Security Chipmunks

Mentorship, Connection, and Playing the Long Game

Edna Season 4 Episode 18


Discover how to navigate the complex landscape of cybersecurity careers with Fletus Poston III, Senior Manager for Security Operations at Crash Plan. Drawing from his diverse background spanning regulated utilities, financial services, and software development since 2007, Fletus shares transformative insights about finding your place in the security ecosystem.

The conversation challenges conventional wisdom about breaking into cybersecurity, with Fletus presenting a compelling metaphor: "Security is like a city" with diverse roles from entry-level positions to executive leadership. Rather than fixating solely on offensive security roles, he encourages newcomers to explore various disciplines to find their perfect fit, whether in SOC analysis, governance, or offensive security.

What truly sets this episode apart is Fletus's counter-intuitive approach to career advancement. Instead of mass-applying to positions, he advocates for a strategic "long game" - identifying target companies, building relationships with their employees over time, and positioning yourself as a knowledgeable peer rather than just another applicant. This approach leverages the power of internal references, dramatically increasing your chances of success.

The discussion delves into the often-overlooked human elements of security, from establishing effective mentorship relationships to implementing practical safeguards against emerging threats like AI voice scams and deepfakes. Fletus shares actionable advice for creating secure password practices and verification techniques that protect against sophisticated social engineering.

Whether you're just starting your cybersecurity journey or looking to advance to the next level, this episode delivers practical wisdom from someone who's navigated the field's challenges firsthand. Remember Fletus's parting advice: "You add value to every room that you enter," and approach security problems with perspective and understanding rather than simply saying "no."

Speaker 1:

is from a cooperative project for acquiring skills essential to learning. Welcome to the Security Chipmunks podcast, where we keep chipping away at it. I'm your host, Edna Johnson, and here we have our co-host, Neil Smalley, and today's guest is Fletus Poston III. Fletus, please introduce yourself.

Speaker 2:

Sure. First off, happy to be here. Love the tagline of chipping away at it, so I think that's important, as this field is always about taking the bite-sized chunks and then digesting them. So with that, Fletus Poston, been in this field since 2007. Started as an IDS handler, then did a little bit of a stint in the IT field doing IT service management, web application monitoring and then electronic document management. During the time as an electronic document management analyst, managed AD groups, process accounts and service accounts for about 300-plus servers at a regulated utility before putting cyber formally back in my title a year or two after that, when I became a cyber systems engineer helping build out the SOC for a large regulated utility here in North Carolina.

Speaker 2:

During that time I supported anything from the endpoint all the way to cloud and anything in between. So email gateways, network gateways, proxy server, SIEM. We had SOAR when I left, when I was leaving that organization before I joined CrashPlan, where I currently serve as the senior manager for security operations. In that role I own pretty much anything but GRC. So identity, threat and vulnerability management, security operations as well as application security. So been around the block a little bit, been in different industries, saw different things. Pretty much always been in the private public sector. So currently in a PE-backed firm, so done small business as well as large enterprise security.

Speaker 1:

That's a very impressive background, Fletus, so you have a diverse experience in the cybersecurity field. So when you see newcomers coming to this field, what are some things that you recommend that they do when they are thinking about getting into cybersecurity?

Speaker 2:

So, first off, similar to some of your path, from what I've seen and listened to on your Simply Defensive today, it's being curious, asking questions and understanding what about cybersecurity interests you. Most individuals today think cybersecurity, they immediately go offensive: they think pen tester, they think ethical hacking, they think compromises. And I always tell people security is like a city, so there's diverse roles that make up the entire thing.

Speaker 2:

So you have anything from the janitorial staff, which is your entry-level role, all the way up to the mayor, which would be your CISO or CSO, and there's everything in between. You can also look at it like the military. You have cooks all the way to your captains, colonels, generals. So what is your discipline? What is your lane you want to get into? And let's develop that. If it's a SOC analyst, let's go to TryHackMe, Hack The Box. Let's learn about all the different tools out there with TCM and other vendors who are putting stuff out. If it's not SOC analyst, let's say you're more of a governance, risk and compliance person. Let's go look at GRC. Maybe that's where your bread and butter is. You like doing policy and procedures or security awareness, or you like to study the latest threats that are happening from a compliance point of view. And if neither one of those, then you get the offensive side.

