Show Notes: INFOSEC & Finding Creative Security Projects with Dr. Michael Biocchi | Episode #13


In this episode I was excited to be joined by Dr. Michael Biocchi. He teaches university courses on a variety of Computer Science topics. His courses on Udemy have been taken by 30,000+ professionals and he’s even authored several books. Leading up to his current projects, Mike studied Computer Science during his undergrad, graduate, and post-graduate studies. Plus, he’s got his CISSP and a ton of practical experience from working his way up from help desk to IT Director and onto security leadership roles.

During our chat, Mike shared some wonderful ideas about the advantage of pursuing creative projects that challenge you to develop your security skills, how to think about balancing academic vs other education mediums, and so much more.

Big Ideas from This Episode

  1. Initiative + Serendipity

    Mike was originally working in software development — then he noticed a gap in the way that his organization addressed security. This inspired him to dive into information security topics, earn his CISSP, and pursue security specific projects.


    The barrier to entry for creating written content, online courses, for podcasting, etc, is super low. And these can be a great source for developing your security skills, your network, having a creative outlet that you just can’t do in most security jobs (true), and if it’s useful for others…maybe generate money too.

  3. Security Certs…

    Many security certifications are “a mile wide and an inch deep”, meaning that they expose you to key ideas, but don’t necessary make you an expert in any particular subtopic.

  4. Computer Science

    Computer science students can complete their entire degree program and NEVER acquire substantive knowledge about security — and this makes the roles of security practitioners that much more important, especially as it relates to educating developers and others.

  5. Be a Sponge

    Find people to look up to. Be receptive to listening and learning. Explore the many educational options available to you: academic, YouTube, Udemy, Coursera, and more. Use your training budget at work (if one exists).

  6. Don’t Fall into the Stereotype of the INFOSEC Person

    To be a good INFOSEC professional you need to be a great communicator! Via report writing, presenting ideas to executives, and more.
  7. Information Security is Not Just an “IT Problem”

    We need to help educate stakeholders regarding this point! It impacts the entire organization.

  8. Millennials (who tend to only spend 3 years at each job) can be an interesting value add for teams because their experience is far more diverse than their counterparts who have worked in a single for for 10+ years / etc.


This Is How They Tell Me the World Ends: The Cyberweapons Arms Race by Nicole Perlroth

Udemy Courses

Use CONTROL + F to search the transcript below if you want to learn more!

Transcript from this episode (#12)

*Note: this transcript was generated using automated software, and my not be a perfect transcription. But I hope you find it useful.

Travis  0:00  
So Mike, I want to get you on the podcast since I stumbled across your website and your Udemy a couple months ago, you have a pretty awesome background when it comes to computer science, your courses on Udemy have been taken by upwards of something like 20,000 people, which is pretty awesome. So they must be some solid courses. And then also, like your multidisciplinary, you're working, you're working doing some creative projects, because you have a number of books that you've written too, which is really cool. So I'd like to dive into that topic as well later on the conversation. And also, you're our first computer science InfoSec guest on the podcast. So I'm really looking forward to you kind of sharing some ideas that let many of our listeners who are involved in investigations, physical security and a little bit of InfoSec just to kind of like give them a new perspective when they think about protecting information. So Mike, welcome onto the podcast. And thank you.

Mike  2:22  
Thank you for having me. I am very happy to be here.

Travis  2:24  
It's my pleasure. So to kick things off, I wanted to throw a hypothetical question your way just so we could kind of like get a feel for how you how you approach things. So imagine that you had a magic wand. And this magic wand gives you the power to change any one thing about the security and risk industry? What would you change? And Why Does anything come to mind?

Mike  2:52  
Yeah, you know, the magic wand would make things a lot easier in the security business. But from my perspective, I think if we can make things easier, and more convenient, when it comes to computer security, that would solve a lot of problems. You know, I have people in my life who I know, still won't put a password on their phone, you know, not not a PIN code or swipe code, just because it's not convenient for them, you know, multiple times a day to unlock their phone. But something as simple as that can really protect you from a lot of various, sorry, it can really protect you from various attack. So I think it convenient, and that anyone can do it.

