Sep 29, 2024
Episode Description
In this conversation, Adi interviews Jose Alvarado, the Director of Information Security at Stagg's Payment, about his journey in the field of cybersecurity. Jose shares how his interest in IT and networking led him to specialize in cybersecurity. They discuss the difference between IT and security roles, the importance of collaboration and communication in the security field, and the challenges of creating a security-focused culture within an organization. Jose also shares his experience dealing with a serious incident involving ransomware and emphasizes the need for organizations to assess and validate their security measures. The conversation with Jose focused on the challenges and priorities in cybersecurity, the importance of effective communication, the issue of burnout in the industry, and advice for those starting out in cybersecurity. Jose emphasized the need for organizations to ensure they are actually implementing the security measures they claim to have in place. He also discussed the challenge of balancing technical expertise with business understanding and the importance of concise and effective communication. Jose highlighted the issue of burnout in the tech industry and emphasized the need for leaders to be aware of their team's workload and mental well-being. He advised those starting out in cybersecurity to prioritize gaining experience and knowledge, rather than focusing on money, and to seek out opportunities that provide a wide range of experiences. Jose also discussed the evolution of cybersecurity as a separate field and the satisfaction he finds in completing projects and seeing the results of his team's efforts.
Adi: Hi everyone, and welcome to the Hands-On CISO podcast. My name is Adi, and today we'll be talking to Jose Alvarado, if I'm pronouncing that right. Jose is currently the Director of Information Security at Stagg's Payment, after being in IT for over a decade. Today we'll talk about the changing field of cybersecurity and about Jose's journey. How are you today?

Jose: Oh, I'm fantastic. Thank you, thank you for having me.

Adi: Of course. So I'm really excited for this conversation. I think, especially in your case, you have an exceptionally interesting story of how you got started. So, tell us.

Jose: So, really way back, in high school, I think my journey really started there. I didn't really do well in the public schools and things like that; never really enjoyed K-12. Getting out of there, I worked at a warehouse for about five years, and during that time I just didn't like carrying boxes, so I started looking at schools, and what would take me, who would take me, and what type of journey that would be. I found they had software and web development, and then they had networking, which at the time I had no idea what it was. I didn't want to do web development because at the time I hated math and wanted to avoid it. So he told me subnetting is the only math you need. I didn't know what that was at the time, so I was like, okay, let's just do it. So I took a dive in there, and their curriculum was really focused on Cisco. I got introduced to Cisco routing and switching, and really my journey started there. I started learning how the internet really communicates; that's really what the basis of that degree was, and then specifically getting the training on Cisco technologies.

When I graduated with my associate's degree, I left there and I took the first job that would take me: a really small MSP, managed service provider. They had like five customers, and it was a terrible work experience, but it was awesome because I was able to finally work on computers. I jumped into firewall troubleshooting, DHCP, Active Directory; I was just kind of immediately thrown into that space. I was hired as a help desk technician, and then immediately they were encouraging me to go on site because I was really good at critical thinking. Now I know what it was: it's critical thinking, troubleshooting, point A to point B, how is it communicating and what the problem is between the two locations, so either it's internet or an internal file server, etc. I worked on all that stuff, and that's pretty much how I got there.

Adi: That's a good quick summary. So now you're doing a job that's really based in security, and before that you were doing more IT, so security was sort of baked into it, but it wasn't your main focus. How do you see the difference?

Jose: Yeah. So when my title really started becoming "in security," things started changing. I started getting more into the business side, and I didn't really realize I was in security until later in my career. Firewalls, for me... I didn't know the difference between a router and a firewall. I thought they were just... I was really green. It's funny to say it now, but I was really green. I thought that a firewall is a router and the router is a firewall, which has security features in it, and more enhanced features are different ranges of firewalls. So I started working on... my first network was SonicWall firewalls, and some... I don't even think it was Cisco, because I think there were just Netgear switches. In that space, while I was kind of working my way up, at every organization I started at, I deployed an email spam filter, I deployed phishing training, phishing campaigns, I deployed endpoint protection, malware protection, image backups, file-level backups, encrypting the backups, all these things that really are in the security space now in 2024, but back in 2013 they were all just bundled together. It's like everything: do you want more security or less security? But there wasn't a "you only work on computers, but you don't harden endpoints." It was always part of it. I had a checklist or procedures list where, when I deploy a computer, make sure that my protections are on, encryption's on, etc. And those were security requirements that weren't done by a director of security; they were done by an IT manager.

