Long-term cybersecurity career strategies

Maxime Lamothe-Brassard, founder of LimaCharlie, has worked for Crowdstrike, Google X and Chronicle Security before starting his own company. This episode goes deep into thinking about your long-term career strategies, so don’t miss this one if you’re thinking about where you want to go in cybersecurity in two, five or even 10 years from now.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 – Intro
  • 2:56 – First getting into cybersecurity
  • 6:46 – Working in Canada’s national defense
  • 9:33 – Learning on the job
  • 10:39 – Security practices in government versus private sector
  • 13:50 – Average day at LimaCharlie
  • 16:40 – Career journey
  • 19:25 – Skills picked up at each position
  • 23:57 – How is time length changing?
  • 27:53 – Security tools and how they could be
  • 31:34 – Where do security tool kits fail?
  • 34:04 – Current state of practice and study
  • 37:10 – Advice for cybersecurity students in 2022
  • 38:21 – More about LimaCharlie
  • 39:50 – Learn more about LImaCharlie or Maxime
  • 40:08 – Outro

  • Transcript
    • [00:00:00] Chris Sienko: Today on Cyber Work, our guest is Maxime Lamothe-Brassard, founder of Lima Charlie. Maxime has worked for CrowdStrike, Google X, and Chronicle Security before starting his own company, Lima Charlie.

      Today’s episode goes deep into thinking about your long-term career strategy, so don’t miss this one. If you’re thinking about where you want to go and cybersecurity in two, five, or even 10 years from now, that’s all today on Cyber Work.

      [00:00:32] CS: Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of Infosec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity.

      After graduating from the University of Victoria with a degree in computer science, Maxime Lamothe-Brassard began his career in cybersecurity working for the Canadian government as part of the Communications Security Establishment or CSE. CSE is Canada’s largest cryptologic agency providing the Government of Canada with information technology, security and foreign signals intelligence.

      As part of the Canadian intelligence apparatus, Maxime worked in positions ranging from the development of cyber defense technologies, counter computer network exploitation and counter intelligence. After leaving the government, Maxime provided direct help to private and public organizations in matters of cyber defense. He was an early employee at CrowdStrike, then worked for Google, where he eventually landed in Google X. Maxime left Google X where he was a founding member of Chronicle Security. And in 2018, he founded Lima Charlie.

      Maxime has a very interesting career arc. He spent periods of time with two major names in tech and security before founding his own company. So, we’re going to talk about that, and we also want to talk about standardizing methods for security tool integration, and whatever else comes up. So, Maxime, welcome to Cyber Work.

      [00:01:57] Maxime Lamothe-Brassard: Hi, super happy to be here.

      [00:01:59] CS: So, you have a pretty storied career here, and we always like to go back to the beginning. So, what was your first spark getting excited about computers and tech, and specifically cybersecurity? What was the draw?

      [00:02:13] MLB: I don’t think it was one specific event, honestly. I was into the very earliest kind of people raised with a computer.

      [00:02:24] CS: In essence, you can remember.

      [00:02:26] MLB: Exactly, exactly. So, the computer part always been there for a long time. And then when I started university, it kind of switched over from just users of a computer into like programming. And so, that was interesting seeing a bit more. But security really started for me, when when I joined CSE. It’s a very special organization. And when I joined initially, I had nothing to do with security, like I built a job. But I could see internally sort of people doing security and kind of like, a little bit of it internally. And so, I was really, really interested and I applied as an internship. So, with an internship program that I was there, under, and so I applied for my next internship to go back into the security part of it.

      So really, I think the thing for me was starting that and getting that first realization that we use computers all the time, and it can be easy for us to not really know that whatever we’re using underneath is really understandable. As a user, I never, understanding seems like very opaque and difficult and whatever, right? And then you start programming, and then as you’re programming like, operating system, can’t touch that, like that thing. And then every time you get into it, you kind of learn more, and you realize that, after a couple layers that like, all those layers were built by humans.

