What does a young person, eager to get into cybersecurity, have to show or prove to land their first help desk, tech support role?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Geoff Belknap (@geoffbelknap), CISO, LinkedIn and our guest Bryan Zimmer (@bryanzimmer), head of security, Humu.

Got feedback? Join the conversation on LinkedIn.

Thanks to our podcast sponsor, Palo Alto Networks

In 1666, Sir Isaac Newton famously used a prism to disperse white light into colors. Today, cloud security professionals use Prisma Cloud from Palo Alto Networks to disperse full lifecycle security and full stack protection across their multi- and hybrid-cloud environments. We think Sir Isaac would approve. Learn more about Prisma Cloud at paloaltonetworks.com/Prisma/cloud.

Full Transcript

David Spark

What does a young person, eager to get into cybersecurity, have to show or prove to land their first help desk, tech support role in cybersecurity?

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. Joining me for this very episode is Geoff Belknap, the CISO of LinkedIn. Geoff, let’s hear the sound of that voice you have.

Geoff Belknap

Hey everybody, and thanks for coming.

David Spark

That’s the sound of Geoff’s voice, you’ll hear a lot more of it during the show. Our sponsor for today’s episode is Palo Alto Networks. We love having Palo Alto Networks coming back and sponsoring us again, so thank you very much, Palo Alto Networks for being a strong supporter of the CISO Series. Today’s conversation is a conversation that I see again and again on LinkedIn, Twitter, on Reddit in particular as well and what ensued from this conversation I was actually very sort of bullied by in terms of how the cybersecurity community responded. Andrew Milsap, a young and eager cybersecurity professional, is trying to get his first cybersecurity job. And he’s proven he wants the role because he’s got a number of security certifications and he’s got some developing experience on cloud platforms as well. He asked the LinkedIn community for their advice. And so, they really kind of came out. I mean, some really good, solid advice. I want you to set us up Geoff, give us your headline advice for others in Andrew’s position.

Geoff Belknap

I think two things. Two pieces of advice here. One, this is a great platform, LinkedIn, for doing exactly what Andrew did. Like, people will earnestly come out and give you advice. Most people. So where I think, usually I’m complaining about people that are being terrible in the community, this was a great moment where people came out and gave earnest advice. And then second, the thing that jumped out at me, being a LinkedIn guy, is that you, in applying for any job, you need to adapt your resume and how you’re presenting yourself for the job you want to get. And in this case, you really need to adapt your LinkedIn profile to reflect the kind of career that you want to have and the role that you want to achieve. If you’re starting new. If you’re pivoting your career. And I think that’s something Andrew’s really going to have to focus on.

David Spark

I agree. And to help us in this conversation and to actually go through much of the advice that was given in this LinkedIn thread, I have invited Bryan Zimmer, who’s the head of security at Humu. Bryan, thank you so much for joining us.

Bryan Zimmer

David, always a pleasure to hear your voice.

What’s going on?

00:02:34:17

David Spark

Eric Manning of Open Systems said, “Your resume is heavy on certs but has no actual IT experience.” Now this is speaking specifically to Andrew. He goes on to say, “That normally means you will expect a larger salary than is reasonable and you will break a ton of crap in for six months before you actually start helping the team.” And Dan Greenhouse of Local Government Federal Credit Union said, “If you applied to an entry level job at my company and I was the hiring manager, I would be very interested. However, I would also be very worried that my company would be spending a lot of time and money in training you in how to think like a good IT support technician, only to have you leave the moment you are offered another job.” So Geoff, both of these quotes say there’s stuff that’s impressive but there’s some slight red flags going on in here, that would scare me from hiring you. Do you agree?

