
102: Watch This BEFORE Starting In Cybersecurity

Episode Transcript

On a resume, they look for folks that are doing continuous education.

If they see someone's resume that comes across their desk and they're maybe out of a job for the last 6 to 8 months, but they haven't seen any like additional learning or skills or kind of growth from last year.

It's like, well, what are what have they been doing?

Like so many things in cyber change every two to three, six months that it's it's a continuously learning career.

Cybersecurity looks like the golden ticket right now.

High salaries, endless job postings, and everyone saying that there's a talent shortage.

But here's the truth.

Most people who try to break into this field are hitting a wall.

They spend thousands on certs, send out hundreds of resumes, and still can't manage to land that first role.

That's why today I'm bringing back Andrew Karate.

He's a cyber Warrant Officer in the Army Reserves.

He's worked for the Department of Homeland Security and today he's a senior security analyst at a huge financial institution.

On top of that, he helped run the New Village at DEFCON this year, a space dedicated for helping beginners get their first taste of cybersecurity in a hands-on, approachable way.

Andrew has seen cybersecurity from every angle, military, government, corporate, and now in the community.

And in this conversation, we're cutting through all the noise and sharing what you actually need to know before getting started in cybersecurity.

The mistakes to avoid, the skills that actually matter, and the real strategies that will get you hired.

So with that said, let's roll into this week's episode.

Welcome to the show, Andrew.

It's great to have you back today.

It's so good to be back, Dakota, and it was awesome getting to catch up with you and actually meet in person for the first time, which I'm sure we'll meet more at DEFCON this year.

It was great.

Yeah, Defcon was such an experience.

It was so much fun.

I kind of regret not being able to hang around the new village some more and stuff, but it was a really cool time.

Just like you kind of mentioned with the initial intro, it's just there's so much going on right now in job hunts and folks trying to break in and understanding the environment we're in right now for the job culture and kind of job procedure of breaking in.

I think this video is going to be a really good, a lot of strong talking points that folks are really going to get attached to what we're done with this conversation.

Well, diving right on in, you know, Speaking of all the hype around cybersecurity careers, from your perspective, what do you think beginners are getting wrong when they're looking to break into that first cybersecurity job?

It's funny because I'm part of a like ADC, my DC 4 DOE group here locally in Arizona, and there was a short article that one of my colleagues posted where it's like you have college students that are using AI to generate their resumes and their cover letters.

That's then going against your place of work.

You're trying to get into their AI, their AI that's looking for AI generated resumes and cover letters that then no one is getting interviews and no one's getting pulled for it.

Kind of any type of like job placement or even like a first round interview.

So the one thing I think that's kind of sort of happening is a, a slight reliance on AI too much and not enough of the human factor.

So just like you and I probably did this back when we were initially starting off or maybe pivoting to a new role, doing that research, understanding the company you're trying to go to, what their goals are, what their priorities are, and actually taking your time to craft a strong cover letter and resume that meets all those requirements and that you're actually a strong fit for.

And then doing your homework, doing your research.

When you do get that, hey, you are, we'd like to bring you for that first round, looking up who you're talking with, looking up what the organizations goals and values are and making sure you're coming prepared and being the best candidate for that role.

I think certifications and education are just as important.

I think many places are still looking for that four year degree and maybe a certification here and there.

But that's one thing that some folks are missing as well, is they're getting Security+, which maybe back five years ago was the foundational certification to get in the door for an organization.

But we're now at a point in time, I think where the entry level position has really become more of a, I'd almost say mid level title.

Because when any type of entry level position comes into the organization's pocketbook saying, hey, we need to hire some junior analyst, they don't go to recruiters, they don't have to.

They can post a job and within two hours they're going to have over 200 applicants trying to fight for this position.

And I think the best thing that people can do to really stand out to these next roles is just making yourself the best candidate, doing your homework on the organization, making a strong and really sturdy foundational resume with cover letters that you're taking your own your own time to kind of craft rather than using AI.

Because by doing that, you're only hurting yourself fighting against the algorithm when these companies are also using AI for detection to kind of figure out who's the best for this role.

You know, there's a lot of good things that you just unpacked there and I want to make sure and touch on all of them.

But the first thing that really stood out to me and I think is personally kind of a hot take in the industry is you said Security+ doesn't matter anymore.

And I hopefully I caught that the right way.

I'm not twisting your words.

No, you're not wrong.

And it's like no, no, no, no shame or like mud on CompTIA, right?

Like I, I, I went through the CompTIA, the plethora, I went through the, the, the battle blogs of all of it up to their security three DX.

It's great material, it's good information, but the entry level role and even talking to Ryan Murray, who's our state system here in Arizona, it's just there's so much risk now when it comes into hiring junior analyst for these positions.

You have all these compromises you have ransomware is still up and coming and growing year after year for incidents that are happening and for young analysts come into a role.

I feel like Security+, that used to be that good foundational certification, really is just not cutting it anymore.

They're needing an additional advanced level certification to bolster their knowledge if they don't have the actual job experience of working inside of that actual environment.

And that's where it comes into like the home labs, the TryHackMe SOC Level 1 certification, Blue Team Level 1, the hands-on ones actually give you lab environments to mess with that allows you to come at those interviews saying, hey, well, what experience do you have?

Well, other than my labs I built in school or my home lab, I've also done these certifications that have like live data inside a SIEM that I actually got to play with and write reports and go through logs and actually do full thorough reports on to make sure I can kind of line up what your company needs.

