encryption that will work are Windows supported types of encryption because it will whitelist that type of an application. But it's pretty cool. It says, "Hey, if this button is turned on, your files cannot be encrypted by any, you know, program that's not provided by Microsoft".

Chris Sienko: Okay. That's interesting. The big focus of Cyber Work-obviously as in the name-is, career and study and getting a leg up in the industry. So as someone who's worn a lot of different hats in the industry, what are some recommendations you have to help get people into cybersecurity who might have an interest, but no previous experience or background whatsoever. I mean, you went from photography into cybersecurity and, and obviously it's still possible now, but what do you think?

Robert McMillen: Yeah. So if you're really new to this, this whole industry, cybersecurity specifically is what you're asking about, right?

Chris Sienko: Yes.

Robert McMillen: Okay.

Chris Sienko: Cyber security, the whole, the whole umbrella, you know.

Robert McMillen: Oh, okay. Okay. So you're not just talking about cybersecurity, but basically anything that's out there?

Chris Sienko: IT or cybersecurity, penetration testing, [anything] part of the whole sort of family of things.

Robert McMillen: Yeah. Yeah. Well, you know, a lot of employees don't realize is you are going to have to pay your dues, so if it's your first it job, you're probably going to be on help desk, and if it's your first cybersecurity job, you're probably going to be reading and learning to interpret a lot of log files.

Chris Sienko: Right.

Robert McMillen: So I don't know if you ever had to go through a lot of log files before, but after a while it gets a little boring. But you know, that's how you pay your dues. So if you're, if you're brand new and don't know how to even spell or define TCP IP, then what I suggest is that you start out with your first certification to be the A+ certification and certifications are great because they are things you can earn very quickly. They have a lot of credibility. They don't cost a lot, and they don't take more than a few months to a year to get them. So you can use the resources at Infosec to more efficiently attain security certifications. But I would definitely start out with the A+ certification just because it's what a lot employers, including myself when I was an employer, that's one of the things I asked for. So by having a plus, you have a lot of base knowledge but there are many great cybersecurity and other it infrastructure degrees out there. Should you get them? Well here's the thing is are you going for a job that requires them? So you want to learn from the job boards. You know, you've got Indeed, you've got the LinkedIn, you've gota lot of different ones out there. Find out what they're looking for. So if your dream job says you need a degree, then you should probably go get a degree. And there's a lot of good ones out there. Like I said, now in cybersecurity, which I'm really excited about. I'm even teaching some of those courses myself. So if you're going to work for the really big employer: the one that has great job security and benefits in the whole thing. That's the US government and the armed forces, and they don't care where you got your degree from, they just want to tick a box saying that you've got it. So I wouldn't worry so much about where you get your degree, you know, as long as it's, you know, a reputable place. So you could even go to places that are less expensive. Nonprofit. I would definitely look for a nonprofit type of a college university and one that has a lot of online classes, if you work as most of us do and you need to do this kind of stuff after hours.

Chris Sienko: Yeah. To get a little more granular, in your opinion, what are some of the cybersecurity skills rather than certifications? What are some skills that are most in demand and most likely to accelerate your career? What are some things that people are overlooking in their studies or preparation that they should be able to know backwards and forwards?

Robert McMillen: Yeah, so, where I see things going is compliance, especially on the consultancy side. So compliance is a big area that I believe is not only big now, but it's going to be big and growing for many years. So the type of compliance we're talking about is PCI compliance, HIPPA, Sarbanes-Oxley, lots of different privacy acts that, you know, based on various different States. I see a big uptake, I don't know if you've even heard about this, but in insurance compliance, if you want to get something called cyber data insurance was -I was surprised about six or seven years ago when I first heard about this- if you want to get cyber data insurance, you have to have somebody like me come in and basically affirm that you are safe before they will even give you that insurance. So you've got to be endorsed by somebody. A lot of the big accounting firms, they're, they're not making the money off of the auditing like they were. They're making money off of cybersecurity, which I was also fairly surprised to hear about six or seven years ago, as they're paying really big dollars to have people do IT security audits, cybersecurity audits for compliance issues. Now, if you're going to be an employee, small companies, of course they have a single it administrator are going to be security focused, but large companies that you know, have big data security departments. They're going to basically be constantly upgrading and they're going to be looking for, you know, skills in these areas. So this one company that called me a few weeks ago that got hit by ransomware, the hackers wanted $800 per file to restore. So they're really upping their game as far as how much money they want and before assisting them, I asked if they had backups, but they said that they did, but those also got encrypted.

Chris Sienko: Wow.