Geoff Belknap

I’ll say what I mentioned at the top of the conversation here, which is, your resume really needs to reflect the kind of job you’re trying to get and I think it’s OK if you don’t have as much experience but you’ve invested in yourself and you’ve invested in this new career with, you’re learning and getting certs and trying to build that base understanding of what you do. I think that’s great. I don’t, that doesn’t scream to me that you’re going to request a large salary or anything like that. It does tell me if you’re a junior or an entry level talent, you’re probably going to break something. I hire senior engineers all the time, principal staff, distinguished engineers. These people break things too. In fact, I have broken or caused damage at almost every organization that I’ve worked for in the first six months. That has nothing to do with your skill level. Ah, maybe it does, maybe I should invest in myself a little more. But I think there is definitely a common trope of people worrying like Dan did, of how much they need to invest in someone to bring them to that minimal level of qualification. I’m personally of the thought that I think that’s OK. It’s OK for me to invest in you. I do think there is some minimal expectation if I’m going to put thousands and thousands of dollars into training in you, I would expect some amount of commitment that you’re going to hang out for some minimal amount of time. But it’s OK for you to leave. If I don’t invest in you, you’re definitely going to leave, but if I invest in you and you leave, that’s OK, I’m improving the quality of talent for everybody, not just for myself.

David Spark

What do you think, Bryan, about this? Everyone does want some level of investment. But a lot of them said, and I hear this again and again, the need for experience. And if you don’t have experience then the risk gets transferred to the company to build that experience for them. Do you think it’s a risky proposition in this case or no?

Bryan Zimmer

I think if it’s a good company and good culture, good mentorship, good managers, it’s not a risk. You have to set your expectations to the role. So I mean, in theory, if you’re at a good company, no one’s going to throw a junior person in and give them root access and just say, good luck. So there should be some guard rails, some training, some investment of time and money. You can’t just wish them good luck and come back to them after a week and hope they haven’t broken anything. Also, I see the comment about the person being worried that they’d leave after their training but if you’ve got a good company culture and a good mentor, a good team, they’re going to invest that time for both the money for the training, for the career growth, for building a team that they want to stay at and be part of. Because if they don’t then either that person’s going to be miserable and they’ll want to leave, or you’ll eventually want them to leave. So you have to make that team that they want to stick around at.

David Spark

Per what you were saying in your comment, Geoff, is it common to build a contract with an entry level position saying, “We will train you but you’re required to put in six months, nine months, a year,” I don’t know, because I’ve never heard that at an entry level. Does that ever happen?

Geoff Belknap

Yeah, I think and honestly before security, when I was in network engineering and architecture, there are a couple of places where I worked with, they would commit to investing in your training to get you CCIE which is a high level Cisco certification. And frequently what you’d have to do is commit to a year. You’d have to pay back the money or some rate of the money if you didn’t stay for a year after you received the training, something like that. Which I thought was very reasonable. However, that was a different time, that was certainly many moons ago. I have never considered investing in anybody and saying like, “Hey, I want a contract, I want you to commit to stay.” At the same time, I think if we just zoom out a little bit, we think about why people leave. People leave cultures. People leave leaders. People don’t leave, people aren’t taking jobs to get training and then bail for some other job that they know they have at the other end. So I think maybe that’s sort of an antiquated way to be evaluating whether somebody’s going to be a good addition to your organization or not.

This is not just a security issue.

00:07:25:00

David Spark

Mic Merrit, of MyByte said, “Sometimes it’s parts of the story that are missing.” This was a comment that was made often about Andrew’s profile. Mic goes on, “I do not see what you’ve done in any of the roles you have. There’s no quantifiable statements. Tell it clear, in an understandable story, reflecting what you will bring to your next role. What makes you different from every other candidate.” And one line that I’ve heard from a VC was, “What’s your unfair advantage?” I kind of like that line. I’m going to go on here with Tim Connell, of Pulsar Security. He said, “What skills do you have alongside your technical abilities that would be compelling to a company?” We’ve talked in the past about coming from different backgrounds and that creates a sort of marked diverse community. Tim goes on to say, “I got into cybersecurity because the company I wanted to join needed someone who understood the technology and also understood sales as well to help build the sales program. I leaned on my other skills to get the job. Think about that as a way to stand out against the other applicants.” So, I thought that was some pretty good advice, like, it’s not about just building certs. It’s about what are you going to bring unique to the table, yes, Bryan?

