Job hunting tips for cybersecurity professionals
Eric Jeffery has over 20 years' experience in cybersecurity and currently works as a senior managing consultant and solutions architect for IBM Security. Eric has extensive industry experience with stints in entertainment, defense, aerospace, healthcare and technology, among others. He's published numerous articles and spoken at several conferences around the U.S. and Canada. He runs a podcast under the moniker of Cyber Security Grey Beard, where he helps students and early professionals begin and grow in the cybersecurity field. Eric lives outside of Denver, Colorado, with his wife and has four grown children.
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
[00:00:00] CS: Cyber Work is celebrating its next major milestone. As of July 2020, Cyber Work has had over a quarter of a million listeners. We’re so grateful to all of you that have watched the videos on our YouTube page, commented on live release feeds, left ratings and reviews on your favorite podcast platform, redeemed bonus offers, or just listened in the comfort of your own home. Thank you to all of you.
Because our listenership is growing so quickly and because Cyber Work has big plans for the second half of 2020 and beyond, we want to make sure that we’re giving you what you want to hear. That’s right. We want to hear specifically from you. So please go to www.infosecinstitute.com/survey. That’s www.infosecinstitute.com/survey. The survey is just a few questions and it won’t take you that long, but it would really help us to know where you are in your cybersecurity career and what topics and types of information you enjoy hearing on this podcast. Again, that’s www.infosecinstitute.com/survey. Please respond today and you could be entered to win a $100 Amazon gift card. That’s www.infosecinstitute.com/survey.
Thanks once again for listening, and now on with the show.
[00:01:17] CS: Welcome to this week's episode of the Cyber Work with Infosec Podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cyber security trends, how those trends are affecting the work of Infosec professionals, while offering tips for those trying to break in or move up the ladder in the cyber security industry.
Today's guest, Eric Jeffery, is a fellow podcaster. He's the host of the Cyber Security Grey Beard Podcast, which is designed to help students, early professionals and seasoned cyber security specialists with career advice, as well as offering job hunting assistance and ways to advance a career. Sounds familiar.
Eric has over 25 years in information technology experience, including over 20 years in cyber security. He created this podcast to share his own personal experience and help others advance their career and enjoy the professional happiness based on his successes and failures. We're going to talk today about his security journey, as well as some of the advice he dispenses on his own show. Needless to say, if you enjoy cyber work, you should absolutely be checking out Cyber Security Grey Beard as well.
Eric Jeffery has over 20 years’ experience in cyber security and currently works as a Senior Managing Consultant and Solutions Architect for IBM Security. Mr. Jeffery has extensive industry experience with stints in entertainment, defense, aerospace, healthcare and technology, among others. Eric has published numerous articles and spoken at several conferences across the US and Canada. Mr. Jeffery, as mentioned, runs a podcast under the moniker of Cyber Security Grey Beard, where he helps students and early professionals begin and grow in the cyber security field. Eric lives outside of Denver, Colorado with his wife and four grown children. Eric, thank you so much for joining us today on Cyber Work.
[00:02:54] EJ: Hey, Chris. Thanks for having me. I appreciate it.
[00:02:57] CS: Let's start by talking about your past 20 years in cyber security. You spent 25 total years in IT and 20 of those in cyber security, which means we're talking 1995 to 2000 or so. Tell me about the change that happened in 2000 when you decided to move more into cyber security range.
[00:03:15] EJ: Sure. It's a good question. It's interesting looking back. I was married to a US Air Force officer for 14 years. Being around military folks was a very interesting experience. I moved around every few years. When we arrived at Edwards Air Force Base in Southern California, I was doing some marketing work and then I got into contracting. Then I ended up at Lockheed Martin Skunk Works, where I was a system administrator and I learned quite a bit about network systems. This is in the ’97-’98 time frame.
I picked up my Microsoft Certified Systems Engineer certification and I really liked the networks. Networking, I think, is a primary technology required if you really want to get deep into cyber security. When I left the Skunk Works, I went to a firm called Tiburon at Edwards Air Force Base and I was a contractor for the 95th Comm Squadron.
Really, just being around military and learning about the networks and one thing led to another and it was really just a fun journey and when I found it. It's like anything else. When you're in a candy store and you just find that perfect candy, and that's really what this is about.
[00:04:27] CS: That's the taste I’ve been waiting for my whole life.
[00:04:29] EJ: Yeah. I’m blessed. I found it early.
[00:04:31] CS: Nice. What was the cyber security landscape like in 2000, tech-wise, or procedurally, or scope wise and how has it changed in the past 20 years?
[00:04:40] EJ: I like the question. Some of it is massively different and some of it is sadly the same. Back then, TCP/IP was created in the 70s and the 80s, and even earlier than that when it really started. It was designed to be a trusted environment. They didn't expect to have the breaches that ended up coming.
We started seeing some serious stuff in the mid-90s, in the late-90s. There weren't security operation centers back then. You had the NOC, the network operations center. You had the formation of it and an idea that we needed to have people protecting an environment. When I was at the base, you did have the security guys. There was a firewall up. That was pretty much it. I mean, cyber security was you have a firewall, you may have some bifurcated networks and that's it.
Today, obviously we have massive amounts of technology. I mean, leading in with machine learning and AI and cognitive and all this other cool stuff. Yet, we have the same problems. We still have passwords. We still have clear text to worry about. We still have social engineering, which is a problem. It's a really big problem. One of the things that I was thinking about that is still an issue, I don't hear a lot about it, I think it needs to be looked at and that's who watches the watchers. I remember back when I was doing some work, some of the airmen that were running the firewall, they wanted to use AOL Instant Messenger, but the base policy said no.
Well, one of the guys logged onto the firewall, one firewall and he made a modification. The squadron, or the airmen could use AOL Instant Messenger and nobody else could. There was nobody watching them. I think that we have some issues today with some insider threats. What are the policies and procedures around that?
