New episodes every two weeks
Dec. 13, 2022

S02E03 - Crisis of Infinite Podcasts - Threat-X Crossover

S02E03 - Crisis of Infinite Podcasts - Threat-X Crossover

What’s better than one F-Sides podcast? TWO podcasts. Listen in as we join forces for our first-ever crossover episode with Gene Fay, ThreatX CEO, and host of the “eXecutive Security” podcast. And unlike those pesky DC comic crossovers where you can’t keep track of what multiverse of plots you’re following, ours is easy. We’re talking about careers in security. How to get em, what to do when you got em, how to help others get em, and absolutely no DC comic TV nerd references. This one gets good… 

Transcript

Jason [00:00:04] Welcome to Season two of Offsides, the annoyingly award lacking number one cybersecurity podcast. According to Muscle Car Poetry magazine and the most money losing not for profit venture this side of starting an airline. 

 Paul [00:00:20] Yeah and instead of the typical reading off of a list of breaches or talking about shunning technology, we try to focus on the human side of things. Jason likes when I say human like a robot. 

 Jason [00:00:32] No, he misinterpreted that. I do not. 

 Paul [00:00:35] Well, I feel like you do. But we like to focus on leadership, communications, human behavior and stuff that moves the elephants. 

 Jason [00:00:43] And today we have a very special two elephant episode two elephants. 

 Paul [00:00:48] That's better than all the ones. So tell me more. Tell me more. 

 Jason [00:00:52] Today. Today's episode is titled Crisis on Infinite Podcast. The Crossover Episode. 

 Paul [00:00:57] You feel like a movie. 

 Jason [00:00:59] It's actually a DC Comics Arrowverse reference crisis on Infinite Earths. If you're a comic book nerd or television arrowverse nerd, you would get the reference. But basically today we are crossing the streams. That's another obscure reference for Ghostbusters. We are crossing the streams, are actually joining forces with a special duel podcast episode today. 

 Paul [00:01:19] Yes, from what I understand, we are connecting up with the Thread X podcast that's hosted by Gene Fray. 

 Jason [00:01:26] I really hope you wondered from what I understand, I hope we understand that because we were both on the same call. 

 Paul [00:01:31] Yeah. But yeah. I'll have to figure out how to say that better for our next time we do a crossover. This is the first time. So it's butterflies. 

 Jason [00:01:39] This is we're learning. It's actually a really exciting podcast, the podcast. So we're crossing over with cross now I'm feel like a just a Jordan do the crosses over to afterlife. We're crossing over. 

 Paul [00:01:50] Well, you're really going deep. 

 Jason [00:01:51] On all this. Yeah, there's so many obscure references. We're crossing over. We're crossing over with what's called the Thread X podcast. And the Thread X Podcast is hosted by Jean Frey, like Paul mentioned, and it's a podcast. It features stuff that we're really, really engaged about. It features conversations with CISOs and other cybersecurity leaders on how people can enter into security and grow careers within security. 

 Paul [00:02:14] Yeah, like this new approach of Crossover podcast, it's good to see how real pros do their podcasts as we write. 

 Jason [00:02:21] Yeah. 

 Paul [00:02:21] Concerned about Lars. 

 Jason [00:02:22] They will lead us by example, I hope. Yes. We're going to be talking in this podcast episode crossover. We talk all things career and cyber, from certifications to college degrees to that vicious circle of you can't get into the field without experience, but how are you supposed to get the experience if you have none and you need it to get into the field? 

 Paul [00:02:41] Yeah, and this is an area that I personally care deeply about. Yeah. We need more diversity and more new people with very backgrounds in the security field because the attackers have varied experience and very backgrounds. And the only way to do that is to remove some of the artificial barriers, such as requiring more experience and is needed for entry level jobs and so forth. So this is I really care about some of the things Jane is going to be talking about. 

 Jason [00:03:05] Awesome. I'm excited. Let's roll the tape. 

 Paul [00:03:10] It might tape. Sorry it took me a second there. No one uses tape any more, Jason. 

 Jason [00:03:15] That's right. That's a bit analog. Okay, well, let's let's make it so let's hit it. Let's roll camera. Let's do this. Jean, glad to have you on our show from Thread Man. Really good to see you. 

 Gene [00:03:26] And welcome to the Executive Security Podcast. So this is a first for for I think both of us little crossover. 

 Jason [00:03:34] Yeah, I know it's a competing podcast, but we're not really competing. We're working together crossover episodes. This is like the DC Flash. What is the back girl? Flash Superwoman. And there's one more Green Arrow. This is the ultimate crossover of crossovers in the multiverse. 