And that's an analyst that's going to be able to do a good, solid investigation.

Now, home labs I think are amazing and I definitely want to touch on that here again in a second, but I want to stay on the certification talk.

Certifications are I think definitely great.

And I think a lot of people put almost too much weight on them.

They think, oh, I'm going to get this certification and I'm guaranteed a job.

And again, that may have been true.

Maybe.

I think it was more than five years ago.

I think about 10 years ago, maybe 10 years ago, you got a certification.

There's a good chance you're going to get a job, but certification is no guarantee.

The best it's going to do for you, I feel like is open up a drawer, a door to that job interview.

You know, it's going to get you past those HR screening filters, those AI filters and say, OK, I, I want to interview this person.

And you know, that's, that's all it's going to do for you.

It's going to be up to you to get that job.

And that's what I also worry that AI is maybe like, you know, we're using AI to create resumes and stuff like you mentioned.

Is that possibly setting up false pretenses?

You know, is that actually holding us back as well?

It isn't.

It isn't.

So I'll be the first one to say that I use AI on my day-to-day life.

I'll use it to help summarize articles.

I'll help it use it to maybe strengthen certain e-mail responses or even resume bullets if I need a stronger maybe like overall arcing summary of like what my skills can really entail to match to to a company.

But with that, like just like hallucinations happen within AI, I've also had it try to create me like speaker bios for folks.

I come on my YouTube channel and it'll add in like how they're the CISO where they did this specific test solo and I've had to read that back with the people.

I haven't done that.

Like I'm not I've never done that.

Yeah, I'm not part of that.

I'm like weird that I don't know why AI is trying to say that you did.

So I think there's that pro and con to it.

And for those that aren't using it on a day-to-day basis and learning, using it for good and understanding how to write a good strong prompt and how to kind of still have the proofread and ensure that it's not adding in those hallucinations to a resume or to an e-mail response or to a kind of type of bullets.

That's what's going to make you a better.

That's how you can use AI in a, in a positive way to spruce up and help make your resume a little bit cleaner or sharper.

But I think with that, you're still having to do your homework, if that makes sense.

No, 100% and I agree and sorry to kind of jump around here, but also when it comes to like the certification side, how do you figure out, you know a plus is no longer the go to certification?

How do you figure out what certifications will actually help you get that job interview?

Man, we we had a good chuckle before we started with the A+ Lego.

First off, CompTIA, please combine the A+ certification as a singular certification.

Why you guys make it 2?

I don't know why, but just make it a singular one please.

I know, we know, that's the reason, but.

We, we, we know especially, I mean, and I'm not hating on CompTIA either.

I think A+ is a great certification for people that don't maybe have that foundational knowledge that are looking just to break into tech in general.

But yeah, I mean, why is it still a 2?

Like, you know, Cisco, they combined it, their CCNA certification down to a single certification now.

Yes.

So yeah.

So circling back to certifications though, right?

So it's like how and why to know what sort of you need to get into what role.

So one a lot of questions I get brought to me on some of the mentoring I've been doing is like a lot of GRC compliance folks that want to get into the GRC realm and they say, hey, what certification should I get to be a GRC analyst?

And if you kind of look across the in the web or even doing deep dives, like the only GRC certification I can think of off the top of my head is provided through ISC2, which is like their GRC certification that they hold there, which it's entry level, but it's still even in the stats as I can like 2 to five years of like GRC experience and understanding like your basic like Security+ information and like terminology knowledge that that longevity of like maybe being inside an organization doing very entry level compliance work, understanding NIST, FedRAMP and understanding those processes.

That's the best way.

And it's honestly just a lot of reading insight, self-taught or very niche specific tools that offer like vendor specific certifications that are GRC-oriented, if that makes sense.

Yeah, Yeah, the certification path is, it's hard, I'd say to a lot of folks like, hey, if you want to be a pen tester, it's great to know blue team skills because you need to understand what those things are doing to the security side when you're actually implementing the red team tools.

Vice versa, if you're wanting to be a defense SOC analyst, it's also important to get those blue team tool certifications, but also understanding how a pen test works.

What Metasploit's going to pop off when Mimikatz is ran, what kind of like detections are going to see within your EDR and maybe through your SIEM that's going to pop off saying, hey, this bad thing is happening.

What do those IOCs look like?

So to each their own.

I always recommend some folks when it comes to like I think Hack the Box and TryHackMe.

Both have like the what path do you want to do you like survey questions that says, Oh, you'd be a really good SOC analyst.

Here's some training or some certifications that match that was kind of goals.

And then same thing if it goes into like, oh, you'd be a great pen tester.

It pushes like a short list, like hey, here's some pen test certifications that align with those kind of goals of what you're interested in.

Absolutely.

And that that is, you know, a really valid point is, you know, a lot of people come to me when, you know, they're looking to break in and like, oh, I got to get this certification.

I got to get this certification.

I got this certification before I even started applying for jobs.

And that's just not the case.

You know, we see these LinkedIn profiles that have like alphabet soup after their names because they got in like 30 certifications.

Like I mentioned in the beginning, they spend thousands of dollars in certifications and yet they have no formal experience to back it up.

And like for me as a hiring manager, that's a huge red flag when I see someone, a resume come across my desk and they have like 5 and 10 different certifications, but nowhere in this resume they've talked about their previous work experience or even their like home labs and stuff.

Because I feel like home labs definitely have a spot on your resume if you don't have prior work experience to help fill that gap.

But but I would like your, your opinion on this whole thing of having too many certifications, what should be on the resume versus, you know, what doesn't belong there?

