Books4Guys

Joshua Copeland - Unpopular Opinion

Books4Guys Season 1 Episode 109

Joshua Copeland is a cybersecurity executive, Tulane professor, and 22-year Air Force and State Guard veteran who’s built a reputation for saying what others won’t. Known as the #UnpopularOpinionGuy, he challenges the industry’s sacred cows…calling out certification theater, fear-based marketing, and leadership failures that hold the next generation back. His viral LinkedIn posts and conference talks push uncomfortable conversations into the spotlight, sparking change where the status quo falls short. 

By day, he leads cybersecurity at an AI company and teaches graduate school. By night, he writes with the same no-nonsense clarity that’s made him a sought-after voice in the field. His books blend manifesto and survival guide; unfiltered, practical, and rooted in hard-earned experience. If you want corporate platitudes, look elsewhere. If you want the truth, you’re in the right place.

SPEAKER_01

Okay. Yeah. Cool, man. Well, I uh no, Josh, man, I appreciate you taking the time to to come on the Books for Guys podcast as you are one of the first individuals actually that I've had on here as a guest from the cybersecurity space, which is uh which is weird because I work with for a company that does security as well. And so, but uh no, man, good to have you on.

SPEAKER_00

Thanks for having me. It's uh great to be here and uh happy to share the uh world of cybersecurity with great other folks.

SPEAKER_01

No, I love it, man. I love it, man. I've got your uh I came across you on LinkedIn. I live on LinkedIn eight to ten hours a day just from uh from a recruiting standpoint, but I came across your profile, I think, because I I either saw a post from you or I saw you comment on some other people within the space that I follow, and then obviously came across your book, Unpopular Opinion, and I was like, all right, I like I like the message that Josh is trying to put out there, and uh so I appreciate you messaging me back and like I said, taking the time to talk about this. But man, so dive in a little bit, Josh, because you've been in this space for a long time and you speak on it, you consult on it. You've obviously written this book, which I said unpopular opinion, unpopular opinion burning down the BS to rebuild cybersecurity. And I've man, I've seen some of that over the last few years, just some of the, I don't know, just kind of some of the fluff around it. And I like that you're taking this approach of of trying to beat that down a little bit. But talk just share your story of how you how you even got interested in cyber in the first place, and then just kind of what you've seen to lead you to wanting to write this book and put this message out there.

SPEAKER_00

So, like a lot of folks, cybersecurity was not where I would have envisioned myself in high school. I was kind of the nerdy guy that, you know, did stuff with computers that, you know, statutes of limitations have now expired, but you know, doing things that probably shouldn't have been doing as a young kid. But I Ethical. Yes, ethical. But like a lot of kids in my my space, it's I didn't have money to go to college, let alone apply for college. So I did what a lot of folks did, and I joined the military. I did not join for IT or cyber. I was originally a logistics guy, and I got to my first duty station, and like, well, we have this additional duty thing that we need someone to do. And, you know, you're kind of into computers. Do you want to do this work group manager role? And I didn't really know what that was, but I did the thing that you're told absolutely not to do in the military, and I volunteered, said, Yeah, I'll go do that thing. And that was my kind of introduction into IT and then the very early cybersecurity. And from there it just kind of rolled into one role after another, eventually formally cross-training out of logistics into cybersecurity. But it was truly one of those things. It was by accident. You know, I've spent my entire military career. I did 20 years doing everything but the job I was actually supposed to be doing. So it was kind of the, well, we have this weird thing that nobody knows what to do with. And we don't really have an AFSC or an MOS that's tied to do that. So do you want to go do this new thing? And I'm like, sure, let me go do the new thing or let me go fix the broken program and figure out how we can make that better. Um, when I retired in 2018, I did what most folks do and went into the Fed contracting space doing cloud security, cloud security platforms for three-letter spooky agencies who are trying to put all their workloads out in cloud. 
And I start seeing kind of the self-licking ice cream cone that was cybersecurity at that point, where everyone's saying that we're awesome, cybersecurity is awesome, you know, we have endless budgets, we can do all the great things. And that wasn't the reality that I was seeing. I was seeing that we're still not doing the basics very well. We have, you know, this huge talent pipeline coming in, but nowhere to put them, and kind of seeing all these problems that no one really wanted to talk about. So that kind of led into my initial series of posts on LinkedIn where I did my first three unpopular opinions that were your certifications don't mean anything, your experience doesn't mean anything, and your education doesn't mean anything. And obviously that drew some very visceral reactions from some folks, taking some direct pot shots at those kind of cornerstones of what people build cybersecurity careers on. And I've kind of just rolled with that as I've kind of matured through my career. You know, now I'm a director of cybersecurity, I do advising, I do consulting, you know, I teach cybersecurity at Tulane University. You know, I'm doing a lot of things in space to kind of disrupt what we've been doing to make us better. And then also just being the voice that I wanted to hear coming into the field, not the Lego movie everything's awesome thing of no, here's what's really going on in the field and how should we look at it and how should we fix it and having those conversations because conversations is really where we get things fixed.