 Gene [00:03:50] Well, yeah. 

 Jason [00:03:51] Paul shaking his head is about how to spell multiverse. 

 Paul [00:03:53] All the obscure characters. He didn't say anybody I recognized, so I was expecting a character that made sense. 

 Jason [00:03:58] But the DC Universe Man. 

 Paul [00:04:01] Show nonetheless, whether regardless of it's a crossover, it's going to be an instant conversation. 

 Jason [00:04:04] So it's going to be a great show. Jean, what are we talking about today? 

 Gene [00:04:08] So we did. I know sometimes people find it funny that we do actually prep for these things. So in our prep we had a lot of debate on different topics, but the one that seemed to really get some real interest among the three of us is the age old question Do you need a college education? But more specifically, do you need a college education to get into cybersecurity? And so we thought that would be a good topic, especially for the threat, I should say, for the Executive Security Podcast. We talked to a lot of people or talk about a lot of kind of people that are thinking about getting into the whole industry and what it takes to get into the industry. So I think it was a great topic that we all had some different points of view. I thought we'd kind of kick it off and see what people think. 

 Jason [00:05:00] Yeah this is a great timing for us to early in our season to we spoke with a recruiter James Warren. Probably one of the best recruiters I've ever worked with out there and honestly worked with is not the right term, but one of the best recruiters that I know. So we just came off hot off an episode where we talked about getting your foot in the door in cybersecurity, I guess really good tips. So this is great timing. And yeah, I've got some strong opinions about this and they're probably not going to be it's not going to be popular, but I've got opinions. 

 Gene [00:05:31] So who wants to begin with? Let's lay some lines in the sand. 

 Jason [00:05:37] I'll revert to my childhood and girl. Not at. 

 Paul [00:05:40] All. I'll start off. All right. So I think we all have that on this podcast. We all have degrees of some types, so we are coming with a specific perspective. Right. But I think we're going to have, you know, different opinions, the ultimate goal. But for me, when I first started my career right out of the Marine Corps, I only had an associates degree and luckily someone gave me a chance and it worked out very well for me. But, you know, I always look back at that as like if somebody didn't give me the chance just because I didn't have some qualification on paper, would I would I have kept pursuing the thing? So, you know, I while I have a degree, I look at people's desire because if they have, you know, all the fancy degrees and so forth, but no desire to constantly learn that to me is is the really important part about security, because security is such a a is a field that every year have to constantly learn and keep updated and, you know, learn new skills that, you know, college gives you, opens the door for that. But it's not necessarily the only route to go into that constant lifelong learning mode. 

 Gene [00:06:46] Yeah. I guess I'll go second. From my perspective, I come from a blue collar upbringing. My father didn't go to college. My mom did, but not until much later in life. But I was kind of just grew up in the environment that you were just expected to go to college. And all four of my my three siblings and I all went to college. Four of us have advanced degrees. And it was just kind of the gateway to the next the next, I guess, American dream, if that's what you want to call it. And so I've always been of that mindset and and and have a hiring bias to it up until I've been in cyber school for 17 years and, and brought that hiring bias to just expecting that we don't interview people unless they have a college education. And I'd say the last four years has definitely opened me up to being more. More, as Paul said, and thinking about people's work, ethics and and being learned because of the dynamic nature of cybersecurity. But it's only more recently that I've been even open to that. 

 Jason [00:08:05] Yeah. My take on that. You don't need one, but you absolutely should have one. And you should want one. You should want to be the best of what you do. You should be the cream of the crop. You should give yourself every competitive advantage to getting that job or getting that position or getting that role and being the best in what you can do. And I absolutely believe that comes with having a college degree. 

 Paul [00:08:27] Well, but the question was, do you need it? Right now, you're just describing self-improvement. 

 Jason [00:08:32] I mean, I don't I don't need to know what a hammer nails as a carpenter. You know, I can figure it out on the job. I can learn. No, it's you don't need. 

 Paul [00:08:4 ] It doesn't teach you how college the way I look at college and you know, I got my master's in network security. So it's very focused on security. It didn't teach me how to be a good security person. It taught me concepts and you know how to think about a problem, but not necessarily the specifics of. 

