Cybersecurity Mentors Podcast
In this podcast we discuss mentoring in cybersecurity, information for those that are looking to get into cybersecurity, and tips for those that are looking to advance their careers.
Check out our community: https://www.skool.com/the-cybersecurity-mentors
The Cybersecurity Career Q&A Everyone Needs to Hear
In this special Q&A episode of The Cybersecurity Mentors Podcast, we answer REAL questions submitted directly by our community about breaking into cybersecurity in 2026.
We cover:
- How to become employable in your first 90 days
- The best entry-level IT and cybersecurity roles
- What hiring managers ACTUALLY look for
- Home labs that recruiters care about
- CompTIA vs GIAC certifications
- MBA vs technical degrees for future CISOs
- Common mistakes junior analysts make
- Networking, mentorship, and career growth
- What surprised us most working in cybersecurity
- How to stand out when everyone says they want “experience”
We also share personal stories from our own careers, lessons learned, and advice we wish someone gave us earlier.
If you're trying to break into cybersecurity, grow your career, or avoid common mistakes, this episode is for you.
Come hang out with us in the Cybersecurity Mentors Skool community. It’s free to join.
Cold Open And Community Q And A
SPEAKER_01: Could you teach me? First learn stand and learn fly. Nature rules on your son, not the mind. I know what you're trying to do. I'm trying to free your mind, Neo. But I can only show you the door. You're the one that has to walk through it. What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life.
First 90 Days From Zero
SPEAKER_02: It's special. Why? Because we're having a Q&A, and all of these questions came from our community, our Skool community. If you haven't heard, we have a Skool community. It's amazing. It's awesome. Join for free to connect with a number of people that are either in cybersecurity already or are working towards getting into cybersecurity. And they're amazing. We also have free hangouts every Friday. John and I jump on with anyone who wants to join. You can bring questions there, we can talk about topics, you name it. But today we asked our community, hey, we're doing a Q&A episode. We want to hear all the questions that you may have, and we will answer them in our podcast episode today. And this is what we got. Now, we got a number of them, so we had to kind of pick and choose which ones, just to make sure that we have enough time and we don't go overboard. But we will save the rest and we will answer those in another episode, and we'll just keep doing it until we can answer all of them. But we got some good ones today. So looking forward to answering them and then seeing what you guys think. Yeah, I'm excited. There's some good questions. Yeah, yeah, there are. We broke them up into a few sections. So we got breaking into cybersecurity: experience, labs, and hiring; we got certifications and education; we got real-world cybersecurity lessons; we got career growth and mentorship; and that's it for this episode. But yeah, let's just get started. So, breaking into cybersecurity. All right, John. So if you were starting from zero today, what exact steps would you take in your first 90 days to become employable?
SPEAKER_00: All right. So we've decided to time ourselves to not ramble on. Okay, all right, here we go. All right, so first 90 days. 90 days isn't a lot of time, but starting from zero I would definitely focus on the fundamentals, as we've talked about several times. You need to understand the basics. You need to understand hardware, software, networking, operating systems. I think the A+ route is great. Do that, knock it out. Now, 90 days, you gotta hunker down to get it done in 90 days, but you can do it. It's not super complicated. But knock out your A+, focus on maybe your Network+ next, because you need to understand the network. And even if it's not "I got to get the certificate," I'm not saying you have to get the certificate in 90 days, but you definitely need to build out those skills and understand the fundamentals and the concepts. On the operating system side, understand Windows and Linux and get that experience. A good way to do that is make sure you build your lab up as you're learning. The TCM courses that are out there, they have some good ones that are free, like the help desk course and some of the fundamentals they have for free. I would definitely take a look at those. They also have an AI course that's free. TCM doesn't pay us anything, but I think they have some good content. If they want to, hey, we'll take some of that. But yeah, take a look at some of those that you could get for free. But build your lab up to start with. Hey, I need to build, and we're gonna talk about labs and stuff here. Let's start a virtual machine, let's learn how to make a virtual machine, let's build a Windows virtual machine, let's build a Linux virtual machine. I do think if you can learn Linux skills, it's gonna help you along the way. Some people hate the command line. I get it. I love it. I'm not an expert at it, but I do love it.
But I think that's gonna help differentiate you ultimately. In the first 90 days, you want to get to a level where you have enough solid fundamentals that you could start helping people with basic IT problems. Hey, I can't connect to something. Hey, my printer's broke. Hey, my computer's not working. Hey, I got an error. Hey, I need some help here, right? So those are the type of skills you want to build up so that you could start looking for those entry-level IT jobs to get your foot in the door, especially if you're just thinking about the first 90 days to get in and start helping, because there's a need for those people that AI can't take over, because you need to have some hand-holding and you need to walk in and say, look, let me help you fix this problem. Which is where I started, really. That's how I started: helping people, help desk type work, fixing their problems and troubleshooting. That skill of troubleshooting is a big, big deal. 10 seconds left. Boom.