Yeah.

And I can the way I can talk on resume, I've sat on interviews as like a senior analyst or engineer on my team.

I've, I've yet to be a hiring manager, but talking with my managers and getting to still sit through those interviews and getting to help review resumes.

It's one thing that a lot of I've at least even folks I've talked to on my channel that are hiring managers that they look for is on a resume.

They look for folks that are doing continuous education.

If they see someone's resume that comes across their desk and they're maybe out of a job for the last 6 to 8 months, but they haven't seen any like additional learning or skills or kind of growth from last year.

It's like, well, what are, what have they been doing?

Like so many things in cyber change every two to three six months that it's it's a continuously learning career is one thing I.

100%.

Is that then that's what I tell people to like, hey, look, if you hated college and you hate learning continuously, cyber is probably not for you.

Because every six months I'm having probably every two months, I'm having to go through new CVEs, new tools, new AI integrated tools that they're putting into the current tools I have that cause more headaches.

Sometimes that's a whole another talk for a whole episode.

Yeah, we can do a whole episode about that, but yeah.

But it's having exactly like you said, like if you're lacking the enterprise experience is what most managers and I and I have talked about.

It's, Hey, we want to see what you're doing on a home lab.

We want to see what you're doing with TryHackMe.

We want to see your GitHub repository.

We want to see you bragging on LinkedIn that, hey, I just did this MITRE ATT&CK Defender free training on LinkedIn for a day and got this 12 hour good job certification.

But what did you learn from it?

It's those talking points on the resume that if you can describe, and one of my good friends that was one of my folks that helped me get into this field.

I use his, I use his story.

And I think we talked about it even last time when I was on your channel.

He got a GED, self-taught coder.

He taught himself Rust, Golang and C++.

And he now works and got a job doing contract work initially with Northrop, Northrop Grumman.

And now he has his like TS clearance.

He still has I think a GED and he never went to school because he didn't want to, bless his heart.

But got a Sec+, a CySA, some AWS certifications, but he's just so self-taught proficient on coding for what he needed to do.

He met a need an organization needed to fill and he was the best candidate for it.

So how you correlate that onto your resume is you talk about the projects you did.

He talked about all the coding he did.

He had a GitHub repository, He had a home lab when they asked him questions.

Obviously for those that have been through technical interviews, myself included, where they say, hey, like we need you to open up a terminal and just like we're going to ask you to run a command and just run it and can you explain what it does?

He could do that like to the like molecule level.

Wicked smart dude.

That's crazy.

And it's being that prepared for those interviews and having and knowing how to describe that on your resume that's really going to make it stand out if you're missing the enterprise experience.

And it's, it's weird cuz I talk about having a home lab super important.

I currently don't have a home lab.

It's in the process of being built with one of my buddies and I, But so not saying that it can be skipped over cuz I do see and like when I get to actually talk to people about it, those that can really dive into like the breakdowns of what they're doing with their home lab, how they're, what, like free source tools they use to like install and what they're detecting and what they're, Oh, I also made this a custom honeypot where I, I, every week I jump in to see what attacks are happening on it.

That's impressive.

And managers and even engineers and analysts like myself are like, hey, that's, that's actually really impressive like that.

That's like stuff like our TRT's are doing in some of our like our pen test teams do for active like threat enumeration to see what's going on in the network.

So I mean like to have that kind of skills and you've done it on your own home lab that those are impressive things to talk about.

It's huge.

There's definitely a place for it on your resume.

You know, here's the truth that no one puts on these roadmaps.

It's not the CVEs or the fun stuff that drains you.

It's the glue work.

You know, the five portals, the three contracts, the meetings you get dragged into trying to figure out who owns this.

Meanwhile, the real work, the learning, the automating, the levelling up, all gets pushed to sometime later.

That's why I'm excited about what Meter's doing.

Instead of having to stitch together a bunch of different vendors, Meter delivers a complete networking stack, wired, wireless, and even cellular in one integrated solution built for performance and scale.

This isn't some box reseller.

Alongside their partners, Meter designs the hardware, writes the firmware, builds the software, manages deployments and run support from the first site survey through ongoing operations.

One standard, one playbook and one place to point when you need answers.

What is the stack?

ISP, procurement, security, routing, switching, wireless, firewall, cellular, power, DNS security, VPN, SD-WAN, and multi-site workflows just to name a few.

So the stuff that usually takes 5 contracts shows up as one solution and it scales from branch offices and warehouses to large campuses and even data centers which is huge when your footprint grows.

Security minded takeaways for this is fast, secure, scalable connectivity without the complexity of managing multiple providers or tools, plus the deep controls and visibilities.

That's exactly what you want during incidents, audits or everyday ops.

Fewer seams and more signals.

If you're the hands-on engineer people call when the Internet is slow, this is built for you, the folks who value uptime, control and tooling that respects your time.

Again, thank you to Meter for sponsoring this episode.

Go to meter.com/IT Career to book your demo.

Now that is M-E-T-E-R.com/IT Career to book a demo.

Now back into this week's episode.

Really it this doesn't just apply to cybersecurity either guys, you know this this applies to networking.

This can apply to wow.

This really applies to just the tech industry in general.

The the value of home labs.

You know, people are always like, well all these jobs out here want multiple years of experience just for an entry level position.

How can you ever get that?

The chicken before the egg scenario.

Any chance of getting the eggs before they turn into chickens?

And I'm like, you don't need a job to actually gain the skills and build the experience.