 Jason [00:08:57] And it taught you critical thinking skills. It taught you English, English. It taught you math, science, it taught you history. All these other things that we seem to lose that we go, Oh, all I need to know is security. I am so tired of having security engineers on my teams or working for me. Well, actually, I don't have any of these seeing security engineers out there that can't spell their way out of a paper bag or can't put a grammatical thought together in a communication to me as a leader or to the rest of the team. And it's frustrating because it's that it's that focus on just tech. I only need to know the code. I only need to know security, but not this other well-rounded part of education that gives us those critical thinking skills and communicates such needed communication skills and business skills. 

 Paul [00:09:40] Well, but that's a that's a different conversation, right? Like, okay, so to get started in the field, I guess that's an important part. If you want to get started in the field, do you really you obviously need to know how to communicate effectively, right? That's that's a given. Do you need to know how to write a thesis on something? No. Right. So giving people the opportunity to break into the field and hey, okay, you may not have the traditional background, but, you know, we we need a security operations center analyst. Come on in and we'll teach you and you can grow with us. Right. That's, you know, having a gateway of of a college degree as a requirement versus a nice to have, I think is where we limit ourselves to a lot of really interesting people. I'm like one of the smartest people I've met in security, had no degree, didn't even have a high school diploma, but was incredibly smart and very, very had a strong desire to learn and did great. Right. 

 Gene [00:10:34] You know, I think about it in terms of some of the things that Jason had mentioned. When I when I think about the college experience and I'm thinking about a somebody coming out of the military going into college, into a four year program or somebody going directly into a four year program. But I'm thinking about the life skills that you learn. The communication time management, moving away from home to kind of those types of things is as part of what helps you to then enter the workforce as a slightly more mature person with some level of experience. I think the from a from a do you need it? I think it it definitely seemed to help a lot of the people that that I've hired. But again, as I contradict myself, some of the recent hires that we've made even here at Threat X or people that didn't have a four year degree and they've they've worked out phenomenal and they've come in with a different set of life experiences. Like one of our podcast, we interviewed somebody who was a hairstylist for 12 years and then went on to do some do some programs that got her some exposure to get into a level one SOC position. And then she moved here and she's, she's awesome, phenomenal. And it's actually been one of our best podcasts for I think there's a lot of people that empathize with that, that, that career trajectory. 

 Paul [00:12:09] Yeah. With the cost of college, I mean, the cost of college just. It makes it unattainable for some people. Right. Like, the only way. The only reason I got to go to college is because of the GI Bill. Right. If I didn't, I may not be in the field. And, you know, the life experience, things that you said, like, you know, I didn't go to person. So I'm using personal experience. I didn't go to a traditional college. I did all mine after school because after work, because I had two kids and working full time. And, you know, I didn't need to, you know, be crammed into dorm rooms to learn life skills. So, I mean, again, I, that's why I, I try to be empathetic to people's, you know, what they bring to it and their desire and their capabilities versus, you know, the piece of paper. So, Jason, you wanted to add something to that? 

 Gene [00:12:53] No. 

 Jason [00:12:54] I that you're going to you know, I want to go, kids, you don't need it. But it's absolutely a great to have. I didn't have it. I didn't have a college degree when I got into tech. I didn't even have an MBA degree. I had about two years of wasted junior college over an eight year period and got into technology through sort of certifications. And it was great, it was awesome. And then I went back to college because I realized I wanted to be really good at what I do and be one of the best at what I do in college can give you that. So no, you definitely don't need it to break in and I don't hire based on that, especially for entry level of entry level because you need a four year degree and two years of experience. 

 Paul [00:13:27] Like it's not as high level, you know. 

 Jason [00:13:30] Yeah, we've all seen that, right. Entry level and then like years of experience, I'm like, what are you talking about? It's a, it's an entry level position. You don't go if you come out of a gamer. If you're a gamer that you're sold, you're hired. It's like you just have the drive and the initiative to you can absolutely get your foot in the door that way. But to if you really want to be really good at security, absolutely. You should go for your college degree after you're making money to pay for it. 

 Gene [00:13:55] Well, I think the one of the things that we've talked with some CEOs on some of the podcast is something that you just hit on Jason, which is the whole idea of do we create the problem ourselves? Because when we create these job racks for people that we're looking for, we say, okay, hey, there aren't enough people in the industry. And then we create the jobs spec for an entry level position, and we put those criteria, including college education and experience. Do we sometimes just limit ourselves on that side? 

