Mind the Skills Gap

Tales of Cyber Security #2 - How to build a cyber security team and why you should do it

March 19, 2020 Stellar Labs Season 1 Episode 4

How to build a cyber security team and why you should do it?
Matthijs Nelissen is a cyber security expert through and through having specialized for more than 15 years.  He’s co-owner and senior security consultant at Cyber4Z, who are experts in the field of strategic and tactical design of cyber security, IT, Privacy and Blockchain technology. Matthijs’s strengths in communication mean he’s one of our Knowledge Partners leading some of our Cyber Security specialist programmes.  Matthijs is clear about the core values he applies towards his customers: hard work, open communication and fun.  We can definitely see all of those in action. 

Intro:

Welcome to the Stellar Labs podcast. Future learning today. At Stellar Labs, our mission is to bust the technology skills crunch with effective, measurable, engaging training. We consult on, design and deliver the technical and people skills and competencies you need in business. In these podcasts you'll hear from industry experts and practitioners from the worlds of technology and training. They'll share their experience, insights and inspiration and their visions for the future with you. Keep listening to start your future learning here today.

Hello. Welcome back to the Stellar Labs podcast. I'm Stella Collins and today I have the amazing Matthijs Nelissen with me. Matthijs is co-owner of Cyber4Z, a company who specializes in consultancy in the cyber security world. Matthijs and his team are also knowledge partners for us at Stellar Labs and we have learned a lot from them. Welcome Matthijs. Great to have you on the show. Thank you. So [inaudible] um, you obviously are a company, you have cybersecurity specialists on board. You're cybersecurity experts yourself. Yes. How, how did you go about building a team of cyber security specialists?

Speaker 2:

Most of our employees actually are from our own network, so we know them. Um, they didn't apply at us, but they, uh, we know them from previous assignments or previous customers or previous employers. Um, we have, um, a majority of our people are actually, uh, senior, uh, specialists. Uh, so they already have a lot of experience, uh, in the cybersecurity, which ranges from a non-technical side, uh, like, um, um, uh, ISO certifications to a technical side. And obviously the, this applies to the whole IT, uh, world, but also to cybersecurity. It's a very evolving world, so you really have to make sure that people aren't knowledgeable but are also able to maintain this. So you can build a good cybersecurity team. You have to educate them well. Uh, you have to make sure that you get the right work experience, uh, and you have to make sure that they stay up to date.

Speaker 1:

Okay. And I guess that is a constant challenge and staying up to date because the, uh, the, the goodies and the baddies are out there together sort of battling one, one of them coming up with a good idea that the other one immediately thinks, right. We can, we can defeat that.

Speaker 2:

Yeah. Cybersecurity is always an arms race and so a, a new vulnerabilities are found. They are not yet solved. Uh, they can be misused by attackers obviously when they are found, let's say the defenders, uh, try to, um, uh, apply patches or do remediation. Yeah. And then they try to find the next vulnerability. So, um, yeah, it's a constant, a cat and mouse. I would, uh, I would say for you in trying to train up cybersecurity specialists, I mean, what have you, what have you done in the past? Um, if you look at the, uh, the demands from our customers, there are certifications and trainings that are in high demand, uh, and that a cyber security specialist should have, uh, on his resume. So it's, it's getting DOE cert certificates, getting that training. Um, and, and obviously work experience is really important. So whenever we have a more junior consultants, yeah, we, we, we let him tag along with a more senior consultant so he gets a the right work experience. And this also applies for penetration testing. You always need to have a senior penetration tester that knows, um, uh, the test well knows the systems very well, but not all of the tests are so in depth. So there are tests that you can, um, yeah, have a more junior tester do so he can get the experience, um, and work with the senior and then gradually take over the role and do pass a penetration test, uh, him, him or herself. Yeah. I'm glad you said on herself. I think a, um, applies to, uh, many IT areas, but cyber security is a, it's not a man's world, but the, the percentage of men are, uh, are, are far higher than, uh, than women. Yeah. Yeah. My, my daughter works in cybersecurity and in the PR area, but she's, she knows a lot of people in cybersecurity. And one of the things they've started as a, uh, Ladies of London Hacking Society. Yeah. Very good. So trying to encourage more women into, into the field because it's a, yeah, it's a really good market and there are a lot of assignments.
There are a lot of, uh, if you look at the news every day there is an article or news about something happening. Either it's a ransomware or it's a data leakage or, um, and so we're, we're really, yeah, there's a lot of things we still need to do to, to, to even get the basics right. And so there's a lot of work and, um, uh, we're already very fortunate to have two women on board, but, uh, yeah, I think the more the, the more the better and they bring something else to the table. Definitely. Yeah. Good. So obviously, clearly the, um, the, the working on the job part of it is, is really important. And one of the things we're working with you as, as our knowledge partners at Stellar Labs to build a cybersecurity program. Yeah. What do you believe is different about what we're doing at Stellar Labs compared to perhaps some of the more standard programs? So I think you kind of converted me, uh, into a, the way we deliver the course. So I think the big selling point is, is not, um, the content is good, but you can also find that in other certifications. It's the delivery method that really differentiates this one from, from others. I've done a lot of cyber security training. Um, there is a lot of trainings with a, a big PowerPoint slide deck and a trainer that is knowledgeable and if you're lucky, he can deliver very well. If you're not lucky, you will have very boring training on a very interesting subject, which is a shame and it doesn't stick. So, um, I think what's really, uh, will help is the delivery method. The way we set up the course here. So you do preparation, you do workshop, you have, uh, tasks afterwards. You have repetition built in. You have, uh, for myself, I'm not a big reader, so I can't remember stuff if I read it, but I do remember it if I watch videos or if I do it myself.
So if you combined it, the different ways of learning into your, uh, your workshops and your cybersecurity program, I think that really helps people to remember it better than, than traditional training.