Adi: Amazing. What does your day-to-day look like
currently?

Jose: So currently my day-to-day is a team meeting every day with the security team. Then really it's just diving into tickets, and the tickets for myself are really project based. These are projects, because I'm really focused on compliance right now in my current role, so I dive into reviewing projects that impact compliance, whether it's enhancing security or changing a security control, or my projects for changing up policies, updating them, etc. That's pretty much it, and then of course the numerous meetings that we have, which is pretty common in the security space. My meetings have skyrocketed, definitely, when it comes to really focusing on the security side, because consequently you're now in the business end, and from a security perspective you're impacting more departments at different levels. In the IT space, it's between one service or application or system or the other, but there isn't a lot of dealing with a lot of different department heads, because it isn't like a global policy. You update one application, and it's likely to affect one or two departments in their workflows, but in security it's impacting everyone, and in most cases it's for a compliance reason or a legal reason, so everyone starts getting involved, you have numerous meetings, etc. So that's pretty much it, I think: team meeting, communication-heavy meetings, and then tickets, which is just keeping track of my projects.

Adi: Amazing. Could you dive a bit deeper into how business plays into security and vice versa?

Jose: Yeah. So when I was first brought into security, I wasn't expecting to be included in the business side of things as much, or I didn't realize how much of an influence it was. In the IT space, the department heads drive the product or the solution for you. It's likely you already have sponsors when you're trying to upgrade something, because it's improving somebody's day, always. In security, that's not always the case. There are times where I have to go into a meeting or bring up a topic for numerous department heads and ask questions and then say, hey, we're no longer going to do this, and it's because of these reasons. You have to kind of figure out how to explain it without going too technical or anything like that, and really, the majority of the time you have to convince people. You don't really have sponsors; you have to acquire sponsors now. You have to get a lot of people to be on your side. In the IT space, you just... the accounting team wants new software for accounting, and you say, okay, cool, I'll put that together, and then they help you drive the product. In security, you've got to do all that.

Adi: Interesting. I didn't think about it like that. You're saying in IT you're always helping someone, someone specific, like someone is getting help, but in security you're helping security, so sometimes it's not
as convenient.

Jose: Yeah, yeah. And you have to get a lot of people on your side, and that's where the politics and business side comes into play. That's where you kind of see a lot of these people in the communities, cybersecurity communities, etc.; they get real upset: "They don't understand, we need to do this." And that's just because you're having trouble acquiring people to support your venture. A lot of the time you're being the advocate for the organization as a whole, not individual departments. Sales is trying to make sales because they're trying to get bonuses; marketing is trying to acquire more clients, so they'll send anything and everything you give them. If you share a document that's highly sensitive with marketing, they will display it if they think... they wouldn't care, if they think it'll get more customers, because their driver is getting customers, and sales is closing customers. So if, for example, we need PCI documentation to confirm that we're PCI compliant, a salesperson, marketing or business operations staff says, hey, our client's demanding this, we need to give them XYZ. And from a security perspective: hey, we don't want to disclose more information than we need. What exactly are they asking for? And that now is the communication: it's five or six emails back and forth. But from the business side they're like, just give me anything, and they'll go and look, try to find it, and leak out information. Then you get leakage, and they're just trying to capture the customer. That's an example of what you'll deal with on the security side. On the IT side, it's really, I'm fixing your stuff, or I'm improving something that you're already complaining is broken. That's it. The business will say, okay, we need to upgrade bandwidth because our Wi-Fi is terrible, and they're like, yeah, that's true, this is what we need, and you show them a $30,000 bill, and if you have enough department heads complaining about it, they will sign off on it. You do that with security: hey, we need MFA. No one's going to support you.