Best First Jobs And Pathways
SPEAKER_02: Yeah, that's right. You were timing yourself. That's right. Nice. Awesome. All right. Hey, man, that's good. I have nothing to say. Well, the only thing I would say is even if you're starting from zero, you always want to be networking. So even if you have zero experience and you're trying to learn, I would still reach out to people, try and find connections, try and find people that are already doing what you want to do and pick their brain. Most of the time you find some good people, they will help you along the way, mentor you in a sense. And then maybe when the time comes, they can give you a recommendation, you know, help you get a job. You never know. Always, always, always, always be networking. Even if you are coming from zero and you're at zero, you should always be networking with those who are in a position that you want to get. So that's really it. Yeah, good point. All right, question number two. What are the most realistic first roles for someone transitioning from another field, and how can they position themselves to move into IT, SOC, or GRC within 12 to 18 months? All right. Well, some of the non-cybersecurity roles that we talk about all the time, that we say, hey, take a look at these roles just to get your foot in the door, use them as a stepping stone to get into IT. So that is the help desk, that is just general IT support, technical support, junior system administrator. Those are some of the roles that I would say could kind of help you get your foot in the door. The NOC. Thank you. The NOC. Yeah, so again, that's the help desk, IT support, just general technical support, junior sysadmin, the NOC. Maybe some vulnerability management roles. Those to me would be probably some of the first realistic roles that you can transition into as a stepping stone to then get you into a full-fledged cybersecurity role. That's what I would say.
Any others? Did I miss any, John?
SPEAKER_00: No, I think that's true. That's good. I do think the vulnerability management one is a good one. It's just you may end up being the person that's doing the grunt work of that. Like one of our guys who started this a long time ago, he was working with those scans and just getting the scan data and not really doing a lot of interpretation. Maybe he did a first-level interpretation of the data, but it's more like, hey, we need you to go check to make sure the compliance checks out of that, where it's doing a scan of a system against a benchmark. It's very basic, easy stuff. The benchmark is built in to say, do you have this on? Do you not? Right. And we do this in some of our regulated environments where we're scanning against the benchmark. That's a pretty good entry-level type role because you're getting into that vulnerability management mindset. So it's a good one.
Experience That Actually Counts
SPEAKER_02: Now, these are just IT, general IT. Now, if you can obviously get an entry-level cybersecurity role, that would be your SOC analyst, maybe a junior pen tester, depending on your skill level, but definitely SOC analyst is where I push people to go towards. And that is specifically for cyber. All right. Number three: what counts as meaningful experience in 2026 when so many entry-level roles require two to three years? What are the fastest ways to build experience that hiring managers actually respect? Ready? Timer started.
SPEAKER_00: All right. So this is the catch-22, right? We've seen it, and guess what? When I started in cybersecurity, there were no entry-level zero-experience jobs either. So this is not a 2026 thing, this is a life thing, right? It's always been this way. Again, it's not always what you know, it's who you know. So that's how you can get in and get your foot in the door. But as far as building experience, when I showed up for my interview at Clemson University, I had practically zero cybersecurity experience. I had done some of it on the side. I'd been studying it, right? But I had not a lot of real, actual experience. So, what were the things that convinced them that I was a good candidate? Why did they hire me? Well, number one was my passion, my interest. I proved and I could show that I was eager to be there and had the aptitude and attitude to be there. And I also had the fundamental experience that I had built up from the IT background. Number one was running Cat5 cable, which was basic, but it was something. Then help desk experience, desktop support experience, then a little bit of server administration experience that I built on top of that. And then I became like the IT guy. And again, I had to sell myself and trick them into hiring me to be the IT guy. And I floundered a lot at the beginning, but then I finally figured it out, sink or swim. I learned how to swim. And I was good at it. I felt like I was good at it. I could solve problems, help people. I got to a point where I'd been there long enough that I'd pretty much seen that problem before. And I like troubleshooting, I like helping people. But that experience I built on, like an experience snowball, and I talked about this on our hangout one time, it's like you just got to keep building on top of that experience, build on top of that experience.
And then when I got there, it was that experience and just my passion for wanting to be in this field and get in. And obviously, today, and that was before you had all the things you can do to build out your lab and get some of that, doing TryHackMe, Hack The Box and all those things, those are all helpful to add on top of that. But you need to be able to come in with that attitude, and they see you as somebody that's gonna hit the ground running, and you are continuously looking to improve, and you've shown that you're looking to improve, and you get it, right? You don't have to be the technical expert, but you get it, and you understand security fundamentals. So if you can bake that into it and they see you as somebody like, look, we can hire you, you're ready to go. Very nice.
Home Labs Hiring Managers Respect
SPEAKER_02: We have multiple podcast episodes out there that talk about this topic, that talk about what is the experience that you should be going after, what should you be doing to gain that experience? Because, like John said, this is not a 2026 issue. This has been an issue since security came to be, where hiring managers want entry level, but they expect three to five years of experience already. So it is, like John said, hands-on labs, real troubleshooting, any internships that you can get, any volunteer work, any freelance small projects that you can do. The home labs are a big part of your arsenal if you are trying to get into security and not go the IT route first, not go to the help desk, not go to the NOC, not get another job, and you want to go straight into cyber. Your home lab is a huge, huge part of that hands-on experience that you can then show and leverage and talk about. So that is very important. So we can actually, I guess, talk about the next question. Because the next question is how do you build a home lab that hiring managers actually care about? We've talked about this at length, but I'm gonna just break it down for everybody again, okay? The most important thing you can do is get on LinkedIn, get on Indeed, go look at the actual job descriptions of the jobs that you want. Look at a ton of them, more than just one, more than just a few. Look at a shit ton of them and compare. What are the responsibilities? What is the work? What do they want me to do as, let's just say, a SOC analyst, for example. What do SOC analysts do day in and day out? You list that out. Use AI, use ChatGPT, use Claude, use whatever platform you want. Get a bunch of those position descriptions, have it break down exactly what a SOC analyst does.
