The Bid Picture with Bidemi Ologunde

507. Aaron Hoffmann

Bidemi Ologunde

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 1:10:24

Email: bidemiologunde@gmail.com

In this episode, host Bidemi Ologunde sits down with Aaron Hoffmann, Senior Security Engineer at Rula, for a conversation on career growth, cybersecurity community, AI, and the human side of technical work. They discuss Aaron's path into security, his experience across different industries, his BSides Tampa community involvement, and how public speaking has shaped his perspective. What is AI actually changing for defenders? Where is the hype getting ahead of reality? How should organizations think about shadow AI, automation, resilience, and trust? Aaron also reflects on work ethic, burnout, continuous learning, and what the next generation of security professionals should understand about building a durable career.

SPEAKER_00

Okay. So thank you once again for joining me for join apparently I can't talk anymore. Thank you for joining me on the Oh my god. What am I doing? It's been a long way.

SPEAKER_02

I was about to say, even 500 episodes now, you should get that thing down pat, but I hear you. It's Thursday, almost Friday, looking towards the weekend.

SPEAKER_00

So thank you for joining me on another episode of the Bid Picture Podcast. I have a special guest who is joining me from Tallahassee, Florida. Got it. Over to you.

SPEAKER_02

Hey folks, uh, my name is Aaron Hoffman, and as Bid was saying, I'm based out of uh good old Tallahassee, Florida. And if you are not familiar with that location, we are in the Panhandle area in between Jacksonville and Pensacola. So not a uh a destination location by any means, but um it is the uh home of the Florida State University, which is my uh my alma mater, and uh home to myself and my family for uh for a good you know 15-20 years now. And uh yeah, it's it's been it's been great.

SPEAKER_00

And interestingly, a bit of trivia, Tallahassee is actually the capital of Florida, and I've met people who don't know that. Some people think it's Miami, Orlando, even Tampa, and I'm like, no, it's a town or city you you've never heard of.

SPEAKER_02

So you know, and and and Tallahassee, you know, uh you know, it's got a lot going for it. Uh but at the same time, yeah, when when you think of Florida, you don't think of of of Tallahassee. You think of South Miami Beach or you think of Orlando at Disney World. And yeah, uh Tallahassee, it's it's a great place to raise a family, I'll say that. Um, you know, I again I grew up here um and uh still living here after college, everything, but uh that being said, and not the most exciting place to live.

SPEAKER_00

So um a little bit about yourself. Um you are someone who is a I want to say a veteran of the cybersecurity industry. Um what was your what was your first real introduction into cybersecurity and at what point did this start to feel like a career rather than just an interest?

SPEAKER_02

Yeah, absolutely. So um kind of going over my my history itself. So um basically I started out uh in college, I went to FSU. Um this was uh 2011 when I first started, and I I basically picked a um a major. I would I I picked criminology at the time, right? Um sort of interested in it, wasn't really quite sure. Uh you know, I wanted to do the um you know law enforcement thing, you know, FBI agent. I was big into um uh what's the show, the uh criminal mind sort of thing. So, you know, at that age everybody just wants to be whatever they think is cool. So uh was was doing that, you know. And at that same time, I was working, um, so I I worked at um uh the Staples, so the office supply store. Um and so I was I was a cashier at that time, you know, everybody starts out that way. Um and basically I I was there for about a year and I just got tired of being a cashier. Um and so I was looking for other things to do at that point just to you know get out of being uh basically the punching bag for the uh the general public. Um and at that time the uh Staples had a uh kind of Geek Squad equivalent. So for folks who aren't familiar with Geek Squad, um that's basically the uh Best Buys um kind of break fix um tech support type service. Um I'm pretty sure it's still called Geek Squad, but um basically uh anybody, you know, your your grandmas, if they're having computer issues, you would go and um you know drop your computers off with them and they'll try and fix it. So um they they had a couple open positions, and Staples was actually pretty good about cross-training um at that point and um essentially teaching folks to move over to their uh their tech services uh role. So I went through and I was like, you know what, it it pay the pay is a little bit better. Um I don't have to sit in front of a cashier with register all day. Um and again, it just uh seemed like a better opportunity. So I studied for that, you know, that the the process to uh transition over to that department wasn't incredibly difficult for folks who are familiar with like the the Comp TIA exams. Um they essentially had a process very similar to like understanding like what is the CompTIA A plus, like that that type of certification. So um so I went through and passed that and um was able to at least convince my managers at that time to switch over to that. And so that's kind of how I got my first foot into the uh the tech space was um basically yeah, dealing with all the uh incredibly interesting uh stuff that you know just random folks off the street have with their computers, so um the virus removals and things like that. Um and so at that point, you know, I'm I'm getting close to the end of my college career. Um and I'm realizing that, okay, um I I definitely like the tech uh aspect. Uh the Criminology Act was was interesting, you know. Um but that being said, um at at some point, I forget where I heard it, there was either a a podcast or an interview or something where um essentially that and I also hate like explaining it to this just because it sounds bad, but um really you gotta make sure you're making good money at the end of the day. Uh uh so not not to say that I went into cybersecurity for for the money aspect, which you know it it is nice. Um, but uh I realized that okay, yeah, the the tech space um definitely pays a lot better than like law enforcement and um some of those roles that uh kind of uh follow that uh that sector. Um and so I switched my major from criminology to what was called computer criminology at the time. Uh I think they call it cyber criminology or something now, so it's it's always a an ever-changing name. So it was it was an interesting program because it was a combination of both um regular uh criminology, so you kind of have the uh like psychology aspect and law enforcement studies and stuff like that. Um but they also combined that with uh IT and computer science classes. Um and so this was actually really good because it was like uh it was like a light computer science degree, if you want to think of it that way. Uh and it worked out because I tried doing some of the higher-level computer science classes and I did not do well. So uh, you know, uh for folks who are listening in who are thinking about getting into cybersecurity, you know, uh you don't have to be the the world's greatest programmer or computer scientist to get in there. So uh uh yeah, you look at somebody who uh was was not um the uh the best in that area. Um but but yeah, so uh I went through that and uh you know eventually graduated in 2015. Um and uh that point was basically when I got my first uh uh cybersecurity job. Um so uh I started with a company called Reliant. Um they're no longer in business, but they um had an office in Tallahassee. Um I was I was very lucky to uh just wanted to find them first of all because again, Tallahassee is not um you know known for tech jobs and things like that. But um I I had actually interviewed with them um the year prior to graduation um and the hiring manager at the time. Um basically said, yeah, you know, it uh you're you're not quite there yet. You know, you you kind of have some of the skills that uh we're looking for, but again, because you're uh you know you're not fully graduated yet, and uh, you know, not just almost there, but not quite so. Didn't get it the first time around, but then that same position opened up um the year I graduated. So um I was like, let me try for it again. Uh so I went through and applied, and um, yeah, thankfully I was able to uh land that job. And that's that's really what kicked off my my whole career there, and really, really appreciate the folks um you know that uh uh brought me on at Reliant. Um some lasting relationships that I made there. Um even still today I still uh you know work with some folks from time to time and talk to them and see how things are going. So um, but yeah, so uh that's that's my uh my intro. And you know, my my career has since then spanned uh so coming up about 11, 12 years now, which you know uh it it's it does seem like a lot. It it feels like a lot, but um, yeah, a lot of folks uh you know they've been in there longer. But um, but yeah, I've I've worked across industries, uh, mostly financial services, um uh some cloud services and things like that. And uh, finally ended in a uh um interesting role in uh the healthcare space.