Robert McMillen: Yeah, exactly. 95% of all Fortune 500 companies are using active directory. Those are skills that you're going to need. Yes, Linux is important and yes, you know, some people use Mackintosh for reasons I don't really understand, but you know, you, what you really want to do is understand windows 95% of your clients or the people that you go to work for are going to be using it. You've got to have basic Windows skills, active directory skills and that will definitely help you as you go for your job search.

Chris Sienko: Okay. I'll just jump in real quickly, regarding cyber insurance, by the time this video goes live, there'll be an article on resources.infosecinsitute.com on whether your firm should purchase cyber insurance or not. I just got that proofed. Just going to go on the site and a few weeks or we'll be there by the time you see this. So as I'm training becomes more ubiquitous, a la Infosec Skills, what are your thoughts on skills-focused training versus boot camps are for your academic study on the subject? And can you sort of talk about the advantages and disadvantages of each method?

Robert McMillen: I've been to all those things, so I guess I can. Boot camps are great for students that are just, they have a lot of money or they get it paid for by their employer. Boot camps tend to be fairly expensive, you know, several thousand dollars for a very focused short amount of time. So I wouldn't suggest boot camps where you go to them, pay this money for people who are just starting out. Usually they're people who tend to have, you know skills already. Now skills-focused, online courses are awesome because you can take an average Windows computer, add virtual machines to it and run through a lot of different lab scenarios or even use an online virtual setup that's going to work through your browser. So what all this is, is pointing to is context. If you simply watch a video or you just read a book, it's not going to be enough. Context means having your hands on what it is that you're learning. So it makes all the difference when you need to show employers what you can do. So four year colleges and universities are very important for those companies that need to just tick that box and say you have it. But most organizations don't really care so much about that. What they wanna do is they want to say, if you were in this scenario, what would you do? And you being able to know how to do that because you have context.

Chris Sienko: So I want to talk a little bit about the way we study with regards to skills training versus, because when you're in college or you're taking college at night or you're doing a boot camp, you really have no choice but to study. You've got tests constantly. You have a class you have to go to every couple of days or you know, in the case of a boot camp you're going for five days. So, you know, without a professor assigning daily or weekly tasks sometimes these, these types of services are hard to stay on track, to meet learning objectives. So do you have any tips to help lifelong learners stay focused on training and accomplish goals?

Robert McMillen: I have a few ideas. Find out, first of off you, you've got to get your mind right, right? So find out in your own mind what's important to you and then put it in front of you at all times for motivation. It could be a picture of your family, your dog, your car, or even a picture of a pile of money. I mean that's, that's pretty motivating.

Chris Sienko: Vision board it.

Robert McMillen: Whatever takes you off of playing Call of Duty for a few minutes and onto study. Now you can apply some knowledge learned from many teaching researchers and that is delayed gratification. So if you come up with a reasonable amount of time that you should allow yourself to work, and- just like I had to do, you know, when I was getting my degrees while I was working full time- and then you can reward yourself with playing the game or you can read for pleasure or maybe finally eating that candy bar that you wanted to eat, you know, whatever works for you to make that reward worth the delay. So it's something that teachers look for. My daughter actually taught me this. She teaches music for elementary schools and it's one of the things that they look for when determining the maturity of students at a very young age. But some of us revert back and no longer remember how to delay our rewards. And so we need to relearn that skill.

Chris Sienko: Yeah. What should people be shopping for when seeking out skills-based training? You know, there's a lot of skills-based education programs out there. What do you think distinguishes the best ones?

Robert McMillen: Well, the, the best skills-based training are ripped from the headlines. Just like Law and Order. You remember Law and Order? I love that show.

Chris Sienko: I love it. I live it every time I'm in a hotel room it's on.

Robert McMillen: You want to look for skills based training that is based on what is in the news today. So if you see a lot of it online, you see a lot of stories about it, that means that employers are looking for it as a skill for hire. So as an example Azure and AWS are big. They're sort of fighting back and forth as to who's going to be the biggest, you know, cloud, that type of thing. Well, companies are likely looking for candidates who know one or the other or both and skills based on cybersecurity that are out there are fantastic. However, I've found that they're a little bit uneven. Not of course at Infosec, but I've seen a lot of ones out there that are a little bit dodgy. So you don't want to look for training that is based on a third party product that may be gone tomorrow. You may end up wasting your time. So you want to look to the technology that is, it is representative. So for instance, instead of focusing on something like intrusion detection products from say and Entrust or Cisco firepower, you want to look for training on what makes a good intrusion protection service first. So you're not wasting your time on a product that may be soon gone, right? So skills-based training should have those clear directions. If you have to ask a forum or open a ticket on what a lot of the directions mean at the outset, then it's probably not for you. So make sure you're using technology that is relevant today and find out, you know, when the product was made, it's market share the latest updates, when the last update happened and when it happened : a year ago or last week? All these things can ensure you're not wasting your time.