At that point, you will see, oh, a SOC analyst deals with vulnerabilities, a SOC analyst deals with alerts, with looking at logs, with some networking, with some system admin stuff. We got phishing. I mean, I'm just naming a few. Based on all those things that you would have to do as a SOC analyst, that's how you would build your lab. That's what you would say: hey, a SOC analyst, they're using a SIEM solution, right? 56% of the jobs that I found on Indeed want you to know how to use Splunk or want you to know how to use a SIEM tool. Okay, then you build a SIEM tool in your lab. And there's a ton of free stuff out there. Splunk, for example, and there's a bunch of others that you can go after. But you can also use this data that now you have to say, hey, 56% of these companies want you to use a SIEM solution. 48% of those want you to use Splunk. Okay, well, I'm gonna go figure out how to learn how to use Splunk. So I'm gonna build Splunk in my lab. That's really it, guys. That's how you kind of figure out what are the things that you should be doing in your lab. You go and look at the position description and you look and see, well, what am I gonna be doing in my day-to-day job? And you try and replicate as much as you can from that into your lab. And you're building a lot of this stuff from scratch, which gives you even more credit, more street cred when you go into your interview. Because it wasn't like you just came in and it was already up and running. No, you had to troubleshoot, you had to go through the headache of building it from scratch, standing it up, connecting all the connections, configurations, getting it to work, and then you start actually using the tool. So that to me is how you build a home lab that hiring managers actually care about.
Because if you can show that you are already doing, at some level, some capacity, what they want you to do if they were to hire you, you're set, you're good. Then the social skills come in.
SPEAKER_00: I'm done. Yeah, so I'll just add, I mean, build, secure, hack, right? This is what I preach. And I am doing that even today. Like as a CISO, I go back to build so that I can better understand different platforms like DevOps and cloud and things like that. Like I'm learning right now. I've got an Azure lab that I'm using, and I'm deploying VMs and creating users and things like that. I'm literally doing that so that I have a better understanding of what does that look like? How does that work? The build thing, people sleep on build. They sleep on it because they want to just go find bad things and be that person that looks for the evil. But the build is super important. And guess what? Most of the time you can do it for free. You just gotta spend the time. And now you got your ChatGPT buddy to help you out: help me understand how to build this thing. So there's really no excuse not to build things, and build things that you see in those job descriptions, just like you said. Look at the job descriptions, they're using this and this and this and this. Most everything, you can build some version of that and play with it. And people aren't building things. If you build it, you will better understand it, a hundred percent. There's no doubt, if you build it from the ground up, you will know it better than somebody that's even used that tool a long time, because you actually connected the dots to build it and make it work.
What We Look For In Candidates
SPEAKER_02: Absolutely. All right, next question. What are some key aspects that you two specifically look for in a candidate? I'll let you take this one, John.
SPEAKER_00: All right. So key aspects. I think the big things are, a lot of people will come in and they'll say that they're passionate about cybersecurity, that they love it, they want to do it, and then one of the things we really look at is: show us the evidence, show us the receipts of where you are passionate. A lot of that is just what we said. Like, okay, show me. Do you have a lab? Are you building a lab? What does that look like? Have you proven that you are doing things on your own to get as much experience as you can on your own? And really, humility. We talked about this in the Dave Burke episode. Humility is not a thing, it should be the number one thing. Because if you're humble and you're honest about what you know and honest about what you don't know, then now we see you as somebody that can learn, and somebody that's gonna come in and be honest about what they can contribute, but where they're lacking and where they want to get better. But you got to also add the attitude of wanting to get better, be the best you can be, not just be like, yeah, I don't know, sorry, right? But the humility piece of that, and then just the eagerness and the attitude of, look, this is what I'm doing. This is how I can prove to you that I'm serious about this. I want this to be my career. I want to get in and be a part of this team and make a difference. And then when you see people that you kind of question how humble they are, usually I don't feel good about those folks. I don't feel like I want them on our team. And everybody struggles. It's normal, as Dave Burke said in that episode, it's normal for people not to be humble. But there's a healthy ego to that too. Again, hey, the little competitiveness. I want to be the best.
I want to be good is not a bad thing, but you need to come at it with humility and say, all right, every day I'm just trying to get better. I'm trying to get better. And if you have that eagerness and attitude and humility, you're rocking.
GIAC Vs CompTIA For Early Career
SPEAKER_02: Yeah, no, I completely agree. I think just curiosity, right? Trying to figure out why that works that way, why we do things this way, why, why, why, asking the why, especially at the very beginning when you're first starting your career. I think that also helps you tremendously. And if you can come in and already have great communication skills, great people skills, be able to read the room, that's just a huge plus. So yeah. Yeah, those are good. All right, let's move on. All right, so this is getting into certifications and education. All right, the question is: a lot of senior-level roles request GIAC certifications, while very few mention CompTIA. Should someone pursue GIAC certifications early, or is CompTIA still more appropriate for entry-level candidates and career changers? Good question. Yeah. All right. Let me start my timer. All right, here we go. All right, so let's break this up. So a lot of senior-level roles request GIAC certifications, while very few mention CompTIA. That's true. Why? Because at a senior level, that means that you've already gone through the beginner stage. A lot of CompTIA certifications are good for beginners, are good for entry level, are good for dipping your toe into the water, getting a basic understanding of whatever the certification is, right? We mention A+ a lot, right? That will help you get the fundamentals of just general IT, because it'll give you a little bit of everything that someone in a help desk or an IT support role would have to handle, would have to do. Then you move on to Network+. That's again entry-level, basic, fundamental knowledge of networking. Then you go to Security+. Even Security+ is just basic, entry-level knowledge of security. And then you go on and on. They got PenTest+, they got Linux+, they got all these other certs. CompTIA is a certification organization for entry level, getting your step into the door.