Adi: Wow, that's a really interesting change in mindset. Do you ever feel like you have to be the bad cop, like saying, we can't do this anymore, you can't do that?

Jose: So I don't think so, because I don't approach the conversation that way. It's, hey, I want to improve the way that we do this. I know that the way you're doing it now is extremely efficient, or you believe it's meeting our requirement. The problem is, I'm concerned about this, and I'm being asked to solve this particular risk. And instead of telling them, no, we're not doing it this way, let me understand their workflow and accommodate it. The majority of the time, when it's not motivated by outside parties, where politics come into play (I think politics come in like 5%, 10% of the time), the other percent of the time, usually people are open to understanding: hey, this is what I'm dealing with, and this is why I don't want you to change it. And if you're able to really concisely determine, these are the objectives, and we won't touch this other stuff, this is the only thing that's going to change, and you build enough trust, you don't feel like a bad cop. It looks like you're really collaborating. And it sounds very... I don't want to say it's like a generic thing to say, hey, be nice to them. Everyone's people, you know; they don't want you interrupting their day. If you are enforcing the law approach, everyone's going to push back and you're not going to make a lot of headway. You'll maybe knock out one or two projects a year. But if you get people around you and convinced that you're trying to enhance it while also increasing security, then they'll love you for it.

Adi: Perfect. How do you create a culture
where security is even a thought that exists?

Jose: That's a difficult one, because culture is built on... there are so many impacts on culture, depending on your organization. When you have a 500-person organization staff, it's significantly different to 50 people. But I boil it down to: you have to have policies, you have to have controls, you have to have sign-off, and you have to have consequences. And the policy is really just training every month, right? I worked at the warehouse for five years, and this is my thing: they were so big on safety, OSHA, etc. We go 300 days with no incidents (a crash, someone gets hurt), we get like Popeyes for a day, and everyone goes home early, etc. And they were really big on pushing that everyone is part of safety: you're safe, everyone is safe. All you've got to do is worry about yourself, and as long as you're safe and everyone does that, we're all safe. Same thing with security. If you really push that narrative, where you can individually impact whether we're going to be hit with a cyber attack that affects us for three, four weeks, or be part of an organization that has no incidents year after year, and you can continue to get bonuses because our organization will grow... And people don't really... I think it's difficult for end users to really understand that. For example, if I worked at a medical supply organization, I have a personal phone and they give you a work phone; they don't see the difference. The behavior you have here, they will mirror it here, unless there are consequences. So if you have a laptop at home, it's personal, and my behavior is there; at work, I will do the same. It's hard for people to really differentiate that you're at work, and with this technology you're now impacting the whole organization by your behavior. And not many organizations, like CEOs, etc., really push that narrative: that you may have a laptop at home, but when you bring it into our office and connect to our Wi-Fi, you need to now take dramatic differences in security. Don't open every email, don't sign up your work email for stuff, etc., don't respond to those phishing emails, phishing text messages, because now they know that it's a valid number. All these things are in... and the organization, from the top down, really needs to push that.

Adi: Do you think working for a fintech company is different than working in a company where the data is maybe a little less
sensitive?

Jose: Yes, because then you have more compliance. The more sensitive, the more global impact your data has, the more regulations are put onto it... really don't care about data leakage, but everyone cares about operations. So, hey, we don't care if they're stealing our data. Okay, do you care if they manipulate it? Like, no, we don't. No, no, we don't. Okay, well, for example, there's a cement organization here (I live in Las Vegas, and they're all over the place here), but in order to mix the right amount of concrete, a calculation is done by a system. If someone hacks that system, they can throw off the mix, and now hundreds of thousands of dollars of a mix could be down the drain. People don't really view that as a possibility. So data is always important, because the data is what is used to operate your business. Now, if your organization is really like pen and paper and very little data is transmitted, you really operate over your cell phone, it's like you provide a service, then it becomes like, hey, it's not important at all. But for organizations that have multiple staff and multiple departments communicating, it's likely that data integrity is the most important thing, and availability. We need to make sure everyone operates and the data isn't changed; we're confident that the data we're seeing is the real thing.