SPEAKER_00

So nice, nice. Thank you for that um extensive um breakdown. And it's it's always fascinating when I ask that question because no one I've asked the question. I I I haven't seen anyone with the same background as vast as I've had so many interviews, uh, formally, informally. And for me, it's more of from an academic background. I went to school for electrical engineering from bachelor's and grad school, and then I was just like, okay, well, do I want to become a professor? Not really. I don't like teaching. Well, not in a structured format, like me standing in front of a class and teaching them. And I was just like, I have this computer interest, kind of like how you described your Best Buy and that phase of your career, and you were already interacting with people, helping them solve computer and IT problems. For me, it was more like, okay, there would be some VCR video case recorder, and I would just put it apart and then figure out what's making it work, and then put it back together, and then my video game consoles, the same thing. And then when uh internet relay chat rooms came on, and then I was just like, you know, chatting with people and sharing ideas, that was my own approach to IT, and then I went to school for engineering, and from engineering, I was like, okay, well, let me find out more about this IT if it's a career worth getting into. So from this hobby, I came into IT security from an academic background, and then one thing led to the other. I got a job at Verizon and then from Verizon and different organizations around that 2015, 2016 time um frame as well. So it's kind of like we all find ourselves in cybersecurity from different backgrounds, different interests. Some people planned to enter IT, some people by mistake, by accident, some people from you know who knows. So you mentioned how you studied computer criminology, and I believe later on you went to study information assurance at Western Governors University, WGU. That's right. So uh how did that combination shape the way you think about cybersecurity from the technology aspect and the human behavioral aspect?

SPEAKER_02

Absolutely, yeah. And it's it's definitely a very interesting combination, right? Especially nowadays where we're seeing threat actors um move away kind of from the the purely technical um kind of uh exploits that they're doing, you know. Think of like the um uh uh some of the ones that are exploiting more human-based vulnerabilities, so social engineering and stuff like that, um, like like shiny hunters, you know, they're they're a little bit of a combination of uh you know going after social engineering type things and also the the technical exploits. But um so that so that background with uh the criminology side gave me kind of an interesting insight into okay, thinking about why is somebody going through and okay, going and becoming a hacker essentially, right? So um there are many different reasons why people will turn to crime, whether it's for for money reasons for uh um uh political reasons is not the right word, but being like an activist, right? So like being a political activist or something. Um so many different reasons why people will end up uh choosing to go down that darker path. But um kind of basing off that background was what got me excited and uh really wanted me to dive more into the technical aspect eventually. Um and so that's that's kind of when I moved on um to thinking about like, okay, I I I have my bachelor's degree um and I should probably think about getting uh a higher level degree, like a graduate degree or something. And so um I was looking around, you know. I uh at the time um I was uh this was probably like six or seven years into my career, I was uh very much not interested in um going back to like a brick and mortar type school, right? I didn't have the time to go to actual classes and things like that. So um so WGU uh Western Governors University is pretty unique. Um so they're they're an online school, um, and yeah, everybody has their opinions about um about online schooling. Um but for for me at least the I guess the benefit was that um I was able to take those classes and accomplish the schoolwork um essentially on my own uh on my own terms. And so that's that's one of the things that they kind of advertise, you know, is that um you can essentially complete the degree at your own pace. Uh which which is great because um, like for me, I was able to go through and uh finish the degree essentially in one semester. Um whereas uh folks maybe who um you know have family or they have a lot more stuff going on in their life, they can kind of take it at a slower pace and um you know they don't have to finish it up in the two years or whatever that would be normal. So um so that that I think was good for me because it let me go through and like there were definitely a lot of things that uh having been in the field for a while, like um a lot of classes that were just kind of like reviews essentially for me. Um but it did give me a good um essentially look into uh I would I guess like more management skills um from that type of perspective, right? Because um at some point, you know, um a lot of folks transition from being uh an individual contributor to uh a management type role. Um and so that that's kind of where uh like I saw or see my career going, hopefully, knock on wood, um, that eventually I will shift over from being somebody who's very you know down the weeds uh working, uh doing the tech work to uh more higher level you know people management type things. So uh so that that was also the uh uh kind of motivator there for that to just go through and um you know have a master's degree on my resume and uh just kind of do some additional learning. So uh but yeah, that being said, uh, Western Governor's University was great, uh very affordable, uh, which is another thing. So didn't have to go into uh massive debt to uh uh to complete that.

SPEAKER_00

Nice, nice. So in terms of um skill acquisition, um when you look back at your career from the very beginning, um Best Buy and so on, up until now, um was there any technical skill and non-technical skill you've acquired that you would say uh topmost, most important for you?