Speaker 2:

Where a lot of people get back into the original thing is let's break it, let's fix it. So that's where your purple team comes back. So I push a lot of people to look purple just because I'm a blue teamer. I want them to see both. So I push a lot to the purple side because I don't want you just to break it and walk away. I want you to break it but help the blue team catch it and/or defend against it next time.

Speaker 1:

Yeah, that's excellent advice. What about if somebody is wanting to be more competitive in the market? Do you have any recommendations for that?

Speaker 2:

So this is the non-stereotypical answer. To be the most competitive, it's to go find someone. It's when you know them, not who you know, it's when you know them. So I push people to go to local meetups. If that's your BSides, if that's your DEF CON chapters, if that's your ISSA, ISACA, get to know people as quick as possible, and get to know them with intention. So go in. Don't immediately ask them for something, but get to know them. Spend the first couple months building that relationship and figuring out who they are. It's a long game.

Speaker 2:

Most of the people I talk to when I mentor, I tell them to go ahead and pick three or four companies that they want to work for at some point in their career. Follow them, connect with them, watch when people get a job with them, connect with them again. Introduce yourself. "Hey Sally, I saw you got this information security role, congratulations. I'd love to work for company A at some point. Is it okay if I stay in touch?" Give Sally a couple of weeks. Reach back out to Sally. "Hey Sally, how was your first month on the job? Is it what you expected? Is it not what you expected? What do you wish you knew a month in that you knew on day one?" By doing all this, you're getting yourself a competitive advantage, because at some point they're going to post a job again and you're going to be like, "Okay, Sally, I've applied, here's my resume, can you hand it to the hiring manager?"

Speaker 2:

Most companies, including myself as a hiring manager: if I get an internal reference, I'm at least going to do a phone screen or a video call with you. During that, this is where you get to speak to your recon, your OSINT that you've been doing. "Hey, I saw you just got Series B funding last week, congratulations." Or "Sally was telling me about a project you threw on day three. I'd love to be part of that and this is how I can add value." What you just did there is you now sound like an internal employee, because now you're referencing my core values. You're referencing what projects my team was working on. You're referencing what my marketing team or PR have done, to position yourself to look more like a peer than a candidate. So play the long game by following what they're doing. Like their comments, repost their articles, comment on things and be selective with how you engage on LinkedIn. I recommend everyone to link, but don't just immediately ask for a job. Like their comments, comment on them, engage with them and then just wait. And that's why I say three to four companies, because you may want company A in 2025, but company B might be hiring. Well, in 2029, A is now hiring. You've made that connection for the last three years. You're going to have a lot of OSINT and recon to talk about in three years because you've been following the company for three years and interacting with one to many employees at that point in time.

Speaker 1:

That is such incredible advice, and I love how you're telling people, like, play the long game, because really that's what you want to do. You're building a career and that's going to be over many years. It's not just you getting your first job in the field, which a lot of people are focused on. They want to get that first job, but also thinking about the future and making a plan and following up on that. That's such great advice. You mentioned mentoring, and that is something that I think is a wonderful step that people can do to help themselves, to see outside of themselves and think of other ways that they can approach problems. So what are some of your thoughts on mentoring?

Speaker 2:

So, alluding to what I just said there, you're going to get passive mentorship by following industry professionals. It doesn't have to be the Dave Kennedys, the Jake Williamses, but it could be the individuals on this call. What we post is valuable, what we do in our day-to-day jobs. As you alluded to when you heard me say earlier, I have a diverse background. I've touched regulated utility, I've touched finance, I've touched software development, so you can pick my brain passively to learn what these industries do and how the day in the life works. The other thing that you can get from a mentorship is just making sure that you either set up a formal or informal relationship. If it's formalized, tell me what your goals and objectives are. Let's do this for three months, six months, one year, and then we're going to end it. If it's informal, it usually turns into a friendship. It starts as what I would call contractual, where you're just pinging me and we're going back and forth in Discord, Slack, Signal, LinkedIn, whatever the platform on which we connect, and we're just passively giving information. That informal can turn into a formal or just turns into a lifelong connection. And when I say a lifelong connection, there will be times when I'm stuck. But I know that Neil has dealt with this, so I'm going to ping Neil, or I know that Edna's done this, so I'm going to ping Edna, and so you can quickly send a note. Keep working, knowing that you've got that connection where you've more or less scratched each other's back and you're going to get an answer, because we joke we don't disconnect.