Travis  3:29  
Yeah, that's a great point. And this is something I've done, like a little bit of research on too, which is kind of like, so I did a project during my master's program. It was like fairly. Like, it wasn't super, it wasn't the most professional research project. But we ran a survey to learn about people's, basically their attitudes and some of their approaches to protecting information. And it was really interesting to learn about how, like different generational cohorts will look at protecting information, when it comes to their habits, when it comes to like the different technologies that they use different security controls that they use. And while I was doing that project, too, I did like a quick kind of like review of some literature that was out there. And one really interesting thing that stuck out to me, there was research done by things like a company that's focused on social engineering. And one of their big findings was like, because some of the different generational cohorts trust, like different technology mediums in a different way. It really makes them like more vulnerable to specific types of social engineering attacks. So that's just one thing that came to mind. But I do think building in convenience and making security easy to do is definitely a huge thing. So yeah, user experience, definitely huge insecurity.

Mike  4:58  
And speaking of social Engineering, most attacks have some form of social engineering involved with it. You know, I always say it's easier to ask for someone's password that is to crack their password. Because you can more easily exploit someone's trust than you can, you know, using algorithms and supercomputers to do whatever you need to do to break into computers. But, you know, we used to run a drip, not a drill and activity. And we would ask users for their password, and we would see if they would give it to us. And we would find that if you're, you know, wearing a suit, or if you had professional clothes on, oftentimes people would assume that you needed the password for a very good reason. And a lot of people would just give you their password. And you know, it's just because I think what you're talking about there is that trust that people have with technology, the trust with people, and that's what hackers are looking to exploit now.

Travis  5:50  
Yeah, that's an excellent point. It's like the classic, throwing on a glow vest and walking into a building. And everyone just gives you free rein because it looks like Oh, this guy's wearing a vest, he looks like he must belong here. That's

Mike  6:02  
exactly have a clipboard in your hand, and you're good to go.

Travis  6:06  
That's a great point. And then moving on. So I want to ask you a little bit, could you share some about the role that you play in your organization today and the type of work that you do?

Mike  6:19  
Sure. So I am a Senior Content Manager for security education. And so what we're trying to do is educate developers because I'm finding I'm also a teach part time as well, too, with computer science. I'm finding that the curriculums don't often have a security course built in as a core course. Sometimes it's offered as an elective. And other times, some institutions won't have computer security courses at all being offered to computer science students. And so there is a real possibility that students can graduate with either a diploma or degree and never learned anything about computer security. And so in my role, right now, we're trying to educate developers, so that they can learn about vulnerabilities and learn about mitigation tactics so that they can have their code secure.

Travis  7:06  
That's really interesting. So like, when you think about your day to day, like, typically, what types of projects and tasks do you find yourself being involved in? Or like, what types of stakeholders do you generally communicate with?

Mike  7:22  
Yeah, we work with a wide range of people mean, there's a whole marketing aspect to it so that we can get our lessons ranked high with Google search and other search engines. So there's that whole marketing aspect plus, we want to let people know what we're up to. There's the technical aspects. So we work with like a dev SEC team, that will help us fine tune the code that we give for examples and mitigation techniques to make sure that we are giving the proper advice. And then there's also the content portion of it as well, too, we want it to be written well. We want to make sure that we're not having spelling mistakes, and that the content that we're putting out there is accurate and professional. So I work with various different groups and departments to make sure that the content that we develop is quality content, where developers can learn.

Travis  8:07  
Okay, now, this makes more sense how you're able to get so many students, it's a mix of things. It's being very diligent and putting together super high quality content. It's working with marketing teams, it's having a feel for the whole, the whole Google machine and SEO and all that. So that's, that's very cool that you get to work kind of across disciplines there.

Mike  8:31  
It is nice. Yeah. And the Udemy course, you mentioned that really, you know, I built that a few years ago, I've updated it multiple times a year to keep the content current. But that was something I thought there was a gap in the industry for some security awareness training for individuals. And I built this course, not thinking it was going to be a huge hit, but more as a project for me, do some video editing, you know, make good content. And then all of a sudden, it just kind of took off. It got picked up with Udemy for business. And I believe now, there's 36 plus 1000 People who have taken that course, which is pretty awesome.