SPEAKER_01

What are some Josh? I've and again, I don't I'm not as technical and I'm around some guys who are in this, but I feel like I've seen just in my my role as a recruiter over the last 10 years, I've seen this like ebb and flow of security, and there's been times when everyone's like gung-ho, full speed ahead. We need to implement more processes and more tools, and we're taking this cybersecurity a lot more serious. And then there's been like times where there's nothing, and I feel like no one wants to is prioritizing cyber, I guess, the way they should. What's just your overall view of, I guess, and this is probably pretty broad, but like as a country, I guess, where are we at from a cyber standpoint? And like, what are some of the frustrations that you personally see, I guess, and what can we do better about? That's a really broad question, but I see like just for myself, see the dangers of it. Like, and more and more I'm getting introduced to like, like, even right now, anyone can pull my information and do things with, and it's kind of freaky. But and I know it's hard to prevent a lot of that, but like what are we doing or what can we do to be better? And just, I don't know, what are some of the frustrations you're specifically talking about, you know, from your book?

SPEAKER_00

Yeah, I think the biggest one is is that within the cybersecurity field itself, we're really, really bad at translating what I call the bits and bytes into dollars and cents. I can sit here and I can talk to you all day long about what vulnerabilities the system has, what the CVSS score is, and whether it has a KEV. And at that point, your eyes have already glossed over and you have no clue what I'm talking about because it doesn't matter to you. Now, what we've really done is we haven't built folks to be able to translate that into things that you're going to care about, things that your mom and dad will care about, things that your board will care about, things that the business units that you're supporting care about. We tend to be just super hyper focused on all things cybersecurity rather than the bigger picture. So I'll take, you know, world events as we have them now. You know, there is a current conflict with Iran. Any politics aside, whether you agree with it, disagree with it, doesn't really matter. There are second and third order effects of that. Iran is a well-known sponsor of terrorism, and particularly cyber terrorism across the board. And that was well before any incidents that we've had going on. So it makes sense for us to go, well, now we've entered into a legitimate kinetic conflict with that organ that country. What does that mean from us from a cyber standpoint? Well, you have to think about it from kind of like that 10,000-foot view. Iran does not have the capabilities to reach out and touch the United States where we live from a kinetic effect. Their missiles don't have that kind of range. They don't have the Navy Air Force to be able to do that kind of thing. But what they can do is radicalize individuals and they can do cyber attacks. And cyber attacks are very, very low cost. They have a low barrier for entry, and they're super effective.
And we've seen that both in Iran as well as Ukraine fighting against Russia, where they're building all these really interesting drone-based capabilities that are super low cost. You know, they're costing sub thousand dollars for an executable product that actually does a kinetic attack and it's going up against multi-million dollar weapon systems. You know, I live down here in Louisiana and we have the Port of New Orleans. You know, it is, depending on what year it is, one of the busiest ports in the country, and it's one of the two major ports importing oil coming into the country. So if you were a threat actor, New Orleans is one of those big kind of juicy targets to potentially hit because now you're hitting supply chain. You know, people are already losing their mind that gas prices are going up, you know, they've gone up, what was it, $2 where I'm at in the last month? Um now they're talking about increasing it from ethanol 10% to ethanol 15%. You know, lots of third and fourth order effects. Now, if we start throwing cyber attacks into that, what does that do to the economy? Where are the second and third order effects of that? Where we operate on what's largely just-in-time logistics. You know, your grocery store only has enough food to feed your community for two to three days. They rely on getting that truck in, you know, on Tuesday, Thursday, and Saturday to replenish their stock, to get you the perishable goods, the fruits, the vegetables, the dairy products. What happens if that doesn't get there because they're able to leverage a Colonial Pipeline type attack where you're shutting down the entire eastern seaboard and gas prices go through the roof? What does that do to communities? And that's where we've not done really great at being able to explain how cyber affects everything else.