Bryan Zimmer

I agree. Although at the same time, it’s too early in certain people’s careers to start adding skills on their resume. It’s really hard to fill, I mean, I’m just putting myself back in these shoes, if you’re just getting into the industry, you don’t have the skills to throw on there. You can put in some stuff like, “I have this personality trait,” or “I did this volunteer work” which definitely helps. But I think hopefully hiring managers realize this and understand that they’re going to have to pull the personality skills out during the interview. So things that are much more important, like, curiosity, persistence, passion, taking initiative, taking ownership and just the general ability to teach yourself, which you could list in your resume, but no one’s really going to believe you until you actually sit down in the interview. And then as they talk about in the threads, there’s things you can do like get a lab going at home to start building up some of your technical skills hands on. You say, “Hey, I’m interested in this, let’s start the lab from scratch” and then document, here’s what I learned, here’s what I did. That shows your curiosity, your passion, you’re taking initiative, you’re teaching yourself and all the sort of stuff employers want. And I also looked on Andrew’s resume and I liked that he had a consulting business too, because then that’s taking it to the next level. He’s added those skills but then he’s also adding on business skills, customer interaction, risk management, influencing, all sorts of good stuff like that.

David Spark

I think that’s exactly right. Look, you, especially when you’re transitioning your career, and for me this really hits home because I’ve had other folks transition out of recruiting, which Mr Milsap is doing here. And I find recruiters sort of hit a couple of the key areas that I’m really interested in for a bunch of roles. One is recruiters are used to dealing with fine details and follow up and they’re usually strong communicators. Another is, recruiters are dealing with the space where there’s a lot of unknowns, right? They don’t always have the full picture. They’re talking to a candidate, they might not know whether they’re interested, they might not know exactly whether it’s going to be a fit. They’re trying a lot of different things on, they’re experimenting and they’re also natural learners. They’re learning about, what is this role? What are you hiring for? What does this organization need for somebody to be successful? So I think those are all really good things and I think those are things that you could pull out in your profile, or your resume. But your LinkedIn profile can highlight those things. The other side of it, is I think exactly what Bryan is saying. You could build a lab, and spoiler alert, you don’t need to buy stuff to build a lab. There’s plenty of things available online. They’re very inexpensive for you to tinker with and to learn things. And I think the point is there. It’s not a security issue. If you’re moving into any kind of tech role, you just have to highlight the things that would make you a good employee, alongside the thing that you’ve earned, like your Security Plus or whatever it is that’s going to highlight that you’ve started to learn the basic skills necessary to become a fully formed engineer.

Sponsor – Palo Alto Networks

00:11:26:04

Steve Prentice

Palo Alto Networks is an industry leader in network security, cloud threat intel and much more. Matt Chiodi, Chief Security Officer of Public Cloud tells me that as we collectively look towards the new post pandemic normal, he and his team continue to assess and issue warnings about the damage that the pandemic brought to cybersecurity. And it’s bigger than you might think.

Matt Chiodi

In the latter part of 2020, we started to notice that there was a great increase in cloud security incidents. And it really started us thinking about the fact that COVID-19 has impacted everybody in different ways and a lot has been talked about in terms of obviously, the physical and the psychological impacts but no one had studied the security impact. And so our cloud threat research team, what we did is we analyzed what changed pre- and post- COVID-19 discovery from a cloud security perspective. And what we found was that cloud security incidents nearly tripled in the second quarter of 2020. Increasing by 188 percent. So just a massive change and I think any time you have this big of a disruption in how a workforce gets things done, it’s almost always bound to lead to these types of negative consequences from a security perspective.

Steve Prentice

For more information, visit PaloAltoNetworks.com.

If you looked at the problem this way…

00:13:03:22

David Spark

Dan Greenhaus of Local Government Federal Credit Union said, “You know your end goal. Now work your way backwards. You need the job more than the job needs you because you don’t have the experience yet. So you will need to jump through the hoops needed to get a job to get you the experience to move you towards the industry you want to be in.” And Yana Fayer said, “Do a LinkedIn filtered search. Look up people with the same degree and same certifications with the job that you want. Any gaps in certification when you compare yourself will be there.” I really like this sort of reverse look up way of re-engineering your career. Bryan, have you ever done anything like this? And what would you be able to see if you did something like this?