You have to have that motivation.

You have to have that willingness to learn, but how you actually build experience doesn't have to be on the job.

I mean, I have two, I got two different home labs behind me, a networking one over here.

I got a server cluster over here and then I have another one out of my garage.

And you know, I'm not saying go out and buy all this expensive hardware.

You don't need that.

This is half this stuff is stuff I've just gathered over the years.

I'm I went to you know, my employer was getting rid of some stuff and I'm like, hey, that's going to e-waste.

Does can I have it?

And they're like, sure.

I don't, we don't care where it goes.

Now I even personally attest to that too, because, you know, I'm a college dropout.

College wasn't for me.

And I think college is great for some people, but everyone has their own path into this industry.

And for me, it wasn't college.

I just could not focus and I wanted to learn.

It just wasn't the right environment for me.

So I I was self-taught.

I self studied and I was still able to land a job in the field because I had a home lab.

And during my first interview, I talked about that and I actually just talked about this in one of my videos I did at the end of that first video or that first interview, I asked between now and the next time we meet, is there anything I can do to help make myself a better candidate?

And the hiring manager said, well, we use a lot of Cisco Meraki.

So if you are interested in learning about Cisco Meraki between, you know, between now and if we call you back for an interview, that would be super helpful.

Matter of fact, you can actually, they had a program back then where you go to like sign up for a webinar and they send you free hardware for like with a one year license.

So I, I didn't even leave the parking lot.

I was on my phone already signing up for the those webinars.

So by the time they called me back for a second interview, the first things I was able to say is, oh, I actually got some Cisco Meraki gear and I've integrated into my home network and I've been doing this cool stuff with it.

And later that hiring manager told me that not he, he pretty much told every single candidate about that, you know that hack to get that free gear.

And I was the only one, the one who actually followed through with that.

Those are called subtle hints, everybody subtle hints.

Exactly.

Well, it's funny because it's like I have a mentee I'm doing right.

I'm talking to you right now.

And he's wanting to get into project management, but then also possibly now leaning to get into more cyber specific.

And he's prior military and he has his VA benefits, but he's contemplating going into this like I'll call it a boot camp, but it's a school allegedly.

But 30 grand to get like all these certifications.

And I'm like, you could do that or I'm like, if you just have some good self motivation, like you can sit down and probably pass your Sec+ in three weeks right after that, if you do a hard good study session for probably another week and a half, two weeks, you can probably CySA, cuz they really go hand in hand.

You can then pivot onto like Project+.

Like, I'm like, that's the thing.

Like, yeah, paths are different, right?

Some people really need that organized structure, college aspect where there's a professor, you have dedicated deadlines, assignments, essays, there's a punishment or something that happens if you fail to do something compared to the aspect of, hey, if I just do this on my own, I can do whatever I want.

But some people need that structure because without it, they're never going to get something done.

And that's one thing I really press on a lot of my folks, I mentor.

It's silly.

I kind of give homework.

I'll say, hey, look like, well, let's link up in 30 days.

Here's some challenges I want to have you do though do.

And so like, I know I was mentoring one person during December last year.

I'm like, hey, look, Advent of Cyber is happening here in TryHackMe.

I want you to do the entire Advent of Cyber.

And in January, I want us to link back up on a call and I want to hear your thoughts on what you thought about the Advent of Cyber.

And that was the only test I wanted them to do.

And crazy enough on January he came back and did it.

And I'm like, awesome man.

And it's always a good feeling when you give those like little one, it gives you a it can show you how dedicated someone is when you give them the advice like, hey, look, this is what you should be doing to be successful.

It worked for me.

It's worked for others.

I give them the advice to doesn't work for everybody, but it's just a way that's going to make you get better and come back from the information you're to get.

TryHackMe's Advent of Cyber does such a good job at giving a nice spread too of like red team, blue team, GRC, CTI, open source report writing.

So you get to touch a little bit of everything.

Crazy enough.

Two months later, he did end up getting a project management job for like an MSSP, which made me super happy.

That's awesome.

But yeah, it's ideally just like, figuring out what's the best way for you to learn is one thing too within this field.

And whether that's school, whether that's a boot camp, whether that's self pace, whether that's joining a cohort, whether that's getting on to, I know you offer also training and stuff with your website, Dakota for kind of progression, resume review, mock interviews, mentorship, finding what's fits best for your schedule and your career is, is what's going to make you successful and grow that.

And I also just tell people time management because it just takes, it took me a year to get into this industry.

So yeah, I definitely want to get back to like the time it takes to actually make this career transition.

But one thing I want to ask you is, you know, from your perspective, you know, there's school, you know, there's boot camps, there's these learning platforms like TryHackMe.

And how do those actually stack up to what you're actually doing in the real world?

You know, I, I know you, you know, you're a big proponent of like Hack the Box and TryHackMe.

And some people say those are wonderful platforms.

And some people say those will teach you no usable skills.

That's a really good question.

And it's so funny because it's just like not to bash on school.

I'm going to bash on school for a little bit on this one.

So it's like, that's fine.

I went and got my masters in cybersecurity and specifically for where I went, it was more business continuity, like management, like my capstone was building out a business continuity plan, which is like a 50 page, like what if I call it the what if book?

Because what if this happens is it's, it's your, all your contingencies of what's going to how you're going to save your company.

And I had to make my own MSSP.

I had to make a network map and whole architecture where all my hosts, my endpoints were, where my servers were, what I was using for defence.

And it was great.

And then I got into my first strap at a SOC and I used none of it.

