The importance of cybersecurity education

Dave Hatter, technology educator at Cincinnati State and cybersecurity consultant for over 25 years, discusses his security journey, the future of cybersecurity education and the roles of certification in pursuing high-level cybersecurity careers.

    • Chris Sienko: Hello and welcome to another episode of the Cyber Work With InfoSec podcast. Each week I sit down with a different industry thought leader to discuss the latest cybersecurity trends and how those trends are affecting the work of InfoSec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. Dave Hatter has more than 25 years experience in IT as a software engineer and cybersecurity consultant. He also has nearly 15 years as an educator, teaching technology courses at Cincinnati State. He’s going to talk to us today about his security journey, teaching to the security professionals of tomorrow, and the roles of certification and education in pursuing high level cybersecurity careers. He is also, according to his LinkedIn, the mayor of Fort Wright, Kentucky. Dave, thanks for being here today.

      Dave Hatter: Hey Chris. Thanks for having me. This is a topic I’m really passionate about, and it’s always exciting for me to get to talk about it because I think it’s critical for businesses as well as society as a whole, that more people understand how important this is, and also the amazing opportunities in this field.

      Chris: Yeah. That’s great. Well yeah, we’ve got lots of questions for you here. So let’s jump right into it. So we start out most episodes by talking about your career journey in cybersecurity. So let’s start at the beginning. When did you first get started in computers and later into security specifically? Were those always interests or did you move down that avenue later in life?

      Dave: Well, look at me. I’m a crusty old dude now. I’ve been doing this for a long time. I’m a child of the late seventies and early eighties when video games first became a real thing. So whether it was arcade games or Atari or ColecoVision, I can ramble off a long list of these game systems I had. I’ve always had an interest in gaming, and when I decided that I wanted to be a chemist, I went to college, realized I was not smart enough to ever earn a chemistry degree and needed something to fall back on, frankly.

      Chris: Oh man. Another member of the failed chemistry club. I was chemistry until I hit physics and calculus and how they all tied together and it didn’t go well.

      Dave: Things like organic chemistry, I realized I would never ever graduate from college. So seriously, I started looking into other options. I looked at computer science. As you may know, that also has a lot of math requirements.

      Chris: Sure.

      Dave: And I took what many people in IT call it, the cheap and easy route. I went for information systems.

      Chris: Okay.

      Dave: So I got a business degree through the college of business at NKU. I sort of developed a love for programming at the time, and I’ve spent most of my career, pretty much from the day I walked out of college in ’92, I spent almost my entire career in software engineering. As someone building lots of custom applications for lots of clients, in many cases for smaller clients, they didn’t have IT people. We were looking for hosting. So we had to be aware of how networks work, how to configure this stuff, to think about things like security, both at the network level but also at the application level. So I’ve been more focused until recently on application security. How do you stop things like SQL injection and validation, that kind of stuff, but as time has worn on and cyber security has become more of an issue for all businesses, and as I mentioned before, society as a whole, I’ve gotten more and more interested in it.

      I have a lot of background in various facets of IT and decided it would be a good time to try to move away from a pure software development sort of role and into more of a broader cybersecurity role, because I think, A, there’s a lot of opportunity for me, but B, I think I could bring a lot to the table for businesses, and it’s just something I’m very passionate about. So I started to study, make the transition out of the software development business into the cyber security business, and it’s been a lot of fun. There’s a million things to learn. It’s changing every day. So it’s constantly exciting, and sometimes a little frightening and depressing, but it’s been great so far. I’m enjoying myself, and as I mentioned, I’m very passionate about this and I love to tell people about it.

      Chris: So how did you move sort of step wise from software engineering to cybersecurity to teaching and beyond? What were some of the major job titles that you had along the way and what were the progression of skill sets that got you to where you are now?

      Dave: Good question. So for many years I owned my own business doing custom software development. So again, I had a lot of hands on doing this sort of stuff then, and to try to provide the best value to our clients, even though I was … so even when I had my business, I still did a lot of software development, partially because I’m a control freak, partially because I enjoy it, and partially because we never really expanded to the point where I couldn’t do it if I wanted to, and along the way … so again, I started looking at things like the CompTIA Network+ certification, CompTIA Security+ certification, some Microsoft certifications around Windows servers, networking, that kind of thing, to make sure that we were going about things the right way, and just frankly, I’m … I mean, look at me. I’m one of those dorky guys that just likes this stuff.