Chris Sienko: So for people who might want to sign up for your class in a Windows 10 host security. And again go to infosecinstitute.com/skills and use promo code "cyberwork" for a free month. What tips do you have for anyone who wants to get the most out of the class and also, once you've completed the coursework, are there other areas of study you'd recommend to sort of build on after that?

Robert McMillen: Yeah, one of the things I would do is, is make sure you have a separate monitor. When you watch the video say, you're watching my Windows 10 host course or my upcoming Windows server course or a lot of the other,different courses that are out there, make sure you have more than one monitor. It'll really be worth the investment if you don't already have it. And you can follow along on your computer. Or if, say you install a virtual machine, if you're worried about your host computer, you know, getting damaged. So my courses are a little different from most instructors. 80% of my course is demonstration. I don't use a lot of PowerPoints. I walk you through the steps you need so you can fully understand what you're doing and why you're doing it. So the next course that I'm working on, will be out in early March. At least I believe it is on Windows surface security. So some of these concepts, they're going to be a lot of course about active directory because that's, you know, what makes the server secure. So,if you watch the windows 10 version already, then you're probably about 25% of the way there, by the time you get to the server course. You don't need to spend a lot of money on third party products. Microsoft has built into their operating systems a lot of useful tools that can save you and your employer a lot of money.

Chris Sienko: Do you have sort of a track beyond Windows 10 and so forth? Where would you, sort of learn after that? What builds onto that?

Robert McMillen: So if we're talking about, say Windows 10 and then we go onto Windows server, then I would say we're probably going to look at-what's really big, is not just cloud but also cloud using virtual machines and storage. I think one of the things that is really overlooked, and it was overlooked by this company that called me a few weeks ago, are the backups. Microsoft just comes up with some, some great ways that you can ensure your backups security, and that's one thing that I would really like to get into is, you know, if all else fails, you've got to have something to come back to, right? So I would like to show people how to use what's called a bastion active directory forestry and domain to separate their backups from their production environment. And you could also use that in the cloud. You could create your bastion forestry and domain at Azure, or you could create it in a data center. You could create it actually on site in your local area network. And I'd like to show people how to use access control lists using, say Cisco routers and switches, on how to protect one domain forest from the other.

Chris Sienko: Okay. So as we wrap up today where do you see cybersecurity education going in the years to come? Are there any innovations you can expect on the horizon or issues that you hope will be resolved? And, and also just, you know, obviously we talked about the sort of acceleration of learning and the sort of obsolescence of things that are, are known now. Do you see education strategies that will sort of keep up with these problems?

Robert McMillen: Well, I love this question because I think five years from now we're going to see new ways to educate that we haven't even thought of yet. I know the Infosec Institute has got some great skills assessment ideas and things that are, you know, for 20, 20 and beyond. I think it's, it's taking the right step, but it's learning is going to be like watching the video game. If you and I, we're watching what was happening five years from now, we probably have epileptic seizures because it's going to be, you know, bells and whistles like crazy. But it's also going to train students if faster than they've ever been able to be trained, you know, before. There's a trillion dollar hacking a market out there and, I believe that the skills training combined with video training that everything is interactive is going to really drive that down and make us a lot more secure. So every step of the way of the, the training that's coming up is going to send you off to sidebar links, mini quizzes, you know, other types of certifications, exactly what's happening in video games right now, side quests and things like that. So it's, we're headed in the right direction for that. But I think five years from now it's going to be very video game like.

Chris Sienko: It's rare that I get to talk to someone on the show and, and have them say we're going in the right direction, with anything security related. So I'll, I'll take that. I'm going to quit while I'm ahead here. One last question. If our listeners want to know more about Robert McMillen and your other activities, where can they go online?

Robert McMillen: They can go to techpublishing.com to learn about me, what I'm up to, latest videos I'm showing. This year I'm really excited because I'm building a brand new studio right in the Oregon coast where I'll be adding training on a giant touchscreen monitor, virtual backgrounds, demonstrations on servers and other products that will make every tech hungry person person wanting more.

Chris Sienko: Cool. Robert, thank you again for all your fascinating stories and for being with us today.

Robert McMillen: Hey, it's my pleasure.

Chris Sienko: Thanks for having me and thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in Cyber Work with Infosec and check out our collection of tutorials, interviews and past webinars. Or you can go to infosecinstitute.com/podcast. It's simulcast over there. If you'd rather have us in your ears during your work day, all of these videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice. Again, for a free month of the Infosec Skills platform discussed in today's show, go to infosecinstitute.com/skills and sign up for an account. In the coupon line, type in "cyberwork", all one word, all small letters, no spacesfor your free month. Thanks once again to Robert McMillen and thank you all for watching and listening today. We'll speak to you next week.