Bryan Zimmer

I’d see I have a very long way to go. Yes, it’s definitely helpful, I do this especially when updating my resume or when I’m trying to figure out where I want to focus my career on. One thing that we did touch on here, I think that’s a good point to bring up is that I find it typically easier to change careers within a company. So say, moving laterally into security, say from IT or something like that. Rather than trying to jump into a new company with no experience. So I would say if your company has a security team, talk to them, get to know them, go have lunch with them. Definitely go to conferences with them, ask them for tips, volunteer to help. Maybe have them walk you through their latest project, so you can ask questions, things like that, learn along the way. They’ll either think you’re a spy or they’ll soon realize they’ve got someone like a potential new team member on their hands.

Geoff Belknap

To both of those, one, if you join a rather large company, and not like this is easy but if you’re lucky enough to join a rather large company like Microsoft or LinkedIn, it is much easier to transition because then you’re a known quantity to folks, but I also think if you get to know people that are doing the role, you can sort of get to understand what skill sets they have. They also will help make you inroads into the network of people that you need to know that are hiring for those roles. There are other people that have those roles and can tell you what are the skill sets that aren’t on the job description that would be helpful for you to have that aren’t necessarily certifications. The other thing I’ll mention is, honestly I do this. If I’m looking at hiring somebody or I’m looking at opening a role, a lot of times I’ll look at other job recs that are out there and see what they’re listing and see how I think about that person. So I think it goes a bunch of different ways. But I also just want to recenter this. When you’re starting, certifications are helpful to demonstrate that you have the basic skills necessary to grow into that job. But I would also stress, do not over invest in certifications. You have to be the person that people want to hire and the certifications just show that you have the minimal technical skill set. You still have to be a strong communicator, you still have to be a strong relationship builder, you still have to be somebody that is curious and a learner and somebody that can work on a team. And those things, there is no certification to demonstrate that. So, also I would say let me invest in your certification. If those are important to me as an employer, for whatever reason, I’ll pay for those. Don’t spend thousands and thousands of dollars, thinking that’s what it’s going to take to get the job.
Because honestly, if somebody’s hiring you only for your certifications, you probably don’t want to work there anyway, that’s probably a factory floor type job. And you want something that’s probably a little more creative.

David Spark

It’s interesting you say that and ironically, the episode that airs after this episode is going to be titled “The Value of Certification” so we’re going to go into that topic in great detail. But what’s interesting is, I constantly see young people saying, “What certification should I get?” You see that constantly. And then what you’re seeing from the more seasoned professionals, “Ah, don’t worry about it. There’s no one specific one, you don’t need it.” But at the same time, many of the professionals saying that have a CISSP. It’s weird. It’s kind of easy to say, “You don’t need one” when you’ve got one.

Geoff Belknap

Oh no, I think, let me be clear. I think a certification, especially if you’re transitioning careers. If you’re just starting out, a certification of some kind is really helpful. Because that is a way that you can signal that you’ve been able to teach yourself the basic skills that you need to learn the job. And I really mean that. A certification will not teach you the job. The certification is just helping you gain the basic, fundamental skills you need. You’re going to learn how to do the job on the job for the most part.

David Spark

And we heard, that a lot, by the way, a lot.

Geoff Belknap

Yeah, exactly. And I’m curious Bryan, whether you find this to be true, but there is definitely a point of diminishing returns where if you’re going to invest $20,000 in certifications, I don’t think that’s going to give you as much of an edge, it costs a couple of hundred bucks to get the Security Plus. I think that doesn’t make you 10 times more competitive for a job whether you have $20,000 worth of boot camp or that you’ve bought a book and took a Security Plus certification.

Bryan Zimmer

Yeah, I totally agree. One or two base certs just to get that experience and get that on your resume, show that you’re in the field and learning that stuff. But yeah, after a couple of certs, you don’t need to go overboard. Also, people that are earlier in their careers, maybe they don’t have a ton of free cash and don’t want to go into a ton of debt to get certs that you don’t need and aren’t going to provide a ton of value.

Geoff Belknap

Yeah, I think that’s really important. Don’t go around thinking that one cert versus another is going to get you the job. Don’t waste all your money trying to get into this space.

What aspects haven’t been considered?