And I'm like, I learned terminology and verbiage, which was great.

And having the educational knowledge I thought was excellent.

And that was my intention of going back to school because my, my bachelor's degree is in criminal justice.

But the thing is I tell people when it comes to, and this is where I kind of find, and as we mentioned, like CompTIA certifications, SANS certifications, they're great.

But the thing is the real important thing that I think people need to understand when actually getting into a role is learning the tools.

We're just going to pick on.

We're going to pick on Splunk and Elastic because they're just relatively free trainings that you can have to both those to include Google Chronicle.

And that's one thing I tell people where it's like, well, I need to get CompTIA Sec+ and my CySA, my Project+ and my PenTest, my Sec+.

And it's like, well, you could, but then like you're going to get into a SOC and you're never going to be able to touch a tool because all you, all you know is the, the knowledge aspect of it.

Where it's like, go, go into Splunk or go into Elastic and jump into a ton of their free training on what's a dashboard, what's SQL, What's, how do I, how do I go through their logs?

How do I write your rules for rule detections?

And Splunk, Elastic, Google Chronicle, they all have all this free training that just actually will teach you that tool to better yourself.

And that's one thing where it's like once you actually get into a SOC, TryHackMe and Hack the Box, because they're the two primary platforms I like to mess around and play with.

There is excellent training in a few of those rooms that I've used on a day-to-day basis.

Like what like anything Wireshark related to going through, like PCAP analysis.

Fantastic.

I love going through that stuff.

And TryHackMe has some amazing rooms to include.

Also Hack the Box, some of the Splunk trainings as well.

We're actually going through and like going through logs and having to jump around and write specific queries to look up different date ranges and times and like to write out an SQL query.

That's fantastic.

But the caveat is, is if you only learn Splunk and then you jump into an organization that's like using like Sumo Logic or Elastic or Google Chronicle, the whole query and perimeter, the language could be completely different or not really similar.

It's similar in its sense, but now you have to kind of teach yourself a whole new parameter.

It's like coding.

A lot of folks say, well, once you learn one language, you can learn them all because they all have some similar ticks.

But it's like, I would argue that if you learn Python, you're not going to go over to Rust and pick it up like within a day.

So that's one thing where I do think some of the training platforms do have excellent rooms that correlate to what it's like to work inside of a SOC.

But once you get into your first role, it's really important just to learn the tools and be dangerous in all of them.

When I was at the States, I tried to touch as many of the things I could.

I touched well.

I won't name the tools.

The secret's safe with me.

But I touched, as I must say, layout the entire plethora of what the states use them.

I jumped into every team as much as I could for shadowing, to learn what the tool did, to at least get like a low level.

So like if someone asked me about it, I could say, Oh yeah, we use that tool.

This is how we use it.

This is what it does.

And that way I had like a just a nice like, like I could scratch the surface of it to be enough to go in there and dive through and do like log analysis to review things.

That's one thing I would tell people where it's like, yeah, it's is there good real life training experience from those training platforms?

There is, but not every single room that they drop every week or that people create is going to be like a man.

This was the room that got me into cyber because there's some rooms in there that are you don't need so on both platforms.

Completely understandable.

You know, and we, we talked about certifications and their, their role they play.

We've talked about, you know, the resumes and what to put on there, and we're talking about skills.

And this next question is, is kind of a broad one.

So, you know, it might be a little hard to difficult, but in your opinion, when you're like mentoring someone, what are the the very top skills and habits that you see that separate candidates from the ones who land jobs and the ones who are still stuck not, you know, not getting that entry level position.

That is a broad question, but it's a really good one and I think I know have a great way to answer it.

So it's funny and I can I can go back to some stories from when I was at Cactus Con this last year.

I sat in our career village and got to do some mentorship and resume review with folks.

And as silly as it is, like all the resumes are reviewing some of these college kids, the projects they were doing, the GitHub repositories, they did their, their resumes were rock stars.

The issue was honestly the soft skills and basic communication.

So the, the STAR method for interviewing, which is like situation, the task, the action and the result.

Going off those I'd, I would ask like, Hey, if you were, if you were working a project of something that you didn't get along with, how would you work that project still?

And I had this one candidate was like, well, I probably just wouldn't talk to him to get the project done.

And that was his answer.

And it's like, OK, I'm like, and then I had to keep it with a straight face.

I'm like, well, that's, that's one way you could do it.

But I'm like, what that job is looking for, for your answers that they're trying to see how you problem solve.

Like so if you're dealing with a colleague that you don't get along with, like they don't want you just to ignore them.

Like you still have to work with them for as long as you're there.

They want to see if, OK, well, like, what is, what is your like analysis?

Like, are you going to address the problem yourself?

Are you going to go to a manager?

Are you going to try to go to maybe as another team member and say, hey, can you just sit with me and, and Kyle and we're going to chat real fast.

And so I want to make sure that I'm not doing something that's causing issues or getting him annoyed with me.

Or are you going to go to a manager?

They're wanting to see your process for like how you kind of like solve a problem.

Same thing with like questions such as like explain the time you've, you've been challenged with a task and had this other candidate.

It's like, I've never been challenged.

I usually pick up stuff really fast and I'm like, OK, well, that's one way you can answer it.

But I'm like the same same process.

They're wanting to see your kind of analysis processing skills of what happens when you get stuck on something.

Do you just give up?

Do you go immediately to a Tier 2 and ask for help or hey, do you take a step back?