I think that the passwords, who watches the watchers, clear text, these are all still really substantial security concerns. The passwords and a lot of my peers, Chris Roberts in particular has talked about this. Why are we still talking about passwords? It's just crazy. We may have MFA. We do have MFA. Still, I’m typing in a password. Whether you're using KeePass or LastPass, I don't even know my passwords, honestly. I have one main one to get into LastPass, but why am I still dealing with it? Nobody needs to do that anymore.
[00:06:48] CS: It kicks out some incomprehensible gibberish that is apparently safe and then there we go. I mean, that takes me back to a time I was not in IT. Yeah, at the end of the 90s and into the 2000s, there was – you could very easily be the only person in the office who knew what the security aspects of the company were. Even if you weren't the IT person, it just ran in the background. Do you think that there's still a lot of that lack of oversight in that regard, like there's still places that, like you said, you have people who have been making these modifications to their firewall, or these clutches, for 20 years and they're all just still sitting out there, you think?
[00:07:29] EJ: I won't quantify it by saying a lot, or many or much. I will say that it is a problem. I will say that there are individuals out there. I mean, even if you look back at Snowden. I just read Barton Gellman’s book, Dark Mirror. Even Snowden talked about how he got into security. He was working at the desk as a security guard and they had MAC filtering. He went and spoofed some MAC addresses and he was able to go out. The network guys came in and said, “How'd you do this and why are you working as a security guard at the front desk? Do you want to work with us in networking?”
Even if you look at Snowden, he was – that was the beginning of his journey, if you will, to get into networking. I think that there are issues about that. I mean, in my line of work, I talk to guys and I see what people are doing and some of it's questionable. Whether it's illegal or not, there are some unethical actions. The thing that they said about Snowden is geez, we couldn't get him in trouble, because he was breaking out. He wasn't breaking in. Be that as it may, you're still modifying another entity's environment for your benefit.
Yeah, I think that companies need to – data loss prevention, DLP is a strong technology to help with that. However, you really need to have audits and logs reviewed at the operating level. You need to have an operations review of the organization, I think.
[00:08:47] CS: Yeah, and to your mind, not as many people as should are treating this as a number one concern.
[00:08:54] EJ: Yeah. Inside of that, there was a study put out a few years ago by Forrester, I think, that talked about 70% of the attacks were insider attacks. Everybody's worried about the Chinese and the Brazilians and the whomever. You know what I mean? I see that in my environment. I mean, I literally built a lab and I’m getting hit by Hong Kong, Japan and China, Brazil, Saudi Arabia. Truthfully, I’m worried about some people that are in my environment that may be doing some privilege escalation, or some lateral movement.
It's not always a threat coming from the outside, so we need to be aware of that. Your original question, these were concerns that we had back in the 90s. I remember, we had a sniffer on the line and it was all clear text and they were using telnet. I can see the medical appointments. I mean, you didn't have HIPAA back then. It was just starting in ’96, I guess. Now you have internal environments that have sniffers on the line, people are seeing the data and they're not supposed to.
There need to be processes that are put in place. This is partly technology, but it's really more about a review and an evaluation of the people and the processes. They shouldn’t be able to look at it.
[00:09:58] CS: Yeah. Because these are processes that, if broadly implemented, would probably take about a week of everyone's time. If we all made a concerted effort to do it, a national "get your security holes filled" week or something like that. It seems like this would – not stop being a problem very quickly.
[00:10:18] EJ: Yeah. A big part, honestly, that if people knew they were being watched – It's an old Star Trek episode, who watches the watchers. The other TNG geeks out there. What are the processes in place? Do they know they're being watched? Do they know that they have to do it? I think a lot of them realize, “Geez, you know what? If I want to make this modification, so I can.” Something as simple as, “I’m going to modify the proxy, so I can go to betting websites, because it's Tuesday afternoon and I’m bored and I want to get some money down on the NBA playoffs,” it's something as simple as that.
People may think it's simple, but what happens when you go to that site, it's a host for a botnet, or it has some malware and now, because you wanted to as the IT guy, wanted to go bet on a game, you're getting infected, you don't have the processes or the technology in place, now you put the whole environment at risk. If that individual, hypothetical individual, knew he was being audited, he probably would do it on his mobile device and find another way and not his corporate machine.
[00:11:14] CS: Yeah. Moving back to your career, what are some key moments in your career, like some places where you felt your skills level up, or where you took a new job that stretched your capabilities, or received some career changing advice from a mentor?
[00:11:27] EJ: That's good. I like the term level-up. We're going to talk about dungeons and dragons and Star Trek.
[00:11:31] CS: People at a certain age, a bell goes in their head when they hear level-up. Yeah.
[00:11:35] EJ: Fair enough. I’m thinking D&D, but it may as well be one of the online –
[00:11:39] CS: Oh, all of the above. All of the above.
[00:11:41] EJ: There were a few. A big shift early was going to Tiburon. When I left Lockheed Martin as a sysadmin and I was just dealing with Windows boxes and then going to Tiburon, I did some really fun things. I built a NOC for them. We installed tools, including that sniffer I mentioned. El Toro Marine Base was decommissioned and they moved the Marines to Edwards. I was the engineer that designed and built the network. It was actually in a hangar.
I thought it was cool, because they brought in the Chinooks and the old Vietnam helicopters. I’m building out this network for these Marines in this hangar and I learned a lot about the technology. I also learned a lot about processes and people. The project manager at the civilian agent. I learned a lot about politics in the workplace, working as a government contractor, because I had to deal with civilians in the government. I had to deal with other contract companies and I had to deal with the military and the officers and the enlisted guys.