SPEAKER_01

And that's scary to think about. I I spend a lot of time thinking about that now, just again with who I work with and looking at world events. Josh, how hard is it to really play offense from a security standpoint? Because everything like I've as a as someone who generally knows a little bit about the space, you hear about there's really not a lot we can do to prevent certain things. It's how quickly can we keep it from being too dangerous and causing having too big of an effect, like some of the stuff you've talked about. How hard is it to really play offense in the space versus some of those threats that come through and can wreak havoc in certain certain areas?

SPEAKER_00

That's the thing with cybersecurity. Offense is very, very sticky of a situation because it relies on reliable attribution. Just because the machine that's attacking my network is coming from an IP address based in the Philippines does not mean that it's a Filipino-based threat actor. That absolutely could be a Chinese actor using a bot network that is a completely unsuspecting compromised system from some organization. So if I try to do offensive operations against that, now I'm potentially creating international incidents in theory, depending on what type of system that is and who owns that system, legitimate acts of war. So largely, unless you are, you know, wearing that military uniform, working for the appropriate agencies out of Fort Meade, offensive cybersecurity is extremely hard to do because there are just so many ways that it could go horribly, horribly wrong. And which is why, to your point, we've largely focused on building the walls the best that we can and then building systems within those walls to be able to recover very, very quickly. And we've seen that work very well in some organizations and very poorly in others. I'll give an example of healthcare systems. They are absolutely prone to ransomware because they have typically very poor security models. They have very poor backup and recovery models, and they've become extremely tech dependent. Go into a hospital and take the electronic health records away from the nurse and the doctors and see how well they can compute what the appropriate dosage is for a, you know, 5'11 male that weighs 240 and is having this particular condition. You can probably find a nurse in their 60s that can whip out a pen and paper and figure that out real quick. But that, you know, 25-year-old nurse who just graduated school is gonna go, I have no idea. I need my systems. I need my systems to help me do that.
And then you have kind of those things where it happened in Germany where there was a ransomware incident where they've now actually tied back human death to a ransomware because they had to reroute a patient from the nearest hospital that was under a ransomware attack and could not care for them because they didn't have access to their electronic health records and their computerized systems for getting medications, and they died en route to the next nearest medical facility. That would not have happened if they had the appropriate medical systems protections around that. And there's always that kind of weird situation where you have to figure out what's the appropriate amount of friction. You know, do I want my doctor to have to pull out his phone, click a Duo button, go over the computer, type in a six-digit code so he can find out what my drug allergies are as I'm coding on the table. No, I probably don't want that level of friction. Now, putting my security hat on, I'm like, yes, all the multi-factor authentication, all the things. But the reality is that's more harmful than it is helpful, which is why you see hospitals now where they're using proxy badges tied to their ID cards where they can swipe in and out and add some layers of security, but also kind of reduce that risk. But when you have systems that are typically old, you know, most of your X-ray machines that you see in hospitals, unless it's a brand new machine, are running on Windows XP that's never been patched, that is probably on their primary network, that is connected to the internet because they don't have radiologists sitting on site anymore. They're sitting in their basement with 60-inch high-def monitors reading X-rays from 60 different hospitals all day long, because that's more efficient. But that means all these systems have to be interconnected. That means that we have all these different holes in. So being able to create that resiliency to be able to go, okay, this went down.
How do I get at least the critical things back up so we can get back to functioning? Is where we have to really start talking business to everyone else in the organization of going, okay, I understand cybersecurity is not a priority for you. But what is a priority for you? Okay, now that we've determined what's a priority for you, what systems enable you to do that? And that's when we start making those links between the cybersecurity requirements and what they actually care about. And when you can get them to care about, oh, if they take down the EA EHR, I really can't do my job. Then magically the light bulb clicks and they go, okay, protecting the EHR is actually important. It's not, you know, just something we're gonna spend a lot of money on and get no return on our investment. Yeah. But you have to be able to explain in the terms that, you know, they understand and what matters to them. You know, security matters to me because I'm a security guy and I look at it that, you know, my job is ultimately to protect people, whether that's people directly, people's data, or people's money, I'm it's all about a people-based thing. And that's kind of hard for some folks to really think about is that cybersecurity is really a people-focused job because if there isn't people, if there isn't people's data to protect, people's money to protect, I have no job. You know, businesses exist for a reason, and our job is to protect the things they care about, which ultimately come back to people.