Adi: Wow, that's really interesting. So you're saying the thing is not really if someone sees the data; the biggest issue is someone changes it within the company.

Jose: Yeah. Confidence in technology is a very fragile thing. Something like network stability: as soon as you have a major outage, everyone's insecure. Are you sure it's going to work tomorrow? Are you sure? Like, dude, it's been working 99.9% of the time. We had one outage, and it was a big outage, but people... it's like, "Where's my remote?" And they're like, "Oh, are you sitting on the remote?" "No." "Stand up." That type of deal. Same thing with technology. You're seeing a piece of data and you're making decisions off of a spreadsheet. Yeah, Excel, actually, that's a good example. You have formulas in an Excel spreadsheet, somebody modifies that, and now, okay, well, our budget needs to be 50,000 for the year, but someone didn't do the formula correctly; it's really triple that. Your confidence in the Excel spreadsheet will severely diminish, because now you're not confident in the formula; there aren't enough checks and balances there. Imagine that's your whole data, all your data across multiple departments, and you're generating, I don't know, a hundred, $200,000 a month, and you're really relying on that data. It could be Word documents, Excel, whatever. And if it's wrong, then you're... I'm going to be dramatic here, but for smaller organizations it's pretty much bankruptcy. Big organizations, like MGM Grand here in Las Vegas, they got hacked. They were offline for about a week. They say a $100 million loss; I think it was more. But most organizations can't operate that way with their expenditures, etc.

Adi: Wow, that's interesting. Have you ever been part of an organization that had a
serious incident where you had to fix stuff while everything was on fire?

Jose: Yeah. I worked for an MSP and they had a customer... it was back when, was it... when they locked up the files, it was CryptoLocker. I forgot what the specific name was; it was a while ago. Pretty much, they locked up their data. It was an organization like you just mentioned, the same format, where the data isn't that important: we use a website that's somewhere else and we use a computer to really kind of deal with it, and there isn't a whole lot to it; we print, and it's not a big deal. They were out for about two weeks. The whole accounting... everyone, they couldn't do their operation and they couldn't make money. So I was there; I was one of the technicians who showed up, and I had to reimage all their computers. Some of them were very basic, I could just... and it was funny, I had a real small NAS off of a USB, and I shared it across like five or six computers, and I pulled the image from there and reimaged them off of a little small guy. So I got my money's worth off of that thing. But yeah, it took about two weeks to get them all back operational, and even then they were very hesitant, because at the time it was like, oh, we don't know if we got rid of everything, we don't know where it sourced from, we could accidentally open up another file. At that point they started putting all the security measures in place: anti-malware, encryption, backups, everything. So that was very... at the time, I didn't know how big of a deal it was, because I was at a very, I would say, low technical level. We have an incident, respond to it. Not from a business side, but like I said, now from a security perspective I understand how heavy business is. That was a major driver for them, where they didn't realize the data was important until someone started modifying it and locked them out of their own files. It's really important now.

Adi: Wow. Was that attack like ransomware, or what was happening there? Like, why did it happen?

Jose: I don't remember the details. I don't think... I don't think they wanted anything; I think it just locked it up. I don't remember. I wasn't at a position where I knew the details, but they weren't able to operate; their files were just locked up. It could have been ransomware, like, hey, send us crypto, but this was back in 2014, '15 for me. I don't remember the details. I remember it was just like I worked 15, 16 hour days, something like that, to try to image all their stations, and I really wasn't at a level of knowing what exactly the decision on it or the response was, did they communicate with the hackers or anything like that. I wasn't involved with that.

Adi: Interesting. Do you think it's common for companies to think they're more secure than they are?

Jose: Say it again?

Adi: Do you think that it's common that companies feel like they're more secure
than they actually are?