Learning the intricacies of that was very good at a personal and professional level, not to mention the technology. I also did some remote access back then. I was working with Altiga, which I think later was acquired by Cisco, to bring in Bell Helicopter, so they could have a remote connection. Back in the late 90s, this was unusual to do it this way. It was a VPN. Normally, they would just have a T1 line or some dedicated circuit. That was a big level-up.
Going to Hewlett Packard, I actually went to Agilent and then I was outsourced and I offshored my network operations center team to Malaysia. I learned quite a bit about offshoring and how that's different than outsourcing. I also was running a multi-million dollar contract for a vendor. Vendor management piece of it. Then I got into a lot with AAA, Access Authentication and Authorization with TACACS, capacity planning and performance management.
Again, I just kept going down the path of networks over and over and seeing the way routing worked and how the telcos routed and we installed the technology. At the time, it was called NetIQ and then I think it became Pegasus. The idea was I’m sitting in Colorado Springs and it should have been about 40 milliseconds to most places. All of a sudden, I’m going 120 milliseconds to get to Portland. I called AT&T and I’m like, “What did you guys do?” “We didn't do anything.” “Yeah, you did.” I mean, you routed me around Texas, guys, and then they put me back up there.
Learning about the routing mechanisms, that was big. Then, probably the biggest jump until I came to IBM was when I went to QuadraMed, a healthcare IT company, where they basically pulled me away from HP and said, “Listen, you're doing managed services. We have these engineers that are hardware and systems guys. We would like them to become a revenue generating team.” Rather than being a cost center, they’ll build a business around that. Build services and basically, rent them out or sell their services.
I did that for about eight and a half years. It was just a wonderful company. Great leadership. I had a couple of mentors there that – I remember the other day, I sent on Linda a note and just thanked her. I mean, I’m where I am today in large part because of some of the mentorship that I received at QuadraMed. I mean, it wasn't all hunky-dory and some of the deals that we did took literally years.
I mean, they're feathers in my cap. On my deathbed in 50 years, thinking about my successes in my career, a couple of projects with QuadraMed were huge. Then obviously, coming to IBM. IBM is just a great company. I mean, it's huge and I’ve worked at Lockheed. I worked at HP. I know big companies. I work in a practice that is smaller and I’m given leeway. I’m allowed to give back, which is something that IBM encourages.
Technologically, I’ve learned a lot about processes and how you can operationalize security, where I have a lot of the technical knowledge. IBM has focused me on operations and operationalizing, so I can go to our customers, which are some of the biggest names in the world, and help them benefit from it. Whether I’m studying one day, or speaking with you, or building out a lab, hacking from one to the other on my other machines, what I’ve been able to do and the clients that I’ve worked with here has been a major level up for me. I’m fortunate for that.
[00:15:57] CS: Cool. Now your answers triggered, as they should, another couple of questions for me here. First, I want to jump way back to when you were talking about how working for Lockheed was, I believe you were saying, what gave you the skills in knowing how to navigate between contractors and civilians and the military. Because a lot of Infosec students, people who are watching this show, are getting their compliance and certifications to eventually work for the military, or DOD, or the government, could you speak a little bit about the navigations, interpersonal navigations, between these disparate groups?
[00:16:36] EJ: Yeah. You need to understand a person's motivations. I’m going to make a little bit of a segue, actually, to a sales situation that I had when I was at QuadraMed. I was responsible for bringing in revenue, but I also needed to make sure we had good margins, where we're making money on what we're selling. I made a decision and I sold it to the executives, all the C-level people, that we were going to stop selling hardware. I really upset a senior person. He was very angry with me.
I told him. I said, “But I’m saving margin and that's what the Chief Financial Officer wanted.” This guy was compensated on his revenue. He didn't care how much he made on it. He cared about revenue. What I learned there was you can't make everybody happy. It was the right thing for our business and for our customers. I stand by that decision. I probably should have known a bit better about the seller's motivation and how he would have been angry.
Going back to the DOD, a civil servant has different motivations than a military officer. A military officer has different motivations than an enlisted person. Contractors have different motivations than everybody. They want to stay employed. When you're working with other contractors, maybe you're a sub, maybe there's a new renewal coming up and you're competing. It gets pretty difficult. You run into some serious ethical problems, because if people don't have the goal of the customer, or you don't have an alignment of goals, you're going to be fighting with each other.
Just a real example, a civil servant may not want to get the project done too fast, because then they're not going to need as many employees. If they're judged on how many employees they have and you're going too quickly and you're being too efficient, that may cause a problem for them.
Meanwhile, the military people that are controlling the budget want you to go faster, because they don't want to have all these people. Then you're a contractor, you don't want to upset the apple cart and then have your company get fired on the contract renewal, because the civil servant that you've upset has a say in whether you get the contract renewed. My point is this; you need to understand the motivations, realize that there will be conflict in those motivations and be honorable and be ethical and be communicate – I mean, be communicative and let people know.
The DOD when I was at Edwards, it was very clear. Even at IBM when I’m helping a client, some people in the room may not want certain things. The CFO has a different motivation than a CIO. That CIO may report to the CFO. Here's a real issue that I run into; when you have a chief information security officer reporting to a CIO, there's a bit of a conflict of interest there. I am working for the CISO, but he reports to the CIO, who has maybe a different motivation. Our goal is to secure the client.
I need to understand, okay, for the CISO and for the IBM contract, this is what I need to do. I want to make sure the CIO is happy and getting what he or she needs. I need to realize what's happening. That's where going to a more senior person, like myself, where I have colleagues, I have mentors at IBM and I go and say, “Listen.” We have weekly calls with leadership and the consultants to talk about these types of things. What are the challenges on this project?
I encourage people to not shy away from the conflict. You don't need to like it, but you need to understand it. That was a major thing that I learned at Tiburon, that has really carried through my whole 25-year career.