00:18:33:15

David Spark

Anna Cotta of Identity Access Management says, “Network and get to know others. Many times, jobs are never posted, especially the entry level ones. Volunteer to build connections.” And Joshua Thomas of AWS said, “Do a hobby project on the side.” To echo what the two of you have said and many others said in the thread, build a home lab. And then one of the other things that was mentioned was, “Become an expert on any one product out there.” There’s a lot of products that offer training on their software for free. And if you can say, I know this product backwards and forwards, that can be a great attractor. Bryan, I’ll throw this to you. What do you think of this advice and would you add to it as well?

Bryan Zimmer

I definitely agree with the networking portion. I mean, the majority of my jobs. I got my foot in the door thanks to someone I knew. I’m not the sharpest light bulb in the box, so….

David Spark

That’s why we invited you on.

David Spark

Because by the way, light bulbs are not sharp. The phrase is the brightest bulb in the box.

Geoff Belknap

Well, once we break you then, yeah.

David Spark

They’re usually round, actually, no sharp edges.

Bryan Zimmer

That was actually on purpose, I was combining the two, the not the sharpest tool in the shed and not the brightest light bulb.

David Spark

For some of our listeners who aren’t as bright to pick that up.

Geoff Belknap

Now I know the next LinkedIn thread we’re going to be talking about.

Bryan Zimmer

So, having them highlight my resume in that stack of resumes, or getting it seen even before the job’s announced or posted is really important. Also another pro tip, just be nice to people. One, because it’s good to be a good person in life. Two because karma will bite you, eventually. And three, because the industry is very, very small. And you never know who you’re going to run into again. I’ve always wanted to draw out all the connections between the people that have helped me and my career, just because I know it would be hilariously tangled. So just remember to get out from behind the keyboard and build that tangled mess that turns into a healthy career.

David Spark

Let me add to that, what you said is, even if you don’t know anyone right now, you could start being a connector on day one. And people love connectors and they have very warm feelings. So if you go out of your way not just to network people, but to try to connect other people, that will come back to you as well. Geoff, advice you would add to this list?

Geoff Belknap

Oh boy. I, I don’t know if I would add anything here, I think just like Bryan, I would in a short answer, get to know people. Get to meet people. Now, I fully recognize that right now, that is really difficult to do and I’ll share that before this conversation, the three of us were talking about whether we’d go to a conference this year and what we might do. And I recognize those opportunities are few and far between right now. But there’s always ways to do that on LinkedIn, on Twitter and different places. And eventually there will be opportunities to get to meet people in person again. Regionally pending requirements. So look for those opportunities. There are conversations to be had on Clubhouse, there are conversations to be had on Twitter. There are conversations to be had on LinkedIn. Look for those opportunities to engage and like Bryan said, just don’t be a jerk. Be somebody who’s open to advice. Be somebody who’s open to connecting with people. And you will find other people that are interested in teaching you what they know, or helping you along the path. Focus on those people. Don’t focus on burning money. Just focus on building good will. And I think that goes a long way. Especially because most people can get a good set of skills that can do the job, but most people want to work with someone that is good to work with, that’s fun to work with. That’s engaging and supportive of the team. And once they get to know you, they get a real idea whether you’d be somebody they want to work with. I think that really makes a big difference. That’s the thing that will stand out above all else if you have the opportunity to build a personal connection. The other thing I’ll say is, do a hobby project on the side, that is great advice. If you have the time and the money to be able to invest in doing a hobby project or buying some gear or renting some cloud computing time, that will take you very far in your career trajectory in terms of teaching yourself and learning.
But at the same time, I don’t think it’s a hundred percent necessary. I just think, if you can invest in that time, like, great, you will be able to teach yourself lots and lots of things. But it’s not required. I think the most important thing is to establish yourself as somebody that is someone other people want to work with and then you have the skills, the basic skills necessary and the wherewithal to learn the rest that you’re going to learn along the way.

Closing

00:23:03:07

David Spark

I’m going to quote something an uncle of mine said once, that I felt was appropriate here. Or that is appropriate for our discussion here. And he said, “Everyone gets lucky breaks. People who succeed are the ones who are ready for them.” And that, I think, is kind of key. You see someone that kind of just fell in their lap kind of thing. No, there was a lot of work up to that, it’s just you’ve had lucky breaks, they’ve had lucky breaks, they were ready for theirs. And I think that’s the big thing. You just need to be ready when yours comes. And the problem is, we don’t know often when that’s going to be. Alright, I’m going to ask the two of you what your favorite quote was of these and why? And I’ll start with you, Geoff. Your favorite quote.