Jose: Yeah. So one of the things is... I think understanding, or coming up with a solution to confirm that what you are saying you're doing is what you actually are doing. I think there is definitely a term about this; I actually think it's a CISSP question. It's like confirming that the logs are actually occurring: are you actually ingesting the logs or alerts, or is there nothing really happening right now? And I think that isn't just a problem with systems themselves (hey, we're setting up a SIEM, we want to grab traffic; hey, we set up these controls, but we're not 100% sure that they're actually piping through the SIEM and triggering the SOAR, whatever actions you have). It's an actual business problem. For example, we have 15 users being onboarded onto various different technologies, and we have a role-based access control list, and that's how everyone's being batch onboarded, based off of that. And we write in policy, hey, it's happening every three months that it's reviewed. Is it really happening? Is there a control to confirm that what you're saying you're doing, you're actually doing? Or are you just adding people without having the proper scope of permissions? We have security, we have ACLs in place; are you monitoring to make sure that when ACLs are being adjusted or opened up or closed, there's an actual approval process? Because we say we're having it, but are we doing it? And then trusting your staff. Sometimes you have staff where they're not as detail oriented as you would like, but they have a detail-oriented role, and that comes back full circle, where you're short staffed, etc. Yeah, I think that's probably the biggest thing for me: one of the biggest fears, and really the concern, is, are you doing what we're saying we're doing, and how can we confirm that from a holistic cybersecurity program?

Adi: Interesting. What would you say is one of your biggest challenges right now?

Jose: Biggest challenges. So I think that... I think one of the
biggest challenges is definitely balancing. I think that's where the balancing between the technical and the business side is. You want to be technical enough to show that you are the person to make this recommendation. It's like a doctor: you want to be cold, really just give you the facts and tell you how to approach things, so that way you don't mix emotions into it. On the other hand, you want the business side, and understand the drivers, and really concisely communicate with a boardroom or executive leadership that this is why we need to do it, and it's something that we need to do with urgency. You can have a department full of admins, admin roles, and they're all sales staff. And then you're like, hey (this is a very small example), we need to communicate to the other department heads: hey, these sales staff impact these other four or five workflows that impact other departments; we need to start winding down the permissions. It's likely to affect your sales or your onboarding process; everybody loses their money. It's like, okay, but we can't continue what we're doing now, because if their accounts are compromised we lose all this data, or they can manipulate all this stuff. Communicating that in one email that's very concise and very simple and very business minded, that isn't leaning too technical, or "the principle of least privilege," "defense in layers," and all these slogans that the cybersecurity community communicates, which are really useless in my opinion. You have to keep it in one sentence, bullet points, otherwise you kind of lose the room. And so that's my biggest challenge: figuring out how to continuously adjust the way I communicate while still maintaining my technical mind, so I can develop an architecture or a program or a workflow.

Adi: How do you balance your attention between, on the one hand, communication with management and leadership, explaining your decisions, actually doing security and making the decisions, and education, like teaching people in the company what they should and shouldn't do, what a threat looks like?

Jose: That's a good question. I think, from balancing all these, like the control policies and all that, that's pretty much what you're asking: how do you balance between what's most priority and what isn't? I think you start off, and it kind of goes back to originally the four-step process: it always starts with policy; you have to have it somewhere written down. And I think the real question here is that you have all those pieces in place, you have policies, you have sign-off, you have all these things, and then you, as a person, how do you even handle all this work? You can't. The truth is, you can't. I think that's where my takes start becoming a little bit more controversial. I'm completely open to say that it is absolutely ridiculous for one person to do everything, or two or three people to do everything, at a staff of a thousand, a thousand-staffed organization. You can't. You can try to hire as many unicorns as you think, and they will probably pass your exams, your interview exams, but you have to prioritize. And at that point, not everyone's good at everything. I'm good at networking; some people are even better at networking than I am, there are probably tons of people who are. And then there are other areas that have nothing... there are just other areas. You can be a software developer really good at AWS but not good in Azure. What if your organization has two? You really want that person to do both? Okay, they do both, and then you want them to learn phishing campaigns, how to capture people, and then build policies. These are all different skill sets. So the truth is, you can't. I think you have to focus on what your organization needs. You want to be successful, you do the quick wins that the organization's really looking for. You have an organization that doesn't have documentation or policies (we have no policies and we're telling people what to do, but we have no ability to hold them accountable): dive into GRC. If you join an organization and they say, oh, we have policies, we have all this stuff, but, you know, we just don't know if we're getting all the logs we're supposed to, if we're actually getting alerts, because I don't see any of that happening, then you're a security engineer building out a SIEM and a SOAR. I think really picking where the organization needs you. They're hiring for something; they're interviewing you; it's likely they're going to mention the first pain points to see if you're the right fit. Don't get lost in too much stuff. Don't one day work on email phishing campaigns, and the next day work on policies, and the next day work on pen testing. This is a very... I guess I don't know how to say it, but it takes a lot out of your time just to learn concepts at a level that is very useful for an organization. Trying to do everything all at once, I think that leads to burnout.