SPEAKER_02

So I would say that the most invaluable skill that I have just uh that that I would say has helped me out throughout my career is definitely the soft skills, um especially having worked in in the retail side for so long. Um so I spent I spent about three years uh working in retail, um, two years in help desk after that. So I had a lot of um time to kind of practice and hone those soft skills, right? Um and it's it's definitely been very important. It's it's things that you can't really learn in school. Um, you can't learn from a book. Um, it just comes from having spent time just in front of people and dealing with people and understanding how they work and understanding how they don't work sometimes. Um so definitely the the soft skills of being able to communicate, and like I'm not gonna say I'm the best communicator, absolutely not, but um I have seen plenty of folks uh throughout my career in this industry that uh just cannot communicate properly, um, and that has held them back because they can be great engineers, uh, but if they can't get their point across or they can't do it in a way that uh gets people to agree with them, then they're not gonna accomplish what they're trying to do. Um so besides that, uh writing was also actually a really, really good skill to have. Um so uh I I worked as a pen tester for a little while, so penetration penetration testing, um, and for folks listening and who may not be familiar with that, um, essentially is going through and uh replicating attacker uh uh tactics and techniques to essentially quote unquote do ethical hacking against uh um an organization. Right. Um and the product that at least I could what I consider the product is the final report. Um and so whenever I'm working with like students who are very interested in pen testing and stuff like that, I'm like, you gotta make sure that when you graduate, you gotta realize that you're you're not done writing reports. You will still be writing reports if you want to be a pen tester. Um and uh again, that's another thing is that you have to be able to convey in that case, here are the threats or the risks that are associated with uh what we found, uh, in a way that the the company or the customer will understand it and realize, okay, yes, this is serious and we need to we need to take care of it. So um those are the two, I think, soft skills that have been uh most valuable to me from a technical standpoint. Definitely uh being able to understand um at a foundational level uh programming and scripting, um, especially these days as um we're starting to get more into uh automation, uh, you know, kind of handling everything with AI and all that, um, being able to show that you can automate processes, um, save time doing things because when you save time, you save money. Um, that looks really good, um, especially to business owners. Um, so it's I I I highly encourage folks who are um you know getting into the industry or just kind of like looking where to see they should upskill. Um if they if they aren't already considering things like scripting or uh just starting a basic programming, at least just understand the concepts. Uh because yeah, there's there's not a at least for me in my my past ten years, I've I've never gone a day without like, okay, I should probably script something out, or I should I need to read through this code or something like that. So yeah.

SPEAKER_00

Yeah, I I agree with you on the um actually both the technical and non-technical, because starting with the non-technical, the ability to communicate, the ability to understand other people, not even from a human to human level, from a okay, well, there is this job we have to do, there is this task. Maybe you're on the same team, maybe you're on different teams, or maybe it's the tech team and you're talking to someone in finance or HR or legal or a different side of the business, or someone from another company entirely, and the company is in a different industry, or for some reason you find yourself working together, maybe on a working group or on a task force, and you have to be on a meeting together, and you have to speak languages that each person would understand. So it's more of okay, well, how do I get my point across to this person in a way they would understand and they would see that I'm trying to solve their problem so that they will be more receptive to my ideas or try to help me solve my problem. And it sounds simplistic, but I I guess because humans are involved, that's what pretty much every human interaction boils down to the ability to communicate ideas properly, efficiently, effectively, and so on. And a technical skill, like you mentioned, scripting, the ability to basically save time and money because as we all know, resources are finite, nobody has millions of anything, nobody has time on their hands, everybody is busy doing one thing or the other. But you want to be able to get as much stuff done as possible within a 40-hour week. Because work-life balance is also a thing. I don't want to carry work into Saturday or Sunday morning, and then I do I don't get enough rest and I'm grumpy on Monday morning. That doesn't help anybody. So if I'm able to, if I'm able to save time and help my employer save some money, then I'm more valuable to the organization. That could look like, okay, well, now I know how to script something, or I know how to prepare a report faster. I know how to help a colleague edit a report faster. Or I know how to create a PowerPoint faster, I know how to finish a spreadsheet faster. Whatever it is that that job entails, knowing how to do it efficiently, effectively goes a long way. Of course, that would look different for someone in cybersecurity and someone in marketing and someone in filling the blank.

SPEAKER_02

So exactly. Yeah. Although it's it's interesting now, though, too, especially um uh at my current role, um, there are there's a very big push for um certain non-technical teams to be uh be a little bit more technical. So you're starting to see a lot of folks, like especially in as you mentioned, like marketing, actually um are uh using AI to uh kind of uh accomplish their their daily tasks and everything. And so it's it's very interesting to see uh kind of the shift, um uh, like I said, as as uh non technical teams become more technical and um yeah, some of the risks that associate with that.

SPEAKER_00

Nice, nice. So you've worked Across different industries, financial services, retail, hospitality, and so on. This broad experience, how has it changed your view of what risk is?

SPEAKER_02

Yeah, that's a great question because every every industry and every company within the individual industry verticals, they all kind of see risk differently. And so, for example, a financial services company is going to see things a lot differently from uh from a healthcare company. They're the data is um very different in the way that it could be considered sensitive, and the impact of that data uh getting into the wrong hands also has a very different uh different outcome. So, you know, you think think about like a bank. Uh you know, we we hear about banks getting breached every other day. Um the most that comes out of an individual is okay, my my bank account uh information is is out there. There's the potential that you lose all your money. So that that's pretty serious. Um on the other hand, in in healthcare, um for example, you have a lot of sensitive information about people's medical history or their uh uh yeah, so like medical history surgeries and things like that. And it can have a different impact on that person if that information were released um out to the public. So um a lot of us have uh you know medical conditions or things that maybe we don't want to share with the world. Uh or again, yeah, stuff like that that we just wouldn't want um other folks to know. Um and so that has a very different impact on the individual versus okay, you know, I lost some money or that that sort of thing versus I lost uh privacy um and my trust essentially in that organization because now the world knows um uh you know things about me that I didn't want to know. And that can be used against them, things like blackmail or whatever. Um but uh but yeah, so that that being said, um definitely um especially also having worked across uh various sizes of companies from small startups of like 200 folks, uh, if that to massive uh you know global conglomerates of like 80,000 people. Um it it is definitely interesting to see um where uh some of these organizations organizations will put resources towards actually uh you know combating those risks. So um definitely larger companies will obviously they will have the more resources to do that. But the problem that um I had seen is that you end up uh having a lot of silos, um especially with like global companies. And like we talked about earlier, um, where communication is important to be able to get your point across, what I ended up seeing was that you would have a lot of these little little kingdoms within these larger companies, right? So you would have a director who has their goals, and then you have another director who has their own goals, and they would end up kind of infighting um to try and get each other's goals uh accomplished over the others, which would lead to things like uh you know folks lower on the on the uh on the ladder not being able to either do their job or they would just get blocked because you know something's going on on the political side that uh was preventing work from being done. Um and so that that's something interesting I saw from larger companies. Again, you have a lot more things to work with, but uh with that there's there's a lot more of the uh kind of political side internally that you had to deal with. Um whereas uh smaller companies um less resources, obviously, and uh a lot of times they're more focused on um trying to just make sure that they're profitable at the end of the day. Um because that that's again, really why why we're here um as uh you know cybersecurity professionals is to enable the business and make sure that it stays secure and it's is still functional at the end of the day. Um and so there are a lot of times where it's like, okay, um you have to think like as a cybersecurity professional, um, I want to say, yeah, let's lock everything down as much as possible. But at the same time, when we propose those ideas, maybe that is preventing the business from actually uh you know accomplishing its goals, right? Uh maybe it's something at a larger company would make sense, but a smaller company that needs to be fast to make sure that they you know get a product out to market, um, that it's it's not quite doable at the time. So you I kind of find that there is a lot more uh less uh structure in that aspect, I guess a good way to put it in in smaller companies where there's you know there there are some things that people sidestep, especially in in security. Um, but uh but yeah, really at the end of the day it's it's again enabling the business, making sure that uh it it makes money at the end of the day.