SPEAKER_01

Yeah. I'm glad you used the healthcare uh example. Personal experience, I've got so many frustrations with technology in the healthcare space. As a patient, you're like, come on, this has got to be easier and more efficient. But that kind of leads me to my next question. You kind of you were talking about this, like they're outdated systems and whatnot. Another question I've got for you is with technology, specifically maybe AI as the focus here, with things moving so fast and then and then threats being able to maneuver and and do things quicker. How I guess just from like uh when you go in to figure out how to improve someone's environment so that they can be more safe, what's a first step approach that you try to implement or talk to people about? Because what I'm thinking is is like threats are moving so fast, we really can't keep up with it from infrastructure cost, you know, what it takes manpower to monitor all this. But like, what's your, I guess, first step approach to even improve someone's environment just a little bit so that they're not as easily susceptible to threats as, you know, and again, things are moving fast. But like, I guess what's your first thing you try to get people to realize and at least do from a security standpoint so that they can minimize a little bit?

SPEAKER_00

So I take a look at it from a business lens. What do you do? What are the things that you need to be able to operate whatever your business unit is, whatever your end goal state is? What are the things that you do for that? Do you know what they all are? And for a lot of organizations, they don't. They they don't have good asset inventory to understand, you know, here are all the systems I have. Because ultimately, you know, 25 years ago when I first came in, if you wanted to bring a system onto an organization, that was a huge process. You know, you had to talk to people, you had to get permission, you had to do all kinds of other stuff. Now, anybody with a credit card is an IT department because anybody can go out and buy a SaaS solution. The only person that's going to be able to tell that they did it is going to be the CFO's organization when they get the bill. Maybe flag, why does Josh, who works in accounting, buying, you know, Google Workspace? That doesn't make sense. And that's only if they have checks and balances in there to kind of identify those things. So it's what are you doing? And then how can we make that better, faced, faster, and safer? And once you kind of get that piece done, then you can roll out into doing kind of other cool things around protection. But unless you know what you need to protect, you're just buying the shiny new tool that you just seen at RSA or Black Hat, and you're spending a lot of money and probably not moving the needle a whole lot. Yeah. Where you mentioned AI. AI is here. Everyone's using it, whether you agree with it or not. I've spoken in front of conferences and asked rooms of a thousand people how many of you think that you have AI in your environment? And about half of them raise their hand. And I look at them and laugh and go, okay, everyone who didn't raise your hand, you're lying to yourself. And you are because your people in your environment absolutely are using AI.
So for those of you who didn't raise your hand, how many of you think that there's somebody in your environment that's using something like Grammarly? And about half of them raise their hand. I'm like, okay, you know that Grammarly has an AI backend that's absolutely ingesting every keystroke that those users are making, and then taking that and putting into LLM to spit out corrections on grammar phrasing and all the other good stuff that Grammarly does. And they go, Oh, like you got folks who are going to be using ChatGPT, Genspark, Claude, you know, God forbid they're using OpenClaw and doing crazy things. But ultimately, people are going to be using the tools. You don't have a really good way to block and tackle. Even if you tried, you could say that you're in an on-prem environment and you have absolute control of what goes in and out of your perimeter. And you can go, okay, I'm going to block every, you know, AI tool at my firewall to keep someone from going in and out. And then they pick up a cell phone and they take a screenshot or a picture of what's on their