[00:20:06] CS: That's awesome. You mentioned, obviously, several times that you work at IBM and you really like it. Can you tell me about your current job duties with IBM? What does your day-to-day work consist of and what are some of your favorite parts of your job?
[00:20:20] EJ: No. That's a neat question. Thank you. I’m a little unusual in the fact that I am a people person. I can sell. My degree's in economics. I have been selling my whole career. Oh, and by the way, I can code. I can get into Linux. I can do VPNs and write and do the tech stuff. A lot of what I do at IBM, and what I love to do and what I prefer to do, is pre-sales solutions architecture.
A seller comes to me and says, “Hey, Eric. I have a client. These are their problems. What do we have to solve those problems? How do we do it?” There was a project that I worked on very recently, really another feather in my cap. This is the biggest project I've worked on at IBM. I love it. I won't go into too much detail, but I’ll say this. It crossed between IBM Security, our Global Business Services blockchain and our Global Technology Services for the cloud. GBS, GTS and IBM Security all brought architects to a solution, where we have a client that is basically a broker of information between buyers and sellers.
I was brought in as the lead architect to talk about what security components do they need. We have all kinds of security components. Do they need a security operations center? Ah, they're a little small for that. Do they need MSSP? Yes. Do they need identity and access management? Possibly. How about application and vulnerability scanning? Yeah, most likely. How are their processes on change management and patch management?
I sit in and do design thinking workshops with them and understand where they are and what they need and then come up with the solutions. I then coordinate with the cloud team. I know a bit about the cloud, so we need to decide are there going to be containers on these systems? Where are they located? How many do you need? What operating systems? How do we secure those operating systems? Then oh, look. We have blockchain too. Well, how does the blockchain fit in? When we're talking about authentication and authorization, where do we need that at the security level, versus at the blockchain level, versus at the cloud level, where is there overlap?
That is a massive project. It is extremely fun to work on, meet a lot of people. It will change the world. When this thing goes out, if it does happen, everybody will know exactly what I’m talking about. It is huge and it's fun. What do I do to make that happen? I research. I talk to peers. I sit down in meetings with the clients. I do artifact creation, architectural decisions, RAID logs, or I’ll sit there and come up with reference architectures, just to lay out and show how things are. That's a lot of my day. I sit in on deal intakes. Is this deal viable? Can we do this? I review other people's designs and help determine whether or not it can be done. Is there a better way to do it? Is there a cheaper way to do it? How does this solution fit in with the client?
I mean, we may want to sell 10 million dollars. If their budget's 500,000, that's a disconnect. You need to figure that out. That's a difference between a technical guy who wants to throw everything at it and a seller who goes, “Hang on. We need to be a little bit more realistic.” My day-to-day at IBM is juggling a lot of these things and being there to help people solve problems.
[00:23:30] CS: Okay. I want to jump from your career to general talk of careers, because obviously, we have a career person who's on a podcast giving cyber security career advice and so forth. I want to start with the big question that keeps coming up on every podcast. I’m sure you've been asked before, but what are your thoughts on the so-called cyber security skills gap, or talent shortage?
[00:23:55] EJ: Yeah. This is a conundrum. Like I said, I have a degree in economics. I’m really big on supply and demand. I’m sitting there going, if you really have a cyber security skills gap, why is it so difficult and time consuming to hire somebody? The first thing that I would ask is this: what is your definition of a cyber security professional when you're talking about a skills gap? If I have a seller who is selling services that are cyber security services, is he a cyber security professional? What about a project manager, who is an IT project manager who is now working on a project that I’m dealing with installing QRadar or a SIEM at a client, is that a cyber security professional?
Or are we talking about people that I like to say, are keyboard beaters, somebody doing a vulnerability scan, somebody that is staring at eyes on glass, or somebody that is doing pen testing on our red team. Are those the cyber security professionals? We need to figure it out. I recently saw a thread on LinkedIn. A guy made a really funny point. He goes, “Hey, listen people. If we're short 3 million jobs, that's 1% of the population of the United States. Statistically speaking, I’ll say there's probably a 150 million professionals. Really, 2% of the population are going to be in information security and we're short that much? I don't really buy that.”
For people to see here, there are statistics everywhere that are just lies, damn lies and statistics. I do not believe we have a skills gap of 3 million people in cyber security. With that said, I absolutely believe we have a skills gap in what I consider the true cyber security: the keyboard beater, the vulnerability manager, the eyes on glass, the third shift, somebody's coming in from Asia and hitting my system and they shouldn't and then I have to escalate it, threat hunting. Absolutely there's an issue there. Yeah, I think we need to understand, what are we talking about with cyber security professionals? There is a gap in certain areas.
[00:25:49] CS: Yeah. I think that's one of the things that we've discussed and also that I’ve learned just by doing this podcast, is that cyber security is such a vast range of job types, job opportunities and especially skills and backgrounds. There are so many jobs that we've talked about, like risk assessment, or threat modeling, or things like that, that don't need any real keyboard beating experience, necessarily. If you're a problem solver, if you can explain things to the client well, if you're a good writer, you can get into the industry.
I think maybe there's also a perceptual issue if people say, “Well, I’d love to jump over to cyber security, but I don't know how to do all that computery stuff.” There's so many jobs that don't have anything to do with that aspect of it.
[00:26:37] EJ: Oh, 100%. I had a lady reach out to me. She's in Canada. She is an accountant auditor. She wants to get over to cyber. My wife actually does cyber security as well. She's on the risk and compliance side. We have interesting dinner time conversations about our day at work. I told this Canadian lady, it's easy. It's hopping over. It's as if you were fixing Hondas and then you go work for Toyota. You know what an audit is. You know what compliance is. You just may need to now learn about ISO 27001 instead of –
[00:27:09] CS: You just need to know what the rigid is. Yeah. Right.