SPEAKER_00

So yeah, yeah, I agree. It's the analogy I like to use is when people ask me what's the difference between a large organization and a small organization in terms of cybersecurity, and I tell them, think about a small boat and a big cruise ship. It takes so much to stay a big cruise ship. If you want to turn, I guess, 10 degrees, you have to turn slowly over a period of maybe one hour to turn 10 degrees. A small boat, you can literally just go like this boom, and then you go you can even overturn, and now you're turning back the other way around if you don't if you're not careful. So that's true. Yeah, yeah. So large organizations, if you want to they they talk in quarters, you want to onboard something, you have to make a plan, you have to plan the meeting to then plan the main meeting to then talk about the and then you talk about uh different things with different teams before you sign a contract with one vendor. A small mom and pop coffee shop, for example, they want to change whoever handles their payment point of sale system. All they need to do is just make a phone call. And in two hours, someone new is bringing a totally new system, and they install it and they test it, and then you start using it the very same day, compared to a large organization where you have to call and HR has to sign off and legal has to sign off and this and that. So I've been fortunate enough to experience both worlds just like yourself, and it's like it's it's like night and day, basically.

SPEAKER_02

So I have a question for you. Which one do you prefer?

SPEAKER_00

I want to say they have uh pros and cons. So folks like you and me, we have ideas and we like to be able to execute those ideas as soon as possible because again, we want to help the business, we want to help the company do what the company does best. If it's financial industry, we want the financial industry, we want the financial institution to serve their customers in the best possible way. If it's telecommunications, same thing. So if I come up with an idea, I would like from start to finish maybe two weeks at the most. But then if it's a large organization, now we're talking three, four months. It's still gonna exactly at that even conservative estimates. It's still gonna end up becoming executed, but now I'm thinking, okay, well, let me prepare myself that this is gonna be a long-term uh project. A small company, on the other hand, there's less resources. It's like, well, you want to do something, you have to lean on open source software, uh, which comes with its own security risks again. So you have to balance those, okay. Well, uh, I cannot approach uh my finance folks to approve this thing. Let me go on GitHub and find an open source version. How safe is this thing? Because I don't want to introduce risk into my employer's network, so it's like, okay, well, a small organization organization is fast, but the resources you need are not there. A large organization has the resources, but they move slowly.

SPEAKER_03

That's right.

SPEAKER_00

So it's like this balancing act. So I would prefer quick, fast, plenty of resources, but that just doesn't happen.

SPEAKER_02

So I hear that. Yeah, I I am very much in the same mode. I think uh, yeah, especially having moved into a uh smaller company, that this is this is where I feel the most comfortable. Um even not from a resources perspective. I just like the fact that um there's a lot more opportunity for uh you to basically get your hands in a lot of the different uh products that are that are going on. Uh so great for folks who are new in the industry too, by the way, that uh yeah, smaller smaller companies end up having a lot more uh things to do, but uh you get a lot more experience that way. So yeah, yeah.

SPEAKER_00

So um let's go the security engineering direction. So what does a security engineer do um in today's May 2026 world? And how much of that role is technical versus communication and good judgment and good priorities and so on?

SPEAKER_02

Yeah. So the security engineer role is definitely one of those very nebulous titles that exist out there. Um, every company has a different idea of what a secure engineer should be doing. Uh, but that being said, uh so just as a perspective in in my background in the more um uh I guess traditional kind of like startup uh structure. So uh the way that we kind of structure things at my current company is that we have folks who are dedicated towards application security. Uh and so those are the folks who are doing things like reviewing code and uh making sure that features that the actual developers are introducing are secure. Um we also have infrastructure security engineers who they are the ones who are making sure that uh like our cloud instances and the underlying networking um that run the apps are are secure and functional. Then you also have folks like me who are in security operations who uh we're the ones who are essentially monitoring and kind of making sure that there are no um actual security issues that are occurring in the environment. So um it it's definitely one of those things where um uh there there are so many different possibilities out there as uh uh as a security engineer title um that uh there's there's lots of opportunities, I'll say that, um, under the security engineer uh um function. So um but uh but yeah, from basically just kind of being uh technical, like uh just as like a general idea of what my day kind of looks like, um, I would say that right now it's split, I would say probably 50-50 actually right now between technical and non-technical um job duties. Um and the reason why is just because um our specific situation is that uh we end up having a lot, we're working in healthcare, we have a lot of um compliance and audit type uh duties that we have to deal with. Uh so we we end up handling uh things like vendor reviews and just making sure that we're not onboarding uh you know vendors that are uh uh fly-by-night companies that uh use sketchy auditors like uh like Delve. But uh so um yeah, it uh it really depends. You know, some days I'll have a full day of uh dealing like incident response and uh you know running queries left and right and talking to folks and things like that. But um yeah, I I I would say that uh definitely any role, any security engineering role, um you're you're going to have at least a good uh you know 15 to 25 percent of your day being like non-technical things, whether it's meetings or uh going through planning, uh uh documentation. I hope folks are doing documentation because that's uh you know my my big stickler. I'm a big documentation fan, but uh so um but yeah, yeah, it's it's a very much of a split. You're there there are very few, I would imagine there are very few because I I've not worked everywhere, but um there are very few uh engineering roles that uh you're gonna be like a hundred percent technical. So especially as you move up higher in the ladder two. Um another thing is that when when you kind of move up in that uh you know engineering levels, like um different five uh companies like Google and Facebook, you know, they use the the level system or whatever as uh engineers get higher up. Uh you're kind of expected to be more of somebody who is um able to interface with different um you know business functions and things like that. So you're not just doing coding all day, you're able to uh kick off projects with uh other teams and get a product out the door, that sort of thing.