monitor, upload it to ChatGPT, and they get a result back and email it to themselves, and all your protections just went out the water. So what you really should be doing, instead of trying to block everything, you figure out what do they need to do, what do they want to do, and create less friction paths for them to actually be able to do that. So yeah, you want to use, you know, Gen AI to help with your product marketing or to draft emails or whatever the case may be. Give them a solid framework of here are the things you're allowed to do, here are the things you're not allowed to do, here are the things that if you do them, it'll get you immediately fired. And here are the tools that we've already approved for you to be able to do that. So if your organizations will go with, you know, you're a Google Workspace organization. All right, we're gonna give everyone Gemini.
It's already built into the product. We're gonna give you some training on how to do some basic prompt engineering. We're gonna give you your left and right guardrails of here's the things you're allowed to do, here's the things you're not. And on the back end, because it's a tool that we've purchased, I can do some controls around that. I can say you can't put things that look like credit card numbers in, and you can't put things that look like social security numbers into it, and do some data loss prevention from that perspective. And I can sign up for the data, zero data retention agreement with that provider to where it's not using that to train its model, because I guarantee you all the free versions of it that all your employees would be using is absolutely training the model. We've seen that repeatedly where um Samsung had their code leak because they were using a free model. We've seen issues where uh there were patient data where leaks because they were using a free version of a GPT to do patient letters. So they're importing patient names, addresses, and medical conditions to format letters and export that out. If you give folks the and the tools you want them to use and make it easy to use those tools, they won't go around you to figure out ways around that. I go back to my very early days where when you first had Exchange, and Exchange said you can now block file types when you send emails. And everyone's like, okay, cool, we're gonna do things like block zip files. It took less than 24 hours for people to go, okay, I can't send a zip file, but if I change it to .txt and just tell the person on the other end to change it back to .zip, I can now still send zip files. Humans are smart and they're lazy, and that's an incredibly dangerous combination of those two things because if I make something hard, they're going to find an easy way around that.
So the kind of the secret sauce of good cybersecurity is making them do the thing you want them to do and making that easy for them to do without breaking your security requirements around that.

SPEAKER_01

Yeah. No, it's interesting. There's a lot to it. That's what I think is so confusing for people that not that aren't like yourself and in it every day to fathom all the different aspects and things that go on in your world and things that you're doing to protect us and companies are doing to protect their products and all these things. It's just, it's truly mind-blowing to sit down and think about it and talk about it. Which leads me to like one more question. I've got just a couple more for you, Josh. Obviously, you teach as well. And I'm curious to know your thoughts on the next wave of cyber talent that's being trained up to, you know, help with whatever future issues that come about in this space. Do you feel like we're doing a good job getting them trained and ready for the next phase of issues? Or is that something we struggle with, like with the university system? Are we, are we, I had a professor on a couple weeks ago and he was like, you know, one of the things I struggle with is are what we are teaching students now, is it really applicable? Is it is this b worthless, or like are we actually giving them knowledge for the future to use? And so from a security standpoint, I couldn't, I guess that that's super important. And I'd be curious just to know your thoughts on the next generation of students who are learning this. Are we doing a good job preparing them?