Speaker 2:

Well, I have three different monitors around me right now. I have Discord open on one of them. I have Slack open on one. I've got Signal on another. I'm going to see your message in almost real time. I may not be able to respond in real time, but I tell my mentees, because Slack is on every device I have, Discord is on every device I have, I'm going to see it before I go to bed. I will acknowledge it and either answer it, because if not I'm going to forget, or I'm going to tell you I'm not the right person, but Jack is, Susan is, Billy is, and let me make an intro to those.

Speaker 2:

So that's where mentorship is not just trying to create a clone of me. I don't need clones of me. That's why I didn't name my son Fletus. I need to build practitioners, engineers, analysts who can learn from my mistakes, because with mentorship, you're teaching them how to get out of the ditch because you've already been in the ditch. You don't want to see them run off the road, but at the same time, you want to teach them that when they get in the ditch, this is how you get out. Not keep them from the ditch per se, but teach them how to get back out of it. Same thing goes for every mentee.

Speaker 2:

I turn and ask them to be a mentor as well, because whether you've been on the job one day or 30 years, your life experiences allow you to give back to the next person. Next, it's having three tiers. So you have someone in front of you that could be a business leader outside of your organization, outside of cyber altogether. You have someone beside you; we build that healthy competition. So the three of us are competing to see who's going to find the next CVE, who's going to find the next promotion, who's going to get the next kudos. So it's a healthy competition, but we know that when the rubber hits the road, we have each other's back. And then that's that buddy system or mentor system, where that next person who's behind you, it's that middle schooler, that high schooler, that associate-level person or bachelor's-level person who's like, "I have imposter syndrome because you guys know all this stuff and I know nothing."

Speaker 2:

Well, it's that curse of knowledge issue. Remind them, at one point I was a novice. I can't think like a novice because of the curse of knowledge that I have. I've done it too long that I can't remember what it's like to be a novice. Like, I say this phrase right now, you're going to know what I mean, someone else won't: loop, swoop and pull. I'm talking about tying your shoe. But if I say loop, swoop and pull to a four-year-old, it's a context issue. So you've got to learn how to use a lexicon or a vernacular that resonates with someone who's green, new, and not assume that they have a baseline knowledge. And that's where we have a problem, not just in mentorships. In our field, we talk like everyone knows what we know. Just as your accounting team, your finance team, your marketing team, your R&D team, we all have our own lexicon and we're all SMEs, which doesn't make us any less intelligent. It just means we have diverse knowledge.

Speaker 1:

That's so true. I know that, like, as I've been learning, I've looked up to people and thought, wow, they're incredible. As time goes on, you start to become friends with some of these people and you learn more and more. Those people that you looked up to start to become your peers.

Speaker 2:

The other thing, too, and you hit the nail on the head, is this is a small field. There's only a couple hundred thousand to a few million of us, depending on which statistic you look at. At some point in time, I'm either going to work for you, with you, or against you, so we need to have a healthy relationship because of that. You're either going to work for me, I'm going to work for you, or we're going to be competitors at some point, so we need to have a cordial enough relationship that I can be your subordinate, you can be my subordinate, if we get into that position, or if we're competing because we both started our own cyber firms, we still need to be healthy companions. Because, at the end of the day, we're all here to protect the country in which we live, and then, ultimately, the organization in which we're hired onto, and then, finally, ourselves and our family members, because security starts from the time you wake up to the time you go to bed.

Speaker 2:

So we apply it to all aspects of our life. We protect us personally first. Then we go into the community we live in, and then we go into the nation we live in, and then we get to the country we live in. So security just moves from the time you wake up to the time you go to bed, and it's just where do you apply it, no matter if you're in security or not. Security is something you do every single day, and you either do it through the school of hard knocks, you've been burned by the stove, you've had your identity stolen, you've been robbed, or someone taught you, formally or informally.

Speaker 3:

You know you meet people who are like oh, help me with this, or what's it like doing this?

Speaker 2:

And you know it really does come full circle. Yeah, yeah, and to pull on some more stuff and to go back to that, the human-centric approach to security is something that I think we've all forgotten. We're used to process and technology, but if you think about it, there's people, process and technology. I asked several CISO friends of mine, or just ones I've met, what is your line item for people? And a lot of them are like, well, I have a security awareness program, or this is how much I spend on their endpoints because I harden their endpoints. That gets back into technology. What are you actually spending per capita on each employee of your company? It's very tiny when you look at your total budget for your security firm. We rely on technology a lot, but the most preventative way is teaching us to see something and say something, to be cautious.