Travis  9:11  
Yeah, that's crazy. And I hope other people are listening and kind of like generating some ideas here. Because you mentioned this was just a personal project so that you could refine some of your skills as far as the way that you present information, the way that you teach, and really just kind of like refining the way that you think about security awareness. And then that turned into a big project where 10s of 1000s of people are taking your course. So I hope some listeners are, they kind of have like that hamster wheel rolling around thinking, Okay, I wonder if there's similar things that I could do where, one I get the opportunity to improve my own skills and my understanding and educate others. So I hope I hope people take that away as well.

Mike  9:55  
Yeah, you know, it's one thing to write an idea down, it's another thing to do it and so I hope you Oh, you know, if you have an idea, if there's something that you want to try, you know, put some time aside and make sure you, you give it a try because it might be successful.

Travis  10:08  
Yeah, I love that approach. And next, I was curious to learn what type of early influences or late influences got you down the path to pursuing information security and computer science altogether?

Mike  10:24  
Sure, I, my first job, I worked in an IT department and I was an application developer. And security wasn't really on my mind, you know, I did quite a bit of schooling and never once took a computer security course. And so my eyes weren't really open to the whole field of cybersecurity. And as I was working as a developer, we were working on a very old code base, and we were getting alerted of all these vulnerabilities. And I thought, you know, somebody in this organization needs to take ownership of this. And so then I started to take courses take a little bit more schooling. And I ended up getting my CISSP certification a few years later. And that's kind of how I got into this industry, I noticed a gap in our company, the company I was with, and, you know, it needed to be fixed and someone had to do it.

Travis  11:18  
That's really cool. Yeah, so you didn't even set out to do information security. At first, it started out with computer science development, you saw that own, you saw that gap in your organization where someone needed to take on this task, and then you just decided to develop those skills, pursue your CISSP and really just engage in your own learning projects on the side? That's awesome.

Mike  11:43  
Yeah, you know, I don't consider myself that old. But you know, the internet itself. And technology is fairly young. And, you know, the internet in the 90s, wasn't built with security in mind. And it wasn't till layer that we added on this, these layers of security. And I think a lot of jobs and a lot of development jobs are like that now, where security, cybersecurity in particular is at the forefront of a lot of news, you hear about ransomware attacks, you hear about other attacks. And I think companies now are realizing, well, we need to potentially have a dedicated position or multiple dedicated positions to computer security. And so I feel like I kind of got on that path a little bit early, by noticing that our company was lacking in those skill sets.

Travis  12:26  
Yeah, that's very interesting. And then also, so you talked about the role that you're in today? What types of roles did you have leading up to where you are today? Like, were there any that shaped you more than others?

Mike  12:41  
Yeah, you know, I worked in IT department for quite a while, when I first got hired, I was doing just your entry level it stuff, you know, working helpdesk, essentially. And then from there, kind of, I finished, I did a little bit more schooling. And then I took on more responsibilities. And I kind of made my way up the hierarchy in the company, to become a manager, and then to become well, I moved to application development, and then became a manager and then became a director of it for short period until I changed careers. And so I think all of those jobs, kind of led me to where I am today, working with people, you know, soft skills is extremely important in this industry, and having the technical skills and being able to have that drive to learn on your own because not everything is going to be covered in a curriculum in your degree in your diploma. And so it's really, you know, you need to, you need to be able to learn and to find your own path.

Travis  13:42  
Yeah, that's an excellent point. Because, yeah, really, every day, every degree program, it doesn't matter if it's a bachelor's, if it's a master's, there are such giant gaps in your knowledge. When you finish those programs, it's incredibly critical to really identify your weak points, and then go out and pursue, pursue knowledge in those areas. And on it. Honestly, I think it's much easier if you could pursue some kind of project, like what you've done, where you're developing courses, or others, where they're writing on blogs, where they're sending out newsletters on niche topics, because that's similar stuff to what I'm doing today. Like, a couple weeks ago, I got this fancy physical security certification. But at the end of the day, it really doesn't mean a whole lot. Because there's so many areas where I still need to do my own. I need to pursue my own education, developed my own cheat sheets, my own reference materials that I could go to day to day when I'm trying to solve challenges. So I really do love that approach. And I think every security practitioner should really have a similar mindset like that.