SPEAKER_00

Um, I think there are some programs that are doing really great jobs. I think there are other programs that aren't. And I won't, you know, get into the ones that aren't, but you know, I can tell you that, you know, we have a community college here in Bossier Parish, Bossier Parish Community College, that is doing a fantastic job of getting folks into a program that's low cost, getting them legitimate hands-on education to get them kind of job ready in two years to actually do things in cybersecurity, but it's very focused on kind of critical thinking and legitimate tools that are current as of right now. There are other programs that focus, you know, largely on just churning through certification programs that you see a lot of what I call pump and dump, where they spend a week fire hosing the information into their brain, they take a test on Friday, and then Saturday, everything they learned over the last week is just dumped out and they're on to the next thing. So I think the programs that you see that are very, very successful are going to be the ones that are teaching critical thinking. Because it's not the tools are going to change, the technologies are going to change, the things I was doing, you know, almost 30 years ago when I started in cybersecurity. If I try to do them now, I would look at myself and go, You're completely insane. But the critical thinking of, okay, here's what I have available to me. What can I do is kind of that really critical piece to figuring out what's next. And cybersecurity is fortunate, I think, in that there's no one right way for someone to get into cybersecurity. You know, I find folks from other backgrounds are typically some of the best cybersecurity folks, ex-medical folks, whether they be folks like EMTs, I know a lot of pharmacists that are now cybersecurity professionals, nurses. I even know a couple of people who were PAs and doctors who switched to cybersecurity. And they have a great mind for triage.
You know, where do I stop the bleed? What's the most important thing for me to focus on right now? It's going to do the most net good. Folks who come from law enforcement backgrounds already have a very investigative mindset where they can go, okay, this happened. What are the next three things that had to happen for that to get to this point? You know, folks who are prior military are really great because they understand hierarchy and they understand structure. You know, folks who are coming from just absolutely wild backgrounds that seem completely unrelated make fantastic analysts, like marketing majors. I love folks who are marketing majors because when you look at the skill sets for social engineering and the skill sets for marketing, the Venn diagram is almost completely on top of each other because they're both about getting a person to do the thing that you want them to do.

SPEAKER_01

Yeah.

SPEAKER_00

From a marketing standpoint, it's typically get them to buy the product that you want them to buy. From a cybersecurity standpoint, it's getting the person to click the button you want them to click, or on the defender side, getting them to not click the button you don't want them to click. But it's the same skill set. It's the same things that you kind of the human psychology that makes that work. You know, I had an analyst that had a degree in 18th century French literature as their undergrad degree. And they were barned on one of the best analysts I've ever had because when you think about writing papers for 18th century French literature, you're doing deep dives into, you know, even the linguistics and making connections between this real world event that was going on at that time and this thing. And that's what an analyst is doing sitting in a SOC. They're looking at this one piece of information and connecting all these other pieces to build a total story. Yeah. So I think if you get folks who can actually have good critical thinking and step back and go, does this make sense? What's the part that's missing? That's going to be kind of the key. And you'll see that even with AI usage. You know, you have the folks who don't have the critical thinking and they'll take whatever, you know, Claude or ChatGPT or Gemini spits out as, you know, gospel. And that's how you get the lawyer who got popped for not checking his references on his work product. And then you have the folks who go, okay, these parts make sense, these parts don't. And they'll dig in and and kind of leverage AI to be the helping tool that it should be rather than be the replacement that a lot of folks are looking for it to be. And that requires that critical thinking piece. So as long as we're still building folks that have legitimate critical thinking and allow them to use the tools that are out there. So, like in my classrooms, I do not ban the use of AI.
I just say use AI ethically, you know, cite that you used it, you know, help me understand what your prompts were that you used it. And did you check it? Are the sources that it's telling you, are they legitimate sources? Do they actually exist? Are they related to the thing you're even talking about? And when you start building those kind of questions in your students' minds, you get the right outcomes, regardless of the tool set that they're using. Yeah.

SPEAKER_01

I'm so glad you brought that up because I'm sitting here, we were talking a little bit before uh we pushed record uh about my company where we do we help create student-led SOC programs at a lot of universities down in Louisiana. And it took me back to ri to learning how we were vetting students, and it was a critically thinking exam because obviously you can't get if it's a 24-7 SOC, students who are just doing technology, there's not enough of them. Their classes are the same, so they can't work different shifts. So we had to figure out a way how to get students interested who were English majors or doing other things to come over and be a part of the SOC. Number one, it was uh to get them interested to maybe switch and go the security route. Number two, it was to find people who could work different shifts than the people who may be interested, you know, from one class. But the critically thinking and test, I I remember some of our leaders talking about some of the highest scores they got were people from marketing or English and different things. And it was just the way they thought. And they I remember them talking about how good that was and just how like excited they were because this student had a way of thinking that would match up extremely well for what they needed, you know, in this space. So I'm so I'm really glad you brought that up because it was triggering me thinking about how we approach it the same way. Uh so it sounds like we're on the same page as critically thinking is the way you gotta vet and go about training these future people in the space.