 Jason [00:14:24] So, yes, you know, and here's here's what I see as part of the root of that problem, or at least how I think it's some of it is evolved is there's this what I call it, ego. It may not be, but I think it is. There's this ego of security like that. We're above and beyond tech like. So there's this idea that and I've seen this where you go, it's an entry level SOC position, but they have to have I need at least one or two years of helpdesk or 1 to 2 years of tech, some sort of technology. Then it's, then it's no longer entry level. Like the idea is like, oh, you have to, you have to have been in the, in the industry in some way. And I call shenanigans. I think you absolutely can just start at SOC just like you could start it helpdesk with just, you know, home computer experience or a class that you took. So yeah, and I think that was part of it is this idea that, well, we're security and you really need to understand stuff before you commit. I've had this conversation with previous manager of mine that are hiring entry level. I'm like, No, you don't just hire them, you know? Do they have the drive to the Ivy Initiative? Do they want it? Yes. So, Hiram. 

 Paul [00:15:21] The So hey, let me, let me throw in something to the fire then then because this is something I see constantly on social media sites is certifications. Right. So, you know, college makes sense because you have a wide array of different skill sets you're learning like English or sciences. It's just teach you to be curious. The way I looked at it and. Right. Curious. Interacting with other people. How to. How to apply learning and so forth. Certifications. On the other hand, now I'm not I have an opinion, but I'm going to throw it to you 2/1. Do you see value in certification and you see it as a necessity for certain? 

 Jason [00:15:59] Yes. In fact, for entry level three in know probably you're up in this rotation, you. 

 Paul [00:16:06] Look. 

 Jason [00:16:06] At it, how can I tell what you're looking at? You're looking at. 

 Paul [00:16:08] It. I'm saying I should have pointed this. I should have said, Jean, it's your third. Go ahead. 

 Jason [00:16:12] In fact, I would for entry level, especially if you're looking to get in where I said it's great to have a college degree, you should have it if you're looking for a fast track. Certification is the way to go because it speaks directly to the skill set that somebody is asking for that entry level position. And it's a lot easier to get, Jean. 

 Gene [00:16:32] I guess due to that. I don't. To what specifically what are the certifications that you think have value and what are the ones? Oh, again, for our listener. 

 Jason [00:16:42] A lot of people, when. 

 Gene [00:16:43] They don't even know what black hat is, you know, there's a lot of scammy sites out there, right, where people just want to try to take money from these entry level people. So I'd love to get your guys perspectives of what are the ones that you think are worthwhile and you see value in that. So get I don't I don't know that. I don't know how to differentiate them. You know, Sands would be the only one that I could probably if I saw, I'd be able I could easily identify with that one. But others, I don't know if I could. 

 Paul [00:17:16] So with that. No, he he said you specifically. So I'll go after you. Go ahead. 

 Jason [00:17:21] Yeah. Sands. I love Sands because I know the depth and the breadth of the courses. Fact for me, if you've taken the course is more important than the certification just because they're so awesome. OCP is a big one recently, so that's offensive and that's probably one of the better than I would say throw it out. You can just, you know, take it with you with some light reading in the bathroom. It's not worth the paper it's printed on. And then your standard CISC, CISC and and in a way and this is getting a bad rap lately, but CISSP, I feel, is the bachelor's degree of security because it's so comprehensive and so about the entire security program, not just, you know, tech security. So I think that's another good one to have, too. 

 Paul [00:18:03] Hmm. Yeah. The first starting out. If you're just interested in security for me. Well, one, if you don't have if you don't have the money for some of these certifications. Right. I will ask people about their capture the flag experience. Like what did you do to try to learn security on your own? And if they can demonstrate like try hack me and things like that. Yes, that that shows an interest. And, you know, you could teach the technical skills, but if somebody looking at a certification because they think that'll make them more comfortable because sometimes having a certification makes you feel more confident about yourself, you know, if you're just starting out, I think Security Plus is very good to start out with. And then from there, if you want to move into management and you want to understand the why behind security, CISSP is very good. You know, I always looked at the CSA as well. If you want to be in management, you need to understand audit principles, one, because it helps you be a good operations person, but you're also going to be working with auditors a lot, and it's good to understand why they do the things they do. So do in your CSA. 

 Jason [00:19:05] Why do auditors do wait? I'm Segway AG. Why do they do what they do? Because I don't understand it. And I am I am CSA. 

 Paul [00:19:11] Yeah, well, I read about the approach that auditors take and you know, I actually when I first, I mean, I use so I use certifications personally to help me focus my training, right. You know, it's good that you get a certification afterwards, but it helps me focus. So for instance, the auditor one, you know, when I was being audited, when I first started my career, I was frustrated, like, why do they keep critiquing me? Why do they keep doing X and Y? I got my CSA, not the certification wasn't the the interesting part, it was the learning up to getting that. And once I understood, I became great friends with a lot of auditors and so forth. So I mean, it builds your career. I mean, just because now. 