Mike  14:50  
Yeah, even the CISSP certification. They say that, you know, it's a mile wide and an inch deep. So you'll learn about a lot of different things but you won't I dive deep into a lot of the topics. And so you have a broad knowledge of the security field, which is great. But then the onus is on you to dive deeper into areas that interest you, and that you want to learn more about and that you could pursue your career in that area.

Travis  15:15  
Yeah, that's an excellent point for anyone that's pursuing really any security certifications. Moving on. So I wanted to learn a little bit, I wanted to ask you about like any failures you've had in your career? Like, are there any times where you've encountered a failure that's set you up for a later success? Or maybe, do you have a favorite failure that you've encountered during your whole career journey?

Mike  15:40  
Yeah, I think a lot of failures can lead to success, if you look at it through the right lens, you know, failing is, you know, just your first step to getting it right type thing. We had a large project, and this would have been many years ago, we had a homegrown system. So it was coded in house. And since it had launched, we had developers leave and the code had become legacy code, it was very old. And we wanted to move to a out of the box system. So we're going to purchase something off the shelf, and integrate that with the system that we already had. And we didn't do enough requirements, gathering specifications. And the project was a failure. And we learned a lot from that, you know, I learned a lot from that, personally, I wasn't leading the project, I was on the project. And I think watching something be a huge success. And learning from that is just as valuable as watching something fail and learning from that as well too, as long as you learn from it. And so I learned during that failure, that, okay, when you're doing a large project, you need to make sure that you get everything upfront or as much as you can, because changes cost a lot as you move, you know whether it's agile or waterfall, but as you move along the project, making changes can be very costly. And that was the lesson that I learned. And so I any project that I take on now, I always remember this project that failed in the back of my head. And I think how can I make sure to, you know, not have that outcome?

Travis  17:10  
Yeah, and I could totally relate, I could think of a number of failures throughout my career. And it's some of those failures that like really cut deep into your soul that always stick with you. So on future projects, you can't help but have it in the back of your mind to check a handful of boxes that you remember, were critical in that one time where you were unsuccessful. And so I do really like that outlook. Next. So there's lots of young and aspiring practitioners listening today. And I want to ask what advice that you would give them in, in what advice you'd give them for pursuing their own careers in information security? And I think you've, you've touched on this a bit, because like, You've mentioned a little bit about working all the way down from Help Desk to IT director to your current position now. So could you share a little bit of advice for aspiring practitioners?

Mike  18:08  
Yeah, you know, I'm, I have a lot of education. And so I think education is very important, but not just in the classroom. You know, that is one part of the equation. But I think learning outside of that, taking courses online, and now with, you know, not just with the existence of the internet, but even through COVID, where a lot of things have moved online, I think, you know, trying to find courses, either going in person if you want to, or taking something online, YouTube is a great resource Udemy, there's lots of areas, there are lots of different platforms to learn. And so while I'm a big fan of education, I'm also just a massive fan of learning in general. And I think, someone who's listening, who wants to get into this industry or any industry, just try to be a sponge and learn as much as you can. And that could be from the videos and courses or it could be from your colleagues and your co workers, you know, find somebody to look up to. And, you know, don't be afraid to don't be afraid to admit you don't know something. I think that's very important. You know, we all don't know what we don't know. And so if you can be receptive to learning and listening, I think that's, that's gonna go a long way. Yeah,

Travis  19:25  
I like that approach. One. Yes, it's super useful to pursue, like any kind of academic education, but there's also so much free material or relatively cheap material out there online for pursuing an education and any number of niche topics, especially when it comes to security. And I think like one pitfall that some of us insecurity tend to fall in, is that we get really bogged down in like every day to day tasks, and we kind of forget to dedicate some time to it. Our continual learning. So I think that's one thing for us to all be extra aware of and kind of try to try to build it into our calendars in advance so that it's something that doesn't just get pushed off for another day. I like your points.

Mike  20:15  
Yeah, in some workplaces, you know, if someone's working right now at a company, they may have a training budget set aside, I remember when I was working with a previous company, we had a fairly decent sized training budget. And for a few years in a row, I was the only person to tap into that. And you know, I traveled to different cities to take courses, just because I was interested in learning. And so check with your company to see if there's a training budget, and that saves you the cost of learning on your own.