Geoff Belknap

I’m going to go with Anna Cotter and I apologize if I’m saying that wrong, but networking, get to know others. Many times jobs are never posted, especially the entry level ones. Volunteer to build connections. I think that’s right. I actually think the entry level ones are more likely to be posted, but also they’re the ones where a lot more candidates are going to be applying for that role and it’s really hard for recruiters to pull out the people that might be great. Well, if you can establish yourself in a network of people that are already security professionals, it’s much easier to get referred for that job and as unfortunate as it is, that is the best way to get a role in info sec today is have somebody that can vouch for the fact that you’re somebody that knows how to work on a team and that you’re somebody that would be a great addition to that team. That will not guarantee you the job, but it will definitely put you ahead of others in terms of getting that first contact in that area.

David Spark

There are no guarantees, and I think Bryan, you have the same favorite quote, yes?

Bryan Zimmer

Oh indeed. This was one of the biggest things I learned besides straight technical skills that helped my career. It sounds cliché but really, you’re selling yourself, so go build up your skills and then make those connections with people. You can’t sell yourself and your skills when you’re in a box. You’re not Cap’n Crunch. Go break out of that box, go meet people. And make those connections that are so crucial to learning and enjoying your current job and then getting your next job.

David Spark

Thank you very much, Bryan, thank you very much Geoff. Thank you to our sponsor, Palo Alto Networks. Thank you so much. Now, Bryan, I’m going to let you have the last word. If you are hiring, do let us know. Geoff, I believe you’re constantly hiring, yes?

Geoff Belknap

Always, yes.

David Spark

Always hiring. Any last thoughts on this discussion?

Geoff Belknap

No. I think the most important thing is to understand, yes, it is not you. It is difficult to start out in any new career. Keep trying, it is difficult. But also, and I think we’ve mentioned this before. Feel free to reach out. I’m going to get a million emails again for this, but like.

David Spark

Did you get a million emails when we did the mentorship episode?

Geoff Belknap

Not literally a million but I definitely got connections and I tried to respond to as many of those as I can, can’t to all of them. But the point is, there are people that are willing to share their time and frequently, I’ll end up on 30 minute mentoring calls with people to try to give them a couple of tips or sort of reorient them to how they’re going to make or break themselves in info sec. But also there’s lots of avenues for that. So LinkedIn is a great place to conduct the fantastic community building that happens here. Twitter and Clubhouse are other really good platforms for breaking out.

David Spark

There’s the CISO Series group on LinkedIn.

Geoff Belknap

There is, and I think you have to keep at it. I just want to underscore. It does not take thousands of dollars to get a job in info sec, so if somebody’s telling you to spend money, please talk to someone else. The most important thing you can do is be available for that opportunity, be ready for that lucky break, as David’s uncle would say. And then just get out there and start networking.

David Spark

Bryan, are you hiring at this point?

Bryan Zimmer

We are hiring, not in security but engineers. So platform infrastructure engineers, front end, full stack.

David Spark

Alright, any last thoughts on this discussion?

Bryan Zimmer

Yes. So related to this. For us more senior security people, just remember Jack Lemmon saying, “Remember to send the elevator back down,” kind of when you’re up at the top. Think about the people who are just starting out. So also think about those outside your circle, people who don’t look like the typical security person. People with different backgrounds, people who are just getting into the career. One, because it’s a good thing to help others, makes you feel good, but also it helps increase diversity and it helps solve our hiring problems. And don’t forget to go talk at our local community colleges and high schools. Maybe guide them on their careers, do a little presentation on how did I get into security. I get so many connections from when I go and do these talks, it really makes a big impact on people’s lives and has converted people to the dark side and come over to security.

David Spark

Good to hear. Thank you very much, Bryan, thank you very much, Geoff. Thank you to our audience. Kudos to everyone who gave Andrew a lot of advice on this question because I thought it was fantastic, a great opportunity to see how awesome the cybersecurity community can be. As always, thanks for contributing and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.