      [00:04:14] CS: Yeah. It demystifies it piece by piece. But you can’t do it all at once. You can’t just kind of look into the guts of the machine and say, “Ah, I understand it.” So, you’re sort of stripping back the layers that way.

      [00:04:27] MLB: Exactly. So, when you’re able to take off the hood, and you start messing on the inside. That’s kind of where the security aspect comes in. The whole concept of like hacking, and you realize that, yeah, the computer will just do whatever it’s set to do. And if I start, putting stuff in there, then the good thing –

      [00:04:49] CS: I think that’s an interesting twist, especially in terms of just the evolution of technology because we put toast in a toaster, but no one ever like expects you to know how to sort of like take it apart or repair it if something goes wrong. All of our other tools, they either work or they don’t. But the computer, I think, is kind of one of the first things where there’s a real sort of investment in understanding, like the guts of the machine, and not just using it, like you use a – like an iPhone. You have to know, like, what the underlying motives are and what the underlying sort of systems and you have to sort of figure your own security out and things like that. I think that’s interesting that you put it from that way.

      [00:05:27] MLB: Yeah, absolutely. I mean, it’s not for everybody. I think, I suspect we’re going to talk career at some point, but when you talk career, knowing the depth there is really what’s going to help.

      [00:05:49] CS: Yeah. So, how did you come to work for the Department of National Defense in Canada? And also, can you tell me about some of your work roles there? You said, you started out as an intern? Was that right? Internship?

      [00:06:00] MLB: That’s right. That’s right. I started internship, building corporately, totally normal, you could do anywhere, Java software.

      [00:06:11] CS: Okay. So, you said, when you sort of saw the interior security aspects of it, you said, “Oh, that’s interesting.” So, you kind of re-upped and sort of changed your focus a little bit. Is that right?

      [00:06:22] MLB: Exactly. Internally, it was sort of, the group that most people wanted to try to get into, because obviously, if you translate that into like us terms. If you interned at the NSA, and you kind of wanted to do cool stuff, right?

      [00:06:38] CS: Yeah, totally. I’m assuming this was kind of a learn on the job situation. Were you doing sort of like your own study on the site? Or were they giving you all the tools you needed to kind of do the work for them?

      [00:06:54] MLB: It was very much the first case. And I think that is singularly the reason that, you know, my career kind of took that specific direction was that, they didn’t say, “Hey, this is the thing you need to do over and over again, or like everything.” But rather the exact opposite approach, where I joined, they told me, I think, on the first day, and I kind of liked that idea. They said, “Whatever you build here during your internship, we will never use it. Don’t worry about that. Don’t worry about that. We want to see what you can do, how you learn, and we’ll get ideas from what you’re doing. But don’t worry about the thing itself.” And it was a Greenfield. They essentially told me like your project is, and obviously, there’s something I can get into, but like, something like super generic. Your project is, I don’t know, like Windows Messenger, or whatever it is.

      So, it’s okay, and what do you mean? Well, let’s just understand everything about it. So, for somebody just getting into the field, it also helped that this was an Ottawa in the middle of winter. I’m not from Ottawa. It meant, like, it’s super cold and super snowy. It’s like dark outside from, I don’t know, 9 AM and again at 3 PM, so I had nothing else to do.

      [00:08:33] CS: No incentive to go outside. I’m in Chicago, so I can relate. That seems very forward thinking. Is that a sort of a common thing with security that they’re just basically telling you sort of like learn on the job, and we learn by sort of seeing how you learn? Or do you think that was kind of a unique test case?

      [00:08:57] MLB: I think it was pretty unique. I think the that organization and in furthermore, that kind of group, did not have the same kind of pressures and limitations of other places, right? If you are an intern in the company, whether you want it or not like the company has monetary incentive, they want things to work, to move forward. And so, those guys had kind of the luxury to go and say like, what they did, first of all, was very open minded, you had to think outside the box. So, it was their incentive to communicate that all the way through to internships.

      [00:09:40] CS: Can you, based on, you’ve seen the world from both sides now, can you make any generalizations between security practices on the governmental or federal level and security in the private sector?