Travis  20:42  
Yeah, that's excellent advice. And it's probably great for retention, it's great for them retaining clients, because now they have much more knowledgeable workers. And I'm sure overall, it's just more enjoyable when they could see that their employees and their teammates are all continuing to grow. And going off at that same point. I was curious, are there any competencies that you think are especially important for people working in information security, like yourself?

Mike  21:11  
Yeah, we have what we call the CIA triad, it's confidentiality, integrity, and accessibility or availability. And I think having a solid understanding of all three of those, you know, understand encryption, and how it differs from hashing and have a good understanding of cryptography. Make sure you understand, you know, the integrity of data, and how important that is, and how that, you know, if, if data goes into a system, it needs to come out the exact same way. And we want to make sure it doesn't get modified or changed, either accidentally, or maliciously. And then also, you know, when we talk about availability, we're talking about uptime, and we're making sure that we have resource services available, and we're not having our systems go down because of a denial of service attack. And so understanding that CIA triad, I think, is really big for any role that you have within it, you know, you can be a database administrator, or sorry, you can be a database administrator, you can be a cybersecurity professional, you can be just a developer as well, too. But I think having an understanding of how all of that ties together to make a platform secure and private, is really important.

Travis  22:25  
I see. So starting with the CIA, triad, confidentiality, availability, integrity, and then outside of some of those technical skills, are there any soft skills or any other I don't know, maybe, like, less tangible or intangible skills that you think, like contribute to one's success working in InfoSec?

Mike  22:50  
Yes, I think movies and media do a little bit of a bad job showing that computer scientists that that cybersecurity person that hacker, you know, it's always somebody in their basement, you know, and they always use that same cliche of, you know, living in a parent's basement type type view of what a programmer looks like. But that's not true at all. And, you know, I think, to be a good developer, to be a good cybersecurity expert. And to work in this industry, you need to have those soft skills. And you want to make sure you go against that cliche that movies talk about. And you want to be able to converse with people to be able to express your ideas both verbally. And in writing, a lot of what you're going to do is writing reports, making sure that, you know, if you do discover a vulnerability, or if you are looking to write up a mitigation on how to avoid this vulnerability, that's all going to be written down, sent through an email, maybe documentation is going to be created. So having that written skill is really important. But as I said, the verbal as well, too, you know, you will be talking to people above you and below you on the company hierarchy. And so you want to make sure you know how to talk to colleagues.

Travis  24:10  
Yeah, I really liked that point. And I think I could relate a lot because I feel like there have been a number of times in my career where I'm in compliancy InfoSec type roles, and then other times, where I'm in more of a physical security, like asset protection type role. And there have been a number of times where I know, I would have been much more successful, had I been basically had I had I better communication skills when it comes to presenting a strong argument for stakeholders or for executives, when it comes to investing and security resources. Maybe that's a security tool. Maybe it's getting a NIST assessment done. Maybe it's a number of things, but I think that's something that's definitely huge and I could think of a number of times I'm swear, I could have been more successful in my role. Had I been? Had I developed some of these communication skills better? And had I been really just more more adept in putting some of those arguments forward. So I think that's an excellent point.

Mike  25:17  
Yeah, you know, there may be times where you go to your boss and you say, I have a really great idea, I think we should do A, B, and C. And your boss might say to you, okay, why, how's that going to help the business? You know, is it going to save us money? Why would we do this rather than do something else? And to be able to explain yourself, I think is really important, you know, not just say, well, we need to do it, because I researched it. And I'm saying, so it's putting together that that business case, and being able to explain why an idea or why a solution is important.

Travis  25:52  
Yeah, that's definitely an entire skill set on its own, that really, we need to pay attention and put forth some effort to develop there. And then next, so I was curious to ask you, what books you've tended to recommend most to your colleagues and some of your peers over the course of your career. Are there any that stand out the most?

Mike  26:18  
Yeah, I read a book recently, it's called this is how they tell me the world ends. It's the cyber weapons arms race, it's by Nicole pearl, pearl Roth, I believe is how you pronounce her last name. And it is a really good book for everyone. It's not a super technical book, you don't have to be a computer science major to read it and understand it. I'll get her name right here, Nicole Pearl Roth was, she is a journalist. And she wrote this book about cybersecurity. And she sort of got thrown into the deep end of this world. And she writes about it. And she talks about how insecure the world really is when it comes to cybersecurity. And so it's an eye opening book. And I recommend it to everyone, just so you can kind of get a glimpse of the security industry and seeing what it's all about.