Adi: Do you see a lot of burnout in the cybersecurity space?

Jose: Oh, say it again, you cut off a
little bit.

Adi: Do you see a lot of burnout in the cybersecurity space?

Jose: I see a lot of burnout in the tech space; I think that's more accurate. I think as some of these systems become extremely complex, you've got organizations with hundreds of thousands of software integrations, APIs, all these things, and you've got developers learning cloud and various different types of cloud, on-site infrastructure. So security, and then you've got security in mind, and God forbid you get hacked, and then, oh, we can't have this happen again. Okay, well, I need a budget. Oh, never mind. So I think that kind of circle, learn new technology, enhance it, with very little money being put in, pushes people kind of to... not really a breaking point, but just kind of, I'm tired of doing the wheel. I do this thing, it doesn't stop it; I put tape on it, it breaks again, put tape on it. So I think that's where I see a lot of it. It's across everything: software development, security, IT, everything.

Adi: Interesting. How have you been able to manage that, both for yourself and for your team?

Jose: So, how was that... So I actually read a whole lot of self-help books when I got into management. I read a bunch; well, I didn't read, I listened to them. ADHD, so headphones, just run them through. And during COVID, 2020, I listened to a bunch of them, and really, like, understand, remember your why. What you do every day is what you want to do; you have complete control over it. It's not always your fault, but it's your responsibility. If you're burnt out, it's likely because you're choosing to do the action that's causing you to be burnt out. If you are mentally exhausted, if you can't really fully think, even if it's one o'clock in the afternoon... I've had staff where I tell them, hey man, just clock out early. You make it up later; it's likely they already made it up a couple weeks prior because they worked on the Saturday, etc. But hey, just take off early, you're done. I've had staff where I had them cut off a half day because they worked a whole lot the weeks prior leading up to the completion of a project, and like, just take off your day. And they won't want to leave. They don't want to leave; they want to stay, they want to continue working. But I already know what's going to happen: you're not fully conscious of how tired you really are until a month or two later, and then everything happens all at once. We're people; not everyone's self-aware, not everyone has the same level of emotional intelligence, and as a leader I try to constantly have a thumb on the pulse of the staff: where they're at mentally, what are they doing, how much workload is being put on them. Because it's very easy to say, what is it, pen testing, vulnerability analysis, access administration, compliance and policies, and I want you to do all of that, and then not check in on them for a month, and then come back and say, hey, where's all this? And, oh, this is what I got. I'm like, this is all you have? And then you do it all over again. You do that for a year, they're going to be burnt out. I think it comes from leadership. I think it comes from understanding the work. Some people graduate from a real prestige college, they jump into a CISO or CTO role or CIO role, and they have no idea what it's like to actually do the work. To troubleshoot a network can take five minutes or hours, depending on what decision you make. And I think having them knowing how much workload it is, going down there and seeing, okay, like, pen to the paper, fingers to the keyboard, what is this, what does this look like to build this workflow. Communicating in a bullet point is easy, but understanding how many hours it takes to do something really puts things in perspective. Which is like the problem, where the managers don't know; they continue to drive the staff because drivers from the business are saying we need XYZ, and there's not a lot of feedback coming back, or, I don't understand why this is taking so long. So I think that's the main reason, and how you avoid it really is from management really understanding, getting managers in leadership. I think I read, in one of my college essays, Google tried to promote the most technical experts, most senior developers, as leaders, and they found that the ones
that were media OK developers uh were actually better leaders because they are
they had more different level different type of intelligence they had more emotional intelligence etc etc and then
the leaders that were really really good at The Logical stuff had more of a struggle to to get their team to
accomplish as much as the other team would uh just because they're more used to working individually um and not to