      [00:09:53] MLB: That’s a good question. I think, to kind of like clarify it, I would even say, intelligence and then federal and then private sector. I think intelligence agencies are totally different world that have very different business drivers.

      Now, you looking back at sort of federal government and private sector, there are pretty big differences. I think what I’ve seen more is people being worried, like, truly worried about the consequences of what it does in the private sector. People, especially, more so nowadays kind of realizing that like, “Hey, this can have really deep cost and impact.” In the government, I think it’s wildly varied, depending where in the government. If you were talking to somebody in – I’ll use like us terms, but working in the White House, there’s probably also big concerns, and people shouldn’t be serious about it. But if you’re in agriculture, somewhere, there tends to be – the stakes are much lower. And so, the kind of classic, the line I’ve heard, I’ve actually heard at one point in my career talking to somebody like that smaller government, which was, “All I want from you, is just to tell me which box I need to buy and put on my network to be safe.” The compliance part was really, really overwhelming.

      [00:11:44] CS: Got it. But I mean, you say the stakes are low in a smaller network like that, but they’re really not. We’ve heard enough stories about hackers, like breaking into water treatment plant, networks and trying to poison the water supply and stuff. So, I mean, at this point, everybody’s a target. But I understand that, obviously, the White House, or what have you have layers and layers and layers on top of layers. But, yeah, I think that’s interesting that it’s so much of it is compliance based, and it’s just like, please, let me not think about it.

      [00:12:14] MLB: Yeah, exactly. I think what it is for a place like, White House, for example, is more – yes, there are many layers, but the damage from, I will say, kind of the PR, public relation that’s very visible, is a concept like front of mind. Whereas if you’re in something, again, I don’t need to pick on agriculture, I think it’s really important, but like, it’s not the water supply or electric supply, kind of not as worried some –

      [00:12:52] CS: It’s a lesser disruption.

      [00:12:54] MLB: Exactly.

      [00:12:56] CS: So, for the benefit of listeners who are starting or choosing where to start in their cybersecurity careers, which is a fair number of them, we find it helpful to ask guests about the day to day work of their current position. So, can you tell me about the average day, or an average workload as the head of Lima Charlie. Are there tasks that you’re engaged in most days and how much time is spent in putting with clients? And how much is involved in putting out fires and so forth?

      [00:13:18] MLB: That’s a good question. It’s a really, really evolving question. So, we are a startup, so what that means is like that picture, it’s like constantly shifting. Today, I’ll pick a point in time. We do things like fundraising, we do things like sales, but also, I’m still very involved in sort of the day to day development and operations. So, what that means, classic day for me is maybe we’ll do one call with a venture capital. That’s kind of a totally different frame of mind, because then I’m trying to sell the vision in the long term and who we are and what to do.

      I’ll do a call with a with a potential customer, so those tend to be really interesting. Because in our case, we have a lot of different types of customers doing different types of things and my background is pretty deep cybersecurity. But I don’t get to do it so much these days. So, I do like to –

      [00:14:29] CS: That’s something I always ask about is do you – I mean, obviously you’ve pictured your life here, but do you regret not being able to sort of like get your get your hands dirty with the stuff as much as work on the client side or work on the managerial side?

      [00:14:52] MLB: I miss it. I definitely miss doing it. But what I don’t miss is having do it day in, day out. There’s a lot of – I mean, depending where you are, right? But if you’re doing like incident response or things like that, it’s just a lot of firefighting, it’s a lot of very pressure –

      [00:15:12] CS: And you’re always on, I imagine. You always kind of teeth gritted.

      [00:15:16] MLB: Exactly. So now, I get to chat to people about these interesting topics. And most importantly, is, I know what I’m talking about, as well. So, that really bridged the gap, talking to people. There’s going to be that and then there’s going to be some development on the side and infrastructure are kind of looking the way things are developing, costing, and all that kind of stuff.

      [00:15:42] CS: Gotcha. So, of course, before you got to Lima Charlie, you worked several other places, and I’d like to take the opportunity to drill into your career journey, as well as it has some big names and some interesting timeline. So, as I mentioned, you were an early part of CrowdStrike in 2013, for about 10 months. What did you do in that capacity? And why did you move so quickly to your next opportunity?