Travis  27:07  
Okay, yeah, and I'll definitely link to that in the resources in the show notes that we put together afterwards. And I do find those types of book to be those types of books to be the most useful, because really, you could share them with the general population. And it could help them get a better grasp on just thinking about information security, because for so many people, it doesn't matter whether they're in their 20s 30s 40s 50s 60s. So many people are just like, for them information security is something that's just so ambiguous, they just kind of like completely ignore, like, how it impacts them day to day, or really just like diving further into the topic. So I really do appreciate those books that can that can appeal to a broader population and educate them about information security, I like that.

Mike  27:59  
It's something I talk about often when I teach is that security isn't just the responsibility of the IT department. A lot of people assume that, oh, you know, if our organization wants to stay secure, it needs to solve that problem. But it's us people, you know, we are the weakest link in security. And we need to make sure that we understand it, that we're not sharing passwords, that we're using unique passwords. And so I think, having this written by someone who isn't super techie, and being able to explain a lot of tech terms to the general population. Now, I think this book does a really good job. And I think in general, any book that can do that is really good for all of us.

Travis  28:40  
And that's a good segue, I wanted to ask you a little bit about some of the books that you've been writing over the course of your career, and kind of what inspired you to go down that path of doing of becoming an author.

Mike  28:57  
When I was in high school, way back when I wasn't sure what field I wanted to go into. I was debating about English or computer science, and my dad was a manager of it. And so we always had computers at home. And I remember my dad had big clunky cell phone when they first came out. And technology always interests me. And when it came time to apply and to go to university, I ended up going the computer science route. But I always did love writing. I had a passion for that ever since I was young. And it takes time, I will put that upfront right away. You know, writing a book takes significant amount of time to sit and type and think and with my career Early on, and never had a chance to or never had the time to be able to do that. And it wasn't until I got a little bit older where I forced myself to carve out time to do something that I'm passionate about that I wanted to do. And so I started Writing a book and, you know, I put it on Amazon with the hopes of selling one copy, that was my bar, I kept it really low, just because I didn't want to be disappointed. And the books have been selling really well on Amazon, they've been getting good reviews, I have since released a few more. And, you know, this is something now that, you know, because I sit at a computer all day and, you know, work within this industry, I can take a break, I can go outside, go in the backyard, take my laptop. And right now I find that, you know, I've that's relaxing for me, you know, I don't see that as my primary job right now. And so it is it is something that is a hobby, and it's relaxing, but I'm happy that the books are successful.

Travis  30:48  
Yeah, that's a really cool way to kind of like direct some of your creative energy that you may not get to use day to day, but then also kind of like weave in your expertise and your experience from your years of working in this field. And I was also curious, so like, what does the publishing process look like for something like that?

Mike  31:11  
I think it's become easier. And more recent years, even for a podcast like this, there isn't a huge startup cost to it. You know, if someone is really passionate about starting a podcast, they can invest, you know, obviously, you want a really good microphone, do you want some editing tools. And then if you have a good idea and a good topic, you can create your own podcast, or you can do your own YouTube channel. Or if you want to stream video games, you can do that online and hope to get an audience so I think creating your own.

Travis  31:45  
I'm trying to think of the word Yeah, it's like developing your own your own creative medium to put out there. Yes, sorry.

Mike  31:50  
So creating your own medium and putting it out there is easier now than ever. But there is some work involved. So with the book writing, I have a designer for the book covers, I have an editor that I've hired that I've worked with for all the books, and that we'll go through, you know, the the first draft looks similar to the final draft, but there are lots of changes to go along the way. And so, you know, it takes takes me about four to six months to write the novel. And then it goes through the process of editing. And you know, I hope to try to get out two books a year. But it does take time.

Travis  32:29  
Damn get two books is, is pretty courageous. That seems like a lot of work.