Speaker 2:

Ultimately, I want you to slow down. That's not something you hear in 2025. Faster, faster, faster. As a human, I want you to stop. I want you to assess. I want you to pause. Good friend of mine: sometimes I want you to put your hands behind your back for a moment, twiddle your thumbs for a second and then put your hands back on the keyboard. Do you still feel like clicking? Do you still feel like answering that question? Do you still feel like downloading that piece of software? Because sometimes just that three to five second pause... You can't do that on every decision you make, but you can do that when you get the hair on the back of your neck standing up because something just doesn't seem right, legitimate and not been cloned, because it can be done within milliseconds or seconds, where it used to take minutes for the adversary to spoof something.

Speaker 3:

It also kind of goes back to the aspect of developing those connections at the different companies. You can actually figure out who actually works at these companies if you're spending, like, years following the different companies, and you're like, oh, this person isn't actually a recruiter for them, maybe I shouldn't talk to them.

Speaker 2:

And the other thing is fake jobs. To go back, earlier we were talking about people who just apply for everything. Ghosting was real during COVID, fake jobs were real during the pandemic. There are fake jobs now just to collect personally identifiable information. They just want you to interview, apply, give away your information, because that's the application process, and then we've all seen it, the scam: "Hey, go ahead and buy your laptop from this website and you can expense it." Most people don't think about that because they're hurried to get a job. If someone's never been in the field, they think that's normal practice. It's not normal practice to front your own hardware expenses or to send in an ACH payment to something else so that you can set up your direct deposit, or give gift cards. I mean, we all know this. Now back to that common knowledge. Your C-level never needs an Apple gift card, ever, and if they do, they're not coming to you, they're going to their executive assistant. Yeah, sorry, go ahead, Neil.

Speaker 3:

Oh, it's just always an important reminder. I know somebody who, like, has done all the trainings and stuff and then they still, like, it wasn't work related, but they got the scam thing for something else, and then they're like going, they are like partway through it, like you've gone to the store. And it's like, yeah, I think I heard, and it might not be the right store, but Target or some of the other big box stores have started training their employees that if they see people walk up with large amounts of gift cards, to call a supervisor over, not to make the sale.

Speaker 2:

Just like Western Union implemented something, I believe, in the early 2000s for the same wire scam issues that were happening, just to keep the old ladies and your grandparents or your neighbors from giving their retirement away because their grandson's stuck in a Mexican jail and they need the money wired right now. So that's where the training comes back in. And I alluded earlier, security is everyone's job. We just happen to put security in our titles, or have security in our titles. So, getting people to stop and assess at the bank, at the checkout system. Yes, we've moved to self-checkout, which makes it a little harder, but it's still putting in more of what I would call safeguards and gates.

Speaker 2:

So anyone who's been in cybersecurity, you know you put gates in for a reason: for collusion, for insider trading, insider risk. There's gates intentionally put in for your defense in depth, or your defense in layers, depending on how you want to word it, to do the same thing, and we have to do that with us as humans. I tie my shoes so I don't trip and fall. I lock my door so I keep the honest person honest. At the end of the day, me tying my shoes is not going to keep me from falling. Locking my door is not going to keep the adversary out, but it does slow me down from falling. It does slow the adversary down from coming through my front door.

Speaker 3:

Yeah, it definitely makes me wonder how long before my parents will be getting calls from my cloned voice.

Speaker 2:

I've had that happen once already because I do similar stuff to this. I've given my voice out a lot from trainings, my own YouTube channel. I've had someone clone my voice. It was a friend of mine. They wanted to test and see, and literally, other than the pauses, because they weren't using a paid subscription, you would have thought it was me. The software they used had enough delay that the human mind's like, that's not a real person. I can get rid of those pauses now with paid subscriptions. I can put my face on it now. I can put the voice behind it. I can do a lot of things to make it real. I could schedule the Zoom call and people may believe it's me.

Speaker 3:

It's definitely made me more cautious, having to rethink how I do things and not take the easy option and just go through some extra hoops sometimes.

Speaker 1:

Yeah, at this point people need to be sure to set up a code word with their families and close relatives so that they know that if somebody calls. Like, I've already told my parents, we have this code word, if somebody calls with my voice, because, like you, Fletus, my voice is all over the place. So I've let them know that if I call and say that I need money right now or I'm in jail or whatever the situation is, just hang up if I don't say the code word, and then call me directly on my number.