SPEAKER_00

Nice, nice. And I agree with you because me I'm more of threat intelligence. I interface with security engineers, I interface with incident response, basically every other side of cybersecurity, because we kind of have to. So, like I mentioned earlier, you want to be able to speak the other people's language whenever you find yourself in a meeting with them, or even just trying to learn what they do so that you can add value to each other. And threat intelligence is basically the ability to determine what a threat actor would do or what they are currently doing so that you can stop them from doing it, or you can prevent them from doing it. So you don't want someone to hack you. Well, you kind of have to know how they would want to hack you so that you can then set up your network to prevent that from happening, or if you're in the midst of a cyber attack, it will be helpful to know what they are using to attack you so that you can stop them from attacking you. So that's exactly a big summary of what Threat Intel is, and it's technical, yes, it's also non-technical because uh if you find something that a hacker is using to hack you, well, how would you present it to the team that would develop the tools necessary to prevent that hack from happening? You need to be able to speak that team's language. So if you want to present the summary of everything that was done to stop an attack to maybe the senior leadership or whoever needs, maybe even legal because a cyber attack sometimes legal needs to get involved for uh so many different reasons. You need to be able to present your summary to legal in a way legal would understand, and to the finance team in a way, okay, maybe you have to pay a fine. Well, this thing would cost this finance team some money, but present it in a way that they would understand, not the technical details of the cyber attack. So it's it's a good mix, like you described, of knowing technical components and non-technical components. You could be the best threat intel analyst if you cannot speak the language of finance and legal and fill in the blank, then you need to go learn some new skills, basically.

SPEAKER_02

So exactly. Yeah. I I I will say um, yeah, being being in security, um being friendly with the lawyers and finance is a incredible skill to have because uh yeah, they will they will come and save your butt sometimes. But um yeah, I I I I will say that um yeah, threat intelligence is is definitely one of my my favorite um kind of subfields uh within security, um, especially somebody looking into it, somebody who has not worked in CTI. Um, but it's it's a it's a very valuable subset because, like you said, it's it's understanding the actual attackers and the motivations behind it, um, and being able to relay, like you said, the tools. Because for for me, somebody who is like writing the detections and everything, I need to know like, okay, what is this threat actor group? What are they using today or this week or whatever? Um, so super cool because that also ties in again, actually, a lot of like the criminology aspect too, because you have to understand, like, okay, why are they doing this? Um, so so such a such a cool field. I'm I'm always I I like I I wish I could have gone into that that that field back in the day when I was like looking at stuff, but uh I did uh so nice, nice.

SPEAKER_00

So let's talk about um community participation, giving back to the community, and so on. So for folks who don't really know us, um, we actually met at B Sides Tampa. I want to say a few years ago. I time back.

SPEAKER_02

Two, three years ago, I'm down, yeah.

SPEAKER_00

Yeah, yeah. So what has the B Sides community meant to you, both personally and professionally?

SPEAKER_02

So, from a personal uh perspective, it's been a great way to meet folks like yourself. Um, first of all, it's it was a way for me. So I I first got into B-Sides again. Um this is probably about four or five years ago. So the my my very first B Sides was uh B Sides Greenville up in South Carolina. Um and I chose that one uh because one of my best friends lives up there, so I gotta you know go up there and visit him and at the same time go to the conference. And so um Greenville is um is a smaller conference. I would say maybe max uh 400 or so attendees, whereas um just for reference for folks, uh besides Tampa this year, I think we had like 2300 people attend. Um so very, very big size difference. But um it it was just a way for me to kind of see because like I and that was like one of my first trips up to Greenville, um, a way for me to see like, hey, there's actually a lot of folks um in places that I would never have expected that are working in cyber or very interested in cyber and that sort of thing. Um so really good way for me, especially as someone who is very much an introvert who um you know doesn't get out much, I'll be the first one to say that. Um way for me to go out there and just kind of you know meet folks who are like-minded and um just be able to interact with them and uh you know share ideas and things. So um is very accessible too. Uh again, they're they're not very expensive. Um, even if they do charge ticket prices to get in, it's maybe at most 40, 50 bucks or something for for the day. Um but uh I I started that one as an attendee. Um and so you know, sat through some talks and stuff like that. But um I I really liked the idea of being able to help contribute to uh some of those events, and so the following year um I I volunteered uh for B-Sides Greenville. Um and so that was one of my first uh volunteering um uh roles at a B-Sides event. And so great, great time again because that actually forced me to also talk to folks. Like the first time I went there, and you know, I said hi to a couple people, but uh being a volunteer, um, you will be placed into roles where you actually have to interact with folks, and so um met a lot of great people um up there, and of course, you know, down in Tampa, um, this was my second or third year volunteering, I think. But um, but yeah, so another great place because it's more local. Um I've also volunteered at uh B-Sides Shacksaville, again, another much, much smaller uh B-Sides event, but uh a little closer than Tampa, um about two hours away from Talassie. So um so great from a personal relationship perspective and just getting to know folks like yourself. Uh from a professional standpoint, um, it's it's been great again because I've been able to you know meet folks who are like, hey, uh you know, we we kind of keep in mind like yeah, if there's any jobs that are coming up, um, just to kind of scope by like what's going on in the industry, right? Um, and so uh a lot of times it's uh it been situations where like um I'm not necessarily looking for a role, um, but maybe I know somebody who is in the job market or something. I'd be like, hey, you know, are you looking for this kind of experience? I can introduce you, that sort of thing. Um so great for at least kind of getting uh referrals and referencing folks and stuff like that. Um as uh um somebody who worked at a vendor uh previously too, that was also kind of a nice um way to meet folks in the industry um and understand what kind of things that they were looking for uh like from the products that we were selling. So uh you know, definitely not there to sell anything. I always told people when I was there uh uh under the uh the vendor umbella. But uh um yeah, at least great to see like okay, because I there were folks who I met were customers of ours, and like I had never talked to them uh during during the day. Um, but I got to at least hear like, hey, yeah, we use your product, and you know, here's the things that I have issues with it. Um and I never would have heard that without having gone and you know gone to the ground and you know actually talked to people. So um yeah, it's it's great experience, you know. Um again, much more, much more low-key than some of the big ones. Um uh definitely a lot more uh learning focused, I would say.