 Jason [00:19:49] Like you wouldn't have been friends with them otherwise. Like, oh, like now I know I'm friends with I did have. 

 Paul [00:19:54] One auditor who I, I just, I could not stand this. 

 Jason [00:19:57] Person like having a friend that works at the IRS. I work for the IRS. 

 Paul [00:20:00] You understand that? It's an important, good job. It's like, okay, now that you're not just a bad person, you actually have a good reason for what you're doing. And so, so but now certifications, you know, it's I look at it as a good way to focus your energy and it shows that you have an interest in a field. But I wouldn't depend on that either. Like, you know, we when I first started, all those things were required. You had to have a CSP, you had to have a degree and so forth. But, you know, there's there's a significant gap in the security field. And I think that's because of the artificial gatekeeping that had occurred in the nineties and 2000s and so forth. So I think we have to be more inclusive in our hiring and remove some of those barriers that we put into place, especially the ones that require some type of monetary entry point. Right. It's like you have to make it available to for free. 

 Gene [00:20:49] Yeah, I think about it as the certifications. I am a big fan of them, but again I have a more difficult time understanding the different differences of them. So I would just encourage people that are thinking about doing the certificate route to really do their research. Don't just Google it and put your credit card down and and realize you've spent hundreds of dollars, if not thousands of dollars on something that's worthless, like reach out to people in the industry, get get some references so that, you know, the year the things you're going to have go focus your time and energy on, have value on the other side of it because I just hate to see people get burned. There's too many scams going on in this whole freaking industry. Just pumps me out to hear people spending thousands of dollars on something that was turns out to be worthless. 

 Jason [00:21:41] Can I counter that? We're talking about the spend that we're talking about is for training, not for the actual certification. The CISSP certification is $600, which is the junior college. The price of a junior college course. 

 Gene [00:21:52] Yeah. Okay. 

 Paul [00:21:54] So hold on. Let's let's I mean. 

 Jason [00:21:56] If you're arguing that $600 is too much of a barrier to entrance and security, that first. 

 Paul [00:22:01] Segment has no money. Absolutely. Like someone getting straight out of college who is trying to find their first apartment, who doesn't have the financial resources? Absolutely. I mean, $600 like people are living paycheck to paycheck. Right. And if you're. Trying to transition out of being, you know, a frontline service worker into the security field. And the only the only thing stopping you that is $600. That's a lot of money, right, for a lot of people. So I don't think we should have it shouldn't be a requirement. We should have alternative methods for people to show their desire, like the free seats in the free training that's out there. Right. I mean, $600 is a lot of money to a lot of people. 

 Jason [00:22:41] Yeah, I agree. It's a lot of money to a lot of people, but I don't believe it's a lot of money to someone who's a recent college graduate and that somehow they can find the 600 bucks over a period of a year of studying to put together for the test or get a grant or look. Local people that are. But yeah, you can find ways for that $600 cost. I don't believe that's a big enough barrier to entry to get a certification. 

 Paul [00:23:02] Not absolutely disagree, I think. I mean, any again, any monetary barrier of entry into a field to me. You're you're you're holding back people who may be the most amazing security person like, you know, because. Would you I mean, would you bet? 

 Jason [00:23:18] Well, while you don't have, you know, the barrier to trade has no home Internet, how do you get the job? Know if you don't have home Internet, if you don't have a home laptop, you don't have a good enough laptop to get into a CTF and you don't even have one that you can afford. You can't do a CTF. 

 Paul [00:23:30] Right. So why are we why would I mean, there's other methods of doing it, right? Like if you have the desire and you showed, okay, I go to the library for, you know, an hour or 2 hours on the weekend. And I I've done this on, you know, one of the free education sites that should show that to me means a lot more than someone who just showed up because their parents could afford college and they just showed up to a class to be the person who took the time and did the extra steps, even even because I mean, even without the financial resources, that to me shows someone who's going to be a very hard worker who's going to learn and who's probably going to be very amazing. 

 Jason [00:24:05] Yeah, I just I don't think that that number is statistically relevant, that there's a number of people that are saying that aren't doing it because it's 600 bucks. Yeah, there are some, but I think it's such a low percentage outlier, so why not? So it's not a barrier to entry. 

 Paul [00:24:19] Why are people not joining this field? Right. 