      Chris: Yeah, sure.

      Dave: And I see those tests as sort of a personal challenge. So along the way, I’ve tried to stay up to speed, get some certifications, learn these things, and then more recently as I decided it was time for me to make the jump out of a pure software development role and into more of a broader cybersecurity consulting kind of role, I started to look at other certifications like CISSP, CISA, other things that were out there and basically said, “Okay.” Again, I’m pretty knowledgeable about this stuff anyway, but it’s time to start focusing certified ethical hackers and start going down the road, getting some training, doing some self study and taking these tests so that I could have some credibility in this space, and that’s pretty much what helped me make the leap. Now the thing that’s really been amazing for me, I’m fortunate that over the years here in Cincinnati, I’ve got a lot of connections in IT for many years as a small business owner working with other businesses, supporting us and so forth, and a friend of mine, Tim Rettig owns a company here in Cincinnati called Intrust IT.

      We’re a managed service provider, and cyber security is becoming increasingly critical every day for us internally as well as our clients, and it was a great opportunity to join the Intrust team and have a focus specifically on cybersecurity, and even still let me do a little software development. So it’s a total win for me. So I purposely was working towards this, but I happened to luck into having a great relationship with a company that had a need, and it’s just a great fit. So I’m probably luckier than other people might be in regards to making that transition.

      Chris: Yeah. Now tell me about your favorite parts of teaching security as a professor. What aspects of security are you teaching your class?

      Dave: So I’ve only taught one security class. Most of the classes I’ve taught over the years have all been software development classes, and again, there’s a little security mixed into that, but recently I had the opportunity with another local community college to get into a class that’s I think really fascinating and a great way for anyone who’s interested in trying to get some basic skills and possibly move into this space. It’s basically security fundamentals, but it’s geared around the CompTIA Security+ exam. For folks watching this podcast that aren’t familiar with that, CompTIA is an industry organization. They provide a lot of education and training materials. They’ve got a lot of certifications at varying levels. Security+ is kind of their entry level security test, but the curriculum is developed in conjunction with the publisher who’s got a book that you could buy the book and take the Security+ test, and in this environment you can take this class, it’s a 15 week four credit class, you get your three credits towards a degree, and it prepares you to take the Security+ exam. So in my mind it’s a win win.

      You can get the best of both worlds, and we pretty much guarantee you an A on the final if you take and pass the Security+ exams. So you’re getting 15 weeks of in class experience doing exercises. It comes with some great virtual labs so you get some hands on experience doing a lot of things, encryption. It’s a really cool curriculum and it was a lot of fun to teach it. I’ve only done it once so far, because I do have the Security+ certification. It was a lot of fun. I learned a lot along the way and I think the students had fun, and I’m hoping to get the opportunity to do it again real soon, but I would recommend for someone who’s thinking, “Okay, where can I even get started on this?” Look to your local community colleges. See if they offer a class like this where you’ve got someone you can talk to about it, you’re getting some hands on experience doing the work, you’re potentially earning college credit towards some type of certificate or degree, and at the end you should be fully prepared to go take the Security+ test.

      Chris: Another option would be to take a boot camp through our organization. Links downstairs.

      Dave: Bootcamps are good too. I certainly don’t have an issue with that. There’s really never been a better time if you want to get into IT from a training option perspective, whether it’s online training, there’s just so many options and so much good content out there, and a lot of it is very reasonably priced if you do your homework.

      Chris: Yeah, yeah, yeah. So since you’re so specifically tied to education and learning in that regard, we’ve spoken to several other guests in a variety of positions from academic to military to the private sector about the so-called “skills gap” in the cybersecurity industry, this belief that there aren’t enough trained professionals to fill all the positions that are out there. So how does this look from your end? Do you see the skills gap as a shortcoming of education, on job training, other factors? Have you experienced it personally at all?