SPEAKER_00

Nice, nice. And I want to say I have the same experience both personally and professionally, because people that meet me now, they think I'm an extrovert. And I was like, no, I've never been an extrovert. I am an introvert, I was born an introvert, I'm still an introvert, but apparently the podcast, going to conferences and B-sides, local and bigger conferences, and so on. I make it a point of duty to meet people and talk to them. And the the people I meet like yourself and I I go to DEF CON in Vegas, B sides Las Vegas, the same week of DEF CON. And I make it a point of duty to talk to at least two people. There's no gender preference. Is no background. Maybe I don't go around looking for people in threat intelligence. I just if you seem like you want to be approached, I'm gonna approach you because not everybody wants to be approached, and then some people have headphones. I'm not gonna approach you if you have headphones on. No, that's not that's just yeah, somehow. So uh the kind of conversations we have, we may not uh uh end up exchanging contact, but just the conversations we have at that kind of setting, and they're like, Oh wow, this person has uh something in common with me. You wouldn't know that if you don't talk to them, exactly. Yep, and of course, professionally, I've had people that have been on the podcast that I met at a conference. I've had people that I've ended up working together with at a company, a new company, but we met at a conference. I have a I have a friend who was also at DEF CON in Vegas a few years ago. He lives in Australia with his family. He was visiting the US, he was visiting his family in Vegas, and then he attended DEF CON, and then we ended up interacting, and then we still keep in touch up till today. Wow. And we met three, four years ago. He's from another continent, the opposite end of the world.

SPEAKER_02

So it's that's the great thing about these conferences, right? You know, yeah, you meet people from all walks of life, that's for sure.

SPEAKER_00

Yeah, yeah. So um, of course, one thing I like to um encourage people who are trying to get into cybersecurity is well, it's one thing to have the technical skills, it's another thing to actually interact with people, network the conferences you can afford, uh attend them. Because cybersecurity is such a unique field that there are conferences where you need to pay $500 for a ticket, and there are conferences like B-sides where you only need to pay $20, $30, and then you attend, and then you meet all it's uh you know, there's different uh levels of conferences basically. So maybe you attend the fancy ones, the big ticket ones, maybe once a year or once in two years, and you don't even have to, and that's the beauty of it. Exactly. So yeah, yeah.

SPEAKER_02

And it's good because too, especially with B sides, because it's local, you're you're meeting the folks who are your neighbors and folks who are you're you're potentially more likely to work with directly than like if you're to go out to B-Sides Las Vegas or DEF CON. You might like you say you might only see them once a year, and they might be somebody who lives in Australia or something. Yeah, uh but at the same time, yeah, you're right. It's it's really just a good way, again, um can't can't speak highly enough just for the networking aspect for any conference, really, just to get out there. And I I tell the students I work with, I'm like, just just go shake hands, and you know, you never know what happens. Some somebody you meet there, you know, they could end up being your boss one day, or you could be their boss, and boom, there you go.

SPEAKER_00

So, of course, there's no um conversation nowadays that is complete without talking about AI. So let's let's approach it from a less typical AI conversation. Let's talk about shadow AI. So, for those who are not familiar, shadow AI is basically when employees use personal AI systems for work, and then it becomes problematic. Summary long story short. So, shadow AI is becoming a bigger risk as employees start to use unsanctioned tools or personal accounts for work. In your perspective, what's the right balance between enabling productivity and protecting sensitive data?

SPEAKER_02

Yep. And yeah, that's that's a problem we're we're fighting day in and day out right now. It's it's it's always a balance because at a core level, I I want to see folks be productive and use the layers tools and everything, be successful with that. Um, but yes, there there is that balance where hey, you can't go and um uh upload all of the bank's transactions to the AI just to summarize that, because now that uh you know OpenAI or Anthropic has that information, stuff like that. So um so it it's hard because it's such a new feel, or I guess um the tools that we have to kind of control that are still uh very much in the early stages. Um so uh that there are things that are coming out like um like AI gateways and whatnot that are attempting to uh at least kind of structure that in such a way where uh internal teams have a little bit more control around the AI tools that people are using. Um and I think what I have seen that works the best is making sure that there's good communication from the highest levels of leadership down. Um making sure that there is an under making sure that there is a solid direction on where the company wants to use AI, how the company uses AI, uh, and that sort of thing. Because if there's no direction at the top, you're gonna have those situations where people are like, hey, we've been told to use AI, but we have no uh directions on on how to use it. But we're afraid for our jobs because we don't want to be seen as the ones who are like not adapting, not uh innovating in that sort of thing. So they're gonna go out and just do whatever they want, whatever they think is what whatever they think is fine. Um so having leadership come down and say, like, hey, yes, we are going to use X model, we are going to use this product, that sort of thing, and say that's the end all be all sort of situation. Um, I think is a really good first step. Now that again, very, very small baby first steps because there still needs to be the technical controls around uh you know handling how people actually access these things. So uh it it remains to be seen, I think, um, the the really solid ways because it's like every other day there's some some new tool that comes out or uh some some new feature that uh lets you know um uh Claw go and access your whole machine and and work for you all day or whatever. And uh again, we we sometimes just don't have the tools to kind of get that under wraps. So um so yeah, that that being said, I think um really really making sure that not having the hardline stance of absolutely no AI, um, that's just never gonna go well because people are gonna go out and do it on their phones or whatever, but making sure that they are given the tools uh that they need to or that they feel comfortable with using, uh, and making sure that it's given to them in such a way that it is at least attempting to put some guardrails around that. So uh I I I would say probably in like another year or two, maybe the industry will kind of have a lot more structure around that. But yeah, again, it it still feels like the Wild West to me right now.