You reanalyze the problem, you do your research, you go to Google, which is your best friend in any SOC or any role when you don't know something, just go to Google and YouTube and see if it's been created already because why reinvent the wheel and you just go from there.

Some other things I've seen is kind of just like the lack of self motivation or self starters.

So just like we said, like he's being in breaking into cyber doesn't happen overnight.

It is not a, you wake up one night and you read a cybersecurity book and then the next day you're, you have six job offers with 100K salaries.

It's, I wish it, I wish it was true.

That'd be a great world, but it's not the world we live in.

So it's when you're giving someone a task like, hey, look like this is what you need to do.

You need to go through and like probably dedicate.

You could do three days a week, maybe an hour a night or an hour every one of those nights.

So 3 hours a week of just say go learn something and that whether that be like log analysis, whether that be and go to like a bunch of rooms in TryHackMe for an hour.

Go go through some study material for studying for certification and actually learn the material.

Don't just like brain dump it.

And the the push back I get from candidates that do take the time to go and learn the material, get the certifications, get honest good feedback from both positive and negative interviews.

So always reaching out to a place you applied, you saying, Hey, thank you so much for the, the time to interview if they weren't selected and just ask like, hey, if it's within your policy, could you we please set up a follow up call?

And can I just talk to your hiring manager in the team to get some feedback on things I could do to make myself better the next time I come across your guys's table.

And the folks that have done that have gotten such good feedback.

One of my one of my folks said, yeah, they honestly, they said I was just missing.

I think like they wanted more Linux experience.

So he simply just went and got his Linux+ and he learned Linux and I'm like perfect.

And then next go around when he found like a similar role with a, I think I got a similar job.

He got the he got the job and I'm like perfect man.

He's like, yeah, I figured out what I was missing.

Awesome.

I had a relatively solid rest of the resume, but they said I was just lacking that one piece.

Soon as he did that, everything rounded out and it worked out.

That's so cool.

And you know, a lot of people forget to do that whole follow up stage.

You know, it sounds, it sounds kind of silly, you know what I mean?

But it is it is huge because every interview you go on should be a learning experience.

You should treat it as a learning experience.

You should try to improve at least a little bit like 1% every interview you do trying to get that feedback, you know, going.

And not every company will give you that feedback.

You know they.

Won't.

Yeah.

It can be difficult.

Well, I love the question you said because I have, I have a similar question I always ask whenever I get like, hey, do you have any final questions before you leave today?

Yeah, The question I always ask is, is there anything on my resume that you didn't see that I could expand upon now that was missing or is there anything on my resume that's missing that you didn't see that would make me a stronger candidate?

That's.

A powerful.

Because maybe you have that experience that you just failed to put on your resume where they're like, Oh yeah, you know what?

We just thought you were really more into coding.

And I go, well, I do code.

Like I've done these projects.

Here's my GitHub repository.

I thought that was on my resume.

I apologize.

But yeah, let me send that over to you guys real quick.

And that could be the deciding factor for that second call, for that second interview.

Those are some powerful tips right there.

Now, you know, we've talked about pretty much everything leading up to getting that first job, but the question I always get asked, and I know everyone is itching, is it still possible today to land a job in cybersecurity without like any other like just jump straight into cybersecurity, No help desk, no networking.

Is cybersecurity still a field that you could just jump directly into?

See, this is a, I have a mixed answer to this one.

So my answer is yes, but it's going to be an uphill battle.

So, and it's also going to depend on your organization you're jumping into and how well their onboarding process is.

So with my jump into cyber, I've been now with, we'll call it 4 orgs counting the military I've been in, right?

Every organization I've been in has had a pretty like pretty, what's the word I'm looking for tedious onboarding process that gave a really good granular experience of like from start to finish of what I need to do to be successful.

But the caveat is, is a lot of those times were it's all, it was all self-taught.

I would have like a, a mentor or a buddy that I was assigned that I could ask questions to you if I was stuck.

But it was kind of like a, hey, look like onboarding takes about two months.

We're going to put you in this like dev environment.

It's going to be a bunch of mock cases.

We're going to then kind of slowly work you to that before you actually throw you on prod or production, which is like your live environment that actually is doing the real world stuff.

And then what I would do on those situations is I would just go in and like, I would absorb all that training and knowledge and just get into the procedures.

And that way I knew like, hey, look like if I, as long as I follow these procedures and then also in add in my root cause analysis, that's my end goal for all these cases.

That's my end goal for using these tools.

And the more, the more adaptable one can be to jump right into a job role that maybe they've been a stay at home parent for a while.

They were doing a job hiatus, They went and traveled.

They want to get back into the industry and maybe they've, they, they do a killer job on our interview and they, they get that chance from a hiring manager.

It can't happen.

But the caveat is right now, I think within the job market, it's just really rough right now.

There's still so many of the job like the shadow jobs and it's, it's such a, you'll get hit up by recruiters for you're the best candidate.

You get the resumes and then you just get ghosted or you'll immediately within like a week or two, get the rejection e-mail and they went with an internal hire.

It's, it's hard.

And that's where I think networking really comes into play of like getting to talk to folks within this organization and maybe within your city or state you're in and going to meet ups and making sure that you can kind of find that way in to show people the passion you have into cybersecurity that can help you land that role.

So is it possible to go right into cybersecurity to be successful?

Yes.

However, there's going to be some self motivation, a good procedure and training platform that you'll hopefully have at that organization and just asking questions and making sure that you fully understand what you're doing.