      Dave: I have experienced it personally, in all facets of IT. It’s hard to find good software developers, but I think it’s extremely evident around cyber security, because I don’t think a lot of people until maybe the last three or four years have really looked at it as a career field, have taken it all that seriously. There’s a lot of small businesses who think, “I’m too small, I’ll never get hit with this.” I don’t know that various colleges and so forth have really been pushing it as a thing until recently. So I think there’s any number of aspects that have driven this gap. I also think a lot of people are scared off by it. I mean depending on what you want to do, you’ve got to be fairly technical.

      Chris: Yep.

      Dave: Having taught programming for a long time, it’s not for everyone, and so I think there’s a lot of aspects to it that have driven it. I do think as society as the whole has started to realize that anyone from just some guy on the street up to the largest corporations are potentially subject to the negative ramifications and implications of cybersecurity flaws, gaps, breaches, et cetera, one or more people are getting interested in it, which is a good thing, and I think to some extent that’s spurred the large plethora of options out there to get the kind of education that would allow you to break into the field. So I think it’s never been easier to try to get in. The one thing I’ve seen … and I still can’t quite understand this, and I’ve seen this around software development too. You go out and you look, there’s job postings like crazy. You go to somewhere like Dice, there’s a bazillion job postings out there, but then they want someone that’s got five years experience doing some real esoteric thing that has been around for four and a half years.

      It’s like, well that person doesn’t exist, and recruiters are throwing these resumes away. Someone somewhere has got to be reasonable and say, “Yes, this person may not have all the skills we need, but they have some of the skills we need,” and maybe they’ve demonstrated through their resume that they’re pursuing education through a bootcamp or through a community college or certifications or whatever. So they’re apparently trainable. I mean the expectation of recruiters in many cases to me seem completely ludicrous based on the skills that are out there. I think there needs to be some kind of alignment to get people into a real space of yes, this person may not have all the skills. They have some of the skills. They’re working to acquire the skills. They’ve demonstrated that they’re trainable and teachable. We’re not going to get Vint Cerf or somebody for every job. It’s just not going to happen, or Kevin Mitnick. We’re going to have to take people from the pool that’s available and the people that are out there trying to get these skills. That’s I think one of the biggest disconnects is the, in many cases, unreasonableness of the demands of the employers and potentially the skills gap in the HR people who don’t really understand the skills of the people they’re talking to, the resumes they’re reading, that sort of thing.

      Chris: Yeah. That’s been a recurring theme on this podcast is the need for some sort of a job posting reform or a baseline set of setting expectations accordingly and not looking for unicorn candidates and then giving up when no one applies or one person applies or whatever.

      Dave: Well, I’m glad to hear that that’s a recurring theme and it’s not just me that feels that way.

      Chris: Yep.

      Dave: Because I see it over and over again, where the stuff that people are saying they need is so unrealistic in many cases, compared to the talent that’s out there, but there is good talent out there and there are people who are willing to put in the work and get those skills, but it becomes a chicken and egg thing. How can I get the skills if I don’t have a chance to get the education and the training and the opportunity to do the work?

      Chris: Right.

      Dave: Well, where can I get the people? That’s a sore spot for me and kind of a frustrating topic. So I’m glad to hear that I’m not the only one that feels that way.

      Chris: Absolutely not. So what role do you think learning security in school or bootcamp or whatever plays versus say hands on experience and certification training? Do you feel that a security professional receives ongoing educational environment, that they’re getting something more than say just taking the book home themselves and self teaching and practicing?

      Dave: I’m a big fan of education. Obviously I’m somewhat biased. I’ve been an adjunct for 15 years. I’ve never been a professional college professor, and I originally got involved in it because I’m a big believer in the quote, “While we teach, we learn.” I mean I learn stuff every time, and I know one of your questions coming up is going to be about the National Cyber League. I learned an amazing amount of stuff doing that.

      Chris: Yeah.

      Dave: So I’m a big fan of education, and I think for many people who … it’s been my experience on the programming side of things, there are certain people who are just naturally inclined to be phenomenal programmers.

      Chris: Yep.