GIAC does have some of that as well, but GIAC, like you said in this question, is more senior level. That is, you've already gotten some experience, some knowledge under your belt, and you're ready to move on from entry-level work. Again, GIAC is more expensive than CompTIA. So if you have some years of experience in cybersecurity and you're trying to move up the corporate ladder and you're trying to move into a more senior role, absolutely GIAC and other organizations would be best for you for those certifications. It also has to do with what you're trying to do, what your job is, what your role is, what kind of credentials do you need to back that you actually know what you're talking about. But CompTIA for sure is a stepping stone to get into an area, to understand the basics and fundamentals. I wouldn't just go with CompTIA and then just stay there. Absolutely not. They're like the first phase of becoming a successful powerhouse in cybersecurity and just a general professional. If you have the funds, but also if you have the experience, I would totally recommend going after GIAC certifications, depending on what you're looking for and what your role requires. But yeah, that's my two cents. What do you got, John?
SPEAKER_00: So my very first cert was A+. Very first cert, and I paid for that out of my pocket, right? I didn't have anybody pay for that for me. And SANS has been around a long time. It's got a lot of visibility, it's very well known. Everybody knows SANS, they've heard of SANS if you're in cybersecurity. It is very expensive. My first SANS certificate was SANS 503. It was networking, intrusion detection, and it was legit. It was a very good course. I did go on site to take the course and then studied later and then took the certificate test. But they do have entry-level stuff, they have fundamentals and foundations, which I'm sure are very good. It's just you got to be ready to drop five grand and maybe more to get the certificate. Now, if you get somebody to pay that for you, then do it, right? I mean, they are good. They are a good company. There are other companies that don't have as much visibility, like I mentioned, TCM. They have a lot of that stuff too. It's way more easy to get into it, to take those courses and actually start getting certs as well. Those are legit. We were one of the first ones, we got called out, in a good way, because we put TCM in the same list, like, hey, we would like to see you have these certs, GIAC and TCM, as one of the lists. Again, TCM isn't paying us. Hit us up, TCM, if you want to hook us up. But we put that on there and then they called us out. Oh, look at this job description, it has TCM in it. And I was like, yeah, I mean, we think it's legit. I took one of the courses. That's how I know it's legit. And they didn't respond back. I was like, dude, Heath, hook me up. I mean, I've given you shout-outs, and I respond anyway. But my point is that GIAC is good, SANS is good, I've had several GIAC certifications. It's just, be ready to drop thousands and thousands of dollars.
Now, if you treated it like an alternative to a bachelor's, then that would be a different question. That would be something to consider. It's like, all right, instead of going to get a computer science degree, could I, should I pursue all these GIAC certifications? And they actually do lead into that: they have a master's program after you go through so many courses of GIAC and get those. That could be an alternate path that you could take.
MBA Or Masters For Future CISOs
SPEAKER_02: Awesome. No, that's good, man. That's good. Well, this actually leads into our next question, which I'm gonna let you answer, and then I'll give my two cents afterwards. But the next question is: if the long-term target role is CISO, is an MBA more valuable than a master's degree? Take it away.
SPEAKER_00: All right. I recently had this conversation with one of our guys, one of our students who's ready to graduate. He's graduating this month, I think. Great guy, super awesome. I've seen him mature over the four years he's been here, but he's thinking about pursuing a master's. He actually asked me specifically about an MBA. And here's the advice I gave him, right? Now take it with what you want, but this is what I said. I said, from Steve's experience, who has an MBA, and some of our guys, they've taken advantage of that opportunity to be at a university. Him, he was looking at an MS, a master's in computer science, and thinking about leadership. He wanted to be in a leadership role going forward. That's the path he wants to go into, right? Which is CISO. So, what I said is, in my opinion, nothing against the MBA, nothing against a master's in computer science. I just said you've already kind of checked that box from a technical computer science perspective. It's not gonna hurt you to have a master's in computer science, but really, how much more will it help you, especially if you want to go the leadership route, to go get a master's in computer science? It won't hurt you, but it might be better, in my opinion, to pursue something that's outside of that technical realm that is more people focused, more people-skills focused, more soft-skills focused, more leadership focused, or business focused. Like I said, having that business skill set on top of your computer skill set is rare. And it doesn't have to be an MBA. It could just be business, a business degree. The MBA program is unique, right? Especially the entrepreneur program. They're making you think like an entrepreneur. Here's how you need to build your business, here's how you grow your business. It is not bad. It is not a bad thing. It's just that's its focus.