 Jason [00:24:21] It's not because of the $600 CISSP fee, I can tell. 

 Paul [00:24:24] You know. 

 Gene [00:24:25] It's an awareness mistake. Those are the other things that, you know, thinking that it's all hackers with with hoodies and, you know, everybody's got to be deep coder. I think that's that's a bigger issue to to our industry is is helping people to understand what it is and that it's you know it doesn't you don't have to be a hands on keyboard, you know, address developer to to get your entry level position. I think Paul and Jason, you hit on the it's the soft skills that desire to to be learned to want to work in a very dynamic environment willing to put in the hours to to learn what you don't know today, but showing that in an interview, it can be difficult, right? Because everybody can say the right things. But so I think, you know, the certifications can be one way of helping people to at least show that, hey, I don't have even money for community college, but I do have the money and at least show the time and effort to do the certifications. And and there's a lot of free programs out there, too, which are also ways to at least, you know, show initiative, which I think is is a big part of it. But I guess for both of you guys, how do. 

 Jason [00:25:43] You. 

 Gene [00:25:44] Take, you know, when you when you're getting resumes, how do you how do you how do we find this? How do we develop how do we see the soft skills on pieces of paper or, you know, not even a piece of paper anymore on you know, on resumes that we look at to try to try to help people get into our field. 

 Jason [00:26:02] Or I can tell you what gets cut off is English and spelling and grammar mistakes immediately right off the bat. I will not hire if you have spelling and grammar mistakes unless it's it's a it's obvious it's ESL. So that's probably a tough topic. But I looked to be like, is this ESL situation or is it? And they'll be like, No, this is unfortunately. 

 Paul [00:26:22] You may want to say that. 

 Jason [00:26:24] English as a second language. Yeah. So if English a second language is an issue. So I have a my entire team actually at where I work now is in India. So there is you know, there is it is a it is a it's a very high level second language for them. But it's second language. I mean, they're very fluid, but you still find grammatical and spelling errors. So I think maybe, maybe, maybe I want to step that back and say it's it's changing where maybe it wouldn't be a definite flag, but i would work with h.r. At a to understand that. But that basic communication skill, like if you don't have that and you can't tell the story in your resume, that's a problem for me. And that yeah, that was even for an entry level. You don't need to go to the extent of telling a story and figure that out. Just, you know, follow the standards. What was your experience? Where did you go? You know, did you go to school? Why are you even applying for this job? If that comes across, then I'm game. I'll say it's more about it's the my thing is it's not the candidates that are really the problem. I don't think they need to change anything. I think it's the hiring managers and it's us that need to change and like stop this insane idea that an entry level needs to be somebody who's had years of experience doing something they could have come out. I started. You said you were a who was you said the hairdresser example. I was a bartender till I got into tech. You know, what does that have to do with tech? Nothing is good with people. So I can imagine a hairdresser would be really even better with people. Right. So. 

 Paul [00:27:41] Well, the thing I look for is what? What in there? What's the story behind the story? Right. So when I say that, you know, it's it's easy just to list a whole bunch of bullet points, like responsible for etc., etc.. But if I see somebody who, you know, I have a podcast, right? Or I, I did for CTS and came in third place. Right. Or, you know, something that tells me that they're more than just wanting to show up, that they actually want to take the next steps. I look for those little tidbits in resumes, and usually that's in the narrative portion, right? When you get down to the bullet portions, it's it's there's it's just a bunch of, you know, tech, typically technical stuff and whatnot. But if I see something says, okay, I, I was a bartender, let's use Jason Z. Well, I was a bartender for four years, but during that four years I also did eight CTF, so I have no idea where to start. Right, but I did it right. That to me shows a lot of initiative and that's somebody that's interesting that I want to talk to. 

 Gene [00:28:44] And I'm just wondering, because I think, Jason, you mentioned H.R. giving you the applications. Is H.R. doing as a disservice? 

 Jason [00:28:53] How much time do we have we have for our time? Because that could be a whole nother episode about the just the disconnect between internal recruiting and what a security role needs. Because sometimes it's not it's not us driving that, how many years of experience. It's their job level that they have that you may have opened versus now you may have a SOC. One engineer that across the organization is at a certain level. And for that organization the level is you need to have a college degree because that's just what we pay. And they're based on pay bands, not what the field is or that position. I've seen them, right? Absolutely. Can be that internal recruiting is has a misalignment and the organizational leveling has a misalignment with what it really takes to be that role. And they're pushing the well, you've got to have a degree because this person over here that gets paid this much is on the same level. We're actually probably going to maybe get paid less because security is a high paying field and they need a college degree. So therefore you need to have a college degree for your role. So I've seen that too, and it's frustrating. 