[00:27:12] EJ: I think this is a great point, Chris, for the audience. Don't think because you're doing something today, that it doesn't correlate to cyber security. I had a guy out here yesterday detailing my car. He's really nice, very personable, and I’m sitting here going, “He could get into cyber security.” He likes people. He's good with his hands. His technical acumen, he might need to know a little bit more about it, but I could certainly find places for him to go help. Work in the helpdesk. Helpdesk is a great place to start, because you see everything, find out what you like, what's your favorite piece of candy in the candy store. Yeah, there are a lot of ways that you can jump.
Heck, here's another example. Nursing. When I was at QuadraMed, it was a healthcare IT company. We would bring in nurses, so they could help us understand the business and then they would work on the clinical development team, because they would sit there and they would do quality assurance. Now that may or may not be cyber security, but you're finding somebody that is an expert in a field that you now need, so you bring them over to your company. I think that there are a lot of ways people can bridge from one profession to another. You're a financial advisor, go work for a company that does cyber security and be in their finance department. Is that a cyber security professional? I don't know. But now you're working for a company and you can take pride in the fact that you're helping defend citizens against attacks in your financial role. It's not just what you do day-to-day, it's who you work for that can make an impact.
[00:28:36] CS: Yeah. Yeah. My last guest was Amber Schroeder of Paraben, which is a computer forensics tool, and she was saying one of the best people on her computer forensics team came from a psychology background. She's so good at it, because they need someone who can – when they're sifting through 100,000 text messages and you don't understand how a 16-year-old speaks, or explains themselves, that's a really valuable thing to solve this case. Those are things that I think people don't think of when they think of cyber security. They just think of the 24, or the CSI, or the rotate the screen and all that stuff.
[00:29:17] EJ: It blows you. I was watching, I think Live Free or Die Hard the other day with Bruce Willis. It was so unrealistic and so frustrating, I turned it off. I’m like, “Come on.” You don't just backspace on his 401k and zero it out. I mean, basic accounting, you have to have a debit for a credit. I mean, let's do something a little bit better, Hollywood. I read Mr. Robot. That one was pretty good, but still looking at the command line as he's typing. I’m like, “Eh, you know.”
[00:29:41] CS: Yeah. Well, there was one I saw. It was a very bad sequel to the Turbulence movies. One person's typing at the computer and the other person's looking over their shoulder and pushing a button now and again, like somehow it's like, have you thought of the colonel's thing? It's ridiculous.
[00:30:00] EJ: Yeah, let me continue that. It's really important for people listening to understand, Hollywood is not cyber security. Chris, you just mentioned the psychology. How about mathematicians? I learned yesterday, I’m reading The Hacker and the State. I forget the author. He was telling me in the book, he was stating, since they're not telling me directly, that the NSA employs, I think, more mathematicians than anybody else, because you're dealing with cryptography. IBM needs mathematicians. With quantum computing coming and what that's going to do to cryptography, we need help.
Just because you can't and don't know and don't want to know and don't care about Linux and Nmap, that's just a small piece of what is cyber security. Don't let that scare you or fool you. There's a lot more to cyber security than most people think.
[00:30:44] CS: Right. Yeah, I think that also is on our industry to widen the tent and show what the actual scope of what we do is in terms of that, because I think a lot of people are scared off before they even get to the gate, because they figure, “Well, if I haven't been hacking into mainframe since I was six-years-old, I’m never going to make it.”
[00:31:04] EJ: Yeah. Here's a really good one. This may lead in another conversation about what you study. I have a lady that we work with, that I work with at IBM. Very impressive. She's a young lady. I want to say she's 23. She graduated from Rutgers last year. She was in our early professional program and they brought her over to my practice on the security intelligence and operations consulting. I was on a project with her in Minnesota, outside of Minnesota, in Minneapolis.
There was another individual and he just graduated, the same age. I think they both went through the same program. Actually, I guess he's a little bit older than her. He's 25 and he went to Penn State. He has a cyber security degree. Her degree is in criminal justice. The client loved her. When the contract was up, I ended up going somewhere else and this Penn State grad went somewhere else, and they wanted her to stay on for another contract. They loved her. She was criminal justice. She didn't know cyber. She knew people. She knew communication. She knew scheduling and organization.
Good for her. It was wonderful that the client was able to find her and it was a win for everybody. IBM has a great employee, the client now gets to utilize her. She has a criminal justice degree. She is the same as the cyber security guy, two years older than her out of Penn State and she was kept on that project, because she was the right person in the right place at the right time. Understand that there's a lot of that in life as well.
[00:32:22] CS: Okay. Well, that jumps nicely to my next question here, because we get a lot of mixed messages with regard to hiring practices in cyber security lately. Based on your own experience, are you finding organizations are actually emphasizing the need for traditional education credentials, such as BA or BS? Because we hear a lot of times people say, “Well, you don't need a degree. Just as long as you have the passion. As long as you can show you can do the work or whatever.” There still seems to be a fair amount of gatekeeping on behalf of HR and things like that of we're just not going to show you the candidate if they don't have a classical academic degree. I mean, where do you think we stand on all this?
[00:33:00] EJ: Yeah. It's a very difficult question. It's actually a very personal question to me, I mean, as you said, I have four children. They're 18 to 22 and the youngest just went off to college last week. My oldest graduated college with a degree in 3-D modeling and graphic design. Then my second is studying mathematics and finance. Then the fourth is not going to college. Didn't work for him. This is very personal to me, where three of the four children are going to college, went to college and the fourth one, it's not for him. College isn't for everybody.