I actually suggested, and I said, I've thought about this myself, a degree in maybe psychology or something, business psychology, something around being a leader. You're leading people. You need to convince people to follow the mission, to pursue this, and to motivate them and get them on board. And that skill, as we talked about with other leadership and people skills and soft skills, can really help you if you want to pursue a leadership path, in my opinion, maybe definitely more than a master's in computer science, and really probably effectively more than an MBA. But that's just my opinion. Steve, what do you think from that MBA perspective?
SPEAKER_02: No, absolutely. So if someone is asking me, hey, I want to be a CISO one day, what should I do? An MBA or a master's in cybersecurity, computer science, whatever, I will absolutely say get the MBA. Why? Because in a CISO role, you will be, like John said, managing people, communicating risk. You're gonna be working with executives or people at that C-suite level. You're gonna be managing budgets, right? I mean, you're gonna be working with money, and you're gonna have to learn how to align security goals with overall organizational goals. And yes, my MBA program was more focused on entrepreneurship, but that's towards the end. At the very beginning, it was a very basic, general master's in business administration. So you got all that basic knowledge. And then at the end, you did kind of focus more on starting a business, running a business, and just being successful at that sort of thing. But I learned a lot of these things through my MBA program. Now, I actually think that if I would have had a little more people knowledge, a little bit more of like psychology or just management, or just something along the lines of working with people, managing people, if I would have had a little bit more of that in my MBA, that would have helped me even more. But I did get a lot of the basic stuff that I feel like someone in that leadership role, not just a CISO, but in any sort of leadership role, would need to build and run a successful team for an organization. So go the MBA route, or go a more management, psychology, business-oriented route. If you already have a bachelor's degree in cybersecurity, computer science, anything technical, you don't need more technical. That's enough. After that, then comes the certifications that you go after, but you don't need a master's.
Unless one day you want to be a teacher or a professor and you want to teach cybersecurity or computer science or something, that's when you need a master's, maybe. But other than that, you don't need it.
SPEAKER_00: Well, and I will say a lot of CISOs have an advanced degree. They have their bachelor's and they have a master's. Typically, probably a lot of them, whatever their bachelor's is, is also their master's as well. But from my experience, I totally agree. Something that's on top of that, that mixes it up, that's not just the same. Because if you're getting computer science, you're trying to be very in-depth on the computer science world to understand that next level. And you pretty much got it. Four years, you're good on computer science, in my opinion.
The Real World Security Shock
SPEAKER_02Yeah, if you basically graduated, you're good. All right. Let's go to the next one. All right, so this is more into real-world cybersecurity lessons. Here we go. Next question. What surprised you most when you started working in cybersecurity? Something no course or certification prepares you for. All right. What surprised me the most is how shitty companies are when it comes to cybersecurity. Seriously. Like there are so many things that you learn while you go to school or while you're doing certifications that are just like a no-brainer type of thing, that are just basic, basic cybersecurity hygiene. That it's like, this is the least thing you should do in an organization to be secure. And you come out thinking that all of these organizations know what you know and are going to not be dumb and do the bare minimum at least. And then you get your first job. And then you realize half of the organization has their freaking passwords posted on sticky notes on their monitors, and they're in a cube farm. So you just walk down and you see Joe. Hey, Joe, what's your password? Oh, Joe's password is Linda loves pizza. One, two, three. Who's Linda? His wife. Okay. You look at Joe's Facebook profile, he's enjoying a huge pizza. Like, I mean, that's just one thing. That really surprised me. It really surprised me how bad companies' and organizations' security is when I'm coming in fresh off school, and I'm like, oh my God, all these organizations, they all got it together. Like, I'm gonna have to come in and do this, that. And you are dealing with fighting leadership to set up a password expiration date. Because people have had passwords since the 1990s and they haven't reset them ever. Like, those are the things that really surprised me coming into the field from studying and preparing and actually working as a cybersecurity professional. 
How bad organizations' cybersecurity posture really is, and how much you have to fight and argue for an organization to do the bare minimum. It's like low-hanging fruit. Like, bro, just get two-factor authentication and we will stop half of the attacks that we get. That's what really surprised me.
SPEAKER_00That's great. That's a great point. And it's still true to this day. It's still true to this day. I understand some of it, but I do have to fight those battles too. I'm like, literally, like, hey, there's one I'm working on right now. I'm like, wait a minute, what? Why are we not doing that? And usually I can win those battles, but it's still a battle. AI is a good example. Everybody wants everything connected to their AI and they want to hook it up to everything and give it all the access. And I'm like, hey, take a look at this article where it has deleted somebody's whole production database. Like maybe you need to wake up. But yeah, no, that's a great point. And the good news about that, right, is job security, number one, because most people, even though they think AI is going to take over, they still need somebody like us to come in there and say, hey, why do we not have this turned on? Why is that on? What are we doing here? So there is a big need. And I really am not surprised anymore when I see things. I'm like, yep, that makes sense. Unfortunately, yep, that makes sense. They didn't do that, they're not doing that, right? As we've been doing risk assessments and helping with risk assessments with small companies, like, I get it, right? They don't worry about that. They're doing business. But they need people like us to come in and help them do those fundamentals. That also is very good news because it's not rocket science. When you look at the CIS top 18 or 19 controls, whatever it is now, it's not super complicated. It's fundamentals, but the fundamentals keep you out of the news. There are two incidents I saw yesterday, read about yesterday, where it was a VPN account without multi-factor, and that's why they got breached. Basics. So yeah.