      Dave: They just are able to think in the logical sort of way that you need to be able to think to be able to take a real world process and break it down and turn it into a working application, but not everyone naturally thinks that way. Maybe people can be trained to do it and enjoy it and it’s a great career for them, but they struggle when they get started. So I think having someone … whether it’s a bootcamp or a community college or a four year college or whatever, having someone who understands it and has empathy for the struggles that students are inevitably going to face, can answer questions, can demonstrate how to do things will go a long way towards making it easier for people who might not be naturally inclined, but I think there’s plenty of people out there who, with the right material and the right access to tools and so forth can learn it on their own. The certification piece … I’m a big believer in certification. I have a lot of certifications. I’ve invested an enormous amount of money and time, not because I want people to say, “Look at me,” but because A, as a consultant, it does give you at least some credibility, and B, I’m forced to learn things I probably wouldn’t learn otherwise.

      So I see it as sort of continuous learning, investment in my own career. There are many people out there that have no certifications and know more about this than I ever will, and there are many people out there who have a lot of certifications who really have no idea what they’re doing. I think certifications are a tricky thing because it depends on how rigorous the certification body is. There are some bodies, like (ISC)² with the CISSP exam, not only is the test very difficult, but then you have to have another person who’s passed the test sign off on you.

      Chris: Yes, right.

      Dave: The PMP exam, you have to basically put in thousands of hours showing your work in the various disciplines and names of people who will sign off on it and say, “Yes, you really did this,” if you get audited in addition to taking a very difficult exam. Other exams, not so much. So I’m a fan of certification. I guarantee people will learn if they take these certifications. I think it does demonstrate to a potential employer that you’re teachable, you’re trainable, you’re interested in learning, you’re willing to put in some effort.

      Chris: Yep.

      Dave: Ultimately though, I think a combination of all three is probably the best bet, but I really, at the end of the day, don’t believe there’s any substitute for hands on experience. I mean you got to get in there, and working with other professionals who have experience communicating, collaborating, seeing how other people think about it is really the best way to learn, but when you couple that with education and certification, I don’t think you can do it wrong.

      Chris: So what I was going to say about certifications, it sounds like even though you have over a dozen certs, you basically treat them as tools to solve a certain problem rather than sort of like baseball cards to be collected.

      Dave: I do. Again, I’m forced to learn a lot every time and I see it as a personal challenge, a tool in my toolbox, and there are certain skills that maybe I don’t have now or they’re not as sharp as I would like them to be. So I see that as one way to try to improve those skills.

      Chris: Okay.

      Dave: And to be able to demonstrate at least some credibility in whatever that particular area is.

      Chris: Yeah. So yeah, you mentioned a little bit, and I’m very excited to jump into this next part here. According to your bio, you coached a team of students in the National Cyber League spring 2019 season, which is a capture the flag competition. So I guess first of all, I’d like to hear your experiences with it, but more generally, what in your opinion makes a good capture the flag exercise? In creating a CTF or running one, what aspects do you think make it educational and challenging for students in a way that can apply to their future work?

      Dave: Well this is the first time I’d ever experienced one of these myself. So to answer your question, what makes it good? The thing that was cool about National Cyber League, and there are many of these things out there, was they had a range of challenges from relatively simple to very complex before the actual competition starts. They have what they call a gymnasium where you can get in there with the students and just try different things. It’s broken down into a variety of different domains from identity and access management, wireless encryption, different domains that sort of fall into the cybersecurity space. So it ran the gamut. Again, some of these things were very difficult. There were some very interesting exercises around steganography, which I really didn’t know too much about beforehand, but trying to go out and discover tools that let you try to extract the messages that are encoded in that image.

      There was lots of cool stuff like that. Again, many things … I’ve read about it, but never experienced it before. So the ability to get into a lab environment, either on your own or in a classroom with students, and then work through these exercises and frankly see students come up with some very creative … and there were times where I’m like, “I have no idea what this thing is supposed to be.” So we all get on Google and start searching and suddenly a student throws out an idea and the next thing you know, we’re going down that rabbit hole, and by God that was the right rabbit hole.

      Chris: Wow.