say if you're technical you won't be able to do it it's just you need to be more aware of like hey I can't approach
the problem of of getting my staff to not be burnt out the same way I would approach a problem in uh building a
software building a network or whatever right building a cloud infrastructurecan't approach them the same way wow that's really interesting do you
think do you think that's something that most Security leaders cesos directors
are aware of I think they're um that that's a tough questions I meanI I I don't think so uh some are in myopinion um it's really hard for people to be self-aware right it's really easy
to blame others that person just wasn't the right fit this person ah whatever um
you have to want to build a team right you can't you can't always hire and it'seasier it definitely is easier hiring having an endless budget and hiring a
bunch of self-driven Staff members and you could just give them you do vulnerability analysis you do access
Administration you do compliance you do governance you do risk you just kind of throw all the like individual tasks in
the cyber security program to one person and then it's all gets done but that's
not the real world right you have to build up staff right you can't you don't have quarter million dollars a hire um
one per like quarter million each person right they're not going to do that so you're gonna have to figure out how to
build staff and kind of build them up and build a culture a team culture that encourages you to learn get better do
high quality of work but also not feel like you're failing every day whichcauses burnout not not not an environment that doesn't encourage you
to lie to yourself others about how much experience you have just be honest and Forefront and it bring up to Forefront
and then we could provide a support system to help you get there that's itright uh is it radical cander and I don't think and yeah and I
don't think and I guess to answer your question directly I don't think I there's not many leaders that
really invest their time into doing that what would you say is the
a tip you have for someone who is starting out in cyber security and does want to find a place where that is the
sort of culture in somewhere that he can really grow inse security yeah uh so so they're trying to
get in U my advice would be invest in yourself in a hot take or not hot takecontroversal take in my opinion is don't worry about money uh for the first five
years just double down on I was once given advice uh by a previous CEO that I
were for he said um go to the place thatprovides the most experience for you don't worry about money um and I heldthat true for like five or six years I just I was like it sucks where like oh Iwant to get paid more money and you see all these YouTubers 150 18a year after two years and all this stuff um I've selected roles that werespecifically uh allowed me to work on a lot of technology and own a lot ofprojects uh and that's why I pass that on to everyone is that invest inyourself get go to the places that provide the most um education experience
Etc they allow you to touch more things because that's what's going to matter at the end of the day there in relating to
your career growth if you work at Microsoft and all you touch is like a QA
environment in a very small subsection yeah you're going to get all these job offers because you worked at Microsoft
right but when it comes to execution you're gonna fail in my opinion it is what I've seen actually on the field
people work from Intel Etc and I come in and they compare the two and it's just like oh well he worked from Intel or she
worked from Intel okay cool and then I get called about help hey can you help me sure like it's fine but you're going
to get you're not going to get as much reputation because Google and Microsoft you're gonna have to fight tooth and
nail just to get access to stuff but in smaller companies you get access to
everything right and so you you couple experience with education certifications
degrees whatever you like whatever you prefer whatever suits your thing really just hit the books and use that use
whatever it is you're learning especially the first five years CCNA you want to give your CCNA great grab that
go to a Cisco shop you're you are or any networking try to get into um Spectrum
or these small shops where they have multi-size data centers Etc uh if you'rea p if you want to go uh what was it uh offsec with pentesting ocp okay greatnow take any Ro that allow you to do offensive uh penetration testing or evenvulnerability management just like take anything you can and try to to get
projects appr get projects approved that relate to pentesting do a bunch of that
for five years and you will see opportunities
Amazing. What do you think looks different in cybersecurity now versus the way it was five years ago?