Speaker 2:

So yeah, I've done two things. I mean, growing up, I always had a safe word in case a non-parent picked me up. But now, because of fakes, I've also got to the point where I ask someone to reach for something behind them, because I want to make sure that the generation can change their face quick enough. This is as a hiring manager, to protect against the North Korean things we've had: reach back and grab something and hand it to me, or take something and put it in front of your face, because I want to make sure that it stays the same. And it could just be, "Hey, can you show me that picture behind you?" So it's casual enough that a normal person would think nothing about it, but the adversary who's trying to spoof this person is going to be like, and they're going to jerk. Or, to your point earlier, it's like, "Where's the car parked?" A normal answer would be in the garage or the driveway. Well, my safe word is, "It's in the middle of the red unicorn." The answer to that is red unicorn. It's something that's off the wall. It's nothing related to where the car is parked, but it's a normal question that an AI bot will try to answer. It's going to say in your garage, in the parking garage, in your driveway, on the street, and it's going to try to answer a real question. So give an obscure or random word, similar to your passphrases if you're using a password vault. Never answer those things correctly.

Speaker 2:

Folks, social engineering is real. I know what street you grew up on, I know the mascot of your high school, I know your first car, I know who you dated, I know your spouse, I know your partner, I know your favorite ice cream, because you put it somewhere on social media. And if you've fallen for most of them, you filled out one of those quizzes in the early 2000s where you answered all 20 questions and three of those were your security questions. First off, never give your parent's maiden name out to anyone other than a bank. No one else in the world needs to know your mother's maiden name, ever, and even your bank probably doesn't need to know it in 2025. Sorry, that's my little security awareness tip for today.

Speaker 1:

No, that's a good tip. That is actually the first time I've heard somebody say that out loud.

Speaker 2:

So, um, yeah, if you've got a password vault, you can put anything and everything in that password vault so you can answer every single question. I have a good friend of mine who uses Star Wars for all of his answers. He just picks a character for every single one of them and he puts it in his password vault so he knows which Star Wars character he chose for this question. I have another one who uses song titles for all of his secret questions, and he knows, again in his vault, which song titles he chose for Netflix or for Hulu, or for Bank of America, et cetera.

Speaker 1:

That's brilliant. I really like that.

Speaker 2:

Personal story. I called my bank up and they asked for one of my answers, and I gave them, like, "Jabberwocky," and they literally said, "No, I'm asking for your secret question." I'm like, "That's the answer." They're like, "Sir, that's not what the question is." It's like, "Well, type in Jabberwocky." "Oh, it worked." "Like I told you, that's the answer. Answer the question legitimately, right?" Excellent. It turned into a two-way communication. You validated my identity and I taught you something that you may want to apply.

Speaker 1:

Wonderful. Do you have any final things that you want to share with our listeners?

Speaker 2:

So we talked about it a little bit, so I'll just reiterate again: no matter where you're at, no matter what you've done, you have knowledge, you have intellect, you have diversity, which means you have value. You add value to every room that you enter, every job that you take, every talk you give. So make sure that you remember, no matter if you're 18 or you're 65, you have life experiences that are going to be different than the person you're speaking to. Another thing to remember, from Covey: perspective is key. When I sit across the table, I'm going to see a six, you're going to see a nine. It's not until I sit beside you and look at it from your lens that I'm ever going to have your perspective, and I'm also going to see the six, or you're also going to see the nine.

Speaker 2:

So take time, especially as a security practitioner, security leader, someone who's mandating stuff, to look at it from their point of view. Get to know why they do the things that they do, why their process is the way their process is. And then, once you know that, you can come in and say, "Well, I love what you're doing, but can we change this?" Or, "It would be nice if you stopped doing this and did this instead," and you've built rapport at that point in time, because you've taken the time to understand why they do what they're doing. Additionally, don't be the machine of no. Good friend of mine again, Russell Eubanks: know your no, K-N-O-W. Know why you're saying no. Yes and no are complete sentences, but not in cybersecurity. It's "yes, but" and "no, but." Rarely ever use the yes and no as a complete sentence.

Speaker 1:

That's great advice, thank you, and thank you so much, Fletus, for being on our episode today. This has been an episode of Security Chipmunks. Please make sure to like, comment and subscribe, and tune in next time.