Mike  32:36  
It is a lot of work. But like I said, you know, you can write something, it doesn't have to be a novel, you can write a short story, you can write a how to book, if that's what you want to do. And you can get it onto Amazon or a number of other platforms without a very high initial fee.

Travis  32:56  
Yeah, that's really cool that startup costs are so low, like you mentioned for podcasts. Yeah, really, all I bought was a good mic. Sound proved my recording studio a little bit, bought some audio editing tools. And yeah, it was super cheap. And then, yeah, like you mentioned, even for writing and publishing on Amazon, also the bar is fairly low. So I hope this gets some of the listeners thinking about how they might do their own creative projects, and whatever they're interested in, maybe that's security, maybe that's outside.

Mike  33:27  
Yeah. And that ties back to Udemy. As well, too. You know, I didn't invest much into that I recorded myself I spent and you know, this, you know how much time you record something, you spend just as much time if not more editing. And, you know, so I did that I put it on Udemy, there was no fee to put your courses on Udemy. And so it wasn't a high startup cost. But like I said it, it became popular. And I'm happy I did that. And same with writing a novel. You know, I did that. And I'm happy I did it. And so anyone listening who has an idea, you know, go for it.

Travis  34:03  
Yeah, I love that outlook. And I hope this does inspire some listeners as well. And moving on. So I wanted to ask you this question similar to my crazy hypothetical that I kicked off the interview with, which was like today, many of the leaders in the security space, they're older, they're in their 40s, their 50s their 60s, I was curious to learn. Like how do you see the security industry changing if it changes at all, as a younger cohort gains more experience and becomes the leaders within their own organizations?

Mike  34:40  
And I think it has to do a lot with being able to adapt and change quickly. The computer science field itself. You know, it has a very long history, relatively long history and some things haven't really changed you know, since the beginning, but other things have changed. quite a bit, and they continue to change very fast the web, for example, there are lots of different web frameworks and ways to develop websites, as opposed to how there were 20 years ago. And the security industry as well is changing with tools becoming available with computing power, getting better, more vulnerabilities are being found. And it's a game of cat and mouse of, you know, finding the vulnerability and patching the vulnerability. So, I would say that for anyone, you know, regardless of age, you have to be willing to adapt and to change. And to say that, you know, we can't keep going down the same path that we are now, we need to pivot and we need to be able to adapt to the changes happening in the industry so that we ourselves are protected.

Travis  35:50  
Yeah, that's an excellent point. And that's kind of been a theme among a number of conversations that I've had with people, whether it's people working in investigations, or emergency management, or any number of different domains. A number of guests have highlighted the point of being adaptable, and being able to change as the circumstances in your organization, as different security trends as adversary tactics change, being able to adapt there. So I have seen that as like, a theme among a number of guests.

Mike  36:26  
Yeah, I think the younger generation is more adaptable. You know, if you look at the average length, that somebody stays at a job for the older generations, you know, they would stay at a job for a lot longer than a younger generation who may switch jobs now every three, four years. And so I think the younger generation is able to make changes more quickly. But, you know, we all need to kind of take that approach and say, and, you know, so much that they know, I think it really is a balancing act in a, in a corporation. And in an in any industry, you know, you don't just want to push out all the older people, because that's, that's not the solution, either, because there's so much knowledge and experience that they have, and that they can share with the younger generation. And so I think it's balancing the, the change, and balancing the knowledge to make something really good. And some companies have a really good balance, and other companies are still looking for that balance.

Travis  37:25  
Yeah, that's really interesting. And that reminds me, I think it was McKinsey, or was at McKinsey, it was it was one of those groups, they put out a, they put out a research paper about millennials in the workplace, I think it was just sometime around last year. And I think the average time that a millennial spent at any job was something like three years or less. And one interesting thing that happens when you when you spend three year increments with multiple organizations, it's that you get experience with diverse groups, everyone has their own approach to problem solving their own approach to professional development, and their own unique perspectives. So it's kind of like when you get those, when you get those millennials into your organization, there's so much value that they could have that they could add, because they didn't spend 10 years working with a single team, they've spent three years working with three different teams, it's just getting that new blood into the mix, can help, can help the team and the organization develop much more creative solutions, because those millennials have seen things done in so many different ways. So I think that's one really important factor factor there as well.