      [00:16:06] MLB: So there, I forget what my official position was, but that was really early CrowdStrike. As in, all early companies, like titles doesn’t mean so much a whole lot. But I would describe it as I helped architect and put in place kind of early systems of what was eventually going to become, I want to say they call it Overwatch now. They’re monitoring services, so very early on.

      I think that’s an interesting topic for this discussion, particularly because it’s all psychology, right? So, I left the government, not just the government, but the intelligence sector, which kind of means if you think of like, the mentality as you’re leaving a place like that, it’s a cliché, but it’s also very true. It’s this idea of you’re doing work to help protect the country kind of thing, right?

      So, I would say on the spectrum of idealistic to pure money hungry, it’s very, very, very far on the – well, pretty far on the idealistic side of things. So, I was very much security operations and practitioner there, and idealistic, leaving. First job in the private sector. I’ve never actually worked in the private sector, and for a startup. So, the gap between where I was, and where leadership was in the company was really white. And I don’t think there’s – it’s all a gray spectrum. Now, starting a company, I realized that, everybody’s got to pay the bills.

      But that gap was really, really wide, and I think it was just too much of a gap for me to kind get – I really wanted to go and have a deep impact on detecting bad people and doing that, at scale is a different deal than doing it as an individual contributor. So yeah, that gap was kind of a big jump.

      [00:18:27] CS: So, from there, you spent a year and a quarter at Arcadia as the CTO and Chief Architect then moved on to Senior Security Engineer at Google for a year, and then Senior Security Engineer at Chronicle for another year and a half. So, can you talk about some of the experiences and skills you picked up at each of these positions and how it helped to position you to take on your next highest job opportunity?

      [00:18:48] MLB: Yeah, especially like, Google is its own thing, right? What it means is, I don’t think, when you apply there, it’s you they’re evaluating and not so much your previous positions. So, I think, getting my foot into Google, obviously, from there on, that was huge benefit from the name. But at first within Google, I did a lot of development around Windows endpoint, which is roughly endpoint sort of has been where I really focused my career. There was a normal move. So, a lot of Windows development around endpoint technologies.

      The way that I kind of transitioned into Chronicle, which is there’s Google, there’s Google X, they’re theoretically sort of separate, but not really. But for me, the trend in my whole career has always been that I would try to push and build things that have not been built before. So, seeing the opportunity really, really early on, hearing about this new startup being created in Google X around cybersecurity, that really piqued my interest. And so that’s when I went to talk to those guys and it was a good fit and eventually made the move.

      Chronicle and Google X itself, that was a really, truly unique kind of experience in my mind. And that Google X, like I said, it’s sort of separate, but not really. The whole kind of concept is they start kind of like a bit of a skunkworks internally, like trying to do new moon shots, do new thing that’s really big. As it’s kind of rolling out internally at some point, they decide, like, “Hey, we cancelled it, or we go, and we spin it off into its own company.” So, that’s how kind of the Chronicle really came alive. But during that internal, that is the really unique part, because it’s Google X, meaning, all the money in the world kind of thing, right? You’re a startup with like, I don’t know, $50 million in the bank. Is it a startup? Yes and no.

      So, that’s really why, like, it was unique, because we were trying to do extremely big things or looking for extremely big things to solve with the means to do it.

      [00:21:50] CS: Yeah, you don’t see that very often. It’s sort of startup goals with big investment behind it.

      [00:21:58] MLB: Exactly. But I would say, having kind of lived it, I think it’s definitely, there are pros and cons to it.

      [00:22:09] CS: Oh, really?

      [00:22:10] MLB: Absolutely. Because, yes, you got all the investment behind you. You can go and do those big things. But it also indirectly changes the mentality of the startup. I think, there’s not this pressure around, if you’re picking the cliché, tiny company in a garage, right? There’s a lot of pressure to make things work and to push the boundary and really take risks and do these things. Whereas if you’ve got all this money, in a way, you’ve got a bit of a pressure not to take too much risk, either. You don’t have the pressure as much to go to market and have this product and really, really push it. So, yeah, pros and cons.