Jumping into something and like trying to assume that you understand a process half heartedly will cause errors and mistakes, but that will then possibly get you terminated or written up or put onto a PIP because you thought you knew the processes.

But if you're going too fast and not asking those questions at the time where you can at that the onboarding process or while you're still in training, once you get production, that's you're, you're knocking down real servers, You're you're taking people offline, you're blocking legitimate applications.

That's causing a whole org to do manual signatures for the entire day.

There's a story behind that that we'll talk about later, but.

No, absolutely.

And you know, I'm curious in, in your opinion, what are some of the, the realistic first jobs that people should be targeting if they're trying to break into cybersecurity?

So the first thing I want people to understand is every job does not have to be 6 figures.

So you can get into state and city organizations for probably a better opportunity than public sector.

But the caveat is, is the pay is probably not going to be that top tier private sector pay.

But understanding that like IT, help desk, system admins, even SOC analyst level 1 positions are all like brand new first year user friendly, but they may not be at that salary increase that you're going to want.

Like even when I left PD, I took a, I took a salary decrease to break into cyber.

But I knew with my hard work and dedication, I would really invest in myself to make sure I could get back into where I needed to be at a healthy salary point to take care of my family.

So I just tell people to be, be open to certain roles and be open to growing within that network.

So we've talked before Dakota where it's like all because you get into someone specific organization doesn't mean you have to stay there for 20 years at the end goal.

That's always the goal.

But I mean, like, I have a colleague of mine right now that's been in a company for about 6 months, but he's already looking to jump because he's, he's mastered a lot of the skills.

He's asked kind of what if there's any kind of growth opportunities there at the organization and there's not.

So now he's looking to do that next role, and the roles he's looking for is about 40 to 50K more of what he's already making.

And he's only been at that organization for six months as a senior analyst, so.

But unfortunately, that's kind of what you have to do in this industry if you want to go after those big bucks, you kind of have to do that job hop to be able to scale up because, you know, gone are kind of the days of staying in within an organization and getting these big raises.

It does happen.

And I'm one, I was going to say I'm one to talk because I 2 times I've gotten like two different organizations, I've gotten, you know, $10,000-plus raises, you know, in a single year.

So I mean it, it happens.

And that's what even with it's out of promotion too, is the thing.

But if you really want to make the big bucks, because let's be honest, there is money to be made in cybersecurity if you're willing to chase after it, but you're going to have to do the job hop.

And that's another that's a whole another topic for another day is like how to make those big dollars because that gets really difficult.

I feel the higher up that ladder you get because you kind of start getting niched off into the specialties and that that's definitely not a beginner's conversation though.

Yeah, that'll be a more mid level advance like hey, you're ready to make your first career hop to your other org.

How long should you stay there?

Because just just like you said, like the money's in cyber, but you have to get, once you've learned the skills that the organization you need, the next question you need to ask yourself is 1, is there growth where I'm currently at or do I need to look elsewhere to grow?

And sometimes your organization wants you to stay because you're a valued team member.

You, you carry the way you're killer on metrics.

But a good manager is going to understand that if you're looking for that next position for growth and that they don't have it, they're going to support you finding that next role.

And that's one thing that the state did for me leaving for Wells Fargo.

They, they knew I was a sharp cookie and that I was going to get headhunted.

And I unfortunately did.

But my manager was so supportive about it and gave me great advice and actually told me to take the role.

And he was more impressed because he's like, look, Andy, what that tells me is that I'm such a good manager and I'm, I'm turning out such strong engineers and analysts that that's the type of SOC we, we have.

And he had some rock stars still there.

So I didn't feel super bad.

I got one of my buddies on that was easily doing double the work I was.

So I left him in good hands.

But yeah, having supportive management and supportive team members to help you kind of lift you up and not hold you down is also super important in this like role and kind of business we're in.

100% when I first got into tech, that was kind of my, my path is, you know, I, I went the networking route.

I'm a networking guy, but I knew the easiest way to get in was to the help desk.

And so many people hate on the help desk, but it is a, you know, honestly, I feel it's like the easiest stepping stone to break into really any sector of tech.

And the thing is, I knew I wasn't going to be on the help desk forever.

My goal was one to two years at the help desk and then slowly progressed into my next career.

And that's exactly what I did.

I went from the help desk.

I was there for almost exactly 2 years.

I left for a network engineering position.

It was at the school district that I absolutely hated the politics.

I went from a really great family owned company, had an amazing boss, one of the best bosses I've had.

And I went to this really toxic environment.

This whole situation is toxic.

So I was only there for about 6 months and then I left there for a position as a network operation center technician and had an amazing boss there and then ended up getting promoted up to a director level role at that company.

And you know it all, every job role served a purpose in my career path.

And that's what I'm trying to get at is sometimes, yeah, it might not be the glamorous cybersecurity job you want, but it's the job that you're building experience, you're gaining knowledge from the people and you're, you're getting built up to take that next position.

It it's, it's and you know, we talked about this, you know, jumping straight into cybersecurity.

While it's possible, it is definitely a huge uphill battle and I think the other path is to start in a non cybersecurity role building experience that can translate into a cybersecurity job.

And that path, while it I think it will take a little bit longer, is I feel 10 times easier to do.

But everyone has their own journey into this career field.

Absolutely, Dakota.

And it's a nail on the head.

It's like my law enforcement experience, like as odd as it was made me really, I say solid at my investigations of just asking why, doing solid reports, being able to break down and write a solid story of like who, what, when, why, where.

And taking my experience into report writing for talking to a judge and jury to then talking to C-Suite level and folks that are not cyber and not understanding what happened to break down an event that happened.