Mike  38:41  
Yeah, we always call it fresh eyes. And so we would work if we were working on a project or we had a problem, we would sometimes give the problem to somebody else in a completely different department, you know, maybe human resources or maybe finance. And we would say this is the problem we're having, you know, what do you think when you see it, and you look at it, and you know, obviously, we wouldn't share code, cuz they might not understand that, but we would share the overall problem. And it's just getting a different set of eyes. It's getting somebody with different experiences to be able to look at something to find a solution.

Travis  39:14  
That's really fascinating. Yeah, I love that. That idea of getting fresh eyes on a problem. That's very cool. And let's see. So as we begin to wrap up the interview, I was curious. Like, what, Ed, are there any final thoughts that you wanted to share with any young and aspiring practitioners?

Mike  39:36  
Computer science is a broad field, artificial intelligence and cybersecurity and application development. When you dive deep into any one of those, no, it just becomes you go further down the rabbit hole, and there's just so many different career paths to take within computer science itself. And so I would suggest you know, if you Doing that general computer science degree or if you're doing that computer science diploma, get experience with as much as you can, and figure out what you like and what you don't like. Maybe you don't like networking, and maybe you don't like artificial intelligence, but you do like cybersecurity, or a different combination. But find what you like, and then just dive deeper into that, you know, look for certifications, look for ways to gain more knowledge. And then once you have that, don't stop, you know, once you get hired at a job, continue to learn as much as you can. You know, that's, that's what we have to do to continue, you know, we never stopped learning no matter what age we are. Yeah, I

Travis  40:41  
like that advice about exploring different subtopics. Because they're just going to be some topic, some topics that individuals have far less interest in. And we kind of need to find things that are suitable to our personalities to the way that we do work to the things that we find, maybe we find some tasks more meaningful, and we could do more of those. So I really do like that that approach. And oh, actually, I skipped over one question. So I've got one more for you. Sure. So what if any bad recommendations? Have you heard over the course of your career from different people in your field? Are there any that stand out to you?

Mike  41:22  
I think, touching upon something I've already talked about a little bit, it's that, you know, computer security is an IT problem, you know that that is just not the case. And you know, the recommendation that individuals don't need to worry about the bigger picture of cybersecurity. I think that's just totally incorrect. You know, it's going to be a random employee, open up a ransomware, email and bring down the entire network. And so I think it's training, whether it's security awareness training, some sort of training to get everyone up to a certain standard of knowledge when it comes to computer security and cybersecurity. And so, you know, the bad recommendation of, hey, this is it is problem, let's not worry about it, that that's just not the case, it is everyone's problem.

Travis  42:09  
Yeah, that's a great point. Like, it's not just an IT problem, because really, really like the entire surface area of the entire population of people working at a company, they are all potential elements that could be that can be attacked with social engineering with any number of ideas. So yeah, it really is an entire organizational challenge to find a solution for it's not just any particular department, I like that outlook. And, Mike, I really appreciate you sharing your time with me today, we talked about some really cool ideas. And I think one of the really big ones that I hope people will walk away from this conversation with is kind of like some inspiration for pursuing some of their own creative projects. Because, as you mentioned, like during your career, you develop some of your Udemy courses, which helped you develop personally. But then it also helped you educate 10s of 1000s of people as well. And then plus, you've also engaged in doing some creative projects, when it comes to writing and putting some books on Amazon. So I hope one big thing that people can take away from this conversation is the inspiration to pursue some different creative outlet creative outlets that can benefit them personally by finding their own satisfaction and developing it and also being able to help others in the community. And then also, you mentioned a number of other cool ideas when it comes to developing competencies. And then I think this conversation will even give, give a lot of hope to people, maybe they're working in a helpdesk type role today, but giving them ideas for continuing to develop their skills, so that they could be that IT director or that IT manager and move on to some of these other bigger roles. So, Mike, I really appreciate you sharing your time with me today and sharing some really cool perspectives on of course, information security, but also just finding creative pursuits that benefit you and the broader community. So I'm super grateful. Thank you for joining me, Mike.

Mike  44:18  
Oh, thank you for having me. This has been great. And I hope anyone listening, take something away. And again, thank you very much.

Subscribe to the newsletter below, and never miss new content!