      Dave: So it was a lot of fun. It was very cool. It was a great opportunity to see people sort of show some leadership skills and take the initiative and try to solve these things on their own, and I had a lot of fun. I’m really looking forward to doing that again, and again, I learned a ton myself, things that I just never had experience with or exposure to before. So in my mind, particularly as fast as the cybersecurity landscape changes and new attack vectors are coming up every day, well I think it’s probably a lot of work for whoever’s building these capture the flag type tools, environments, platforms, et cetera to stay up. It’s an amazing opportunity for people to get hands on experience and potentially collaborate with other people to solve some interesting challenges, think about things in a new way, and do some things they just otherwise probably wouldn’t have the opportunity to do until it happened for real, at which point now it’s a whole different situation that you may not be prepared for and would certainly be under a lot more significant pressure. You don’t want to end up going out of business because you weren’t prepared to handle this challenge when you could have participated in something like that and said, “Oh, I at least know where to start to try to address this problem.”

      Chris: And you’re probably not going to have those kind of time-dependent challenges in real life, but I think there’s a lot to be said for being on the clock in that way and having that sort of collaborative function as well. So were there any challenges that were over your head? Is there anything that you guys weren’t able to break through?

      Dave: Yeah, there were several. I mean we didn’t finish several of the challenges. Part of it is you’re talking about a three hour a week class at night. People have real lives, myself included. I have a real job. I’m doing this adjunct professor thing as a [inaudible 00:21:27].

      Chris: Yep.

      Dave: There were several in there that were really difficult and we just didn’t solve. So I don’t really see that as a failure. I just see that as more of, hey, there’s more to learn and you’ve got to keep working at this stuff and learning about the stuff, and again, it was a lot more fun than I anticipated, because I didn’t really know what to expect, and at least with National Cyber League, they did a really good job. The tool was good, it worked smoothly, they had a lot of great examples, like I say, from relatively trivial to very difficult, and the gymnasium thing beforehand was pretty cool. My only real complaint about it at all was they didn’t open the gymnasium until a very short time before the actual competition started.

      Chris: Yep.

      Dave: And I think especially for people new to it, it would be helpful to have more time trying to get familiar with how the thing works and what they are expecting of you, as opposed to you’ve got a very short timeframe to try to understand it and then just go, but sometimes that’s the way it is in the real world.

      Chris: Yeah. Oh yeah. No, and I remember, again, going back to eighties games and stuff, but all the kind of puzzle solving games like King’s Quest or whatever, where a lot of it wouldn’t be a failure of logic, it’d be a failure of not knowing how the interface works and, “Oh, okay. That’s what you meant for that.” So, yeah. So we do a weekly … actually twice a week we have a writer who takes dead CTFs and walks you through them step by step, and I’m not terribly security savvy, but it’s very educational to see the sort of mental steps along the way, and we’ll try this, and then we try this, and we find that piece here and then we unlock this.

      Dave: That’s really cool, yeah, and I think there’d be a lot of value in that for people.

      Chris: Yeah. Oh, we get tons of readers. It’s very exciting.

      Dave: I’m going to have to check that out myself.

      Chris: Yeah, yeah. I’ll send you some links. So what role do you think that professional certification will play in the enhancement of security career in the future? What certifications, using your crystal ball, do you think are going to be most important for security aspirants in 2019 and beyond?

      Dave: Well, there’s the big ones out there, like the granddaddy of all of them at the moment, probably CISSP. I think that’s probably the most well known. It has the most sort of broad applicability and credibility. You’ve got increasingly specialized certifications. Even with (ISC)², they’ve got five or six other certifications now, one focused specifically on software oriented security issues. I think you’re going to continue to see specialization. You’ve got things like Certified Ethical Hacker out there that I think has gotten a fair amount of traction. You’ve got all kinds of certifications around penetration testing and offensive type security versus the more defensive thing that I think most people think of. I think for folks, to some extent you got to kind of decide … I mean to be good at the offense, you also have to understand the defense and vice versa, because you’re two sides fighting against the other.