SPEAKER_00

So yeah, yeah. And a big problem I see is the policy gaps are just not catching up fast enough. And what I mean by that is you tell employees to not put anything on their personal um AI accounts. Well, someone has smart glasses that is connected to an app on their phone, and they record their screen using the smart glasses, and it's basically giving them summaries and summarizing emails and helping them edit emails, and they just you know do everything from the app on their phone because the glasses is capturing it anyway. And guess what? These employees are working from home, so you cannot exactly see them in an office wearing the smart glasses. So now you're saying, okay, well, you want them to work remotely, but you cannot police how they work remotely. They are set up with VPNs and so on, but then they have smart glasses on and that's Shadow AI 101, basically and the employee will tell you, well, they're trying to be more efficient, they're trying to send out what whatever it is, they send out maybe 40 emails per week, and now they can send out 80 emails per week because they use the smart glasses. Well, where is that good balance? Or employees uploading stuff to external websites because it makes them faster and they can split a file. Yep. If if they are developers, they can split a file in a way that chunks it appropriately simply because the company does not have a file splitting tool. So now who's at fault? Because the employee is doing their work as best as they know. Maybe there's a training gap somewhere, maybe there is a smart glasses policy that is faulty. ETC ETC. Like you said, it's the Wild West, and maybe in three years is when we're gonna see how everything is going to be maybe done properly and so on. Well, what do we do between now and three years' time?

unknown

Yeah.

SPEAKER_02

Either that, or hopefully the uh you know, the the bubble will pop by then and uh or maybe maybe token costs will uh get so high that uh it just becomes impossible for regular folks to use it. So who knows?

SPEAKER_00

But uh I was I was reading just earlier today that companies had rushed to deploy AI systems are now scratching their heads and rethinking the because they didn't realize, well, this cost is just gonna keep increasing. And now they're like, okay, well, do we pause on this AI race? Well, our rivals are gonna overtake us and we don't want that to happen. But then you uh cut costs by firing a bunch of people. You simply moved money from a people bucket to a tool bucket. Because now the money you saved on firing people and all the benefits, you won't have to pay them. Now you have to pony up to tokens and yeah, yeah.

SPEAKER_02

It's uh it's I don't know. Like I I I I I want to say it's a short-sided thing just because um, you know, it it's the it's the the new shiny toy that everybody wants to use. But at the same time, from a business perspective, like I get it. I get that it's being relayed to executives that if you're not doing this, you're gonna be left behind. Yeah. Uh but yeah, it's yeah, like you said, we're we're seeing a lot of places now they're they're rehiring uh lower level developers and whatnot that they fired because they thought that AI would replace them, but uh they're actually ended up being cheaper than having to deal with token costs. So uh, you know, we'll see. Uh the the the one thing I'm kind of curious about is um like like I said, when when does it become impossible for the average show to afford to use AI? Um because at some point we're gonna get to that point where the the compute costs and everything are just so crazy high that uh either there'll be like different tiers of AI, so maybe you have like the uh the low-class AI and the high class AI, but um which I'm sure still exists today. I'm sure like the government has access to stuff that we uh only dream about right now. But uh so yeah, very interesting, that's for sure.

SPEAKER_01

Yeah, yeah.

SPEAKER_00

So to kind of start wrapping up here, um, I want to touch on some um career lessons and a little bit of work ethic. So cybersecurity can reward intensity, um, but it can also lead to burnout. How has your view of work ethic changed over the course of your career?

SPEAKER_02

That's a really good question because yes, it definitely has changed, and you know, I am I am clearly not uh, well, I feel like an old man, but I'm not an old man yet. Um But definitely early on in my career, um, you know, when when we're young and stuff like that, we want to make sure that we're making a good impression. Um and so when I first started, I was like, yeah, I was working long hours and I would volunteer for things that would end up uh you know keeping me there in the office later than um what my normal scheduled time would be. Um and you know, back then I could handle that. That's cool because you know, hey, um I'm feeling good, I'm young, I have energy, I can uh I can I can deal with that. Um but uh eventually as I kind of got more into my career, like I started to realize like, hey, um, you know, all that extra time and effort that you're putting in um doesn't necessarily actually mean that you're going to see um an actual benefit from that, right? So um I started kind of stepping back in a lot of places where it's like, okay, maybe I don't need to be on my machine until 9 p.m. every night uh when um I can just spread that out over the rest of the week, that sort of thing. Um and so now I'm definitely in my uh that kind of stage in my career where um I I definitely will I still find myself like volunteering for things every now and then, stuff that at least looks interesting that might require more time for me, but I still try and make sure that I devote time to uh making sure that I I'm not burning myself out. So um, you know, I've got you know my pets that I keep uh you know to take care of and try and make sure that at least I'm staying healthy from a physical and like mental perspective. So uh just taking breaks from electronics period, that's especially something now that I felt that uh I I I used to play a lot of video games when I was younger. Um and uh now I kind of find myself like, do I want to stay on the computer and play video games the rest of the night, or maybe do I want to go read a book instead, or you know, go for a walk or something? And so um yeah, it's it's definitely real. Um, definitely for folks who are listening, that uh you really have to make sure that you put yourself first because if you're burning yourself out, you're not gonna be um at that level where you can perform during the job. So that's not gonna help anybody, right? So um, yeah, and then make sure that you're you know still at least putting in the work, but uh not so much that uh you're gonna break yourself and not be able to do the work, period.

SPEAKER_00

Right, right. And I agree with you 100% because I tell people burnouts has different symptoms for different people. It doesn't look the same for everybody. Some people feel burnouts when they start not looking forward to waking up on Monday morning to go to work. For them, that might be a symptom of burnout. Some people are like, okay, well, I can't remember things like I used to. That could be a symptom of burnout. Some people could just be just getting frustrated at their co-workers and getting irritated by every little thing. Some people start reading meaning into emails. That could be a sign of burnout. So me personally, I go to the gym uh every more every weekday, 5 a.m. to 5 45. Shout out to F45. Um it's one of the things that keeps me because that is literally the only time I have. I have three boys. My oldest is six years old. So your hands are full.

SPEAKER_03

Plus you got the podcast and everything. Yeah, man. Yep, yeah.