What my son did was he went out and got his A+ and he was looking at going the path that I say that people should go. Trade school or community college, or get your certs, go to helpdesk. I have no issues with an 18-, 19-, 20-year-old that was flipping burgers through high school, great job, great way to get to know what it's like to go to work. Then when you're 18, 19, go join the Geek Squad at Best Buy and make $15, $17, $20 an hour and help people set things up. Then get started there.
You don't need to go to college and come out with a bachelor's in aerospace engineering, or industrial engineering, or economics, or finance to go work in cyber security. There are fields that do need it. I think sellers should have a bachelor's degree. I think sellers should be well-rounded, project management. I think if you're going to be dealing with some of the auditing, the governance, risk and compliance, I think you need to understand more about the whole business scheme.
If you're going to be a vulnerability manager, or you're going to be an eyes-on-glass SOC analyst, why do you need to be studying Ayn Rand in university? Why do you need to take chemistry, or biology, deep mathematics? I mean, it's just, I don't think it's necessary. I believe that this is a very politicized question. I think that our culture, our society over the last generation or two, it tends to snub its nose at folks that are laborers. I can't find contractors. I can't find plumbers, or HVAC repair guys. When I find them, they're so busy, I can't get them in, because there has become, in my opinion, a nose snubbing at those careers. It's a detriment to everybody, especially the individual.
Don't force somebody to go to college that wants to sit up at 2 a.m. looking at glass and seeing attacks coming in from China, going through runbooks and their SOAR platform to fix it. It is an honorable profession. It is an important profession. It's a good career that will pay. I think that organizations need to look at what it is they're looking to hire. Absolutely, like I said, some professions, if I’m going to have a cryptographer and he's going to be trying to fix the quantum computing problem, I’d like him to at least have a bachelor's in math, right?
When I've got a vulnerability manager, “Hey, do you know Linux?” “Not really, but I’d like to learn.” That's a start. Do you fit into the team? Again, back to Snowden, Barton Gellman's book, he talked about how he loved working the late shift, because then he could do his things when it was quiet and before he became nefarious. There's something to be said about people who want that job. People want to do that work. We as a society should foster love for that and appreciation, because we need it. We need somebody there at 2 a.m. that sees the attack coming in. Don't force a degree on somebody like that, because you're going to burn them out and you're going to get the wrong guy or gal.
[00:36:30] CS: Do you have any advice for if you are that person who wants to just do the work and doesn't want the degree for making an end-run around these gatekeeper moves by HR and things like that? How do you get your resume in hand if you don't have the sheepskin?
[00:36:48] EJ: Yeah. That's a good question. Again, it's personal. I mean, two of my four kids ended up doing what some of the other parents didn't want to do. I’m sitting here with both of them and they would tell you this today, “Dad was there.” I said, “Do what you want. It's your life. Be happy. If you want to work eyes on glass, you want to pen test, you want to vulnerability manage, fine. Find a way to do it without going to college. Here's how you can do it; you can look at community colleges.” We have a great one here in Colorado, Arapahoe Community College. I helped them design their cyber program and they brought in a business and industry leadership team to build the program, not having academics sitting down deciding what they think is best. Go to a trade school. Go to a community college that works with industry people to build the program.
Usually, it's two years. A lot of hands-on. It's a great way to go. If you can't afford that, or you don't want to do that, then study. Get your A+ and then move from there to your Security+. I’m sorry, your Network+ second, and then go to Security+. When you have your A+, go work at a helpdesk. Make $10, $12, $15 an hour and answer the phone. When the person can't launch Microsoft Word, you tell them what the icon looks like. Some of it's frustrating. Some of it's fun. You learn. You learn about networks and sys –
[00:38:01] CS: Grows your vocabulary too, trying to explain to people who are not so tech savvy like, “Okay, it's the X in the corner or whatever.” Yeah.
[00:38:11] EJ: Helpdesk is a phenomenal way to start. Geek Squad, or other similar things. Go to your local tech stores, fix computers in the back. Once you have your A+, you can do that. I’m a big proponent. This is really what I talk about a lot on Cyber Security Grey Beard. I tell my children, I live my life this way. Be happy. Do what makes you happy. If making other people happy is important to you, but you're not happy, you're going to need to reevaluate that.
If making them happy makes you happy, great. Then go make them happy. You need to understand that life's too short to be miserable. It's too short to be miserable if you don't like your job. Another thing I talk about is retraining. I ran into a couple of military guys at a conference in Texas that I was speaking at and they're like, “We love what you said. How do we level up? How do we get to the next level? We came out of the military, what do we do now?” I gave them similar advice to what I’m saying here. At the very basic, an 18-year-old kid just graduates high school, has a little interest in computers: A+, Network+, Security+, go to Best Buy, Geek Squad, helpdesk and then go from there and find what you love to do.
[00:39:13] CS: Yeah. Let's talk about Cyber Security Grey Beard a little bit. What got you interested in hosting your own podcast? I’ve talked about it a little bit, but I’ve seen the episodes over there. Tell our listeners what they'll hear if they go over.
[00:39:27] EJ: Yeah. Why did I do it is because I like the sound of my own voice.
[00:39:33] CS: Makes one of us. I hate to hear myself, but anyway. Come on.
[00:39:39] EJ: It was something years ago, I was listening to Dennis Prager when I was driving around LA and he said, “If you want to get into talk radio, stare at the camera, or stare in the mirror and talk to yourself for three hours. If you can do that, you can be on a talk show.” I thought about that and it's not, I don't want a talk show per se, but I do want to share and give back. I was talking to a mentee of mine, Aiula. He is 23, 24, graduating University of Buffalo, developer. Wonderful kid. Great mentee.
He doesn't just ask about cyber. He asked me about everything. “Should I buy a house?” Aiula actually is why I started the podcast. He's like, “Eric, you keep answering the same questions. Why don't you just do a podcast and answer it once and then send people to it?” I’m like, “Huh. That's a great idea. How do I do that?” He gave me a couple tips. From there, I just went and looked it up. I mean, I’ve been running a webpage on and off. The late 90s, I had a fantasy football game that I did. I was typing in HTML.