 Paul [00:29:49] How about you? Oh, was I was actually going to speak to you. What's your thoughts? 

 Gene [00:29:53] So for us, i mean, we're a smaller company, so 50 people, we don't have a formal h.r. Person that is, you know, going through all the resumes. So the hiring managers are doing it themselves, which allows for the candidates to do it too, as best you can in a resume and a cover letter or project themselves. So the college education piece of it can be slightly less important. And we can you know, we're interviewing sometimes it's through. I put down the reason to go to colleges through the network, but I just think in general network, right, because I think that's the other way to get into this field is to have people that are within your network help you get introduced to people you know, like both of you gentlemen to say, look, you know, I was a bartender, but here's the things I've done and here's the things I desire to do. So the the H.R. piece of it isn't a big impediment for somebody trying to get into our organization because we don't have that formal piece I'm thinking about the college education probably is. I haven't looked at any of the job aspects lately, but there probably are requirements that we should probably reevaluate. And some of them, some of the positions that probably it doesn't need to be as stringent as it has been. 

 Paul [00:31:18] Yeah. I mean, for us, one thing that I like about where I am is and diverse equity inclusion is very important and part of that is to have our h.r. Our hours are part our H.R. partners are with us on that, helping us understand, okay, where do we where do we make sure to expose our jobs to places that may not have been exposed to so that you get those diverse people? But part of that is looking and getting people within our organization to look at some of our job requirements and say, hey, does this does the way we work things even prevent people from going in? Right. And something that I learned, you know, I was reading some social media posts and somebody said, hey, if you put that, you have a requirement that people have to lift £20. You know, you may be limiting people who have physical disabilities from even applying to your job. Right. Because if they see that, they think you're not even open to considering them. And it's like, whoa, okay, you got an hour using certain words, right? Makes it seem like, hey, this is, you know, we want, you know, certain things and you don't even intend to do that. So having other people look at your job, your your job, requisitions and descriptions are really important as well. 

 Jason [00:32:30] Mm hmm. Yeah. Hear, hear. All right, well, this has been a great conversation. Let's let's go around the table and just let everybody sum up where they think they're at. And let's start with Paul. 

 Paul [00:32:39] Well, I think everyone 100% agrees with my statements that college education is not required, and I can't wait for Jason to hear his claim. But, you know, the thing I the thing. 

 Jason [00:32:50] I'm agreeing with you should be. 

 Paul [00:32:53] The thing I'm hearing from my you know, my other co-hosts are you know, there's there's lots of different avenues in to security. And the way I think about it and what I've taken away from this is, you know, that it's just a piece of information, right? College degrees, certifications and so forth. That's a piece of information that may not tell the whole story of the individual. So you have to be open to considering other aspects. And yeah, I, you know, when I first started, I college degrees were really important. What I thought they were very important. But now that I've been in the field a while, you know, I agree with my my co-host. It's just a piece of information. Gina, what are you next? 

 Gene [00:33:31] Yeah, I think about it in terms of just that. It's a journey. I don't think it is a requirement for most jobs within cybersecurity today, but it has a lot to do with the supply and demand. The fact that we have three and a half million positions open world wide says companies like all of ours are willing to be more open if we suddenly have a situation where there's not not such a gap or disparity between the number of positions that are open, I think that that requirement could fall back into place. I think the most important thing, if you really want to get into cybersecurity, is to be a learned person. And whether that's with or without a college education, you have to have a desire to learn because the attacks keep changing, the technology keeps changing. The environment which we were trying to protect, it keeps changing. So you can't expect to come and do the same job day in and day out. And if that's what you're looking for, cyber isn't for you. But if you're looking for something that's very dynamic that you want to continuously press yourself to learn new capabilities and new and. Then than that. It's a great environment and I think along the way getting a college education to complement those other skills. And if you want to move up in the management, those will become requirements. So not necessarily do you need a day one, but I think you need it. You need it if you want to move into upper management. 