SPEAKER_00

So now it's like almost 9 30 p.m. and I still do this, and I talk to people at night, and I do my work during the day, and which is why I only have time for the gym. 5 a.m. Nobody is awake yet. I go and come back, and nobody's still awake yet. And like I said, it's only weekdays because weekends, I literally have no time during the weekend to go to the gym. So when I start my day that way, and then I come back, and then I get two kids ready for school, and before you realize it, if it's not even 9 a.m. and I've done so many things, and then I go to work. So that already sets me in a positive mood because I've worked out, I've taken care of things around the house, I've dropped two kids off at school, and it's not even 9 a.m. And it puts me in this mindset of, okay, well, I've already accomplished like 20 different things. Then it gives me this mindset of okay, well, now let me go accomplish something at work, and then I come back from work, and then I hang out with the kids and play with them, and then we do some rough housing, then they go to sleep, and then I turn on the microphone, and then I record a few episodes and so on, and so and it's to me, it's like okay, well, that's what works for me, right? It may not work for you, it may not work for my friends and family members and so on, but everyone eventually needs to find out okay, what works for them. Part of what allows me to do that is I'm not on social media. Again, that's what works for me. So it's like, okay, well, burnout-wise, okay, it's a good balance every other month. I take some time off from work, you know, use your PTO, it's there for a reason, you know, stuff like that. So yeah, yeah.

SPEAKER_02

Uh yeah, I'm telling you, man. It uh yeah, I like you said, the uh yeah, definitely the 545 gym, uh definitely not for me. Um, but uh I I will definitely give a plug that uh getting physical activity in that is one of the best things you can do just for your mental health, too. So uh yeah, folks listening in, always uh yeah, try and make some time for that as much as possible.

SPEAKER_00

So um final question here. Uh when you think about the next generation of security professionals, cyber professionals, what do you hope they do differently than our current generation?

SPEAKER_02

That's a really good question because I think it's it's tough, especially now with the um again with the whole AI conversation and everything, where seeing where just the industry as a whole kind of goes. Um I I think that currently something that uh at least our our industry as a whole has just not quite gotten a wrap around is just the general human aspect of security, right? Because we're we're still falling for the same things left and right, the social engineering aspect. And I think that um it's it's a very tough problem to solve, right? Because you're always gonna have folks who are just aren't are not paying attention who um they may just not be technically adept enough to kind of spot issues, but um I think that the next generation, I would hope, is able to go out and out into the community first of all, and be able to kind of share and relay these ideas, um just general, like um teaching folks how to be safe with their with their devices and whatnot. Um, especially the younger generation too, because we're you know we're seeing a lot of kids who are growing up with just playing around the iPad and not actually knowing how to type and everything. Um so they're gonna have a very different uh perspective on technology than like what we do and what our parents did. Um so yeah, being being able to, at least on a human level, uh understand and relay how to be safe, um, I think is gonna be very important going forward. Um just because again, technology is so prevalent in our lives these days. AI is now like in everything, and I got a dishwasher that has AI in it now. So um, yeah, being able to say, hey folks, here's how you make sure you're not sending all of your your dishwasher data out to the company or whatever, uh, or here's how you don't accidentally expose your uh you know your smart camera or whatever out to the uh the public internet. Um is I I think something should that would be really good. Um, you know, special shout out to uh some of the students that I work with who um they put together a really good program at FSU that kind of goes out into the community and um you know just teaches like older folks especially like uh things to look out for um uh on the internet as far as like safety safety issues go. Because you know, every every day we hear like some some old person got scammed for you know thousands of dollars because they uh you know they fell for a fishing cam or something like that. Um so yeah, it's uh it's it it remains to be seen. I think um I I I am definitely not the person to uh be forward thinking like that, I'll admit. Um, but uh if I had to say one thing, definitely that's um yeah, we we we need to kind of as a as a society, you know, um kind of figure like, hey, how do we actually take security seriously um and understand those things?

SPEAKER_00

Nice. And to touch on that slightly, I would say uh social interaction is a skill that we are collectively losing as a society.

SPEAKER_03

Yes.

SPEAKER_00

And I I want to say that kind of started around the time social media became prevalent and COVID fast-tracked it to the point where the kids now they don't even want to do anything that would that would make them interact with other people. So like you go to a party, and at the party you only hang out with the people you know, or you don't even go to a party, and you're the party is on a video game platform like Twitch or Discord, and that's where kids hang out now. And you go out to publics and Walmarts, people don't talk to each other when on the line to check out, yeah, or you go to the mall, and if you want to talk to someone you don't know at the mall, you would be labeled a creep.

SPEAKER_03

Exactly.

SPEAKER_00

Yep, which didn't happen as early as five, ten years ago.

SPEAKER_03

Yeah.

SPEAKER_00

So bringing that to the cyber industry world, kids these days don't want to go to a conference. If I see students, young students at a conference, they are mostly keeping to themselves. And I'm like, shouldn't you be prioritizing networking? But then what do I know? Maybe I'm just an old person.

SPEAKER_03

Right?

SPEAKER_00

I don't know. I don't know.

SPEAKER_02

Yeah, it's it it it is interesting to see the um, yeah, even even between generations like that, just the the changes in how yeah, people socialize and everything. Like I um I I I've always thought to myself, like, whenever um if I have kids that I I would not put devices in front of them until they're way older, you know. And I'm sure it's hard these days too to uh kind of keep that away from them because you know all their friends are gonna have devices and stuff like that. So uh but yeah, it's like you said, with with after COVID, it's it it's a noticeable change in just how society functions in general. And not not for not for the better, that's for sure.

SPEAKER_00

Yep, yeah. Wow. This has been a fun conversation, and we've gone past one hour easily. Like I mean, these things happen. What can I tell you?

SPEAKER_02

Right, man. Yeah, great conversations, that's for sure. And uh appreciate you having me on the uh on the uh on the podcast, man.

SPEAKER_00

So of course, whenever we can set this off, it's we didn't even touch on so many different things. And I guess there's gonna be a part two. Who knows?

SPEAKER_02

There we go. Happy with happy to be back.

SPEAKER_00

Thank you so much once again. Talk to you soon.

SPEAKER_02

Thank you, man. Have a good one.

Podcasts we love

Check out these other fine podcasts recommended by us, not an algorithm.