SPEAKER_00

Yeah. One of the critical things in cybersecurity is diversity, not for the sake of diversity, but because diversity is critical to defense. You know, if I hire, and this is what typically occurs, you know, I'm ex-military, came with a traditional undergrad graduate degree with all the typical certifications, with the TS/SCI background. Typically, what you'll see is people will hire people who essentially on paper look like them. They're going to hire ex-military with the appropriate college education. And that sounds good on paper because it's like, well, if I'm successful, people who are like me should be successful. But in cybersecurity, that is absolutely the worst thing you can do because our threat actors are everybody from someone who grew up like me to a 14-year-old kid in their mom's basement in Russia and everything in between. So I need people from different backgrounds from different thought perspectives to all look at the same problem from different angles. Because ultimately, if everyone's like me, where they're ex-military with a traditional undergrad degree and certification, we're probably gonna look at that problem the same way.

SPEAKER_01

Yeah.

SPEAKER_00

Because we were trained the same way. And that creates massive blind spots where these bad actors will exploit that, knowing that you know, tend to hire similar. And you can kind of see that in LinkedIn posts and you know, job hiring of what they're looking for from a threat actor perspective. I look at job post as kind of the my God, I can't believe you're doing that, where they say we're hiring a SOC analyst and we want someone who has specific experience with Palo Alto, firewalls, Splunk service, CrowdStrike EDR. Like, okay, you've just listed your entire tech stack for a bad actor to know how to exploit your environment. Like you're handing them, if not the keys of the kingdom, a map to the kingdom with, you know, exactly where the locks are, and they just have to wait for the right time when that zero day pops for, you know, Palo Alto, or you know, there's something that's not been developed for Splunk, or you know, you have the CrowdStrike 2.0 incident where it takes everything down. And now I know, well, here's a hundred companies I can actively exploit right now because all their security stack is down. So that's kind of those weird things where it's not necessarily about the tools, it's about the talent behind those tools and how they view things and how you can get all these different perspectives and different backgrounds so you get a better 360 degree of what your problem is rather than, you know, just my view and the people who are similar to me.

SPEAKER_01

Yeah. No, that's good stuff, Josh. Um, well, I got I got one last question for you, man. This has been awesome, and I appreciate your insight because I, again, even working with a company who does similar things, I'm not in it day-to-day, and this stuff just goes over my head, and I'm constantly learning and trying to dig in and just figure more out of bad. So it's so interesting to me. And I know a lot of people that are friends of mine or colleagues that watch and listen to this too, like they're way smarter than me. I think they're gonna really appreciate this conversation and me having it. But last question for you, Josh, and more just around your book. You know, when people read your book, what, if nothing else, what is the one thing you hope they take away from it? Um, because I know you're trying to put a lot out there in your message, but if there's just one thing you hope someone takes away from it, what is that?

SPEAKER_00

I think the big thing is just understand that cybersecurity is a place for everyone. You just have to be able to stand back and think differently than what the crowd is. Cybersecurity has a huge issue with imposter syndrome. I have it every day. You know, I'm like, why am I teaching students? Why am I standing on a stage at, you know, RSAC? Like, I'm just the guy who rants at the internet type thing. So if I have that, I know tons of other people have it. So there's a place for you. Look for ways that you can move the needle. Even if you move the needle a micrometer every day, that adds up over time.

SPEAKER_01

Love that, man. Love that. Well, man, thank you. Thank you so much again for coming on here and just sharing your knowledge and insight. And we've got your book on the Books for Guys website. So anybody who's interested can go find it. And we'll make sure we add links to where they can find you and follow you on LinkedIn and all these others. And man, keep doing the good work. I there's nothing imposter about it. You're one of the smart ones out there and have the right approach. And so, but thanks again, Josh. Really appreciate it.

SPEAKER_00

Yeah, thanks for having me, Chris. I appreciate it.