      [00:23:01] CS: Pros and cons. So, taking your own personal experiences and applying them to a more philosophical, sort of overarching framework, do you think that the time spent on one job before moving to the next is changing in length in these days? Especially in terms of the so-called Great Resignation that’s been happening over the first few years? I mean, when I got into the industry, I always heard, “Don’t stay less than three years at a place. Also, don’t stay more than three years, because you’re not going to learn anything new and so forth.” But I mean, you’ve had some very, sort of quick stepping stones that brought sort of big dividends. And I don’t know if you think that’s something that can be applied overall, or if that’s just your phase, specifically?

      [00:23:38] MLB: That’s a great question. I don’t actually see it that way, when looking at my career. So, I never made the conscious decision, like, “Hey, I’m going to do this to step up my career kind of thing.”

      [00:23:53] CS: Got it.

      [00:23:54] MLB: I think, this is kind of a gut feeling. But that the Great Resignation is a really, really good thing, especially for industries that have a much lower salary, that have less education requirement, kind of where, where unions have been kind of historical.

      But I don’t know if – I haven’t really started feeling it in cybersecurity. I think maybe it’s because in a weird way, exactly, you said, I feel like we’ve had it for a long time, in a way, in security. Staying a year and a half in some place has been like – it’s been kind of almost the norm for a lot of people that I know. So, I don’t think that part has changed so much. I think what really is critical in my mind to the progression is sort of, I guess twofold. One is taking things away from a job, right? I think working somewhere, there’s very few places that you could work at, and not get anything from it. Even if it’s an awful job and you don’t like and all that, I feel like there’s some learning you should get from it.

      [00:25:19] CS: Yup. Even if it’s self-directed.

      [00:25:22] MLB: Exactly. So, I think that’s kind of one big aspect. And the other one is learning, I guess, maybe it’s related, but learning what you want out of the job, right? We have a luxury and security, huge labor shortage. Security is really big industry, many different types of things to be done. And I think it gives us the luxury to figure out, “Hey, do I want this cushy Google job to put in my terms, and kind of do interesting things, but kind of work government pays kind of thing? Or do I want to do firefighting, incident response?” I know a ton of people that just love it. Or development or policy work, there’s just so many different things.

      So, I think, I see the progression in my career as a refinement at every step of me realizing like learning specific things, and then realizing, I don’t like this, but I do like this. And so, it’s like, adjusting the course every step of the way.

      [00:26:36] CS: Right. So, it’s not the sort of traditional, first I was a junior manager then I was a senior manager, then I own the company, and then blah, blah, blah. But it’s more of the sort of pivoting of if you don’t like what you do, then do something else kind of thing.

      [00:26:49] MLB: Exactly.

      [00:26:52] CS: So, I want to talk about Lima Charlie a little bit and sort of our larger topic around security tools. So, you had an excellent article on your Lima Charlie company blog, explaining the reason you created this sort of universal platform, especially as it ties into the evolution of cybersecurity as a practice. And so, I want to start with that, the evolution of cybersecurity. The article notes that one large problem for security departments is the production of certain specialized security tools that turn into an exercise and extreme logistics, as companies have to acquire dozens, if not a hundred or more specialized tools to do the work of securing their business and then to make that all somehow connect and communicate.

      So, you noted that because it’s easier and more profitable to create a tool with a hyper specialized use, that you get the silo landscape with an infinite number of security tool choices that have sprung up. So, do you have any thoughts on whether this was preventable, given given a time machine and the benefit of hindsight, do you have any thoughts as to how the original wave of cybersecurity tool creators and architects could have done things differently? Or is this just the way it will always going to be?

      [00:27:56] MLB: I think it’s just natural evolution. I think it’s absolutely natural for smaller scope, siloed products to be a core part of innovation in any industry, right? You can’t spring out of nothing and be General Motors and kind of be – those guys buy those smaller companies. So, I think it’s a core part of it. And what happened is, we are a brand new, like a really, really new industry, and I think we’re just now starting to get into this maturity of – it’s like, we’re teenagers, we get a driving permit, we start to understand what the world is, what are the best ways to do things and not do things.