 Paul [00:35:07] Yeah, I agree. And I think if you if you don't even if you don't have it, when you start learning it as you go along, even if you don't get the final certificate or the, you know, the final piece of paper per say, the process is what's important. And I think, Jeanne, that's what you write in I 100% right. The process of learning, continuous improvement, taking different views and understanding them is really what's key. So. Well, you know, I really appreciate, you know, Jason, I really appreciate the opportunity to have this joint podcast with you. It's good conversation and you know it. You know, I picked up a lot. I appreciate the perspective of someone in your role and you know, and you know, as a closing, what would be the one thing in your role? I think a lot of people want to hear what you have to say on this. What's the what's the piece of advice you would give to an applicant or somebody who's looking to break into the field? What's that final piece of takeaway that you'd give them? 

 Gene [00:36:07] I think it's just. Yeah. What would a final final. You know that you want. 

 Paul [00:36:13] Your final answer on that. 

 Jason [00:36:14] Yeah. 

 Gene [00:36:17] I mean ultimate would be that it. Well you can't teach, you know, passion and energy or, you know, commitment, those types of intangibles. Like you can teach somebody cybersecurity, but you can't teach somebody the desire to want to, you know, be a part of the industry. I think that's that's what people have to kind of go through. It's like if if you're if first for many people, especially for the Plus or my podcast, they just don't know anything about cyber. So first is learning about cyber, but then as you learn it, maybe you can build a real passion for it. It's an unbelievable feel to be a part of. 

 Paul [00:36:52] Totally agree. Jason, what's your thoughts there? 

 Jason [00:36:55] Mine is more of a tip. So I think like we all kind of agree and disagree in our own little ways. But, you know, I probably have one tip for anyone trying to break into cybersecurity. It's not going to change anytime soon. Well, we as hirers are not doing a good job. Give us time. We'll figure it out. But in the meantime, if you're an entry level or you're trying to get an entry level position, could do do some sneaky stuff and go find the LinkedIn contact of the person, either the hiring manager or even above the hiring manager, like the CSO, the head of their cybersecurity program, LinkedIn it, Google it, find that person, send them an email, sent them at LinkedIn, and tell the human side of your story of why you want that role, not the tech. Don't go into there. Oh, and I did this was ETF. I just go, hey, I'm trying to break in. I have this experience. I think I'm a, you know, the story. Like, why? Why would you be a great asset? Because I have drive by a passion. I really want to get into security. I think it's great. And I'd make a great employee and just tell that human and, you know, go outside of the normal chain of resume and wait for contact because honestly, you're you're probably not going to float to the top if you don't have right now in today's world unless you have that degree or that certification or that experience. So float yourself to the top by telling a story. And that's great. 

 Gene [00:38:04] Advice. Awesome. Well, I appreciate it. Paul and Jason, this was a great joint podcast. I'm really glad we did it. And thank you guys for your interesting perspectives and and thank you for letting me talk. I know that both of you guys go back and forth. I've heard I was able to wedge myself in because you guys have some great banter back and forth, listen to your other podcast. So I'll definitely encourage my listeners to to jump over to your podcast as well. 

 Jason [00:38:32] You did a great job and we're going to move over to yours. And can I also just say, if I wanted to highlight this on my on our podcast was you would you would you had brought up something when we first talked to you, which I just think I want to call out on our podcast. Was the goal that you had about getting 30 people jobs. Can you can you can you share that with our listeners? 

 Gene [00:38:50] Yeah, I. 

 Jason [00:38:51] Think emails. 

 Gene [00:38:52] Every hour I write down a goal of trying to help 30 people find jobs. And that's not including anybody that I hired. They don't get counted, but it's just when somebody does a cold outreach or somebody makes an introduction and says, Hey, my son or daughter or my friends trying to get into cybersecurity, I'd make it my job to try to get that person a job. And that's that's a goal every year. So I'm pretty pretty close to achieving. 

 Jason [00:39:18] That is that's a major that is amazing because it's so specific. It's it's achievable. It's not like this General. I'm just going help people get jobs. You're like, no, I'm going to help people get jobs this year. It's commendable, man. I wanted to I'm glad that you shared that. 

 Gene [00:39:29] But now we've all got to give back. The industry has been great to us. I know for both of you guys as well. So it's our opportunity to give back and it just takes a little bit of time. But the rewards more than worth it. 

 Jason [00:39:42] Paul and I need to do more with our lives, but I know I do. 

 Paul [00:39:46] I feel whole my building down like that. I have. The Help was like, okay, I got work to do now. Thank you. For a new year. So yeah. 

 Jason [00:39:53] Yeah. So we just had Jesus Christ on our podcast to step it up a little bit. Awesome. Jean, this has been awesome. Thank you so much for your time and great. Thank you. Crossover of crossovers. 

 Gene [00:40:05] Absolutely.