So everyone has different paths just like as you talked about during this talk.

And I think whether it's going through school, self-taught, getting your GED, joining the military, maybe going an untraditional path into cybersecurity, there's thousands of different ways and avenues to get into this field.

And the easiest ways is to do the best way that fits your lifestyle, that fits your journey.

Now, as we start to land the plane here, you touched on networking with people and I know to many people that seems really intimidating, especially when you're just starting out.

But I, I want to hear from your opinion again.

How important is networking?

You know, I, I see it all the time.

I feel that sometimes in tech it's not what you know, it's who you know.

But I'm curious on your opinion on how can networking with people help land an actual job?

So it's funny, I'm actually gonna be doing a video here soon on my channel of how I got to go to Defcon for free from networking.

And it's, it's, it's wild because just by even doing my YouTube channel, getting to talk to folks like you, Dakota and Tyler and Josh, it's, it's opened up so many doors and avenues for me to go to online conferences, go to real conferences.

Being part of New Village this year, I got to go there for free.

And it's because of getting to contact folks within this, in this, in this community we live in, in cyber and just kind of share my story of how passionate I am about helping folks break into this industry and why I enjoy the job I do and wanting to kind of just help others kind of understand their journey or where they belong trying to break into cyber.

And so I tell people, when it comes to networking, it's huge being able to walk into a room and just maybe challenge yourself to like, you know what, I'm going to go to my, my local meet up and I'm just going to say hi to three different people today.

And that's all I'm doing though, and I'm going to take off and then maybe the following month, go there and say, OK, you know what?

This time I'm going to shake three people's hands.

I'm going to exchange my LinkedIn with two people and then take off.

And then the third time you go set up a real strong challenge.

And maybe there's a, a keynote talking at your local meet up or someone that's presenting, offer to meet up with them after the fact for maybe like a 15-20 minute phone call.

Talk cyber, exchange LinkedIn, and keep challenging yourself for new different ways to kind of connect and grow with people because not everyone's an extrovert, chatty Kathy, like myself, sometimes folks are more of recluse and don't want to talk to anybody, which I totally understand.

And there's Discord servers, there's cohorts and other communities as well that you can kind of just kind of lurk in and kind of just like chat with people here and there and kind of drop in questions here or a funny comment or a meme.

But still being part of those communities, I think is a great way to still, one, get yourself known, talk to people, find folks with similar interests, or even talk to folks that may be at organizations you, you wish to be working at.

That you can say, hey, I'd like to talk to you for 5-10 minutes.

I know you work at Microsoft.

It's one of my, it's one of my top five dream places to work.

Wanted just to see if we can chat for a bit.

Now you, you just mentioned you had a YouTube channel and you know, I'm, I'd love to hear more about that, but also if people have further questions for you, where can they find you?

So my YouTube channel does have all of my like Linktree info and all that jazz, but you can find me on LinkedIn.

I have my Discord channel but YouTube has all those links and that's probably the best way to reach me.

That's awesome.

Now, again, here's that that one question, you know, if you could give one piece of advice to someone who is looking to start their cybersecurity career, you know, something that you wish that every beginner knew, what would that one thing be?

Make the time in your schedule to map out what you want to do.

So my journey took me about a year.

I was married, two kids.

I was still working law enforcement.

I was on call all the time.

I had to go to court.

I worked in a track, the traffic vehicular crime Bureau.

So we went out to fatal accidents, hit and runs.

So my day was pretty busy.

I started my day at 6:00 AM.

I ended about 5.

I'd have dinner at six, put the kids in the white to bed around 7:00, and then I'd go back downstairs and pretty much be online doing homework or studying from like 7:00 to 11:00 and then repeat Monday through Friday.

So I had a lot of dedication and hard work of what I knew I needed to do to break into this field.

And so you really just need to find what motivates you, what path you want to try to get into.

I knew I wanted to get into blue team, so I was very blue team oriented for the training and certifications I was going for.

And I set goals.

I have a weird methodology that I will buy my certification, my certification and I will set a test date and I get myself that long to study.

So I have an SSCP here coming up in about a month and I already bought the voucher, already set the date and I need to pass it in a month because that's my test.

I need to know it because I'm taking the test in a month and it.

Helps keep you accountable.

It does, and so being having that time management and understanding the commitment and if you have a family and stuff, it's hard.

Like my wife knew it was going to be long nights writing papers, doing homework, but having a supportive also having a supportive family or folks you can talk to about this is also helpful because it's it's stressful.

You're going to get tired.

Burnout's a real thing.

But just having good outlets and good ways to kind of de-stress and do that kind of stuff.

That's I think the most important thing that if I can go back, I would.

I would re hammer and double down and just probably do a little bit more studying and to get myself ready for that first role I got into.

You know, it's been so wonderful having you back on the channel again.

You've given so much great knowledge.

And you know, we could go for a whole nother hour because, you know, we didn't even really touch on LinkedIn and just all the other things that people should be considering if they are looking to get into cyber security.

But I really appreciate you taking the time.

Dakota, it's always a pleasure.

We'll definitely have to do an AMA one of these days.

Maybe like a fireside that's like a live, absolutely, let's do a live AMA and just like allow people to just fire questions and we'll just go and see how long we can go for.

Absolutely no 100%.

Again, I really appreciate you coming on the channel and I really hope all of you enjoyed this episode.

If you have any further questions, please make sure and drop them down in the comments below.

And until next time, keep learning.