      So, when we didn’t have that, that’s why everything was just like a one-off product, everybody was trying things. You’re trying to get all those learnings, this institutional learning. Now, we’re starting to kind of shift into that second phase where we know what a lot of those concepts are. I feel like defense in depth was sort of the very first tagline that had the learnings behind it, and a chunk of institutional learning. But we have things like the MITRE framework now, which are a lot less, in a way cutting edge and cool and sexy. But that’s how we, as humans, if you look at engineering, we got to building the big bridges that we have today, not just by having a bunch of people trying to throw stuff at the wall, but like, at some point, the formulas became like, “Okay, this is how you do this.”

      So, I think, that’s why there’s that transition. So, I think, it’s absolutely natural that we had it, and we will always have those smaller scope products. But we’ve got to transform as well. We’ve got to get those big learnings in. And I think, then, is when we start to take a lot of the collection of those smaller tools or smaller use cases and say, those things really worked. Now, let’s take those one offs and do something proper that we can build upon for the future, for maturity.

      [00:30:34] CS: Yeah, tie it all together. So, where do you think security departments most frequently fail when designing their security strategy? Do you think that this piecemeal approach to building security toolkit results in blind spots that aren’t noticed until the worst happens?

      [00:30:49] MLB: I think that story is very different depending on who we’re talking about, right? So, we mostly deal with people that are on the higher side of the charity and it’s under security. We deal with security professionals. So, I have that bias view. That being said, you know, every now and then, we do talk to smaller places, right? Sometimes they’re startups, sometimes they’re just kind of smaller companies. And there, really, I think, the common mistake that I see is people trying to do too much themselves.

      It’s a cliché, but there’s a reason it’s a cliché of like, buying a tool, and nobody’s watching what the tools doing, right? I think, those folks would be better off by going to an MSSP, or to somebody that can help them do security knows what they’re doing. But in the bigger side of things, it’s very different. I think there, the critical thing that’s got to change is that we see a lot of bigger companies relying too much on the promise of a vendor. So, for somebody saying, “Hey, I have this tool, it protects me against bad stuff.” Okay. That doesn’t sound like a very mature defensive option.

      [00:32:28] CS: Right. Turn it on and it doesn’t sing in the background, I don’t think about it.

      [00:32:32] MLB: Exactly. I would love it to be true. If it can be wrong in one thing, it’s that. I joke sometimes, I want my grandma to be able to stop the Russians just installing it. That’s great.

      [00:32:48] CS: Amazing. We did it.

      [00:32:51] MLB: I think people, I think those bigger organizations need to start shifting into a mode where they know their security posture. They think what exactly are the things we need to detect? How are we going to do that? And kind of broach that very transparent.

      [00:33:06] CS: Okay. So, from discussing the state of world security and our part in it, we want to turn now to the work side of the Cyber Work podcast and talk about the work of security, whether it’s security engineer, architect analysts. Lima Charlie seems to be crafted for a variety of levels and types of physicians to interact with in different ways. So, can you tell me your thoughts on the current state of security practice and the process of learning study, experience and career advancement that you recommend to kind of grow and develop in this industry?

      [00:33:35] MLB: Sure. That’s a pretty wide question.

      [00:33:40] CS: Oh, yeah. Start making a little narrow in a little bit.

      [00:33:43] MLB: Yeah, exactly. Absolutely. I think, it’s a really, really wide industry. So, the first thing I feel that people should think about is not too narrow their view, right? I think a lot of people that come in and see, let’s say, the red teaming, like penetration testing as like the first thing that they see because it strikes the imagination.

      [00:34:07] CS: Yeah, it’s exciting.