Common SOC Mistakes For Juniors
SPEAKER_02It's a good point. And I'll say this: I've worked in higher ed, I've worked in healthcare, I've worked in insurance, I've, you know, been around, and it's the same no matter where you go. Everyone is suffering from the same issue, and it's just basic, basic cybersecurity hygiene. Yep, it's true. All right. Moving on to the next one. What's the most common mistake you see junior analysts make in a SOC environment? Take it away, John.
SPEAKER_00I would say the most common mistake is not asking enough questions, and that kind of comes back to the humility, being open and honest, especially interns, but like just being closed off, not communicating, just kind of waiting to be told what to do and not being engaged and being active. Like, look, you're here. You're here. You've got the golden ticket to learn. You've got people that are senior right beside you that you could take advantage of. So that's the biggest mistake: I see people not fully appreciate that opportunity. You're in the SOC. Look, this is happening. We're here. Let's be curious. Like you said, let's go ask questions. Hey, why are we doing this? And also, there's a good advantage of that too, because those new folks, they're not used to the way we've always done things. So when you ask questions, people think they're worried. They're like, I don't want to ask a dumb question. Like, no, you really do need to ask those questions because they might make me think, that's a good point. I haven't really thought about that. Like, why are we doing this? Yeah, that's a good idea. I just haven't had time to think about it and have that fresh perspective. Plus, it shows me as a SOC manager, like, this person's interested. They are wanting to get better. They're learning. And the only way you get better is to trial and error and fail. So I'm not going to get mad at you if you fail, as long as you don't do it too bad, right? But like you're asking the questions about it, and you're, hey, you know, this is what I'm thinking here. What do you think? Is this the right analysis of this event, of this incident? So it's just that continued, you don't give up when you're in the role. Okay, you got it, now is the time to really learn. And if you don't take advantage of that, you're definitely missing out on a huge opportunity. 
And we've had to let interns go because, like, I don't think this is for you. All you do is sit in the corner and wait to be told what to do, and you don't realize how big of an opportunity this is. So that's probably the biggest issue and mistake that I see people make.
Generalist Or Specialist In Security
SPEAKER_02I would completely agree. It's like tunnel vision. It's like, hey, you bring in these junior analysts and you're like, all right, this is what I need your help with. I need you to do this. And it's like just tunnel vision. And it's like, hey, this is my lane. I'm gonna stay in my lane, and that's it. That's all I'm gonna worry about. I'm just gonna check the box and not ask questions, not see, hey, what's your neighbor doing, not get involved in other things. Absolutely. The other thing that I enjoy hearing about is when we hire someone that's coming from a different organization and they come and see how we do things, and they say, Hey, in my last company, we did this, which is different, which may work, may be better. I like that because, you know, he's got insider information on how Lowe's cybersecurity team does something. And I'm using an example because we did have someone who worked at Lowe's who came to our team. And they say, Oh, at Lowe's Cybersecurity Center, we did this and we did that and we did that. And that's good because that makes us think. It's like John said, okay, well, Lowe's, you know, they're legit. Why are they doing it that way? Why are we not doing that? And it just, you know, opens up a whole lot of things. So that's something that I actually like. So if you're going into an organization and you have prior experience and you see something that that new organization is suffering with, and you don't speak up and say, hey, at my last organization, we used to do this and it worked, then you're just hurting yourself and the organization, because they can see you in a different light and then start saying, whenever a new issue comes, hmm, I wonder how so-and-so at this company handled it. Hey, so-and-so, how did you and this company handle it? So now you're being involved in more conversations. 
People are looking at you to see what you have to say, and that just puts you in a better position. All right, I'm done. All right, next question. When it comes to cybersecurity, is it better to be a jack of all trades or a master of one trade? I'll let you take this one, John.
SPEAKER_00I was gonna say, I'm excited about this question. Shout out to our Skool folks. All right, so you've probably heard me talk about this. I came up as a jack of all trades. I definitely know people that are the master of one in cybersecurity, and that was their focus, and it worked great for them too. Like there's nothing wrong with that. In my experience, jack of all trades has helped me the most. And I've talked about being able to talk to different teams and communicate in their language and understand where they're coming from. And when I do that, I can see how I'm building that bridge of communication. And they're like, okay, John gets it, right? He's been in some of those roles. He understands where I'm coming from, right? And so a lot of security is you're selling security. If you can't speak their language or see where they're coming from, a lot of times it's like, well, they don't get it. And you know, they might say they're doing something, and on the back end they're gonna do something else because they don't think security gets it. I got an amazing compliment the other day from one of our guys who said, you know, John has the hacker mindset. And I was like, yeah, I mean, I think so, but that was cool for him to say it because he's like our director of offensive security. Because again, the defense and offensive mindset, like I can switch between the two, where some people are like, I'm just offensive. That's all I do. I love red team, I love hacking things, that's all I do. And then the other side is like, oh, I'm just blue team. That's all I do, I'm gonna protect and defend and monitor. Well, there's a lot of things where that mindset you can shift between. When you can do that and think like a threat actor, I love it because I can be like, well, wait a minute. What about this? That could be a weakness. What would I do if I was trying to get around that weakness? 