      If you only understand offensive football, you’re probably not going to do very well, because it’s only half the game, but I think at least where we’re at today with this seeming focus on, “Well here’s a checklist of skills that I need. All right recruiter, go find me this person. Well, do you have this? Do you have this? Do you have this? Do you have this? Nope? Thanks. We’re done here.” These specialty certs will probably continue to grow in popularity so that people can say, “All right, I can check off that box. I got this thing, I got that thing.” I think the entry level things like Security+, and CompTIA has CISP now, which is sort of similar to CISSP. There’s several of these guys out there. The problem I see here to some extent is cyber security has now become very hot.

      The salaries are good. There’s a lot of opportunity if you have the right skills and know how to explain that to someone that would want to hire you, and it seems like there has been a giant rush into this space now, and there are a ridiculous amount of cybersecurity oriented certifications, and I think some of them are more risk focused, some of them are audit focused, some management focused, some technical. They’re all over the spectrum of their focus area, and I think trying to understand who is the certification body, what is the credibility level and influence level of that body out there in the marketplace? Because if you go out and spend 4,000, 5,000, 6,000 bucks on a certification that really isn’t in much demand and people don’t know what it is, you probably haven’t really done yourself … other than the learning that will naturally come along with it, you probably haven’t really done yourself any favors.

      The agile space is full of these kinds of things. If you were to take certified scrum master, professional scrum master. Now there’s a jillion agile certifications out there. So just getting any one of them may or may not be that useful because the recruiter doesn’t know what any of them mean. They want to see CSM. You got CSM? Good to go. You got PSM? Well that’s no good. So I think for folks who are aspiring to earn these certifications, both for the learning they’ll get as well as the potential career opportunities. I think it’s really important to understand what is it you think you want to do, how much demand is there out there for that, and then what is the best certificate in that particular space?

      Chris: Okay. So for our listeners who might not be involved at all right now in cybersecurity and are considering starting at the beginning, where would you recommend starting? And then second related question, where would you recommend for people who might be well along in the workforce, maybe in tech but not in security, or just in another area entirely? Where would they start in sort of looking to sort of transition towards security as a career?

      Dave: So for people who have absolutely no experience whatsoever but are trying to figure out how to break into it, the best thing to do would be to try and find some folks who have some experience and knowledge and ask them about it. So you can try to decide, “Is this really something I want to do?” Maybe talk to some bootcamp people, talk to some folks at a local college that have a program, and again, try to understand, “What is this thing about? Is this something that I think I would like to do? Is this something I think I’m willing to put in the work to learn?” Because if you don’t know anything about it and if you’re not sort of a technology minded person to begin with, it’s going to take a significant amount of effort to break into this thing, because you’ve got to know the seven layers of the OSI model and all this other stuff –

      Chris: Yeah.

      Dave: – to really be able to understand all the stuff on top of it that fits into the cybersecurity bucket. I think for folks that are already in IT and maybe has some background there, you could probably start with, okay, what kind of certifications are out there? Because if you read the background or description of what you need to know to pass any particular tests, if you’re already an IT person and you read it and you say, “I don’t have any idea what this stuff means,” well maybe that’s not for you, or at least it’s going to be indicative of the fact that you’re going to have a significant learning curve and you’re going to have to put a lot of time and effort.

      If you look at it and you say, “Hey, I already know most of this stuff. I’m interested in this stuff,” that might be a good place to put a stake in the ground and say, “Okay, I can see a path here,” whether it’s Security+ or CISSP or whatever, but there’s an enormous amount of online resources. There’s an enormous amount of online free training where you get a little taste of the stuff, like Udemy, Codecademy, Cybrary. There’s just a ton of these things out there where you can try it for free or find really high quality courses for relatively low amounts of money and just try it and see what you think and then decide, “Okay, yes. I think this might be for me. Maybe I should go after a certification.”

      Chris: Of the dozen plus certs that you hold, which ones are the most useful to you in your day to day work? Are there any you particularly feel are kind of a skeleton key? Or do they all just have their own purpose and situation?