Speaker 1:

Yeah. And that's one of the things we're trying to do, isn't it built in many different ways for people to access the knowledge, but also really importantly for them to have in the labs as we're calling them rather than workshops now. Um, it's to have the, um, to have the experience with, you know, uh, as you were talking about with the, the, the, your junior people, you know, somebody who's sort of sitting alongside with the sitting alongside with, and then that actually going to have a practice in, in the real workplace.

Speaker 2:

I think there's a lot of knowledge available. And so if you would research yourself or you're interested in a subject, um, you don't have to spend money on a training but it will not stick as well and you will not answer. We really pre preserved the internet, gathered all the important stuff and, and, and put that in the training. And, um, I know there are also like, if you're more interested in a certain topic, we have additional, uh, resources for you to look to look for. There's a lot of stuff you can research yourself that we will help you with. And I think if I would like research something instead of reading something, uh, yeah, I would remember it far better. Yeah,

Speaker 1:

absolutely. Yeah. Yeah, yeah. We know that. We know that getting people to explore knowledge for themselves is much better than having it thrown at them. And it kind of, you know, just slides off. Yes. So for you, as you are one of the trainers on this program, Matthijs, what's the difference for you as a trainer? I think,

Speaker 2:

um, it's, it's less broadcasting, let's put it like this. And so I, I'm not talking all the time. I set up and I facilitate every participant to, um, yeah, to maximize their learning experience. But it doesn't have to be always me. And so if I look at the exercises that we already, uh, that we already made, we obviously prepare everything and we test everything. But, uh, the, there's a lot of research and a lot of, uh, things that the participants can do themselves during the labs. Um, which is different from me just delivering a talk or a training by, by only broadcasting. Um, I also think it will be a lot more fun if I look at the material that we're getting and the type of exercises that we're, uh, we're building in that it's, it's really a lot more fun than a, than a traditional training. So, and it also applies for trainer. So, uh, so that, I'm really excited to see how that works out actually.

Speaker 1:

Yeah. Yeah. And I think definitely if, if your trainer's motivated, then it's, it's one thing along the road to making everybody else motivate. And I totally agree with you when you say that, um, you know, sometimes they, some training has taken what is, you know, essentially a really interesting topic and then turned into something boring. That's, for me, that's always been important that there is no such thing as a boring topic that's just boring training. So just going back to that development of a cybersecurity team, again, you've talked about the importance of upskilling them, the importance of having them work within the actual real world. And I guess a lot of that is, you know, once you need a mentor to help you through it, a lot of it is going to be self directed, isn't it?

Speaker 2:

Uh, yes. And, um, I think one of the other really important things is that, uh, that cybersecurity is never a responsibility or a something that only deserves the security team does. And because it's the, it's the actual, the whole company that, that, that, that can be vulnerable. Um, so it's very good to have a cybersecurity team with, with a good knowledge that can actually help in, uh, transferring this to other employees. Um, if you look at, for example, recent ransomware is a lot in the news, uh, if you look how that starts, it starts with a phishing email and it can be sent to everybody. It doesn't have to be a cyber security, uh, employee that it's a, that it starts with an I, I would say that they are more aware than others. But in the end, your cybersecurity team has to work together with all other departments to make sure that the company stays safe, that the data is not breached or when it's breached, that it's resolved or analyzed in a, in a timely manner. So, um, having those like knowledge champions within your team that can also help transferring that knowledge to the, to the organization, I think that's very important when you build it.

Speaker 1:

So effectively, if you're recruiting for a cybersecurity team, you're not looking for, you know, sort of the hacker in his bedroom with a hood over his head. You're looking for somebody who can go out, communicate, share what they're doing.

Speaker 2:

If, if I as a consultancy company, your, you're hired because you have a certain knowledge. Um, but it's, it's not valuable for a customer if you can transfer it. And so, uh, you need to have some communication skills. You need to have a, you need to be able, if you're a pen tester, it's really good if you're technical, very good, but you always need to report your findings and you need to be able to explain to somebody does, doesn't understand pen testing. Uh, you have to explain the results. Um, so it's one of the things that, that we obviously included in the, in the training. Um, of course there's a lot of technical stuff. You have to know your, uh, uh, the way you pen test, but you have to be able to write a report that you have to be able to present the findings to somebody that doesn't understand the technical details.

Speaker 1:

You're looking for well rounded people.

Speaker 2:

Yes, yes. That's, um, an already, uh, scarce market. That's an even

Speaker 1:

rarer quality. So have you got one last tip for anyone who, who's looking to set up a cybersecurity team, how they might perhaps go out to find these rare, rare and special creatures?

Speaker 2:

Uh, if I look for people myself, I, I find the communication skills is something that you, you can develop, uh, but not as much as your technical or security skills. So I can learn somebody and teach somebody security, but already having personal skills, um, is really important. Mindset is the other thing. Um, I think as a security team we're often too, let's say isolated. So we really have to reach out to in the organization to make sure that everybody participates and everybody is aware of security. So having that communication skills is really important.

Speaker 1:

Okay. So it's been as always [inaudible] cause your communication skills are great. It's always lovely to talk to you and I always learn something new from you, so thank you so much for contributing and uh, I should see you again soon. We'll see each other soon. Bye. Bye. Bye. Thank you for listening to today's podcast. Please share it with your friends and colleagues and visit our website, stellar labs.edu to learn more about what we do and how we do it. Tune into the next episode.