And vice versa, if I was attacking something, be like, oh, how would they detect me? How would they find me? How would they see what I'm doing? How would I hide my tracks? Those kind of things. And so having both of those skill sets has really helped me. And it's definitely weird when people talk to me as a CISO, because most CISOs have come up the compliance path and then they're not that technical. And so I trip them out sometimes because they're like, Whoa, wait a minute. The CISO's coming to this meeting, he knows what's going on, right? He can actually speak and talk to this. And they're like, that's weird. And I'm like, that's right. I mean, I like it. I like being weird. And as a CISO, you can still dabble in different things and do some of those things, which I do because, you know, I'm the CISO. I can still be technical. But yeah, my opinion is even if you were gonna go full GRC, okay? My opinion would be to definitely be as technical as you can, because if you just do GRC, you are definitely gonna have a gap in what you do when you see a compliance control that says you must do this, this, and this. But if you can't actually think through how the admins are gonna implement that control, and what are gonna be the headaches, what are gonna be the shortfalls, what are they gonna do to bypass it because it doesn't work? And you're like, well, listen, the control says you must do this. But you're missing out, this is why the whole build, secure, hack mindset and building up your fundamentals is important. And like, oh, if I was the admin, I can see where this is gonna cause me a lot of headache, right? And so that makes you even better as a full GRC-focused operator, too. 
I'm kind of like this translator where I'm not an expert in compliance, but I live in that world and I understand the compliance, but I understand the security piece of it and how it really applies, and I understand the technical piece of how it would be implemented. So all three of those things make me a good CISO, in my opinion.
Winning Leadership Buy In On Risk
SPEAKER_02I would agree. I have nothing else to add. So let's move on to the next question. The next question is how do you navigate situations where leadership doesn't understand or prioritize security? So let me start my timer. I'll give my quick two cents and then I'll hand it over to you, John, because this definitely fits what you do every day. All right. So for me, the question again is how do you navigate situations where leadership doesn't understand or prioritize security? When I've come across a situation where I have a risk, I have a big issue, and I'm trying to get leadership, and sometimes leadership is not as technical as you. Leadership doesn't have the experience and the knowledge that you have to really see a risk how you see it, coming from a cybersecurity standpoint. You know, they're more worried about business, they're more worried about keeping things running, uptime, making money, like that. That's their focus. So I come in and I take the approach of how can I tie this security risk, this security issue, this project that I want to take off or I want to do, whatever? How can I tie that to business speak? And this is where the MBA came into play. Because I then say, all right, well, they are focused on the company's reputation. They are focused on the uptime, they are focused on making money. Like that's what they do. That's their job. So how can I share this risk and translate it into that and say, hey, if we don't do this now, it's not if, but when bad guys take advantage of this, our reputation will be affected. We will have a lot of downtime because we're gonna have to go back and patch things in an emergency, bring things up, whatever, and we're gonna lose money. And if our reputation goes down the drain, fewer people are gonna want to attend this university, we're gonna be on Channel 7 news, it's just gonna look bad. 
And all of this could have been avoided if you would have listened to me, your subject matter expert, when I said, Hey, it benefits us to do this now. I know it's gonna cost money, but we will save money in the long run. We will save a headache, and maybe you don't get fired. Now, I will obviously do it in more professional business speak, but I'm just breaking it down to you as simply as possible. I try to say, if you don't do this now, this will happen. And it's not an if, it's when it happens. So you either deal with it now, when you're in control of the situation, or you're gonna have to suffer it when you are no longer in control and you're playing catch up. And I'm gonna say, I told you, man. I told you. And when Channel 7 comes to me and says, Hey Steve, you were in charge of this. What happened? What's going on? I'm gonna say, Here are my receipts: on this day, at this time, I talked to these people, I told them this, I told them this, and they decided not to do it, they accepted the risk. So, you know, it's on you. So that's my two cents.
SPEAKER_00I'm done. No, that's good. That was definitely good. And I always come back to be Yoda, not Luke, and the Star Wars analogy that Adam Anderson, shout out to him, gave us: hey, you're not the hero. You're not here to stop everything and save the day. You're the wise counselor, you're the guide, and you're here to say, hey, I highly recommend we do X, Y, and Z, because as you said, here's the risk, here's the likelihood, here's the impact, here's the potential cost if we don't do something. Back to business speak, here's the cost to fix it. Speaking in their terms. And you present those risks and you put them out there so they are informed. Your job in security, especially with leadership, is to inform them of the risk. That's your job. Your job is not to accept the risk. Some people say, Oh, the CISO is supposed to accept the risk. No, I don't accept any risk. Right? I inform and educate so they can make an advised business decision on whether or not they want to accept that risk. And if they don't, how they might want to mitigate that risk. And I give them options to mitigate that risk. Here's what it would take, here's how much it would cost, right? And if they choose not to mitigate that risk and they choose not to take your advice and mitigate it, that's fine. You need to be okay with that. Now it's best if you can get that in writing and say, like, look, I told them, but you probably won't get it in writing, but at least you know you've done your part to inform them so they can make an informed decision, and you should be okay to move on, because at the end of the day, it's a business. They have to weigh all the pros and cons of a choice. You know, with the money, is that investment worthwhile? Or maybe I'm gonna spend, you know, a million dollars to fix this risk, but that's gonna hurt me for three million dollars in another opportunity if I did pursue that, right? 
So you have to think in that perspective, back to the business mindset and the MBA mindset. So, yes, basically what you said, but remember, be Yoda, not Luke.