Now to get back in 20 plus years later and learn how do you do the podcast, what's an RSS feed, where you post it. I get to stay fresh on some of the technology. At the end of the day though, and this is another thing that I’ve taken away from IBM and they've done a wonderful job helping me and that is to give back. I have been blessed in my career. I mentioned Linda before. Tom, a senior seller at QuadraMed. Just some great people that have helped me grow and learn and I want to give back. I want to help.
It's a great way to do it. My listenership is not huge. I think a lot of podcasts, people hear about Jocko getting millions and I’m – I’ll settle for a couple hundred, a few thousand. If I can help one person one time, heck, it's fine with me. The podcast is 10 minutes. I try to keep it at 10. Sometimes they go to 12 or 15 if I’m really rambling.
The idea here was just to give back and help. I have some knowledge and some experience and why should other people reinvent the wheel? I mean, learn from my pain, or learn from my success. That was the whole idea. It's a way to get it out in volume. There's no money behind it. I don't make anything. I don't care about that. I’m not monetizing it. It's not about me. It's not about money. It's about the audience and that's why I did it.
[00:41:44] CS: What I think about that too is your podcast – I mean, ours is obviously a free-flowing conversation and it happens every week, but you very much have honed the podcast as a tool method, where you have a 10 to 12-minute concentrated thing. The title is what you're going to learn about. You're going to learn about what you're going to do if you lose your job, if you're unemployed and looking for a job, if you're looking to do this one specific thing and it's really good in that regard. You just look through the list. Is my problem on here? Click it. 10 minutes later, I have some advice on it, which I think is refreshing. I mean, obviously, not every podcast works that way.
[00:42:20] EJ: Yeah. I mean, Jocko's I think are four or five hours a day. I can't do that. It's too much.
[00:42:26] CS: Yeah, it serves function. Part of it is just, I got to be in front of the screen all day. I just want someone else telling me something.
[00:42:34] EJ: Yeah. My thing, my biggest disappointment in myself for the podcast is I’m not doing it enough. The lady that I mentioned from Canada, she sent me I think nine different topics. Done. I’m going to start doing them every other week really for the next few months. I hope that people send me what helps them. The last two that I’ve done are not on cyber security. I’m going to be getting back to cyber security.
One of the topics she had suggested was how not to sabotage your career. Trust me, I really do give a lot of information on that. I have sabotaged myself too often. I’m happy to do that. The last one was on a pep talk. It's tough right now. I wanted just to give back and let people know, hey, it's bad out there, but here's some things that you can really look at and you can feel positive about.
Yeah, the idea is cyber security and then here's the technologies, here's a pep talk, here's how to find a job in COVID. I’m going to get back on some of these to the top. Yeah, I’ll stick to the 10 minutes. I’m not going to talk to talk, I’m going to talk if I have something to say.
[00:43:32] CS: Right. Can we talk a little bit about that? Obviously, the past few months have completely changed the employment landscape yet again. What is the job market like right now in the age of COVID-19? Who's hiring and how is the process changed for getting noticed, or getting an interview, or has it changed at all?
[00:43:50] EJ: Again, I’ll be a little personal here. I think it's important to show my human side that I’m not just some keyboard beater or seller for IBM. My wife as I had mentioned, she does cyber security. She does governance for some compliance primarily, but she also does a lot with agile. She has a CISSP. She has a PMP and she has an MBA in finance. She's been doing cyber for about nine years.
She was laid off in the middle of April. She worked for a small local firm and the cyber security just never really took off. They're more of a VAR, a hardware VAR. She was ripped. I have actually seen firsthand what the job market is like for a relatively seasoned cyber security professional with alphabet soup after her name. It's been tough and it's been lucrative. She has been getting interviews and she has had – she was a finalist for two positions and this is the real crux of it. Then they either hired internally, or – actually, three positions she was getting offered. Two from the same company. One of them they gave to an internal person and then earlier in COVID, they just pulled the req down and the other firm had pulled the req out. These are both very well-known. I won't mention their names, but they're very well-known cyber security firms nationally and I think one of them is international.
She has an interview later today, where we're hoping that that'll be her final and she'll be up and running and she'll be working as a cyber security program manager for an international firm. The answer to your question, just to use her as the example, the interviews are out there. People are looking, they're just scared to pull the trigger.
What I have suggested to her and sometimes she listens and sometimes she doesn't. That is spam the board, spam for jobs. She said to me a number of times last time and she says, “Eric, there's nothing else. I’ve done all that I can. Unless I want to go –” This is a key thing for the audience, she can do project management, she can do agile scrum and program management, she can do human resource management, but she wants to do cyber. She wants to do GRC, or to build a program. She said, “Eric, I’m not looking at those other jobs, because we don't need to. Fourth kid’s out of the house. We're empty nesters, man.”
We're at a fortunate blessed position where we don't need her working. She wants to work and if she does not land this position, that puts her at four months. It's going into the fall. She may open it up and that's what I would suggest to the audience as well. Shoot for your dream. If time passes, then you need to open it up and literally, have more than one resume. I don't have one resume. I have I think five; management, technical account management, security, etc. My wife, the same. She has a number of them, and then go out and spam it. Now has interviewing changed? I don't think so. I mean, you just do it over Zoom, or WebEx, or video or whatever.
[00:46:37] CS: Onboarding might be a little different now, but that's different. Yeah.
[00:46:40] EJ: Yeah. Another real example, my daughter in college, she just did an internship for a Manhattan Wall Street firm. She was supposed to go for a 10-week internship in Manhattan. They ended up making it six-week virtual. I found out later, it was a six-week job interview and good for her, she got the offer. Some firms are still hiring and they're still following their process, but do be aware that sometimes they'll pull the req at the last minute, sometimes they will go internal.