      [00:34:09] MLB: Yeah, it is. But there’s a lot of excitement in blue teaming. But there’s also a lot of value and different people derive a lot of interest out of things like policy work. So, don’t over focus, go and talk to people that are even remotely kind of doing security that I think, that’s a very, very valuable thing. The other part I think of around career growth, is this idea of understanding what you’re doing. That sounds like a funny statement. But I think we’re getting to the point where it’s easy, and sometimes encouraged to, “Hey, I use this tool. I know how to use this tool. This thing tells me about that.” But I think in terms of longevity of your career, and being able to pick and choose where you go towards the future, it’s really important to try to understand this example what the tool is doing, right? What’s happening behind the curtain.

      So, understanding kind of the fundamentals of security. We talk about exploits, what does that look like? All these things. It doesn’t mean that you have to become an expert at building exploits, probably not. But at least having a grasp of what it is, because that’s how you’re able to go from, maybe today, at your job, you’re learning to use this one tool, the next job that you’re trying to get, maybe they don’t use that tool. And that will vary tremendously the amount of effort that you’re going to have selling yourself to get that job, if you have to go and say like, “No, I can use this other tool”, versus “It doesn’t matter which tool you’re giving me, I understand what’s behind.”

      [00:36:12] CS: Understanding the larger concepts and so forth. So, from a professional standpoint, what advice would you give cybersecurity students getting their knowledge and experience in 2022? Are there any trends, pivots, or innovations that they should be looking at in the new year? Or obviously, know your fundamentals, and so forth. But what do you see on the horizon that people should be watching out for?

      [00:36:36] MLB: I think, I mean, there’s the staples of cybersecurity, understanding, I think, endpoint endpoint technology is really, really critical understanding that. But more and more, I would say, the sleeper here is, cloud security is becoming more and more complex. People are relying more and more, and as that complexity grows, it means that there’s more dark corners. So, getting involved into understanding those, and being comfortable in that kind of ecosystem is going to be a big driver to kind of future jobs and requirements in those jobs.

      [00:37:23] CS: Alright, so as we wrap up today, Maxime, thank you for your time. Well, this has been a masterclass on, I think, just general career movement within a cybersecurity field. You just went above and beyond on so many different things that I like to ask people about, and so thank you for that. But as we wrap up, can you tell our listeners any more aspects about Lima Charlie that you’d like them to know about, and some of the projects, and products that you’re excited about going into in the new year?

      [00:37:51] MLB: That’s kind of the cool part about what we do, is we get to touch a lot of different things. So, we’ve been very endpoint driven, so far. So, around the EDR space, and all that, it’s really cool. But I think the coolest part is, as we’re kind of fulfilling our vision, we’re adding a lot this year of external data sources. So, we’re adding other EDRs, we’re adding cloud, a lot of cloud logging into the platform. So, I see it like a big pot where we’re cooking. And so, we had plenty of EDR. But as we add those other things, I think it kind of changes fundamentally, how people are going to use our platform and how people are going to see their ability to go and reach across the stack, all the way from like the iPhone of the CEO, to the developer logging in to GitHub. So, those are the kind of things that excites me for the year for us.

      [00:38:49] CS: Very cool. So, one last question, if our listeners want to learn more about Lima Charlie, or Maxime Lamothe-Brassard, where should they go online?

      [00:38:58] MLB: Limcharlie.io is the spot, and we have a community Slack and we have documentations and YouTube channels. So, there’s a lot to see there.

      [00:39:08] CS: Beautiful. Maxime, thank you so much for joining me today. This has been so fascinating.

      [00:39:11] MLB: Thank you, it was good.

      [OUTRO]

      [00:39:13] CS: And as always, thank you to everyone listening to and supporting the show at home. New episodes of the Cyber Work podcast are available every Monday at 1 PM Central both on video on our YouTube page, and on audio wherever you get your podcasts.

      I’m also excited to announce that our Infosec skills platform will be releasing a new challenge every month with three hands on labs to put your cyber skills to the test. Each month you’ll build new skill ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we’re giving away more than $1,000 worth of prizes each month. Go to infosecinstitute.com/challenge and get started right now.

      Thank you so much once again to Maxime Lamothe-Brassard, and thank you all so much for watching and listening. We’ll speak to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.