So cybersecurity specifically. So it became its own thing. I don't know what happened. I really don't know, like, how that happened. I mean, maybe, like, I have no idea, social media maybe, like LinkedIn, or it had to be a driver from the business side where organizations started, like, scratching them out. I think when legal got involved, right, compliances really started getting hit. You started seeing the governance side really ingesting more and more on their side with the risk, vulnerability management. All those things were becoming requirements, so now they're kind of branching out into their own entity. But when I started, and it wasn't too long ago, right, it's 10 years, 2013, it was just IT, and then security was a specialization. And you even saw it on certs, where, and even there's still now, certifications is just security specialization, right? AWS Security Specialist, right? CCNA had a security specialist role, CCNP network security specialist, security. And now I think they have their own dedicated security certificate. But back in the day it was just... I saw it as an enhancement. You want to do security, you want to do automation, you want to do cloud, but all fundamentals is IT. I think that's the big difference, is that they kind of split up and I don't necessarily agree with it. For example, the DoD, and someone's probably going to correct me, but when I was reading the NIST documentation, you see security administrator and a system administrator, and the security administrator really just hardens it. It could either check or harden the system. The IT keeps it up, uptime, provides access, etc., maintenance, all these other things. And there isn't like 1500 different roles, right? "I am senior, I am senior pentester, pentester." There isn't all these things, right, security architect. Like it's just like, dude, like, this isn't... like we're overcomplicating something, right? And I think that's a huge thing that's happened in the past 10 years for security.

Interesting. Okay, so we're just out of time. First of all, I have one more question, but before that, thank you so much. Like, I loved hearing your perspective, and I love how learning about leadership was so much of your journey, and it shows how you came from this background of "Do I even get into working with computers? I wish I could just fix a computer," to being a director of, like, security in a company. It's amazing. My last question would be, well, it has two parts: what is one thing that keeps you up as a security professional, versus what is one thing that gets you excited?

Yeah. So the thing that keeps me up at night is really, are we... it goes back to that question, right, where are we doing what we say we're going to do, or are we doing exactly what we said we are doing, right? Because legal comes into play, compliance, like legal, compliance, all these things come into play, and really confirming that on a quarterly, monthly basis is what keeps me up. And I'm like, "Please don't tell me that we're not doing that," and then I'm like, "Okay, thank God, okay, cool." And when I hear workflows, I'm like, "Oh, come on," and I ask a question like, "Please tell me, no, no, no, we're not doing that? Okay, cool, because we said we're not doing that." I don't want us to, like, be caught, right? Because, in no consequence, right, we communicate, talk, we can have all the meetings in the world, but if the right people aren't in the meetings that we think are the right people, and we don't get the right information, hey, like, we made a mistake, right? And I want to reduce that as much as possible, right? I think that's like the biggest concern for me. Right, are we getting logs? Are we getting logs because we're supposed to be getting them? Are we getting an alert? We didn't get an alert, so what's going on here, right? Those are all from across the board: workflows, logging, everything. What gets me excited? So really project... I'm really project-based work right now, and there's nothing more fulfilling than a one-year project or a six-month project coming to, like, conclusion. I work in compliance. I love seeing a beautiful signed PCI report, because it's really nerdy, but it's really a cultivation of a bunch of people getting involved to accomplish the compliance, whether it's gathering it from development, different individual business units regarding their workflow, data management, all these things come into play. Everyone's work throughout the year, whether it's like phishing campaigns, training, reading the handbook, as simple as it is, getting, confirming that, showing that we have historically done the thing, like harden the endpoints, all these things really just compiled into that report saying, "Hey, they're compliant, we're good," after being audited for three to six months, is super awesome. What gets me really excited as well is you've got a team of three or four and we're building a new workflow, "We need to start doing this because of whatever reason," and we start kind of piecing everything together, until all of a sudden we're doing it without being told, right, without them telling me something where I need to approve or make a change, or me telling them something that they need to do an action. It's just natural now, and that's super awesome. Sometimes it takes months, sometimes it's super simple, takes a couple days, but sometimes it takes a year to do, and it's super fulfilling.

Amazing. Thank you so much for your time.

Oh, thank you. Thank you for having me.