Career Advice On Reputation And Networking
SPEAKER_02We should put that on a t-shirt, John. Yeah. Be Yoda, not Luke. All right, all right, we're gonna do one more question. This is our last one. All right, and that is: other than don't be an idiot, what is the best piece of advice you've gotten as it relates to your career?
SPEAKER_00So I would say honestly, there's not a lot of advice that I've gotten about, hey, this is your career. The thing that stands out though, as I look back on my career, is there were a lot of opportunities that I was very excited about. Like, this is gonna be a great opportunity. And then the door closed on that opportunity and it sucked. I didn't like it. I was upset about it. But now it's crazy how, if those doors had stayed open and they had worked out, I would likely not be where I am today. And so thinking about it, you're gonna have missed opportunities, and this is just reflection of what I've seen in my experiences. There are missed opportunities, but just because the door closes doesn't mean, maybe not right away, but down the road, there's not another chance for a different door that opens that could lead you down the real path that you don't even know was your path. Like I did not go into this to be the CISO, right? That was not my plan. If you had told me that was gonna happen 10 years ago, I'd be like, nah, that's not happening, right? I don't want to be that person. But I'm fortunate and find myself here today, glad that it worked out that way. But there were definitely opportunities along the way that I thought, oh, this is what's gonna be for me. Like I was gonna go be a full-time offensive security person. I pursued that a couple of different times and it was like, oh, this is going good. This is going good, and it didn't work out, which now I'm glad it didn't. So take that. What I would say for people is don't be discouraged. You're gonna be discouraged, but hopefully take that with the big view, the long-term view of, okay, well, that didn't work out. Maybe that's for the better good. Maybe that's really not the path that I'm supposed to go. 
Keep trucking, keep going, you know, keep looking for those things, keep getting after it, getting your stuff done, building on yourself, improving yourself, and those other doors will happen, right? What does it say? I can't remember the exact saying, but you know, luck happens to the people that are, you know, more often getting the work done, right? They're out there doing the thing, and you just end up being more lucky. But really, some of those things, even though they're invisible at first, they work out in the long run.
SPEAKER_02No, that's great, man. That's great. So I have two pieces of advice. One that was given to me and one that I learned on my own. The one that was given to me is, you know, your reputation follows you everywhere. Make sure that when you say you're gonna do something, you do it. Make sure that you are someone that people around you can trust, people around you respect, and people around you can depend on. Because you never know when you'll be in a situation when the person you least expect can help you tremendously. And the cybersecurity community, in my opinion, is small, man. It is small. And if you don't have a good reputation, it will follow you. And when you least expect it, it will affect, you know, you potentially getting a new opportunity, you potentially getting a raise, you, you know, being invited to be part of certain organizations, winning awards, you name it. Your reputation follows you everywhere. So cherish it, treat it right, and make sure that, you know, when people talk about you, it's in a good manner, basically. The other thing I learned on my own is networking is king. And we try and shove this down the throat of everybody who listens to us. But let me just give you an example. I have worked in different organizations, I've had a number of different jobs. All but one job I have gotten because I know someone, or because someone gave me a reference or someone recommended me. All but one. And I would not be here today if it wasn't for all those connections, all those people that I've gotten to know. Especially John, who is one of those huge connections. You know, he's been a mentor for me forever now, feels like forever. And you know, there's been a lot of times where John has said, hey, I recommend so-and-so, or John has convinced me to come back multiple times to work with him. But yeah, I mean that is one thing I learned on my own. 
And it's something that I would tell people now: networking is king, network, network, network. You can never have too many friends when it comes to a professional setting. Never, because you just never know who can help you today or who can help you tomorrow, or maybe you can help them, but it's always good to have that. And then, yeah, your reputation, man. Your reputation, that's all you have in this industry. So make sure that you do what you need to do to make sure you have a good reputation. So that's what I got.
More Q And A Next Time
SPEAKER_00Yeah. No, those are great. And speaking of, if you want to check out the Networking is King course, the literal course that we built to teach you how to network, come join our Skool community for free. This course is free. You can join it and go watch it right now and watch all our modules and learn how to network with people. Yeah. I mean, if you have questions, you can ask us and we will answer your questions right then and there in the community. It's funny how people, I'll be like, yeah, did you see the course that we have about this topic, even in the community? Like, go look. But yeah, we beat this over everybody. But I hear it over and over. I totally agree, my experience is the same. I wouldn't be here without other people helping me bridge those opportunities. So these are good, man.
Subscribe And Join The Community
SPEAKER_02I think this is fun. And we didn't even get to all of them. So for those questions that we did not get to, I have them. I saved them. So we will tackle these next time. We'll probably do another one of these here shortly because we have a lot of good ones. But thank you to everyone who submitted a question in our community. And for those of you listening, if you do have questions, all you have to do is join our community in Skool, throw it out there, and we can either answer it right then and there, or we can, you know, jump on a quick video call, answer it there, or we'll use it for our next episode or our next Q&A episode. So thank you all for joining. Thank you all who submitted a question. Thank you to our Skool community. Y'all are awesome. And that's it for today. Till next time. See you everyone. Bye-bye. Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.
SPEAKER_00Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.
SPEAKER_02Have questions, topic ideas, or want to share your cybersecurity journey? Join our Skool community, the Cybersecurity Mentors, where you don't have to do this alone. Connect with us there and on YouTube. We'd love to hear from you. Until next time, I'm John Hoyt. And I'm Steve Higareda. Thank you for listening.