You need to spam the boards and do the same things you do without it. This is what hasn't changed, Chris, the way you get noticed, same thing I tell everybody. I’ve done it. It works. First thing you do, find a job you want, apply for it. If you're submitting it online, do a Word doc, because the online systems can't read PDFs well and you're going to get filtered out. Right after you submit a resume, no matter where you do it, get on LinkedIn, find somebody that you know that works there, or find somebody that you know that knows somebody that works there and get a warm hand-off and have them run you through the system. If you're going to just send a resume and it's going to be a black hole, it's going to be very rare that you will be contacted. Make sure you're following up. That does not change at all with COVID.
[00:47:51] CS: Right. Yeah, one of the last things I want to wind up with, we walk towards this line and I want to walk over it a little bit. You said, if you're looking to move into cyber security, A+, Net+, Sec+, work for Geek Squad, work for a helpdesk or whatever and then see what you like and see which part of the candy store you like or whatever. What are some of the next steps to your mind, if you're in that position, what are the next natural stepping stones in different directions from keyboard beater to theoretician?
[00:48:30] EJ: Sure. I mean, a natural progression is going to be a guy that's a SOC analyst, then he becomes tier two and then he's a threat hunter and maybe he'll go off and do pen testing or vulnerability management. That is going to be, again, the keyboard beater and I mean that affectionately. I do it. I love it. I was playing with Kali last week and the hours were flying by, I didn't even realize where they went.
Keyboard beater is a term of endearment. That's an easy one. For another person, let's talk about the lady I mentioned before. The criminal justice. She comes in and now she's doing some consulting right out of college. That individual needs to start to think in three to five years about going to work in the workforce, because when you're 30-years-old and you've been doing consulting for eight years, people are looking down their nose at you saying, “How are you telling me what to do when you've never done it yourself?”
Think about the fact of how your client, how your customer is perceiving you. There are so many different places to go. You can look at project management. You can look at program management. You can look at getting into marketing. We had a wonderful employee at IBM security, she had studied marketing and she ended up becoming a marketing intern, but she wanted to get into security. I was trying to help her get over to IBM security to work in our marketing department and she ended up leaving to a competitor. Companies need to pay attention to the path of their employees and help them grow.
There are a whole heck of a lot of places to go. The easiest thing that I can say is this, follow your passion. Some people bag on that. I don't. Like I said, you got to be happy in life. I have been winding around. The journey that you have, and I think I talked about this in my last podcast. That is you're going to look at where you're going. On the way, you're going, “I want to go over here and try that. Oh, now I want to go try this.” That's great. That's why I ended up where I am.
I started in economics and I was doing marketing and going into Best Buy and teaching people about software programs and now I work for IBM as an architect. It was not a straight line. Life is not a straight line. Life is not always up in good things. Not. You have downs. You have peaks and valleys. You have to ride out the valleys, find out what you love to do, find a way to make money at it. Ask people that have been there, how they got to where they are, ask for recommendations.
Yesterday, I have a wonderful mentor, Shrini, here at IBM. I’m in a little bit of a challenging situation and I wanted his guidance. He has another one. I mean, Shrini is my mentor. He's a distinguished engineer. He has a fellow that's his mentor. We all ask for help and to find where you're going to go, don't be shy about asking.
[00:51:01] CS: Yeah. All right. Yeah, I want to wrap up on that and maybe that was the answer right there, but I was going to say, is there any particular advice that a mentor in the past has given you that stuck with you, that you've used as a guiding principle that you would want to share?
[00:51:15] EJ: There's a sentence and I’ve used it throughout this meet, this discussion, this interview. His name is Tom Dunn. He's a Senior VP of Sales at QuadraMed and he's gone on to other companies. Wonderful man. Great mentor. Great friend. He did say something to me. He said, “Are you listening, or are you waiting to talk?” So much in my life, because I’m like this one, “Come on. Stop talking. I got something to say. I got something.” No, no. Listen to Chris, Eric. You might be able to learn something from Chris. Shut up. That's the best advice that I’ve received. I received a ton of advice. For me, I need to shut up and I need to listen and not wait to talk.
[00:51:53] CS: Right. All right, so wrapping it up today. If people want to know more about Eric Jeffery, or the Cyber Security Grey Beard Podcast, where can they go online?
[00:52:00] EJ: Sure. I swore off Twitter. I think it's a disaster. You cannot find me there. You will never find me on Twitter. However, you can certainly connect with me on LinkedIn. You can go to my personal website, it's ericjeffrey.com. You can also certainly go to my cybergreybeard.com to e-mail me or just check it out. I’m always looking for suggestions on what to talk about.
I do the podcast to help others. If I’m not talking, it's because it doesn't look like anybody needs some help. Let me know what I can do for you and I’m happy to put together a 10-minute podcast.
[00:52:33] CS: Marvelous. Eric, thank you so much for your time and insights today.
[00:52:36] EJ: You're welcome. Thank you for having me. Appreciate it, Chris.
[00:52:38] CS: Thank you all for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec, check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice.
Thank you to all of you who have been rating and reviewing. If you could throw a five-star at us, or anything that you think is appropriate and review, it really does help us to get in front of more eyes and ears.
As mentioned at the very top of the show and in the video, we want to hear from you about what you want to see more of on the show. We're looking into possibly expanding Cyber Work. Please go to www.infosecinstitute.com/survey and you'll find a short set of questions about your listening habits and interests. If you take the survey, you'll be eligible to win a $100 Amazon gift card. That's www.infosecinstitute.com/survey.
Thank you once again to Eric Jeffery and thank you all again as always, for listening and watching. We will speak to you next week.