      Dave: Of all of them … skeleton key is a good way to describe it. I would say probably for me the most skeleton key-like one is probably the PMP certification, because it tackles a very wide set of domains. Risk management, which of course applies to cyber security and really anything in IT or business for that matter. You’ve got cost management, you’ve got schedule management. I mean all of those things apply to virtually any IT related discipline or any business, and while … I’ll take my PMI hat off, because I’m a fan of PMI, some of this stuff is probably overkill for anything but the largest projects, and you’ll learn a lot of stuff you’re probably not going to practice because it just doesn’t make sense in your environment, but you’ll learn a lot of stuff that just makes you better.

      I think from understanding how business works, understanding why I would need to understand how to compute the risk on something, because a lot of times when you talk to IT people who maybe aren’t as business focused, well they want all the security, they want all the whatever, and in many cases, Chris, it doesn’t make sense. I’m not going to spend $100,000 to secure something if it’s only worth $10,000, unless there’s some other reasons, like I have a legal or regulatory reason to do it. So I think that’s probably the closest thing to a skeleton key. I learned a lot from it, a lot of the estimating stuff. We went out to talk to a client about the work that needs to be done and we’re using techniques like the  estimating and so forth, which I learned from studying for that test.

      Chris: Yeah.

      Dave: So that’s probably the most skeleton key-like one. I think, again, if you’re trying to get into security, I recommend people at least take a hard look at the CompTIA Security+ exam, because you don’t have to meet a lot of requirements to take it. If you’re willing to put in the work, you can take the exam. It’s a reasonably challenging exam, and if you can pass it, you know a fair amount about this stuff.

      Chris: Yeah. That’s a good first run.

      Dave: Yep. Absolutely.

      Chris: So as we wrap up today, where do you see cybersecurity education and certification training in the years to come? Do you think the skills gap can be made up? And what tip would you give for someone looking to take the first step?

      Dave: I think it can be made up and I think as we find ourselves increasingly in a scenario where more and more of our daily lives are impacted by technology … there’s a great article on sort of a segue topic here called The Coming Software Apocalypse. It was in The Atlantic I think, and the gist of it is not necessarily about cyber security. It’s more about we now have all this technology, it increasingly impacts our physical world, in many cases really old, millions and billions of lines of code written by dozens, hundreds of different people. So you’ve got one very complex elaborate system talking to another very complex elaborate system. Something goes wrong in there and you can’t even figure out where it went wrong. One of the points they bring up is a 911 system that went down and caused a bunch of outages in 911 for people using the system because the programmers never thought when they built it that they would ever get enough calls in the entire [inaudible 00:32:26] system to hit a number larger than you can store in an integer.

      Well they did and it blew the thing up. So as we see more of these things that aren’t necessarily security related but have an impact on our daily lives … we already know that a virus was used to shut down the Iranian centrifuges that they were using to refine uranium. We’re going back and forth with them now out there in cyberspace. What would stop a hacker from attempting to say, “All right, every Tesla at 5:00 PM is immediately going to accelerate to maximum speed until it runs into something?”

      Chris: Right.

      Dave: I think people are going to start to take this more seriously because we’re seeing more impacts in the physical world, people are having their identity stolen, and I think as a result of that, they will be more interested in, both from a personal perspective and from a business perspective, getting the skills to try to stop this kind of thing.

      Chris: Yep.

      Dave: So I think certification, education will continue to grow. I think it’s a great space to be in on that side of it, and I think there’s never been more opportunities to jump into something where not only can you have a great career, a challenging career, where you’re constantly forced to learn things, be paid very well, and frankly, perform potentially some good for society by trying to stop these kinds of things. So there’s never been a better time in my mind to say, “Hey, cybersecurity, maybe that’s for me,” and there’s so many opportunities out there to at least start to get the skills to get in and try to block some of this stuff.

      Chris: All right, and on that note, Dave Hatter, thank you very much for joining us today.

      Dave: Always my pleasure. Send me those links and I’ll definitely check that out.

      Chris: Okay, and thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work With InfoSec. Check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work With Infosec in your podcast app of choice. To see the current promotional offers available for podcast listeners, and to learn more about our Infosec Pro Live bootcamps, Infosec Skills on-demand training library, and InfoSec IQ security awareness and training platform, go to infosecinstitute.com/podcast or click the link in the description below. Thanks once again to Dave Hatter and thank you all for watching and listening. We’ll speak to you next week.
